
Page 1: Reactive Systems: Modelling, Specification and Verification ...ce.sharif.edu/courses/90-91/2/ce665-1/resources... · Reactive Systems: Modelling, Specification and Verification

Reactive Systems: Modelling, Specification and Verification

DRAFT OF September 19, 2006

Luca Aceto (1,2), Anna Ingólfsdóttir (1,2), Kim G. Larsen (1), Jiri Srba (1)

September 19, 2006

1 BRICS, Department of Computer Science, Aalborg University, 9220 Aalborg Ø, Denmark.

2 Department of Computer Science, School of Science and Engineering, Reykjavík University, Iceland


ii

This draft textbook, to be published by Cambridge University Press in the first half of 2007, is intended to support the courses on Semantics and Verification (Aalborg) and Modelling and Verification (Reykjavík). It is under constant revision, and its most recent version is available at the URL

http://www.cs.aau.dk/~luca/SV/sv-book.ps.

Please let us know of any comment you may have, or typographical mistake you may find, by sending an email at the addresses

[email protected] and [email protected]

with subject line ‘RS Book’.


Contents

Preface xi

I A Classic Theory of Reactive Systems 1

1 Introduction 3
1.1 What are reactive systems? 4
1.2 Process algebras 7

2 The language CCS 9
2.1 Some CCS process constructions 9
2.1.1 The behaviour of processes 17
2.2 CCS, formally 20
2.2.1 The model of labelled transition systems 20
2.2.2 The formal syntax and semantics of CCS 25
2.2.3 Value passing CCS 32

3 Behavioural equivalence 37
3.1 Criteria for a good behavioural equivalence 37
3.2 Trace equivalence: a first attempt 40
3.3 Strong bisimilarity 42
3.4 Weak bisimilarity 61
3.5 Game characterization of bisimilarity 73
3.5.1 Weak bisimulation games 79
3.6 Further results on equivalence checking 81

4 Theory of fixed points and bisimulation equivalence 85
4.1 Posets and complete lattices 85
4.2 Tarski's fixed point theorem 89
4.3 Bisimulation as a fixed point 96

5 Hennessy-Milner logic 101

6 Hennessy-Milner logic with recursive definitions 115
6.1 Examples of recursive properties 120
6.2 Syntax and semantics of HML with recursion 122
6.3 Largest fixed points and invariant properties 127
6.4 A game characterization for HML with recursion 128
6.4.1 Examples of use 131
6.5 Mutually recursive equational systems 134
6.6 Characteristic properties 138
6.7 Mixing largest and least fixed points 148
6.8 Further results on model checking 152

7 Modelling and analysis of mutual exclusion algorithms 155
7.1 Specifying mutual exclusion in HML 160
7.2 Specifying mutual exclusion using CCS itself 162
7.3 Testing mutual exclusion 166

II A Theory of Real-time Systems 173

8 Introduction 175

9 CCS with Time Delays 177
9.1 Intuition 177
9.2 Timed Labelled Transition Systems 179
9.3 Syntax and SOS rules 181
9.4 Parallel composition 184
9.5 Discussion 188

10 Timed Automata 191
10.1 Motivation 191
10.2 Syntax of Timed Automata 192
10.3 Timed and Untimed Trace Equivalence 200
10.4 Timed and Untimed Bisimilarity 202
10.5 Region Graph 206
10.6 Overview of the Main Results 216
10.7 Networks of Timed Automata 217

11 Hennessy-Milner Logic with Time 223
11.1 Basic Logic 224
11.2 Timed Bisimilarity vs. Hennessy-Milner Logic with Time 233
11.3 Adding Recursively Defined Formulae to HML with Time 238
11.4 Overview of the Main Results 247

12 Modelling and Analysis of Fischer's Algorithm 249
12.1 Mutual Exclusion Using Timing 251
12.2 Modelling Fischer's Algorithm 252
12.2.1 Proving Mutual Exclusion Using UPPAAL 254
12.2.2 An Erroneous Version of Fischer's Algorithm 256
12.3 Further Exercises on Timing Based Mutual Exclusion Algorithms 258

13 Suggestions for student projects 263
13.1 Alternating bit protocol 263
13.2 Gossiping girls 265

Bibliography 266

Index 278


List of Figures

2.1 The interface for process CS 10
2.2 The interface for process CM | CS 13
2.3 The interface for process CM | CS | CS′ 14
2.4 The interface for process CM | CS | CM′ 15
2.5 The interface for process SmUni | CS′ 16
2.6 Labelled transition system with initial state p 22

3.1 P R Q implies that C[P] R C[Q] 39
3.2 A bisimulation showing B^2_0 ∼ B^1_0 | B^1_0 59

6.1 Two processes 116
6.2 A process 123
6.3 The processes p and p_i for i ≤ n 139
6.4 The nice coffee machine gkm 141
6.5 Simple infinite process p 143

7.1 The pseudocode for Hyman's algorithm 160

10.1 Light switch 191
10.2 Clock constraint in the guard vs. in the invariant 199

12.1 The Timed Automaton A_i for Process i 252
12.2 Erroneous Timed Automaton A^w_i for Process i 257


List of Tables

2.1 An alternative formulation for process CS 18
2.2 SOS rules for CCS (α ∈ Act, a ∈ L) 29

3.1 The behaviour of (CMb | CS) \ {coin, coffee} 63
3.2 The sender, receiver and medium in (3.8) 67

9.1 SOS Rules for TCCS (d, d′ ∈ R≥0) 183

12.1 Program for Process i (Alur and Taubenfeld) 259
12.2 Program for Process i (Revised Algorithm) 260


Preface

This book is based on courses that have been held at Aalborg University and Reykjavík University over the last five-six years. The aim of those semester-long courses was to introduce students at the early stage of their MSc. degrees, or late in their BSc. degree studies, in Computer Science to the theory of concurrency, and to its applications in the modelling and analysis of reactive systems. This is an area of formal methods that is finding increasing application outside academic circles, and allows the students to appreciate how techniques and software tools based on sound theoretical principles are very useful in the design and analysis of non-trivial reactive computing systems.

In order to carry this message across to the students in the most effective way, the courses on which the material in this book is based presented

• some of the prime models used in the theory of concurrency (with special emphasis on state-transition models of computation like labelled transition systems and timed automata),

• languages for describing actual systems and their specifications (with focus on classic algebraic process calculi like Milner's Calculus of Communicating Systems and logics like modal and temporal logics), and

• their embodiment in tools for the automatic verification of computing systems.

The use of the theory and the associated software tools in the modelling and analysis of computing systems is a very important component in our courses since it gives the students hands-on experience in the application of what they have learned, and reinforces their belief that the theory they are studying is indeed useful and worth mastering. Once we have succeeded in awakening an interest in the theory of concurrency and its applications amongst our students, it will be more likely that at least some of them will decide to pursue a more in-depth study of the more advanced, and mathematically sophisticated, aspects of our field—for instance, during their MSc. thesis work or at a doctoral level.


It has been very satisfying for us to witness a change of attitudes in the students taking our courses over the years. Indeed, we have gone from a state in which most of the students saw very little point in taking the course on which this material is based, to one in which the relevance of the material we cover is uncontroversial to many of them! At the time when an early version of our course was elective at Aalborg University, and taken only by a few mathematically inclined individuals, one of our students remarked in his course evaluation form that ‘This course ought to be mandatory for Computer Science students.’ Now the course is mandatory, it is attended by all of the MSc. students in Computer Science at Aalborg University, and most of them happily play with the theory and tools we introduce in the course.

How did this change in attitude come about? And why do we believe that this is an important change? In order to answer these questions, it might be best to describe first the general area of Computer Science this textbook aims at contributing to.

The correctness problem and its importance

Computer scientists build artifacts (implemented in hardware, software or, as is the case in the fast-growing area of embedded and interactive systems, using a combination of both) that are supposed to offer some well defined services to their users. Since these computing systems are deployed in very large numbers, and often control crucial, if not safety critical, industrial processes, it is vital that they correctly implement the specification of their intended behaviour. The problem of ascertaining whether a computing system does indeed offer the behaviour described by its specification is called the correctness problem, and is one of the most fundamental problems in Computer Science. The field of Computer Science that studies languages for the description of (models of) computer systems and their specifications, and (possibly automated) methods for establishing the correctness of systems with respect to their specifications is called algorithmic verification.

Despite their fundamental scientific and practical importance, however, 20th century computer and communication technology has not paid sufficient attention to issues related to correctness and dependability of systems in its drive toward faster and cheaper products. (See the editorial (Patterson, 2005) by David Patterson, former president of the ACM, for forceful arguments to this effect.) As a result, system crashes are commonplace, sometimes leading to very costly, when not altogether spectacular, system failures like Intel's Pentium-II bug in the floating-point division unit (Pratt, 1995) and the crash of the Ariane-5 rocket due to a conversion of a 64-bit real number to a 16-bit integer (Lions, n.d.).

Classic engineering disciplines have a time-honoured and effective approach to building artifacts that meet their intended specifications: before actually constructing the artifacts, engineers build models of the design to be built and subject it to a thorough analysis. Surprisingly, such an approach has only recently been used extensively in the development of computing systems.

This textbook, and the courses we have given over the years based on the material it presents, stem from our deep conviction that each well educated 21st century computer scientist should be well versed in the technology of algorithmic, model-based verification. Indeed, as recent advances in algorithmic verification and applications of model checking (Clarke, Gruemberg and Peled, 1999) have shown, the tools and ideas developed within these fields can be used to analyze designs of considerable complexity that, until a few years ago, were thought to be intractable using formal analysis and modelling tools. (Companies such as AT&T, Cadence, Fujitsu, HP, IBM, Intel, Motorola, NEC, Siemens and Sun—to mention but a few—are using these tools increasingly on their own designs to reduce time to market and ensure product quality.)

We believe that the availability of automatic software tools for model-based analysis of systems is one of the two main factors behind the increasing interest amongst students and practitioners alike in model-based verification technology. Another is the realization that even small reactive systems—for instance, relatively short concurrent algorithms—exhibit very complex behaviours due to their interactive nature. Unlike in the setting of sequential software, it is therefore not hard for the students to realize that systematic and formal analysis techniques are useful, when not altogether necessary, to obtain some level of confidence in the correctness of our designs. The tool support that is now available to explore the behaviour of models of systems expressed as collections of interacting state machines of some sort makes the theory presented in this textbook very appealing for many students at several levels of their studies.

It is our firmly held belief that only by teaching the beautiful theory of concurrent systems, together with its applications and associated verification tools, to our students, we shall be able to transfer the available technology to industry, and improve the reliability of embedded software and other reactive systems. We hope that this textbook will offer a small contribution to this pedagogical endeavour.

Why this book?

This book is by no means the first one devoted to aspects of the theory of reactive systems. Some of the books that have been published in this area over the last twenty years or so are the references (Baeten and Weijland, 1990; Fokkink, 2000; Hennessy, 1988; Hoare, 1985; Magee and Kramer, 1999; Milner, 1989; Roscoe, 1999; Schneider, 1999; Stirling, 2001) to mention but a few. However, unlike all the aforementioned books but (Fokkink, 2000; Magee and Kramer, 1999; Schneider, 1999), the present book was explicitly written to serve as a textbook, and offers a distinctive pedagogical approach to the material that derives from our extensive use of the material presented here in book form in the classroom. In writing this textbook we have striven to transfer on paper the spirit of the lectures on which this text is based. Our readers will find that the style in which this book is written is often colloquial, and attempts to mimic the Socratic dialogue with which we try to entice our student audience to take active part in the lectures and associated exercise sessions. Explanations of the material presented in this textbook are interspersed with questions to our readers and exercises that invite the readers to check straight away whether they understand the material as it is being presented. We believe that this makes this book suitable for self-study as well as for use as the main reference text in courses ranging from advanced BSc. courses to MSc. courses in Computer Science and related subjects.

Of course, it is not up to us to say whether we have succeeded in conveying the spirit of the lectures in the book you now hold in your hands, but we sincerely hope that our readers will experience some of the excitement that we still have in teaching our courses based on this material, and in seeing our students appreciate it, and enjoy working with concurrency theory and the tools it offers to analyze reactive systems.

For the instructor

We have used some of the material presented in this textbook in several one semester courses at Aalborg University and at Reykjavík University. These courses usually consist of about thirty hours of lectures and a similar number of hours of exercise sessions where the students solve exercises and work on projects related to the material in the course. As we already stated above, we strongly believe that these practical sessions play a very important role in making the students appreciate the importance of the theory they are learning, and understand it in depth. Examples of recent courses based on this book may be found at the following URLs:

• http://www.cs.aau.dk/~luca/SV/ (course given at Aalborg University in the spring 2004 by Luca Aceto),

• http://www.cs.auc.dk/~annai/HI/SV04/plan.html (course given at the University of Iceland in the spring 2004 by Anna Ingólfsdóttir),

• http://www.cs.aau.dk/~srba/courses/SV-05/ (course given at Aalborg University in the spring 2005 by Jiri Srba) and

• http://www.ru.is/kennarar/luca/MV/ (course given at Reykjavík University in the spring 2006 by Luca Aceto).


There the instructor will find suggested schedules for his/her courses, exercises that can be used to supplement those in the textbook, links to other useful teaching resources available on the web, further suggestions for student projects and electronic slides that can be used for the lectures. (As an example, we usually supplement lectures covering the material in this textbook with a series of four-six 45 minute lectures on Binary Decision Diagrams (Bryant, 1992) and their use in verification based on Henrik Reif Andersen's excellent lecture notes (Andersen, n.d.) that are freely available on the web and on Randel Bryant's survey paper (Bryant, 1992).)

We strongly recommend that the teaching of the material covered in this book be accompanied by the use of software tools for verification and validation. In our courses, we usually employ the Edinburgh Concurrency Workbench¹ for the part of the course devoted to classic reactive systems, and, not surprisingly, UPPAAL² for the lectures on real-time systems. Both of these tools are freely available, and their use makes the theoretical material covered during the lectures come alive for the students. Using the tools, the students will be able to analyze systems of considerable complexity, and we suggest that courses based upon this book be accompanied by two practical projects involving the use of these, or similar, tools for verification and validation.

We plan to maintain a page with all of the supporting material, and other useful resources for students and instructors alike, at the URL

http://www.ru.is/MV-BOOK/.

In writing this book, we have tried to be at once pedagogical, careful and precise. However, despite our efforts, we are sure that there is still room for improving this text, and correcting any mistake that may have escaped our attention. We shall use the aforementioned web page to inform the reader about additions and modifications to this book.

We welcome corrections (typographical or otherwise), comments and suggestions from our readers. You can contact us by sending an email at the addresses

[email protected] [email protected]

with subject line ‘RS Book’.

¹ http://homepages.inf.ed.ac.uk/perdita/cwb/
² http://www.uppaal.com/

Acknowledgments

This book was partly written while Luca Aceto was on leave from Aalborg University at Reykjavík University, Anna Ingólfsdóttir was working at deCODE Genetics, and Jiri Srba was visiting the University of Stuttgart sponsored by a grant from the Alexander von Humboldt Foundation. They thank these institutions for their hospitality and excellent working conditions. Luca Aceto and Anna Ingólfsdóttir were partly supported by the project ‘The Equational Logic of Parallel Processes’ (nr. 060013021) of The Icelandic Research Fund.

We thank Silvio Capobianco, Pierre-Louis Curien, Gudmundur Hreidarson, Rocco De Nicola, Ralph Leibmann and the students of the Concurrency Course (Concurrence) (number 2–3) 2004–2005, Master Parisien de Recherche en Informatique, for useful comments and corrections on drafts of this text.

The authors used drafts of the book in courses taught in the spring of 2004, 2005 and 2006, and in the autumn 2006, at Aalborg University, Reykjavík University and the University of Iceland. The students who took those courses offered valuable feedback on the text, and gave us detailed lists of errata. We thank Claus Brabrand for using a draft of the first part of this book in his course Semantics (Q1, 2005) at Aarhus University. The suggestions from Claus and his students helped us improve the text further. Moreover, Claus and one of his students designed and implemented an excellent CCS simulator³ that our students can use to experiment with the behaviour of processes written in this language.

Last, but not least, we are thankful to David Tranah at Cambridge University Press for his enthusiasm for our project, and to the three anonymous reviewers that provided useful comments on a draft of this book.

Any remaining infelicity is solely our responsibility.

Luca Aceto and Anna Ingólfsdóttir dedicate this book to their son Robert.

Luca Aceto and Anna Ingólfsdóttir, Reykjavík, Iceland
Kim G. Larsen and Jiri Srba, Aalborg, Denmark

³ http://www.brics.dk/~martinm/CCSVisualizer.html


Part I

A Classic Theory of Reactive Systems


Chapter 1

Introduction

The aim of the first part of this book is to introduce three of the basic notions that we shall use to describe, specify and analyze reactive systems, namely

• Milner's Calculus of Communicating Systems (CCS) (Milner, 1989),

• the model of Labelled Transition Systems (LTSs) (Keller, 1976), and

• Hennessy-Milner Logic (HML) (Hennessy and Milner, 1985) and its extension with recursive definitions of formulae (Larsen, 1990).

We shall present a general theory of reactive systems and its applications. In particular, we intend to show how

1. to describe actual systems using terms in our chosen models (that is, either as terms in the process description language CCS or as labelled transition systems),

2. to offer specifications of the desired behaviour of systems either as terms of our models or as formulae in HML, and

3. to manipulate these descriptions, possibly (semi-)automatically, in order to analyze the behaviour of the model of the system under consideration.

In the second part of the book, we shall introduce a similar trinity of basic notions that will allow us to describe, specify and analyze real-time systems—that is, systems whose behaviour depends crucially on timing constraints. There we shall present the formalisms of timed automata (Alur and Dill, 1994) and Timed CCS (Wang, 1990; Wang, 1991a; Wang, 1991b) to describe real-time systems, the model of timed labelled transition systems and a real-time version of Hennessy-Milner Logic (Laroussinie, Larsen and Weise, 1995).


After having worked through the material in this book, you will be able to describe non-trivial reactive systems and their specifications using the aforementioned models, and verify the correctness of a model of a system with respect to given specifications either manually or by using automatic verification tools like the Edinburgh Concurrency Workbench (Cleaveland, Parrow and Steffen, 1993) and UPPAAL (Behrmann, David and Larsen, 2004).

Our, somewhat ambitious, aim is therefore to present a model of reactive systems that supports their design, specification and verification. Moreover, since many real-life systems are hard to analyze manually, we should like to have computer support for our verification tasks. This means that all the models and languages that we shall use in this book need to have a formal syntax and semantics. (The syntax of a language consists of the rules governing the formation of statements, whereas its semantics assigns meaning to each of the syntactically correct statements in the language.) These requirements of formality are not only necessary in order to be able to build computer tools for the analysis of systems' descriptions, but are also fundamental in agreeing upon what the terms in our models are actually intended to describe in the first place. Moreover, as Donald Knuth once wrote:

A person does not really understand something until after teaching it to a computer, i.e. expressing it as an algorithm. . . . An attempt to formalize things as algorithms leads to a much deeper understanding than if we simply try to comprehend things in the traditional way.

The pay-off of using formal models with an explicit formal semantics to describe our systems will therefore be the possibility of devising algorithms for the animation, simulation and verification of system models. These would be impossible to obtain if our models were specified only in an informal notation.

Now that we know what to expect from this book, it is time to get to work. We shall begin our journey through the beautiful land of Concurrency Theory by introducing a prototype description language for reactive systems and its semantics. However, before setting off on such an enterprise, we should describe in more detail what we actually mean with the term ‘reactive system’.

1.1 What are reactive systems?

The ‘standard’ view of computing systems is that, at a high level of abstraction, these may be considered as black boxes that take inputs and provide appropriate outputs. This view agrees with the description of algorithmic problems. An algorithmic problem is specified by a collection of legal inputs, and, for each legal input, its expected output. In an imperative setting, an abstract view of a computing system may therefore be given by describing how it transforms an initial state—that is, a function from variables to their values—to a final state. This function will, in general, be partial—that is, it may be undefined for some initial states—to capture that the behaviour of a computing system may be non-terminating for some input states. For example, the effect of the program

S = z ← x; x ← y; y ← z

is described by the function [[S]] from states to states defined thus:

[[S]] = λs. s[x ↦ s(y), y ↦ s(x), z ↦ s(x)] ,

where the state s[x ↦ s(y), y ↦ s(x), z ↦ s(x)] is the one in which the value of variable x is the value of y in state s and that of variables y and z is the value of x in state s. The values of all of the other variables are those they had in state s. This state transformation is a way of formally describing that the intended effect of S is essentially to swap the values of the variables x and y.

On the other hand, the effect of the program

U = while true do skip ,

where we use skip to stand for a ‘no operation’, is described by the partial function from states to states given by

[[U]] = λs. undefined,

that is the always undefined function. This captures the fact that the computation of U never produces a result (final state) irrespective of the initial state.
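The state-transformer view of S and U above can be made executable. The following Python program is an added example, not code from the book: it gives a denotational semantics to a tiny imperative language (assignment, sequencing, while, skip) in which a state is a dictionary from variable names to integers and the meaning of a statement is a partial function from states to states, with None standing for ‘undefined’. The abstract syntax classes, the fuel bound used to approximate non-termination, and the countdown loop W are all constructions of this example; S and U are the two programs from the text.

```python
"""Denotational semantics of a tiny imperative language (added example).

[[stmt]] is a partial function from states to states. Python cannot decide
non-termination, so a bound on loop iterations ('fuel') is used instead:
a loop that exhausts its fuel is reported as undefined (None). This bound is
an assumption of the example, not part of the semantics given in the text.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Union

State = dict                     # variable name -> int
Partial = Optional[State]        # None means 'undefined'


# Abstract syntax, constructed for this example.
@dataclass(frozen=True)
class Assign:                    # v <- e ; e is a variable, a literal or a function of the state
    var: str
    expr: Union[str, int, Callable[[State], int]]


@dataclass(frozen=True)
class Seq:                       # S1 ; S2
    first: "Stmt"
    second: "Stmt"


@dataclass(frozen=True)
class While:                     # while cond do body
    cond: Callable[[State], bool]
    body: "Stmt"


@dataclass(frozen=True)
class Skip:                      # no operation
    pass


Stmt = Union[Assign, Seq, While, Skip]


def eval_expr(e, s: State) -> int:
    if callable(e):
        return e(s)
    return e if isinstance(e, int) else s[e]


def meaning(stmt: Stmt, fuel: int = 10_000) -> Callable[[State], Partial]:
    """Return [[stmt]] as a partial state transformer."""
    def run(s: State) -> Partial:
        if isinstance(stmt, Skip):
            return s
        if isinstance(stmt, Assign):
            t = dict(s)                          # states are values: never mutate the input
            t[stmt.var] = eval_expr(stmt.expr, s)
            return t
        if isinstance(stmt, Seq):
            mid = meaning(stmt.first, fuel)(s)
            return None if mid is None else meaning(stmt.second, fuel)(mid)
        if isinstance(stmt, While):
            body = meaning(stmt.body, fuel)
            cur, steps = s, 0
            while stmt.cond(cur):
                if steps >= fuel:
                    return None                  # treated as non-termination
                cur = body(cur)
                if cur is None:
                    return None                  # the body itself diverged
                steps += 1
            return cur
        raise TypeError(f"unknown statement {stmt!r}")
    return run


# S = z <- x; x <- y; y <- z  (the swap program from the text)
S = Seq(Assign("z", "x"), Seq(Assign("x", "y"), Assign("y", "z")))
# U = while true do skip      (the divergent program from the text)
U = While(lambda s: True, Skip())
# W = while x > 0 do x <- x - 1  (a terminating loop, constructed for contrast)
W = While(lambda s: s["x"] > 0, Assign("x", lambda s: s["x"] - 1))


def run_swap(x: int, y: int, z: int = 0) -> Partial:
    return meaning(S)({"x": x, "y": y, "z": z})


def run_diverge(x: int = 0) -> Partial:
    return meaning(U)({"x": x})


def run_countdown(n: int) -> Partial:
    return meaning(W)({"x": n})


if __name__ == "__main__":
    print(run_swap(1, 2))        # {'x': 2, 'y': 1, 'z': 1}: x and y swapped, z = old x
    print(run_countdown(3))      # {'x': 0}
    print(run_diverge())         # None: [[U]] is undefined everywhere
```

Running it shows the three cases side by side: [[S]] is total and leaves every variable other than x, y and z untouched, [[W]] terminates for every non-negative start value, and [[U]] yields None for every initial state, which is the executable counterpart of ‘the always undefined function’.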

In this view of computing systems, non-termination is a highly undesirable phenomenon. An algorithm that fails to terminate on some inputs is not one the users of a computing system would expect to have to use. A moment of reflection, however, should make us realize that we already use many computing systems whose behaviour cannot be readily described as a function from inputs to outputs—not least because, at some level of abstraction, these systems are inherently meant to be non-terminating. Examples of such computing systems are

• operating systems,

• communication protocols,

• control programs, and


• software running in embedded system devices like mobile telephones.

At a high level of abstraction, the behaviour of a control program can be seen to be governed by the following pseudo-code algorithm skeleton.

loop
    read the sensors’ values at regular intervals
    depending on the sensors’ values trigger the relevant actuators
forever

The aforementioned examples, and many others, are examples of computing systems that interact with their environment by exchanging information with it. Like the neurons in a human brain, these systems react to stimuli from their computing environment (in the example control program above these are variations in the values of the sensors) by possibly changing their state or mode of computation, and in turn influence their environment by sending back some signals to it, or initiating some operations whose effect it is to affect the computing environment (this is the role played by the actuators in the example control program). David Harel and Amir Pnueli coined the term reactive system in (Harel and Pnueli, 1985) to describe a system that, like the aforementioned ones, computes by reacting to stimuli from its environment.

As the above examples and discussion indicate, reactive systems are inherently parallel systems, and a key role in their behaviour is played by communication and interaction with their computing environment. A ‘standard’ computing system can also be viewed as a reactive system in which interaction with the environment only takes place at the beginning of the computation (when inputs are fed to the computing device) and at the end (when the output is received). On the other hand, all the example systems given before maintain a continuous interaction with their environment, and we may think of both the computing system and its environment as parallel processes that communicate one with the other. In addition, as again nicely exemplified by the skeleton of a control program given above, non-termination is a desirable feature of some reactive systems. In contrast to the setting of ‘standard’ computing systems, we certainly do not expect the operating systems running on our computers or the control program monitoring a nuclear reactor to terminate!

Now that we have an idea of what reactive systems are, and of the key aspects of their behaviour, we can begin to consider what an appropriate abstract model for this class of systems should offer. In particular, such a model should allow us to describe the behaviour of collections of (possibly non-terminating) parallel processes that may compute independently and interact with one another. It should provide us with facilities for the description of well-known phenomena that appear in the presence of concurrency and are familiar to us from the world of operating systems and parallel computation in general (e.g., deadlock, livelock, starvation and so on). Finally, in order to abstract from implementation dependent issues having to do with, e.g., scheduling policies, the chosen model should permit a clean description of non-determinism—a most useful modelling tool in Computer Science.

Our aim in the remainder of this book will be to present a general purpose theory that can be used to describe, and reason about, any collection of interacting processes. The approach we shall present will make use of a collection of models and formal techniques that is often referred to as Process Theory. The key ingredients in this approach are

• (Process) Algebra,

• Automata/labelled transition systems,

• Structural Operational Semantics, and

• Logic.

These ingredients give the foundations for the development of (semi-)automatic verification tools for reactive systems that support various formal methods for validation and verification that can be applied to the analysis of highly non-trivial computing systems. The development of these tools requires in turn advances in algorithmics, and via the increasing complexity of the analyzed designs feeds back to the theory development phase by suggesting the invention of new languages and models for the description of reactive systems.

Unlike in the setting of sequential programs, where we often kid ourselves into believing that the development of correct programs can be done without any recourse to ‘formalism’, it is a well-recognized fact of life that the behaviour of even very short parallel programs may be very hard to analyze and understand. Indeed, analyzing these programs requires a careful consideration of issues related to the interactions amongst their components, and even imagining all of these is often a mind-boggling task. As a result, the techniques and tools that we shall present in this book are becoming widely accepted in the academic and industrial communities that develop reactive systems.

1.2 Process algebras

The first ingredient in the approach to the theory of reactive systems presented in this book is a prototypical example of a process algebra. Process algebras are prototype specification languages for reactive systems. They evolved from the insights of many outstanding researchers over the last thirty years, and a brief history of the evolution of the original ideas that led to their development may be found in (Baeten, 2004). (For an accessible, but more advanced, discussion of the role that algebra plays in process theory you may consult the survey paper (Luttik, 2006).) A crucial initial observation that is at the heart of the notion of process algebra is due to Milner, who noticed that concurrent processes have an algebraic structure. For example, once we have built two processes $P$ and $Q$, we can form a new process by combining $P$ and $Q$ sequentially or in parallel. The result of these combinations will be a new process whose behaviour depends on that of $P$ and $Q$ and on the operation that we have used to compose them. This is the first sense in which these description languages are algebraic: they consist of a collection of operations for building new process descriptions from existing ones.

Since these languages aim at specifying parallel processes that may interact with one another, a key issue that needs to be addressed is how to describe communication/interaction between processes running at the same time. Communication amounts to information exchange between a process that produces the information (the sender), and a process that consumes it (the receiver). We often think of this communication of information as taking place via some medium that connects the sender and the receiver. If we are to develop a theory of communicating systems based on this view, it looks as if we have to decide upon the communication medium used in inter-process communication. Several possible choices immediately come to mind. Processes may communicate via, e.g., (un)bounded buffers, shared variables, some unspecified ether, or the tuple spaces used by Linda-like languages (Gelernter, 1985). Which one do we choose? The answer is not at all clear, and each specific choice may in fact reduce the applicability of our language and the models that support it. A language that can properly describe processes that communicate via, say, FIFO buffers may not readily allow us to specify situations in which processes interact via shared variables, say.

The solution to this riddle is both conceptually simple and general. One of the crucial original insights of figures like Hoare and Milner is that we need not distinguish between active components like senders and receivers, and passive ones like the aforementioned kinds of communication media. All of these may be viewed as processes—that is, as systems that exhibit behaviour. All of these processes can interact via message-passing modelled as synchronized communication, which is the only basic mode of interaction. This is the key idea underlying Hoare’s Communicating Sequential Processes (CSP) (Hoare, 1978; Hoare, 1985), a highly influential proposal for a programming language for parallel programs, and Milner’s Calculus of Communicating Systems (CCS) (Milner, 1989), the paradigmatic process algebra.


Chapter 2

The language CCS

We shall now introduce the language CCS. We begin by informally presenting the process constructions allowed in this language and their semantics in Section 2.1. We then proceed to put our developments on a more formal footing in Section 2.2.

2.1 Some CCS process constructions

It is useful to begin by thinking of a CCS process as a black box. This black box may have a name that identifies it, and has a process interface. This interface describes the collection of communication ports, also referred to as channels, that the process may use to interact with other processes that reside in its environment, together with an indication of whether it uses these ports for inputting or outputting information. For example, the drawing in Figure 2.1 pictures the interface for a process whose name is CS (for Computer Scientist). This process may interact with its environment via three ports, or communication channels, namely coffee, coin and pub. The port coffee is used for input, whereas the ports coin and pub are used by process CS for output. In general, given a port name $a$, we use $\overline{a}$ for output on port $a$. We shall often refer to labels such as $coffee$ or $\overline{coin}$ as actions.

A description like the one given in Figure 2.1 only gives static information about a process. What we are most interested in is the behaviour of the process being specified. The behaviour of a process is described by giving a ‘CCS program’. The idea being that, as we shall see soon, the process constructions that are used in building the program allow us to describe both the structure of a process and its behaviour.

Inaction, prefixing and recursive definitions Let us begin by introducing the constructs of the language CCS by means of examples. The most basic process of all is the process $0$ (read ‘nil’). This is the most boring process imaginable, as it performs no action whatsoever. The process $0$ offers the prototypical example of a deadlocked behaviour—one that cannot proceed any further in its computation.

Figure 2.1: The interface for process CS (input port coffee; output ports $\overline{coin}$ and $\overline{pub}$)

The most basic process constructor in CCS is action prefixing. Two example processes built using $0$ and action prefixing are a match and a complex match, described by the expressions

$strike.0$ and $take.strike.0$ ,

respectively. Intuitively, a match is a process that dies when stricken (i.e., that becomes the process $0$ after executing the action $strike$), and a complex match is one that needs to be taken before it can behave like a match. More in general, the formation rule for action prefixing says that:

If $P$ is a process and $a$ is a label, then $a.P$ is a process.

The idea is that a label, like $strike$ or $\overline{pub}$, will denote an input or output action on a communication port, and that the process $a.P$ is one that begins by performing action $a$ and behaves like $P$ thereafter.

We have already mentioned that processes can be given names, very much like procedures can. This means that we can introduce names for (complex) processes, and that we can use these names in defining other process descriptions. For instance, we can give the name Match to the complex match thus:

$\mathrm{Match} \stackrel{\mathrm{def}}{=} take.strike.0$ .

The introduction of names for processes allows us to give recursive definitions of process behaviours—compare with the recursive definition of procedures or methods in your favourite programming language. For instance, we may define the behaviour of an everlasting clock thus:

$\mathrm{Clock} \stackrel{\mathrm{def}}{=} tick.\mathrm{Clock}$ .

Note that, since the process name Clock is a short-hand for the term on the right-hand side of the above equation, we may repeatedly replace the name Clock with its definition to obtain that

$$\begin{aligned}
\mathrm{Clock} &\stackrel{\mathrm{def}}{=} tick.\mathrm{Clock} \\
&= tick.tick.\mathrm{Clock} \\
&= tick.tick.tick.\mathrm{Clock} \\
&\;\;\vdots \\
&= \underbrace{tick.\cdots.tick}_{n\text{-times}}.\mathrm{Clock} ,
\end{aligned}$$

for each positive integer $n$. As another recursive process specification, consider that of a simple coffee vending machine:

$\mathrm{CM} \stackrel{\mathrm{def}}{=} coin.\overline{coffee}.\mathrm{CM}$ . (2.1)

This is a machine that is willing to accept a coin as input, deliver coffee to its customer, and thereafter return to its initial state.

Choice The CCS constructs that we have presented so far would not allow us to describe the behaviour of a vending machine that allows its paying customer to choose between tea and coffee, say. In order to allow for the description of processes whose behaviour may follow different patterns of interaction with their environment, CCS offers the choice operator, which is written ‘+’. For example, a vending machine offering either tea or coffee may be described thus:

$\mathrm{CTM} \stackrel{\mathrm{def}}{=} coin.(\overline{coffee}.\mathrm{CTM} + \overline{tea}.\mathrm{CTM})$ . (2.2)

The idea here is that, after having received a coin as input, the process CTM is willing to deliver either coffee or tea, depending on its customer’s choice. In general, the formation rule for choice states that:

If $P$ and $Q$ are processes, then so is $P + Q$.

The process $P + Q$ is one that has the initial capabilities of both $P$ and $Q$. However, choosing to perform initially an action from $P$ will pre-empt the further execution of actions from $Q$, and vice versa.


Exercise 2.1 Give a CCS process that describes a clock that ticks at least once, and that may stop ticking after each clock tick. □

Exercise 2.2 Give a CCS process that describes a coffee machine that may behave like that given by (2.1), but may also steal the money it receives and fail at any time. □

Exercise 2.3 A finite process graph $T$ is a quadruple $(Q, A, \delta, q_0)$, where

• $Q$ is a finite set of states,

• $A$ is a finite set of labels,

• $q_0 \in Q$ is the start state and

• $\delta : Q \times A \to 2^Q$ is the transition function.

Using the operators introduced so far, give a CCS process that ‘describes $T$’. □

Parallel composition It is well-known that a computer scientist working in a research university is a machine for turning coffee into publications. The behaviour of such an academic may be described by the CCS process

$\mathrm{CS} \stackrel{\mathrm{def}}{=} \overline{pub}.\overline{coin}.coffee.\mathrm{CS}$ . (2.3)

As made explicit by the above description, a computer scientist is initially keen to produce a publication—possibly straight out of her doctoral dissertation—, but she needs coffee to produce her next publication. Coffee is only available through interaction with the departmental coffee machine CM. In order to describe systems consisting of two or more processes running in parallel, and possibly interacting with each other, CCS offers the parallel composition operation, which is written ‘|’. For example, the CCS expression CM | CS describes a system consisting of two processes—the coffee machine CM and the computer scientist CS—that run in parallel one with the other. These two processes may communicate via the communication ports they share and use in complementary fashion, namely coffee and coin. By complementary, we mean that one of the processes uses the port for input and the other for output. Potential communications are represented in Figure 2.2 by the solid lines linking complementary ports. The port pub is instead used by the computer scientist to communicate with her research environment, or, more prosaically, with other processes that may be present in her environment and that are willing to accept input along that port. One important thing to note is that the link between complementary ports in Figure 2.2 denotes that it is possible for the computer scientist and the coffee machine to communicate in the parallel composition CM | CS. However, we do not require that they must communicate with one another. Both the computer scientist and the coffee machine could use their complementary ports to communicate with other reactive systems in their environment. For example, another computer scientist CS′ can use the coffee machine CM, and, in so doing, make sure that he can produce publications to beef up his curriculum vitae, and thus be a worthy competitor for CS in the next competition for a tenured position. (See Figure 2.3.) Alternatively, the computer scientist may have access to another coffee machine in her environment, as pictured in Figure 2.4.

Figure 2.2: The interface for process CM | CS (the complementary ports coin and coffee of CM and CS are linked; the port pub of CS remains open to the environment)

In general, given two CCS expressions $P$ and $Q$, the process $P \mid Q$ describes a system in which

• $P$ and $Q$ may proceed independently or

• may communicate via complementary ports.

Restriction and relabelling Since academics like the computer scientist often live in a highly competitive ‘publish or perish’ environment, it may be fruitful for her to make the coffee machine CM private to her, and therefore inaccessible to her competitors. To make this possible, the language CCS offers an operation called restriction, whose aim is to delimit the scope of channel names in much the same way as variables have scope in block structured programming languages. For instance, using the operations $\setminus coin$ and $\setminus coffee$, we may hide the coin and coffee ports from the environment of the processes CM and CS. Define the process SmUni (for ‘Small University’) thus:

$\mathrm{SmUni} \stackrel{\mathrm{def}}{=} (\mathrm{CM} \mid \mathrm{CS}) \setminus coin \setminus coffee$ . (2.4)

Figure 2.3: The interface for process CM | CS | CS′ (both computer scientists can use the coin and coffee ports of CM; each keeps her or his own pub port)

Figure 2.4: The interface for process CM | CS | CM′ (the computer scientist can use the coin and coffee ports of either coffee machine)

As pictured in Figure 2.5, the restricted coin and coffee ports may now only be used for communication between the computer scientist and the coffee machine, and are not available for interaction with their environment. Their scope is restricted to the process SmUni. The only port of SmUni that is visible to its environment, e.g., to the competing computer scientist CS′, is the one via which the computer scientist CS outputs her publications. In general, the formation rule for restriction is as follows:

If $P$ is a process and $L$ is a set of port names, then $P \setminus L$ is a process.

In $P \setminus L$, the scope of the port names in $L$ is restricted to $P$—those port names can only be used for communication within $P$.

Since a computer scientist cannot live on coffee alone, it is beneficial for her to have access to other types of vending machines offering, say, chocolate, dried figs and crisps. The behaviour of these machines may be easily specified by means of minor variations on equation (2.1). For instance, we may define the processes

Figure 2.5: The interface for process SmUni | CS′ (only the pub ports are visible; coin and coffee are hidden inside SmUni)

$$\begin{aligned}
\mathrm{CHM} &\stackrel{\mathrm{def}}{=} coin.\overline{choc}.\mathrm{CHM} \\
\mathrm{DFM} &\stackrel{\mathrm{def}}{=} coin.\overline{figs}.\mathrm{DFM} \\
\mathrm{CRM} &\stackrel{\mathrm{def}}{=} coin.\overline{crisps}.\mathrm{CRM} .
\end{aligned}$$

Note, however, that all of these vending machines follow a common behavioural pattern, and may be seen as specific instances of a generic vending machine that receives a coin as input, dispenses an item and restarts, namely the process

$\mathrm{VM} \stackrel{\mathrm{def}}{=} coin.\overline{item}.\mathrm{VM}$ .

All of the aforementioned specific vending machines may be obtained as appropriate ‘renamings’ of VM. For example,

$\mathrm{CHM} \stackrel{\mathrm{def}}{=} \mathrm{VM}[choc/item]$ ,

where $\mathrm{VM}[choc/item]$ is a process that behaves like VM, but outputs chocolate whenever VM dispenses the generic item. In general,

If $P$ is a process and $f$ is a function from labels to labels satisfying certain requirements that will be made precise in Section 2.2, then $P[f]$ is a process.

By introducing the relabelling operation, we have completed our informal tour of the operations offered by the language CCS for the description of process behaviours. We hope that this informal introduction has given our readers a feeling for the language, and that our readers will agree with us that CCS is indeed a language based upon very few operations with an intuitively clear semantic interpretation. In passing, we have also hinted at the fact that CCS processes may be seen as defining automata which describe their behaviour—see Exercise 2.3. We shall now expand a little on the connection between CCS expressions and the automata describing their behaviour. The presentation will again be informal, as we plan to highlight the main ideas underlying this connection rather than to focus immediately on the technicalities. The formal connection between CCS expressions and labelled transition systems will be presented in Section 2.2 using the tools of Structural Operational Semantics (Plotkin, 1981; Plotkin, 2004b).

2.1.1 The behaviour of processes

The key idea underlying the semantics of CCS is that a process passes through states during its execution; processes change their state by performing actions. For instance, for the purpose of notational convenience in what follows, let us redefine the process CS (originally defined in equation (2.3)) as in Table 2.1. (This is the definition of the process CS that we shall use from now on, both when discussing its behaviour in isolation and in the context of other processes—for instance, as a component of the process SmUni.) Process CS can perform action $\overline{pub}$ and evolve into a process whose behaviour is described by the CCS expression CS1 in doing so. Process CS1 can then output a coin, thereby evolving into a process whose behaviour is described by the CCS expression CS2. Finally, this process can receive coffee as input, and behave like our good old CS all over again. Thus the processes CS, CS1 and CS2 are the only possible states of the computation of process CS. Note, furthermore, that there is really no conceptual difference between processes and their states! By performing an action, a process evolves to another process that describes what remains to be executed of the original one.

$$\begin{aligned}
\mathrm{CS} &\stackrel{\mathrm{def}}{=} \overline{pub}.\mathrm{CS1} \\
\mathrm{CS1} &\stackrel{\mathrm{def}}{=} \overline{coin}.\mathrm{CS2} \\
\mathrm{CS2} &\stackrel{\mathrm{def}}{=} coffee.\mathrm{CS}
\end{aligned}$$

Table 2.1: An alternative formulation for process CS

In CCS, processes change state by performing transitions, and these transitions are labelled by the action that caused them. An example state transition is

$\mathrm{CS} \xrightarrow{\overline{pub}} \mathrm{CS1}$ ,

which says that CS can perform action $\overline{pub}$, and become CS1 in doing so. The operational behaviour of our computer scientist CS is therefore completely described by the following labelled transition system.

$\mathrm{CS} \xrightarrow{\overline{pub}} \mathrm{CS1} \xrightarrow{\overline{coin}} \mathrm{CS2} \xrightarrow{coffee} \mathrm{CS}$

(The last transition leads back to CS, so the three states form a cycle.)

In much the same way, we can make explicit the set of states of the coffee machine described in equation (2.1) by rewriting that equation thus:

$$\begin{aligned}
\mathrm{CM} &\stackrel{\mathrm{def}}{=} coin.\mathrm{CM1} \\
\mathrm{CM1} &\stackrel{\mathrm{def}}{=} \overline{coffee}.\mathrm{CM} .
\end{aligned}$$


Note that the computer scientist is willing to output a coin in state CS1, as witnessed by the transition

$\mathrm{CS1} \xrightarrow{\overline{coin}} \mathrm{CS2}$ ,

and the coffee machine is willing to accept that coin in its initial state, because of the transition

$\mathrm{CM} \xrightarrow{coin} \mathrm{CM1}$ .

Therefore, when put in parallel with one another, these two processes may communicate and change state simultaneously. The result of the communication should be described as a state transition of the form

$\mathrm{CM} \mid \mathrm{CS1} \xrightarrow{?} \mathrm{CM1} \mid \mathrm{CS2}$ .

However, we are now faced with an important design decision—namely, we should decide what label to use in place of the ‘?’ labelling the above transition. Should we decide to use a standard label denoting input or output on some port, then a third process might be able to synchronize further with the coffee machine and the computer scientist, leading to multi-way synchronization. The choice made by Milner in his design of CCS is different. In CCS, communication is via handshake, and leads to a state transition that is unobservable, in the sense that it cannot synchronize further. This state transition is labelled by a new label $\tau$. So the above transition is indicated by

$\mathrm{CM} \mid \mathrm{CS1} \xrightarrow{\tau} \mathrm{CM1} \mid \mathrm{CS2}$ .

In this way, the behaviour of the process SmUni defined by equation (2.4) can be described by the following labelled transition system.

$$\begin{aligned}
\mathrm{SmUni} &\xrightarrow{\overline{pub}} (\mathrm{CM} \mid \mathrm{CS1}) \setminus coin \setminus coffee \\
(\mathrm{CM} \mid \mathrm{CS1}) \setminus coin \setminus coffee &\xrightarrow{\tau} (\mathrm{CM1} \mid \mathrm{CS2}) \setminus coin \setminus coffee \\
(\mathrm{CM1} \mid \mathrm{CS2}) \setminus coin \setminus coffee &\xrightarrow{\tau} (\mathrm{CM} \mid \mathrm{CS}) \setminus coin \setminus coffee \\
(\mathrm{CM} \mid \mathrm{CS}) \setminus coin \setminus coffee &\xrightarrow{\overline{pub}} (\mathrm{CM} \mid \mathrm{CS1}) \setminus coin \setminus coffee
\end{aligned}$$

Since $\tau$ actions are supposed to be unobservable, the following process seems to be an appropriate high level specification of the behaviour exhibited by process SmUni:

$\mathrm{Spec} \stackrel{\mathrm{def}}{=} \overline{pub}.\mathrm{Spec}$ .

Indeed, we expect that SmUni and Spec describe the same observable behaviour, albeit at different levels of abstraction. We shall see in the remainder of this book that one of the big questions in process theory is to come up with notions of ‘behavioural equivalence’ between processes that will allow us to establish formally that, for instance, SmUni and Spec do offer the same behaviour. But this is getting ahead of our story.

2.2 CCS, formally

Having introduced CCS by example, we now proceed to present formal definitions for its syntax and semantics.

2.2.1 The model of labelled transition systems

We have already indicated in our examples how the operational semantics for CCS can be given in terms of automata—which we have called labelled transition systems, as customary in concurrency theory. These we now proceed to define, for the sake of clarity. We first introduce the ingredients in the model of labelled transition systems informally, and then provide its formal definition.

In the model of labelled transition systems, processes are represented by vertices of certain edge-labelled directed graphs (the labelled transition systems themselves) and a change of process state caused by performing an action is understood as moving along an edge, labelled by the action name, that goes out of that state.

A labelled transition system consists therefore of a set of states (also referred to as processes or configurations), a set of labels (or actions), and a transition relation $\to$ describing changes in process states: if a process $p$ can perform an action $a$ and become a process $p'$, we write $p \xrightarrow{a} p'$. Sometimes a state is singled out as the start state in the labelled transition system under consideration. In that case, we say that the labelled transition system is rooted.

Example 2.1 Let us start with a variation on the classic example of a tea/coffee vending machine. The very simplified behaviour of the process which determines the interaction of the machine with a customer can be described as follows. From the initial state—say, $p$—representing the situation ‘waiting for a request’, two possible actions are enabled. Either the tea button or the coffee button can be pressed (the corresponding action ‘tea’ or ‘coffee’ is executed) and the internal state of the machine changes accordingly to $p_1$ or $p_2$. Formally, this can be described by the transitions

$p \xrightarrow{tea} p_1$ and $p \xrightarrow{coffee} p_2$ .

The target state $p_1$ records that the customer has requested tea, whereas $p_2$ describes the situation in which coffee has been selected.

Now the customer is asked to insert the corresponding amount of money, let us say one euro for a cup of tea and two euros for a cup of coffee. This is reflected by corresponding changes in the control state of the vending machine. These state changes can be modelled by the transitions

$p_1 \xrightarrow{\text{1€}} p_3$ and $p_2 \xrightarrow{\text{2€}} p_3$ ,

whose target state $p_3$ records that the machine has received payment for the chosen drink.

Finally, the drink is collected and the machine returns to its initial state $p$, ready to accept the request of another customer. This corresponds to the transition

$p_3 \xrightarrow{collect} p$ .

It is often convenient and suggestive to use a graphical representation for labelled transition systems. The following picture represents the tea/coffee machine described above.

[Picture: the labelled transition system with states $p$, $p_1$, $p_2$ and $p_3$ and the transitions $p \xrightarrow{tea} p_1$, $p \xrightarrow{coffee} p_2$, $p_1 \xrightarrow{\text{1€}} p_3$, $p_2 \xrightarrow{\text{2€}} p_3$ and $p_3 \xrightarrow{collect} p$.]

Sometimes, when referring only to the process $p$, we do not have to give names to the other process states (in our example $p_1$, $p_2$ and $p_3$) and it is sufficient to provide the following labelled transition system for the process $p$.

[Picture: the same labelled transition system for $p$ with the other states left unnamed (drawn as •): $p \xrightarrow{tea} • \xrightarrow{\text{1€}} • \xrightarrow{collect} p$ and $p \xrightarrow{coffee} • \xrightarrow{\text{2€}} •$, where both payment transitions end in the same unnamed state.]

Figure 2.6: Labelled transition system with initial state $p$ (states $p$, $p_1$ and $p_2$ with actions $a$, $b$, $c$ and $d$: $p \xrightarrow{a} p_1$, $p_1 \xrightarrow{b} p$, while $p_2$ carries a $c$-labelled loop and a $d$-labelled transition but is not reachable from $p$)

Remark 2.1 The definition of a labelled transition system permits situations like that in Figure 2.6 (where $p$ is the initial state). In that labelled transition system, the state $p_2$, where the action $c$ can be performed in a loop, is irrelevant for the behaviour of the process $p$ since, as you can easily check, $p_2$ can never be reached from $p$. This motivates us to introduce the notion of reachable states. We say that a state $p'$ in the transition system representing a process $p$ is reachable from $p$ iff there exists a directed path from $p$ to $p'$. The set of all such states is called the set of reachable states. In our example this set contains exactly two states, namely $p$ and $p_1$. □

Definition 2.1 [Labelled transition system] A labelled transition system (LTS) (at times also called a transition graph) is a triple $(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$, where:

• $Proc$ is a set of states (or processes);

• $Act$ is a set of actions (or labels);

• $\xrightarrow{a} \subseteq Proc \times Proc$ is a transition relation, for every $a \in Act$. As usual, we shall use the more suggestive notation $s \xrightarrow{a} s'$ in lieu of $(s, s') \in \xrightarrow{a}$, and write $s \stackrel{a}{\nrightarrow}$ (read '$s$ refuses $a$') iff $s \xrightarrow{a} s'$ for no state $s'$.

A labelled transition system is finite if its sets of states and actions are both finite. □

For example, the LTS for the process SmUni defined by equation 2.4 on page 13 (see page 19) is formally specified thus:

$$Proc = \{SmUni,\ (CM \mid CS_1) \setminus coin \setminus coffee,\ (CM_1 \mid CS_2) \setminus coin \setminus coffee,\ (CM \mid CS) \setminus coin \setminus coffee\}$$

$$Act = \{pub, \tau\}$$

$$\xrightarrow{pub} = \{(SmUni,\ (CM \mid CS_1) \setminus coin \setminus coffee),\ ((CM \mid CS) \setminus coin \setminus coffee,\ (CM \mid CS_1) \setminus coin \setminus coffee)\} , \text{ and}$$

$$\xrightarrow{\tau} = \{((CM \mid CS_1) \setminus coin \setminus coffee,\ (CM_1 \mid CS_2) \setminus coin \setminus coffee),\ ((CM_1 \mid CS_2) \setminus coin \setminus coffee,\ (CM \mid CS) \setminus coin \setminus coffee)\} .$$

As mentioned above, we shall often distinguish a so called start state (or initial state), which is one selected state in which the system initially starts. For example, the start state for the process SmUni presented above is, not surprisingly, the process SmUni itself.

Remark 2.2 Sometimes the transition relations $\xrightarrow{a}$ are presented as a ternary relation $\rightarrow \subseteq Proc \times Act \times Proc$ and we write $s \xrightarrow{a} s'$ whenever $(s, a, s') \in \rightarrow$. This is an alternative way to describe a labelled transition system and it defines the same notion as Definition 2.1. □

Notation 2.1 Let us now recall a few useful notations that will be used in connection with labelled transition systems.

• We can extend the transition relation to the elements of $Act^*$ (the set of all finite strings over $Act$ including the empty string $\varepsilon$). The definition is as follows:

  – $s \xrightarrow{\varepsilon} s$ for every $s \in Proc$, and

  – $s \xrightarrow{aw} s'$ iff there is a state $t \in Proc$ such that $s \xrightarrow{a} t$ and $t \xrightarrow{w} s'$, for every $s, s' \in Proc$, $a \in Act$ and $w \in Act^*$.

In other words, if $w = a_1 a_2 \cdots a_n$ for $a_1, a_2, \ldots, a_n \in Act$ then we write $s \xrightarrow{w} s'$ whenever there exist states $s_0, s_1, \ldots, s_{n-1}, s_n \in Proc$ such that

$$s = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \xrightarrow{a_3} s_3 \xrightarrow{a_4} \cdots \xrightarrow{a_{n-1}} s_{n-1} \xrightarrow{a_n} s_n = s' .$$

For the transition system in Figure 2.6 we have, for example, that $p \xrightarrow{\varepsilon} p$, $p \xrightarrow{ab} p$ and $p_1 \xrightarrow{bab} p$.

• We write $s \rightarrow s'$ whenever there is an action $a \in Act$ such that $s \xrightarrow{a} s'$.

For the transition system in Figure 2.6 we have, for instance, that $p \rightarrow p_1$, $p_1 \rightarrow p$, $p_2 \rightarrow p_1$ and $p_2 \rightarrow p_2$.

• We use the notation $s \xrightarrow{a}$ meaning that there is some $s' \in Proc$ such that $s \xrightarrow{a} s'$.

For the transition system in Figure 2.6 we have, for instance, that $p \xrightarrow{a}$ and $p_1 \xrightarrow{b}$.

• We write $s \rightarrow^* s'$ iff $s \xrightarrow{w} s'$ for some $w \in Act^*$. In other words, $\rightarrow^*$ is the reflexive and transitive closure of the relation $\rightarrow$.

For the transition system in Figure 2.6 we have, for example, that $p \rightarrow^* p$, $p \rightarrow^* p_1$, and $p_2 \rightarrow^* p$.

Exercise 2.4 Consider the following labelled transition system.

[Figure: four states $s, s_1, s_2, s_3$ with the transitions $s \xrightarrow{a} s_1$, $s_1 \xrightarrow{a} s_2$, $s_2 \xrightarrow{a} s_3$ and $s_3 \xrightarrow{a} s$.]

• Define the labelled transition system as a triple $(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$.

• What is the reflexive closure of the binary relation $\xrightarrow{a}$? (A drawing is fine.)

• What is the symmetric closure of the binary relation $\xrightarrow{a}$? (A drawing is fine.)

• What is the transitive closure of the binary relation $\xrightarrow{a}$? (A drawing is fine.)

Definition 2.2 [Reachable states] Let $T = (Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ be a labelled transition system, and let $s \in Proc$ be its initial state. We say that $s' \in Proc$ is reachable in the transition system $T$ iff $s \rightarrow^* s'$. The set of reachable states contains all states reachable in $T$. □

In the transition system from Figure 2.6, where $p$ is the initial state, the set of reachable states is equal to $\{p, p_1\}$.

Exercise 2.5 What would the set of reachable states in the labelled transition system in Figure 2.6 be if its start state were $p_2$? □

The step from a process denoted by a CCS expression to the LTS describing its operational behaviour is taken using the framework of Structural Operational Semantics (SOS) as pioneered by Plotkin in (Plotkin, 2004b). (The history of the development of the ideas that led to SOS is recounted by Plotkin himself in (Plotkin, 2004a).) The key idea underlying this approach is that the collection of CCS process expressions will be the set of states of a (large) labelled transition system, whose actions will be either input or output actions on communication ports or $\tau$, and whose transitions will be exactly those that can be proven to hold by means of a collection of syntax-driven rules. These rules will capture the informal semantics of the CCS operators presented above in a very simple and elegant way. The operational semantics of a CCS expression is then obtained by selecting that expression as the start state in the LTS for the whole language, and restricting ourselves to the collection of CCS expressions that are reachable from it by following transitions.

2.2.2 The formal syntax and semantics of CCS

The next step in our formal developments is to offer the formal syntax for the language CCS. Since the set of ports plays a crucial role in the definition of CCS processes, we begin by assuming a countably infinite collection $\mathcal{A}$ of (channel) names. ('Countably infinite' means that we have as many names as there are natural numbers.) The set

$$\bar{\mathcal{A}} = \{\bar a \mid a \in \mathcal{A}\}$$

is the set of complementary names (or co-names for short). In our informal introduction to the language, we have interpreted names as input actions and co-names as output actions. We let

$$\mathcal{L} = \mathcal{A} \cup \bar{\mathcal{A}}$$

be the set of labels, and

$$Act = \mathcal{L} \cup \{\tau\}$$

be the set of actions. In our formal developments, we shall use $a, b$ to range over $\mathcal{L}$ and $\alpha$ as a typical member of $Act$, but, as we have already done in the previous section, we shall often use more suggestive names for channels in applications and examples. By convention, we assume that $\bar{\bar a} = a$ for each label $a$. (This also makes sense intuitively because the complement of output is input.) We also assume a given countably infinite collection $\mathcal{K}$ of process names (or constants). (This ensures that we never run out of names for processes.)

Definition 2.3 The collection $\mathcal{P}$ of CCS expressions is given by the following grammar:

$$P, Q ::= K \;\mid\; \alpha.P \;\mid\; \sum_{i \in I} P_i \;\mid\; P \mid Q \;\mid\; P[f] \;\mid\; P \setminus L ,$$

where

• $K$ is a process name in $\mathcal{K}$;

• $\alpha$ is an action in $Act$;

• $I$ is a possibly infinite index set;

• $f : Act \rightarrow Act$ is a relabelling function satisfying the following constraints:

$$f(\tau) = \tau \quad\text{and}\quad f(\bar a) = \overline{f(a)} \text{ for each label } a ;$$

• $L$ is a set of labels from $\mathcal{L}$.

We write $0$ for an empty sum of processes, i.e.,

$$0 = \sum_{i \in \emptyset} P_i ,$$

and $P_1 + P_2$ for a sum of two processes, i.e.,

$$P_1 + P_2 = \sum_{i \in \{1, 2\}} P_i .$$

Moreover, we assume that the behaviour of each process constant $K \in \mathcal{K}$ is given by a defining equation

$$K \stackrel{def}{=} P ,$$

where $P \in \mathcal{P}$. As it was already made clear by the previous informal discussion, the constant $K$ may appear in $P$. □

We sometimes write $[b_1/a_1, \ldots, b_n/a_n]$, where $n \geq 1$, $a_i, b_i \in \mathcal{A}$ for each $i \in \{1, \ldots, n\}$ and the $a_i$ are distinct channel names, for the relabelling $[f]$, where $f$ is the relabelling function mapping each $a_i$ to $b_i$, each $\bar a_i$ to $\bar b_i$ ($i \in \{1, \ldots, n\}$) and acting like the identity function on all of the other actions. For each label $a$, we also often write $\setminus a$ in lieu of $\setminus \{a\}$.

To avoid the use of too many parentheses in writing CCS expressions, we use the convention that the operators have decreasing binding strength in the following order: restriction and relabelling (tightest binding), action prefixing, parallel composition and summation. For example, the expression $a.0 \mid b.P \setminus L + c.0$ stands for

$$((a.0) \mid (b.(P \setminus L))) + (c.0) .$$

Exercise 2.6 Which of the following expressions are syntactically correct CCS expressions? Why? Assume that $A, B$ are process constants and $a, b$ are channel names.

• $a.b.A + B$

• $(a.0 + a.A) \setminus \{a, b\}$

• $(a.0 \mid a.A) \setminus \{a, \tau\}$

• $a.B + [a/b]$

• $\tau.\tau.B + 0$

• $(a.B + b.B)[a/b, b/a]$

• $(a.B + \tau.B)[a/\tau, b/a]$

• $(a.b.A + a.0) \mid B$

• $(a.b.A + a.0).B$

• $(a.b.A + a.0) + B$

• $(0 \mid 0) + 0$

Our readers can easily check that all of the processes presented in the previous section are indeed CCS expressions. Another example of a CCS expression is given by a counter, which is defined thus:

$$Counter_0 \stackrel{def}{=} up.Counter_1 \qquad (2.5)$$

$$Counter_n \stackrel{def}{=} up.Counter_{n+1} + down.Counter_{n-1} \quad (n > 0) . \qquad (2.6)$$

The behaviour of such a process is intuitively clear. For each non-negative integer $n$, the process $Counter_n$ behaves like a counter whose value is $n$; the 'up' actions increase the value of the counter by one, and the 'down' actions decrease it by one. It would also be easy to construct the (infinite state) LTS for this process based on its syntactic description, and on the intuitive understanding of process behaviour we have so far developed. However, intuition alone can lead us to wrong conclusions, and most importantly cannot be fed to a computer! To capture formally our understanding of the semantics of the language CCS, we therefore introduce the collection of SOS rules in Table 2.2. These rules are used to generate an LTS whose states are CCS expressions. In that LTS, a transition $P \xrightarrow{\alpha} Q$ holds for CCS expressions $P, Q$ and action $\alpha$ if, and only if, it can be proven using the rules in Table 2.2.

A rule like

$$\frac{}{\alpha.P \xrightarrow{\alpha} P}$$

is an axiom, as it has no premises—that is, it has no transition above the solid line. This means that proving that a process of the form $\alpha.P$ affords the transition $\alpha.P \xrightarrow{\alpha} P$ (the conclusion of the rule) can be done without establishing any further sub-goal. Therefore each process of the form $\alpha.P$ affords the transition $\alpha.P \xrightarrow{\alpha} P$. As an example, we have that the following transition

$$pub.CS_1 \xrightarrow{pub} CS_1 \qquad (2.7)$$

is provable using the above rule for action prefixing. On the other hand, a rule like

$$\frac{P \xrightarrow{\alpha} P'}{K \xrightarrow{\alpha} P'} \quad K \stackrel{def}{=} P$$

has a non-empty set of premises. This rule says that to establish that constant $K$ affords the transition mentioned in the conclusion of the rule, we have to prove first that the body of the defining equation for $K$, namely the process $P$, affords the transition $P \xrightarrow{\alpha} P'$. Using this rule, pattern matching and transition (2.7), we can prove the transition

$$CS \xrightarrow{pub} CS_1 ,$$

which we had informally derived before for the version of process CS given in Table 2.1 on page 18.

The aforementioned rule for constants has a side condition, namely $K \stackrel{def}{=} P$, that describes a constraint that must be met in order for the rule to be applicable. In that specific example, the side condition states intuitively that the rule may be used to derive an initial transition for constant $K$ if '$K$ is declared to have body $P$'.

Another example of a rule with a side condition is that for restriction.

$$\frac{P \xrightarrow{\alpha} P'}{P \setminus L \xrightarrow{\alpha} P' \setminus L} \quad \alpha, \bar\alpha \notin L$$

ACT $\quad \dfrac{}{\alpha.P \xrightarrow{\alpha} P}$

SUM$_j$ $\quad \dfrac{P_j \xrightarrow{\alpha} P'_j}{\sum_{i \in I} P_i \xrightarrow{\alpha} P'_j} \quad$ where $j \in I$

COM1 $\quad \dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q}$

COM2 $\quad \dfrac{Q \xrightarrow{\alpha} Q'}{P \mid Q \xrightarrow{\alpha} P \mid Q'}$

COM3 $\quad \dfrac{P \xrightarrow{a} P' \quad Q \xrightarrow{\bar a} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}$

RES $\quad \dfrac{P \xrightarrow{\alpha} P'}{P \setminus L \xrightarrow{\alpha} P' \setminus L} \quad$ where $\alpha, \bar\alpha \notin L$

REL $\quad \dfrac{P \xrightarrow{\alpha} P'}{P[f] \xrightarrow{f(\alpha)} P'[f]}$

CON $\quad \dfrac{P \xrightarrow{\alpha} P'}{K \xrightarrow{\alpha} P'} \quad$ where $K \stackrel{def}{=} P$

Table 2.2: SOS rules for CCS ($\alpha \in Act$, $a \in \mathcal{L}$)

This rule states that every transition of a term $P$ determines a transition of the expression $P \setminus L$, provided that neither the action producing the transition nor its complement are in $L$. For example, as you can check, this side condition prevents us from proving the existence of the transition

$$(coffee.CS) \setminus coffee \xrightarrow{coffee} CS \setminus coffee .$$

Finally, note that, when considering the binary version of the summation operator, the family of rules SUM$_j$ reduces to the following two rules.

$$\text{SUM1} \quad \frac{P_1 \xrightarrow{\alpha} P'_1}{P_1 + P_2 \xrightarrow{\alpha} P'_1} \qquad\qquad \text{SUM2} \quad \frac{P_2 \xrightarrow{\alpha} P'_2}{P_1 + P_2 \xrightarrow{\alpha} P'_2}$$

To get a feeling for the power of recursive definitions of process behaviours, consider the process C defined thus:

$$C \stackrel{def}{=} up.(C \mid down.0) . \qquad (2.8)$$

What are the transitions that this process affords? Using the rules for constants and action prefixing, you should have little trouble in arguing that the only initial transition for C is

$$C \xrightarrow{up} C \mid down.0 . \qquad (2.9)$$

What next? Observing that $down.0 \xrightarrow{down} 0$, using rule COM2 in Table 2.2 we can infer that

$$C \mid down.0 \xrightarrow{down} C \mid 0 .$$

Since it is reasonable to expect that the process $C \mid 0$ exhibits the same behaviour as C—and we shall see later on that this does hold true—, the above transition effectively brings our process back to its initial state, at least up to behavioural equivalence. However, this is not all, because, as we have already proven (2.9), using rule COM1 in Table 2.2 we have that the transition

$$C \mid down.0 \xrightarrow{up} (C \mid down.0) \mid down.0$$

is also possible. You might find it instructive to continue building a little more of the transition graph for process C. As you may begin to notice, the LTS giving the operational semantics of the process expression C looks very similar to that for $Counter_0$, as given in (2.5). Indeed, we shall prove later on that these two processes exhibit the same behaviour in a very strong sense.

Exercise 2.7 Use the rules of the SOS semantics for CCS to derive the LTS for the process SmUni defined by equation 2.4 on page 13. (Use the definition of CS in Table 2.1.) □
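The derivation that Exercise 2.7 asks for by hand can also be mechanised. The following Python program is an added example and is not part of the book: it implements the rules of Table 2.2 as a function from a CCS expression to its set of transitions and explores the LTS reachable from a given expression. The definitions of CM, CM1, CS, CS1 and CS2 (Table 2.1, page 18) are not on this page; the ones used below are assumptions chosen so that the LTS of SmUni comes out as the four-state system written out in Section 2.2.1, and `~x` is this program's spelling of the co-name $\bar x$.

```python
# Added example, not from the book: an interpreter for the SOS rules of pure CCS
# (Table 2.2).  Expressions are nested tuples, hence hashable, and can serve
# directly as the states of the generated LTS.
from collections import deque

TAU = "tau"

def bar(a):
    """Complement of a label: 'coin' <-> '~coin' ('~x' is the output on port x)."""
    return a[1:] if a.startswith("~") else "~" + a

# Syntax of Definition 2.3; 0 is the empty sum.
def Pre(alpha, P): return ("pre", alpha, P)
def Sum(*Ps):      return ("sum", tuple(Ps))
def Par(P, Q):     return ("par", P, Q)
def Res(P, *L):    return ("res", P, frozenset(L))
def Rel(P, f):     return ("rel", P, tuple(sorted(dict(f).items())))
def Con(K):        return ("con", K)
NIL = Sum()

def relabel(f, alpha):
    """[b/a] maps a to b and ~a to ~b; tau and unmentioned labels are fixed."""
    f = dict(f)
    if alpha == TAU or (alpha not in f and bar(alpha) not in f):
        return alpha
    return f[alpha] if alpha in f else bar(f[bar(alpha)])

def transitions(P, defs):
    """All (alpha, P') with P --alpha--> P' derivable from Table 2.2.
    `defs` maps each constant K to the body of its defining equation."""
    kind, out = P[0], set()
    if kind == "pre":                                    # ACT
        out.add((P[1], P[2]))
    elif kind == "sum":                                  # SUM_j, every j in I
        for Pj in P[1]:
            out |= transitions(Pj, defs)
    elif kind == "par":                                  # COM1, COM2, COM3
        _, P1, Q = P
        t1, t2 = transitions(P1, defs), transitions(Q, defs)
        out |= {(a, Par(P1x, Q)) for a, P1x in t1}
        out |= {(a, Par(P1, Qx)) for a, Qx in t2}
        out |= {(TAU, Par(P1x, Qx)) for a, P1x in t1 for b, Qx in t2
                if a != TAU and b == bar(a)}
    elif kind == "res":                                  # RES: alpha, ~alpha not in L
        _, Q, L = P
        out |= {(a, Res(Qx, *L)) for a, Qx in transitions(Q, defs)
                if a not in L and bar(a) not in L}
    elif kind == "rel":                                  # REL
        _, Q, f = P
        out |= {(relabel(f, a), Rel(Qx, f)) for a, Qx in transitions(Q, defs)}
    else:                                                # CON: K def= defs[K]
        out |= transitions(defs[P[1]], defs)
    return out

def explore(P, defs, max_states=200):
    """Breadth-first construction of the LTS reachable from P (Definition 2.2);
    `max_states` cuts the search short for infinite-state processes such as C."""
    states, trans, todo = {P}, set(), deque([P])
    while todo and len(states) < max_states:
        Q = todo.popleft()
        for a, Qx in transitions(Q, defs):
            trans.add((Q, a, Qx))
            if Qx not in states:
                states.add(Qx)
                todo.append(Qx)
    return states, trans

def show(P):
    """Render an expression in CCS syntax, e.g. '(CM | CS1) \\ {coffee, coin}'."""
    kind = P[0]
    if kind == "pre": return f"{P[1]}.{show(P[2])}"
    if kind == "sum": return " + ".join(map(show, P[1])) or "0"
    if kind == "par": return f"({show(P[1])} | {show(P[2])})"
    if kind == "res": return show(P[1]) + " \\ {" + ", ".join(sorted(P[2])) + "}"
    if kind == "rel": return show(P[1]) + "[" + ", ".join(f"{b}/{a}" for a, b in P[2]) + "]"
    return P[1]

# Assumed definitions (Table 2.1 is on page 18, not on this page), chosen to
# reproduce the four-state LTS of SmUni written out in Section 2.2.1 above.
DEFS = {
    "CM":    Pre("coin", Con("CM1")),       # machine: accept a coin ...
    "CM1":   Pre("~coffee", Con("CM")),     # ... then deliver coffee
    "CS":    Pre("pub", Con("CS1")),        # scientist: publish ...
    "CS1":   Pre("~coin", Con("CS2")),      # ... pay ...
    "CS2":   Pre("coffee", Con("CS")),      # ... drink
    "SmUni": Res(Par(Con("CM"), Con("CS")), "coin", "coffee"),  # equation (2.4)
    "C":     Pre("up", Par(Con("C"), Pre("down", NIL))),        # equation (2.8)
    "A":     Pre("b", Pre("a", Con("B"))),  # Exercise 2.8; B is taken to be 0 here
    "B":     NIL,
}

def smuni_lts():
    """The LTS of SmUni: four states, two pub and two tau transitions."""
    return explore(Con("SmUni"), DEFS)

def exercise_2_8_first():
    """Transitions of (A | ~b.0) \\ {b}: only the tau step to (a.B | 0) \\ {b}."""
    return transitions(Res(Par(Con("A"), Pre("~b", NIL)), "b"), DEFS)

if __name__ == "__main__":
    for s, a, t in sorted(smuni_lts()[1], key=lambda x: show(x[0])):
        print(f"{show(s)}  --{a}-->  {show(t)}")
```

Running the file prints the four transitions of SmUni listed in Section 2.2.1. Because `explore` is breadth-first with a state bound, the same function can be pointed at the counter C of equation (2.8): `explore(Con("C"), DEFS, max_states=4)` yields C, C | down.0, C | 0 and (C | down.0) | down.0 with exactly the transitions derived above, and `transitions(Res(Pre("coffee", Con("CS")), "coffee"), DEFS)` is empty, which is the side condition of RES at work.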

Exercise 2.8 Assume that $A \stackrel{def}{=} b.a.B$. By using the SOS rules for CCS prove the existence of the following transitions:

• $(A \mid \bar b.0) \setminus \{b\} \xrightarrow{\tau} (a.B \mid 0) \setminus \{b\}$,

• $(A \mid b.a.B) + (b.A)[a/b] \xrightarrow{b} (A \mid a.B)$, and

• $(A \mid b.a.B) + (b.A)[a/b] \xrightarrow{a} A[a/b]$.

Exercise 2.9 Draw (part of) the transition graph for the process name A whose behaviour is given by the defining equation

$$A \stackrel{def}{=} (a.A) \setminus b .$$

The resulting transition graph should have infinitely many states. Can you think of a CCS term that generates a finite labelled transition system that should intuitively have the same behaviour as A? □

Exercise 2.10 Draw (part of) the transition graph for the process name A whose behaviour is given by the defining equation

$$A \stackrel{def}{=} (a_0.A)[f]$$

where we assume that the set of channel names is $\{a_0, a_1, a_2, \ldots\}$, and $f(a_i) = a_{i+1}$ for each $i$.

The resulting transition graph should (again!) have infinitely many states. Can you give an argument showing that there is no finite state labelled transition system that could intuitively have the same behaviour as A? □

Exercise 2.11

1. Draw the transition graph for the process name Mutex1 whose behaviour is given by the defining equation

$$Mutex_1 \stackrel{def}{=} (User \mid Sem) \setminus \{p, v\}$$

$$User \stackrel{def}{=} \bar p.enter.exit.\bar v.User$$

$$Sem \stackrel{def}{=} p.v.Sem .$$

2. Draw the transition graph for the process name Mutex2 whose behaviour is given by the defining equation

$$Mutex_2 \stackrel{def}{=} ((User \mid Sem) \mid User) \setminus \{p, v\} ,$$

where User and Sem are defined as before.

Would the behaviour of the process change if User was defined as

$$User \stackrel{def}{=} \bar p.enter.\bar v.exit.User \ ?$$

3. Draw the transition graph for the process name FMutex whose behaviour is given by the defining equation

$$FMutex \stackrel{def}{=} ((User \mid Sem) \mid FUser) \setminus \{p, v\} ,$$

where User and Sem are defined as before, and the behaviour of FUser is given by the defining equation

$$FUser \stackrel{def}{=} \bar p.enter.(exit.\bar v.FUser + exit.\bar v.0) .$$

Do you think that Mutex2 and FMutex are offering the same behaviour? Can you argue informally for your answer?

2.2.3 Value passing CCS

This section may be skipped on first reading as it is meant mainly as a pointer for further reading and self-study.

So far, we have only introduced the so-called pure CCS—that is, the fragment of CCS where communication is pure synchronization and involves no exchange of data. In many applications, however, processes exchange data when they communicate. To allow for a natural modelling of these examples, it is convenient, although theoretically unnecessary as argued in (Milner, 1989, Section 2.8), to extend our language to what is usually called value passing CCS. We shall now introduce the new features in this language, and their operational semantics, by means of examples. In what follows, we shall assume for simplicity that the only data type is the set of non-negative integers.

Assume that we wish to define a one-place buffer B which has the following behaviour.

• If B is empty, then it is only willing to accept one datum as input along a channel called 'in'. The received datum is stored for further output.

• If B is full, then it is only willing to output the successor of the value it stores, and empties itself in doing so.

This behaviour of B can be modelled in value passing CCS thus:

$$B \stackrel{def}{=} in(x).B(x)$$

$$B(x) \stackrel{def}{=} \overline{out}(x + 1).B .$$

Note that the input prefix 'in' now carries a parameter that is a variable—in this case $x$—whose scope is the process that is prefixed by the input action—in this example, $B(x)$. The intuitive idea is that process B is willing to accept a non-negative integer $n$ as input, bind the received value to $x$ and thereafter behave like $B(n)$—that is, like a full one-place buffer storing the value $n$. The behaviour of the process $B(n)$ is then described by the second equation above, where the scope of the formal parameter $x$ is the whole right-hand side of the equation. Note that output prefixes, like '$\overline{out}(x+1)$' above, may carry expressions—the idea being that the value being output is the one that results from the evaluation of the expression.

The general SOS rule for input prefixing now becomes

$$\frac{}{a(x).P \xrightarrow{a(n)} P[n/x]} \quad n \geq 0$$

where we write $P[n/x]$ for the expression that results by replacing each free occurrence of the variable $x$ in $P$ with $n$. The general SOS rule for output prefixing is instead the one below.

$$\frac{}{\bar a(e).P \xrightarrow{\bar a(n)} P} \quad n \text{ is the result of evaluating } e$$

In value passing CCS, as we have already seen in our definition of the one place buffer B, process names may be parameterized by value variables. The general form that these parameterized constants may take is $A(x_1, \ldots, x_n)$, where A is a process name, $n \geq 0$ and $x_1, \ldots, x_n$ are distinct value variables. The operational semantics for these constants is given by the following rule.

$$\frac{P[v_1/x_1, \ldots, v_n/x_n] \xrightarrow{\alpha} P'}{A(e_1, \ldots, e_n) \xrightarrow{\alpha} P'} \quad A(x_1, \ldots, x_n) \stackrel{def}{=} P \text{ and each } e_i \text{ has value } v_i$$

To become familiar with these rules, you should apply them to the one-place buffer B, and derive its possible transitions.

In what follows, we shall restrict ourselves to CCS expressions that have no free occurrences of value variables—that is, to CCS expressions in which each occurrence of a value variable, say $y$, is within the scope of an input prefix of the form $a(y)$ or of a parameterized constant $A(x_1, \ldots, x_n)$ with $y = x_i$ for some $1 \leq i \leq n$. For instance, the expression

$$a(x).\bar b(y + 1).0$$

is disallowed because the single occurrence of the value variable $y$ is bound neither by an input prefixing nor by a parameterized constant.

Since processes in value passing CCS may manipulate data, it is natural to add an if $bexp$ then $P$ else $Q$ construct to the language, where $bexp$ is a boolean expression. Assume, by way of example, that we wish to define a one-place buffer Pred that computes the predecessor function on the non-negative integers. This may be defined thus:

$$Pred \stackrel{def}{=} in(x).Pred(x)$$

$$Pred(x) \stackrel{def}{=} \text{if } x = 0 \text{ then } \overline{out}(0).Pred \text{ else } \overline{out}(x - 1).Pred .$$

We expect $Pred(0)$ to output the value $0$ on channel 'out', and $Pred(n + 1)$ to output $n$ on the same channel for each non-negative integer $n$. The SOS rules for if $bexp$ then $P$ else $Q$ will allow us to prove this formally. They are the expected ones, namely

$$\frac{P \xrightarrow{\alpha} P'}{\text{if } bexp \text{ then } P \text{ else } Q \xrightarrow{\alpha} P'} \quad bexp \text{ is true}$$

and

$$\frac{Q \xrightarrow{\alpha} Q'}{\text{if } bexp \text{ then } P \text{ else } Q \xrightarrow{\alpha} Q'} \quad bexp \text{ is false.}$$

Exercise 2.12 Consider a one place buffer defined by

$$Cell \stackrel{def}{=} in(x).Cell(x)$$

$$Cell(x) \stackrel{def}{=} \overline{out}(x).Cell .$$

Use the Cell to define a two-place bag and a two-place FIFO queue. (Recall that a bag, also known as multiset, is a set whose elements have multiplicity.) Give specifications of the expected behaviour of these processes, and use the operational rules given above to convince yourselves that your implementations are correct. □

Exercise 2.13 Consider the process B defined thus:

$$B \stackrel{def}{=} push(x).(C(x) \frown B) + \overline{empty}.B$$

$$C(x) \stackrel{def}{=} push(y).(C(y) \frown C(x)) + \overline{pop}(x).D$$

$$D \stackrel{def}{=} o(x).C(x) + e.B ,$$

where the linking combinator $P \frown Q$ is as follows:

$$P \frown Q = (P[p'/p, e'/e, o'/o] \mid Q[p'/push, e'/empty, o'/pop]) \setminus \{p', o', e'\} .$$

Draw an initial fragment of the transition graph for this process. What behaviour do you think B implements? □

Exercise 2.14 (For the theoretically minded) Prove that the operational semantics for value passing CCS we have given above is in complete agreement with the semantics for this language via translation into the pure calculus given by Milner in (Milner, 1989, Section 2.8). □


Chapter 3

Behavioural equivalence

We have previously remarked that CCS, like all other process algebras, can be used to describe both implementations of processes and specifications of their expected behaviours. A language like CCS therefore supports the so-called single language approach to process theory—that is, the approach in which a single language is used to describe both actual processes and their specifications. An important ingredient of these languages is therefore a notion of behavioural equivalence or behavioural approximation between processes. One process description, say SYS, may describe an implementation, and another, say SPEC, may describe a specification of the expected behaviour. To say that SYS and SPEC are equivalent is taken to indicate that these two processes describe essentially the same behaviour, albeit possibly at different levels of abstraction or refinement. To say that, in some formal sense, SYS is an approximation of SPEC means roughly that every aspect of the behaviour of this process is allowed by the specification SPEC, and thus that nothing unexpected can happen in the behaviour of SYS. This approach to program verification is also sometimes called implementation verification or equivalence checking.

3.1 Criteria for a good behavioural equivalence

We have already informally argued that some of the processes that we have met so far ought to be considered behaviourally equivalent. For instance, we claimed that the behaviour of the process SmUni defined in equation 2.4 on page 13 should be considered equivalent to that of the specification

$$Spec \stackrel{def}{=} pub.Spec ,$$

and that the process C in equation 2.8 on page 30 behaves like a counter. Our order of business now will be to introduce a suitable notion of behavioural equivalence that will allow us to establish these expected equalities and many others.

Before doing so, it is however instructive to consider the criteria that we expect a suitable notion of behavioural equivalence for processes to meet. First of all, we have already used the term 'equivalence' several times, and since this is a mathematical notion that some of you may not have met before, it is high time to define it precisely.

Definition 3.1 Let $X$ be a set. A binary relation over $X$ is a subset of $X \times X$, the set of pairs of elements of $X$. If $R$ is a binary relation over $X$, we often write $x R y$ instead of $(x, y) \in R$.

An equivalence relation over $X$ is a binary relation $R$ that satisfies the following constraints:

• $R$ is reflexive—that is, $x R x$ for each $x \in X$;

• $R$ is symmetric—that is, $x R y$ implies $y R x$, for all $x, y \in X$; and

• $R$ is transitive—that is, $x R y$ and $y R z$ imply $x R z$, for all $x, y, z \in X$.

A reflexive and transitive relation is a preorder. □

An equivalence relation is therefore a more abstract version of the notion of equality that we are familiar with since elementary school.

Exercise 3.1 Which of the following relations over the set of non-negative integers $\mathbb{N}$ is an equivalence relation?

• The identity relation $I = \{(n, n) \mid n \in \mathbb{N}\}$.

• The universal relation $U = \{(n, m) \mid n, m \in \mathbb{N}\}$.

• The standard $\leq$ relation.

• The parity relation $M_2 = \{(n, m) \mid n, m \in \mathbb{N},\ n \bmod 2 = m \bmod 2\}$.

Can you give an example of a preorder over the set $\mathbb{N}$ that is not an equivalence relation? □

[Figure 3.1: $P \; R \; Q$ implies that $C[P] \; R \; C[Q]$. The picture shows $P$ and $Q$ related by $R$, each placed into the same context $C$, with the results $C(P)$ and $C(Q)$ again related by $R$.]

Since we expect that each process is a correct implementation of itself, a relation used to support implementation verification should certainly be reflexive. Moreover, as we shall now argue, it should also be transitive—at least if it is to support stepwise derivation of implementations from specifications. In fact, assume that we wish to derive a correct implementation from a specification via a sequence of refinement steps which are known to preserve some behavioural relation $R$. In this approach, we might begin from our specification Spec and transform it into our implementation Imp via a sequence of intermediate stages $Spec_i$ ($0 \leq i \leq n$) thus:

$$Spec = Spec_0 \; R \; Spec_1 \; R \; Spec_2 \; R \cdots R \; Spec_n = Imp .$$

Since each of the steps above preserves the relation $R$, we would like to conclude that Imp is a correct implementation of Spec with respect to $R$—that is, that

$$Spec \; R \; Imp$$

holds. This is guaranteed to be true if the relation $R$ is transitive.

From the above discussion, it follows that a relation supporting implementation verification should at least be a preorder. The relations considered in the classic theory of CCS, and in the main body of this book, are also symmetric, and are therefore equivalence relations.

Another intuitively desirable property that an equivalence relation $R$ that supports implementation verification should have is that it is a congruence. This means that process descriptions that are related by $R$ can be used interchangeably as parts of a larger process description without affecting its overall behaviour. More precisely, if $P \; R \; Q$ and $C[\ ]$ is a program fragment with 'a hole', then

$$C[P] \; R \; C[Q] .$$

This is pictorially represented in Figure 3.1.

Finally, we expect our notion of relation supporting implementation verification to be based on the observable behaviour of processes, rather than on their structure, the actual name of their states or the number of transitions they afford. Ideally, we should like to identify two processes unless there is some sequence of 'interactions' that an 'observer' may have with them leading to different 'outcomes'.

The lack of consensus on what constitutes an appropriate notion of observable behaviour for reactive systems has led to a large number of proposals for behavioural equivalences for concurrent processes. (See the study (Glabbeek, 2001), where van Glabbeek presents the linear time-branching time spectrum—a lattice of known behavioural equivalences and preorders over labelled transition systems, ordered by inclusion.) In our search for a reasonable notion of behavioural relation to support implementation verification, we shall limit ourselves to presenting a tiny sample of these.

So let's begin our search!

3.2 Trace equivalence: a first attempt

Labelled transition systems (LTSs) (Keller, 1976) are a fundamental model of concurrent computation, which is widely used in light of its flexibility and applicability. In particular, they are the prime model underlying Plotkin's Structural Operational Semantics (Plotkin, 2004b) and, following Milner's pioneering work on CCS (Milner, 1989), are by now the standard semantic model for various process description languages.

As we have already seen, LTSs model processes by explicitly describing their states and their transitions from state to state, together with the actions that produced them. Since this view of process behaviours is very detailed, several notions of behavioural equivalence and preorder have been proposed for LTSs. The aim of such behavioural semantics is to identify those (states of) LTSs that afford the same 'observations', in some appropriate technical sense.

Now, LTSs are essentially (possibly infinite state) automata, and the classic theory of automata suggests a ready made notion of equivalence for them, and thus for the CCS processes that denote them.

Let us say that a trace of a process $P$ is a sequence $\alpha_1 \cdots \alpha_k \in Act^*$ ($k \geq 0$) such that there exists a sequence of transitions

$$P = P_0 \xrightarrow{\alpha_1} P_1 \xrightarrow{\alpha_2} P_2 \cdots P_{k-1} \xrightarrow{\alpha_k} P_k ,$$

for some $P_1, \ldots, P_k$. We write $Traces(P)$ for the collection of all traces of $P$. Since $Traces(P)$ describes all the possible finite sequences of interactions that we may have with process $P$, it is reasonable to require that our notion of behavioural equivalence only relates processes that afford the same traces, or else we should have a very good reason for telling them apart—namely a sequence of actions that can be performed with one, but not with the other. This means that, for all processes $P$ and $Q$, we require that

$$\text{if } P \text{ and } Q \text{ are behaviourally equivalent, then } Traces(P) = Traces(Q) . \qquad (3.1)$$

Taking the point of view of standard automata theory, and abstracting from the notion of 'accept state' that is missing altogether in our treatment, an automaton may be completely identified by its set of traces, and thus two processes are equivalent if, and only if, they afford the same traces.

This point of view is totally justified and natural if we view our LTSs as non-deterministic devices that may generate or accept sequences of actions. However, is it still a reasonable one if we view our automata as reactive machines that interact with their environment?

To answer this question, consider the coffee and tea machine CTM defined in equation 2.2 on page 11, and compare it with the following one:

$$CTM' \stackrel{def}{=} coin.\overline{coffee}.CTM' + coin.\overline{tea}.CTM' . \qquad (3.2)$$

You should be able to convince yourselves that CTM and CTM' afford the same traces. (Do so!) However, if you were a user of the coffee and tea machine who wants coffee and hates tea, which machine would you like to interact with? We certainly would prefer to interact with CTM as that machine will give us coffee after receiving a coin, whereas CTM' may refuse to deliver coffee after having accepted our coin!

This informal discussion may be directly formalized within CCS by assuming that the behaviour of the coffee starved user is described by the process

$$CA \stackrel{def}{=} \overline{coin}.coffee.CA .$$

Consider now the terms

$$(CA \mid CTM) \setminus \{coin, coffee, tea\}$$

and

$$(CA \mid CTM') \setminus \{coin, coffee, tea\}$$

that we obtain by forcing interaction between the coffee addict CA and the two vending machines. Using the SOS rules for CCS, you should convince yourselves that the former term can only perform an infinite computation consisting of $\tau$-labelled transitions, whereas the second term can deadlock thus:

$$(CA \mid CTM') \setminus \{coin, coffee, tea\} \xrightarrow{\tau} (coffee.CA \mid \overline{tea}.CTM') \setminus \{coin, coffee, tea\} .$$

Note that the target term of this transition captures precisely the deadlock situationthat we intuitively expected to have, namely that the user only wants coffee, butthe machine is only willing to deliver tea. So trace equivalent terms may exhibit

Page 58: Reactive Systems: Modelling, Specification and Verification ...ce.sharif.edu/courses/90-91/2/ce665-1/resources... · Reactive Systems: Modelling, Specification and Verification

42 CHAPTER 3. BEHAVIOURAL EQUIVALENCE

different deadlock behaviour when made to interact with other parallel processes—a highly undesirable state of affairs.

In light of the above example, we are forced to reject the law

α.(P + Q) = α.P + α.Q ,

which is familiar from the standard theory of regular languages, for our desirednotion of behavioural equivalence. (Can you see why?) Therefore we need torefine our notion of equivalence in order to differentiate processes that, like the twovending machines above, exhibit different reactive behaviour while still having thesame traces.

Exercise 3.2 (Recommended) A completed trace of a process $P$ is a sequence $\alpha_1 \cdots \alpha_k \in \mathit{Act}^*$ ($k \geq 0$) such that there exists a sequence of transitions

$$P = P_0 \xrightarrow{\alpha_1} P_1 \xrightarrow{\alpha_2} P_2 \cdots P_{k-1} \xrightarrow{\alpha_k} P_k \not\rightarrow ,$$

for some $P_1, \ldots, P_k$. The completed traces of a process may be seen as capturing its deadlock behaviour, as they are precisely the sequences of actions that may lead the process into a state from which no further action is possible.

1. Do the processes

$$(\mathrm{CA} \mid \mathrm{CTM}) \setminus \{coin, coffee, tea\} \quad \text{and} \quad (\mathrm{CA} \mid \mathrm{CTM}') \setminus \{coin, coffee, tea\}$$

defined above have the same completed traces?

2. Is it true that if $P$ and $Q$ are two CCS processes affording the same completed traces and $L$ is a set of labels, then $P \setminus L$ and $Q \setminus L$ also have the same completed traces?

You should, of course, argue for your answers. □

3.3 Strong bisimilarity

Our aim in this section will be to present one of the key notions in the theory of processes, namely strong bisimulation. In order to motivate this notion intuitively, let us reconsider once more the two processes CTM and CTM′ that we used above to argue that trace equivalence is not a suitable notion of behavioural equivalence for reactive systems. The problem was that, as fully formalized in Exercise 3.2, the trace equivalent processes CTM and CTM′ exhibited different deadlock behaviour when made to interact with a third parallel process, namely CA. In hindsight, this is not overly surprising. In fact, when looking purely at the (completed) traces of a process, we focus only on the sequences of actions that the process may perform, but do not take into account the communication capabilities of the intermediate states that the process traverses as it computes. As the above example shows, the communication potential of the intermediate states does matter when we may interact with the process at all times. In particular, there is a crucial difference in the capabilities of the states reached by CTM and CTM′ after these processes have received a coin as input. Indeed, after accepting a coin the machine CTM always enters a state in which it is willing to output both coffee and tea, depending on what its user wants, whereas the machine CTM′ can only enter a state in which it is willing to deliver either coffee or tea, but not both.

The lesson that we may learn from the above discussion is that a suitable notion of behavioural relation between reactive systems should allow us to distinguish processes that may have different deadlock potential when made to interact with other processes. Such a notion of behavioural relation must take into account the communication capabilities of the intermediate states that processes may reach as they compute. One way to ensure that this holds is to require that in order for two processes to be equivalent, not only should they afford the same traces, but, in some formal sense, the states that they reach should still be equivalent. You can easily convince yourselves that trace equivalence does not meet this latter requirement, as the states that CTM and CTM′ may reach after receiving a coin as input are not trace equivalent.

The classic notion of strong bisimulation equivalence, introduced by David Park in (Park, 1981) and widely popularized by Robin Milner in (Milner, 1989), formalizes the informal requirements introduced above in a very elegant way.

Definition 3.2 [Strong bisimulation] A binary relation $R$ over the set of states of an LTS is a bisimulation iff whenever $s_1 \mathrel{R} s_2$ and $\alpha$ is an action:

- if $s_1 \xrightarrow{\alpha} s_1'$, then there is a transition $s_2 \xrightarrow{\alpha} s_2'$ such that $s_1' \mathrel{R} s_2'$;

- if $s_2 \xrightarrow{\alpha} s_2'$, then there is a transition $s_1 \xrightarrow{\alpha} s_1'$ such that $s_1' \mathrel{R} s_2'$.

Two states $s$ and $s'$ are bisimilar, written $s \sim s'$, iff there is a bisimulation that relates them. Henceforth the relation $\sim$ will be referred to as strong bisimulation equivalence or strong bisimilarity. □

Since the operational semantics of CCS is given in terms of an LTS whose states are CCS process expressions, the above definition applies equally well to CCS processes. Intuitively, a strong bisimulation is a kind of invariant relation between processes that is preserved by transitions in the sense of Definition 3.2.

Before beginning to explore the properties of strong bisimilarity, let us remark on one of its most appealing features, namely a proof technique that it supports to show that two processes are strongly bisimilar. Since two processes are strongly bisimilar if there is a strong bisimulation that relates them, to prove that they are related by $\sim$ it suffices only to exhibit a strong bisimulation that relates them.

Example 3.1 Consider the labelled transition system

$$(\mathit{Proc}, \mathit{Act}, \{\xrightarrow{a} \mid a \in \mathit{Act}\}) ,$$

where

• $\mathit{Proc} = \{s, s_1, s_2, t, t_1\}$,

• $\mathit{Act} = \{a, b\}$,

• $\xrightarrow{a} = \{(s, s_1), (s, s_2), (t, t_1)\}$, and

• $\xrightarrow{b} = \{(s_1, s_2), (s_2, s_2), (t_1, t_1)\}$.

Here is a graphical representation of this labelled transition system.

[Figure: $s \xrightarrow{a} s_1 \xrightarrow{b} s_2$ and $s \xrightarrow{a} s_2$, with a $b$-loop on $s_2$; $t \xrightarrow{a} t_1$, with a $b$-loop on $t_1$.]

We will show that $s \sim t$. In order to do so, we have to define a strong bisimulation $R$ such that $(s, t) \in R$. Let us define it as

$$R = \{(s, t), (s_1, t_1), (s_2, t_1)\} .$$

The binary relation $R$ can be graphically depicted by dotted lines like in the following picture.

[Figure: the same labelled transition system, with the pairs $(s, t)$, $(s_1, t_1)$ and $(s_2, t_1)$ of $R$ joined by dotted lines.]

Obviously, $(s, t) \in R$. We have to show that $R$ is a strong bisimulation, i.e., that it meets the requirements stated in Definition 3.2. To this end, for each pair of states from $R$, we have to investigate all the possible transitions from both states and see whether they can be matched by corresponding transitions from the other state. Note that a transition under some label can be matched only by a transition under the same label. We will now present a complete analysis of all of the steps needed to show that $R$ is a strong bisimulation, even though they are very simple and tedious.

• Let us consider first the pair $(s, t)$:

  – transitions from $s$:

    ∗ $s \xrightarrow{a} s_1$ can be matched by $t \xrightarrow{a} t_1$ and $(s_1, t_1) \in R$,

    ∗ $s \xrightarrow{a} s_2$ can be matched by $t \xrightarrow{a} t_1$ and $(s_2, t_1) \in R$, and

    ∗ these are all the transitions from $s$;

  – transitions from $t$:

    ∗ $t \xrightarrow{a} t_1$ can be matched, e.g., by $s \xrightarrow{a} s_2$ and $(s_2, t_1) \in R$ (another possibility would be to match it by $s \xrightarrow{a} s_1$, but finding one matching transition is enough), and

    ∗ this is the only transition from $t$.

• Next we consider the pair $(s_1, t_1)$:

  – transitions from $s_1$:

    ∗ $s_1 \xrightarrow{b} s_2$ can be matched by $t_1 \xrightarrow{b} t_1$ and $(s_2, t_1) \in R$, and

    ∗ this is the only transition from $s_1$;

  – transitions from $t_1$:

    ∗ $t_1 \xrightarrow{b} t_1$ can be matched by $s_1 \xrightarrow{b} s_2$ and $(s_2, t_1) \in R$, and

    ∗ this is the only transition from $t_1$.

• Finally we consider the pair $(s_2, t_1)$:

  – transitions from $s_2$:

    ∗ $s_2 \xrightarrow{b} s_2$ can be matched by $t_1 \xrightarrow{b} t_1$ and $(s_2, t_1) \in R$, and

    ∗ this is the only transition from $s_2$;

  – transitions from $t_1$:

    ∗ $t_1 \xrightarrow{b} t_1$ can be matched by $s_2 \xrightarrow{b} s_2$ and $(s_2, t_1) \in R$, and

    ∗ this is the only transition from $t_1$.

This completes the proof that $R$ is a strong bisimulation and, since $(s, t) \in R$, we get that $s \sim t$.

In order to prove that, e.g., $s_1 \sim s_2$ we can use the following relation

$$R = \{(s_1, s_2), (s_2, s_2)\} .$$

The reader is invited to verify that $R$ is indeed a strong bisimulation. □

Example 3.2 In this example we shall demonstrate that it is possible for the initial state of a labelled transition system with infinitely many reachable states to be strongly bisimilar to a state from which only finitely many states are reachable. Consider the labelled transition system $(\mathit{Proc}, \mathit{Act}, \{\xrightarrow{a} \mid a \in \mathit{Act}\})$ where

• $\mathit{Proc} = \{s_i \mid i \geq 1\} \cup \{t\}$,

• $\mathit{Act} = \{a\}$, and

• $\xrightarrow{a} = \{(s_i, s_{i+1}) \mid i \geq 1\} \cup \{(t, t)\}$.

Here is a graphical representation of this labelled transition system.

[Figure: $s_1 \xrightarrow{a} s_2 \xrightarrow{a} s_3 \xrightarrow{a} s_4 \xrightarrow{a} \cdots$, and the state $t$ with an $a$-loop.]

We can now observe that $s_1 \sim t$ because the relation

$$R = \{(s_i, t) \mid i \geq 1\}$$

is a strong bisimulation and it contains the pair $(s_1, t)$. The reader is invited to verify this simple fact. □

Consider now the two coffee and tea machines in our running example. We can argue that CTM and CTM′ are not strongly bisimilar thus. Assume, towards a contradiction, that CTM and CTM′ are strongly bisimilar. This means that there is a strong bisimulation $R$ such that

$$\mathrm{CTM} \mathrel{R} \mathrm{CTM}' .$$

Recall that

$$\mathrm{CTM}' \xrightarrow{coin} tea.\mathrm{CTM}' .$$

So, by the second requirement in Definition 3.2, there must be a transition

$$\mathrm{CTM} \xrightarrow{coin} P$$

for some process $P$ such that $P \mathrel{R} tea.\mathrm{CTM}'$. A moment of thought should be enough to convince yourselves that the only process that CTM can reach by receiving a coin as input is $coffee.\mathrm{CTM} + tea.\mathrm{CTM}$. So we are requiring that

$$(coffee.\mathrm{CTM} + tea.\mathrm{CTM}) \mathrel{R} tea.\mathrm{CTM}' .$$

However, now a contradiction is immediately reached. In fact,

$$coffee.\mathrm{CTM} + tea.\mathrm{CTM} \xrightarrow{coffee} \mathrm{CTM} ,$$

but $tea.\mathrm{CTM}'$ cannot output coffee. Thus the first requirement in Definition 3.2 cannot be met. It follows that our assumption that the two machines were strongly bisimilar leads to a contradiction. We may therefore conclude that, as claimed, the processes CTM and CTM′ are not strongly bisimilar.

Example 3.3 Consider the processes $P$ and $Q$ defined thus:

$$P \stackrel{\mathrm{def}}{=} a.P_1 + b.P_2$$

$$P_1 \stackrel{\mathrm{def}}{=} c.P$$

$$P_2 \stackrel{\mathrm{def}}{=} c.P$$

and

$$Q \stackrel{\mathrm{def}}{=} a.Q_1 + b.Q_2$$

$$Q_1 \stackrel{\mathrm{def}}{=} c.Q_3$$

$$Q_2 \stackrel{\mathrm{def}}{=} c.Q_3$$

$$Q_3 \stackrel{\mathrm{def}}{=} a.Q_1 + b.Q_2 .$$

We claim that $P \sim Q$. To prove that this does hold, it suffices to argue that the following relation is a strong bisimulation:

$$R = \{(P, Q), (P, Q_3), (P_1, Q_1), (P_2, Q_2)\} .$$

We encourage you to check that this is indeed the case. □

Page 64: Reactive Systems: Modelling, Specification and Verification ...ce.sharif.edu/courses/90-91/2/ce665-1/resources... · Reactive Systems: Modelling, Specification and Verification

48 CHAPTER 3. BEHAVIOURAL EQUIVALENCE

Exercise 3.3 Consider the processes $P$ and $Q$ defined thus:

$$P \stackrel{\mathrm{def}}{=} a.P_1$$

$$P_1 \stackrel{\mathrm{def}}{=} b.P + c.P$$

and

$$Q \stackrel{\mathrm{def}}{=} a.Q_1$$

$$Q_1 \stackrel{\mathrm{def}}{=} b.Q_2 + c.Q$$

$$Q_2 \stackrel{\mathrm{def}}{=} a.Q_3$$

$$Q_3 \stackrel{\mathrm{def}}{=} b.Q + c.Q_2 .$$

Show that $P \sim Q$ holds by exhibiting an appropriate strong bisimulation. □

Exercise 3.4 Consider the processes

$$P \stackrel{\mathrm{def}}{=} a.(b.0 + c.0) \quad \text{and} \quad Q \stackrel{\mathrm{def}}{=} a.b.0 + a.c.0 .$$

Show that $P$ and $Q$ are not strongly bisimilar. □

Exercise 3.5 Consider the following labelled transition system.

[Figure: a labelled transition system over the states $s, s_1, s_2, s_3, s_4$ and $t, t_1, t_2, t_3, t_4$ with actions $a$ and $b$; the diagram is not reproduced in this extract.]

Show that $s \sim t$ by finding a strong bisimulation $R$ containing the pair $(s, t)$. □

Before looking at a few more examples, we now proceed to present some of the general properties of strong bisimilarity. In particular, we shall see that $\sim$ is an equivalence relation, and that it is preserved by all of the constructs in the CCS language.

The following result states the most basic properties of strong bisimilarity, and is our first theorem in this book.

Theorem 3.1 For all LTSs, the relation $\sim$ is

1. an equivalence relation,

2. the largest strong bisimulation, and

3. satisfies the following property:

   $s_1 \sim s_2$ iff for each action $\alpha$,

   - if $s_1 \xrightarrow{\alpha} s_1'$, then there is a transition $s_2 \xrightarrow{\alpha} s_2'$ such that $s_1' \sim s_2'$;

   - if $s_2 \xrightarrow{\alpha} s_2'$, then there is a transition $s_1 \xrightarrow{\alpha} s_1'$ such that $s_1' \sim s_2'$.

Proof: Consider an LTS $(\mathit{Proc}, \mathit{Act}, \{\xrightarrow{\alpha} \mid \alpha \in \mathit{Act}\})$. We prove each of the statements in turn.

1. In order to show that $\sim$ is an equivalence relation over the set of states $\mathit{Proc}$, we need to argue that it is reflexive, symmetric and transitive. (See Definition 3.1.)

To prove that $\sim$ is reflexive, it suffices only to provide a bisimulation that contains the pair $(s, s)$, for each state $s \in \mathit{Proc}$. It is not hard to see that the identity relation

$$I = \{(s, s) \mid s \in \mathit{Proc}\}$$

is such a relation.

We now show that $\sim$ is symmetric. Assume, to this end, that $s_1 \sim s_2$ for some states $s_1$ and $s_2$ contained in $\mathit{Proc}$. We claim that $s_2 \sim s_1$ also holds. To prove this claim, recall that, since $s_1 \sim s_2$, there is a bisimulation $R$ that contains the pair of states $(s_1, s_2)$. Consider now the relation

$$R^{-1} = \{(s', s) \mid (s, s') \in R\} .$$

You should now be able to convince yourselves that the pair $(s_2, s_1)$ is contained in $R^{-1}$, and that this relation is indeed a bisimulation. Therefore $s_2 \sim s_1$, as claimed.

We are therefore left to argue that $\sim$ is transitive. Assume, to this end, that $s_1 \sim s_2$ and $s_2 \sim s_3$ for some states $s_1$, $s_2$ and $s_3$ contained in $\mathit{Proc}$. We claim that $s_1 \sim s_3$ also holds. To prove this, recall that, since $s_1 \sim s_2$ and $s_2 \sim s_3$, there are two bisimulations $R$ and $R'$ that contain the pairs of states $(s_1, s_2)$ and $(s_2, s_3)$, respectively. Consider now the relation

$$S = \{(s_1', s_3') \mid (s_1', s_2') \in R \text{ and } (s_2', s_3') \in R', \text{ for some } s_2'\} .$$

The pair $(s_1, s_3)$ is contained in $S$. (Why?) Moreover, using that $R$ and $R'$ are bisimulations, you should be able to show that so is $S$. Therefore $s_1 \sim s_3$, as claimed.

2. We aim at showing that $\sim$ is the largest strong bisimulation over the set of states $\mathit{Proc}$. To this end, observe, first of all, that the definition of $\sim$ states that

$$\sim \;=\; \bigcup \{R \mid R \text{ is a bisimulation}\} .$$

This yields immediately that each bisimulation is included in $\sim$. We are therefore left to show that the right-hand side of the above equation is itself a bisimulation. This we now proceed to do.

Since we have already shown that $\sim$ is symmetric, it is sufficient to prove that if

$$(s_1, s_2) \in \bigcup \{R \mid R \text{ is a bisimulation}\} \quad \text{and} \quad s_1 \xrightarrow{\alpha} s_1' , \qquad (3.3)$$

then there is a state $s_2'$ such that $s_2 \xrightarrow{\alpha} s_2'$ and

$$(s_1', s_2') \in \bigcup \{R \mid R \text{ is a bisimulation}\} .$$

Assume, therefore, that (3.3) holds. Since

$$(s_1, s_2) \in \bigcup \{R \mid R \text{ is a bisimulation}\} ,$$

there is a bisimulation $R$ that contains the pair $(s_1, s_2)$. As $R$ is a bisimulation and $s_1 \xrightarrow{\alpha} s_1'$, we have that there is a state $s_2'$ such that $s_2 \xrightarrow{\alpha} s_2'$ and $(s_1', s_2') \in R$. Observe now that the pair $(s_1', s_2')$ is also contained in

$$\bigcup \{R \mid R \text{ is a bisimulation}\} .$$

Hence, we have argued that there is a state $s_2'$ such that $s_2 \xrightarrow{\alpha} s_2'$ and

$$(s_1', s_2') \in \bigcup \{R \mid R \text{ is a bisimulation}\} ,$$

which was to be shown.

3. We now aim at proving that $\sim$ satisfies the following property:

   $s_1 \sim s_2$ iff for each action $\alpha$,

   - if $s_1 \xrightarrow{\alpha} s_1'$, then there is a transition $s_2 \xrightarrow{\alpha} s_2'$ such that $s_1' \sim s_2'$;

   - if $s_2 \xrightarrow{\alpha} s_2'$, then there is a transition $s_1 \xrightarrow{\alpha} s_1'$ such that $s_1' \sim s_2'$.

The implication from left to right is an immediate consequence of the fact that, as we have just shown, $\sim$ is itself a bisimulation. We are therefore left to prove the implication from right to left. To this end, assume that $s_1$ and $s_2$ are two states in $\mathit{Proc}$ having the following property:

($\ast$) for each action $\alpha$,

   - if $s_1 \xrightarrow{\alpha} s_1'$, then there is a transition $s_2 \xrightarrow{\alpha} s_2'$ such that $s_1' \sim s_2'$;

   - if $s_2 \xrightarrow{\alpha} s_2'$, then there is a transition $s_1 \xrightarrow{\alpha} s_1'$ such that $s_1' \sim s_2'$.

We shall now prove that $s_1 \sim s_2$ holds by constructing a bisimulation that contains the pair $(s_1, s_2)$.

How can we build the desired bisimulation $R$? First of all, we must add the pair $(s_1, s_2)$ to $R$ because we wish to use that relation to prove $s_1 \sim s_2$. Since $R$ should be a bisimulation, each transition $s_1 \xrightarrow{\alpha} s_1'$ from $s_1$ should be matched by a transition $s_2 \xrightarrow{\alpha} s_2'$ from $s_2$, for some state $s_2'$ such that $(s_1', s_2') \in R$. In light of the aforementioned property, this can be easily achieved by adding to the relation $R$ all of the pairs of states contained in $\sim$! Since we have already shown that $\sim$ is itself a bisimulation, no more pairs of states need be added to $R$.

The above discussion suggests that we consider the relation

$$R = \{(s_1, s_2)\} \cup \sim .$$

Indeed, by construction, the pair $(s_1, s_2)$ is contained in $R$. Moreover, using property ($\ast$) and statement 2 of the theorem, it is not hard to prove that $R$ is a bisimulation. This shows that $s_1 \sim s_2$, as claimed.

The proof is now complete. □

Exercise 3.6 Prove that the relations we have built in the proof of Theorem 3.1 are indeed bisimulations. □

Exercise 3.7 In the proof of Theorem 3.1(2), we argued that the union of all of the bisimulation relations over an LTS is itself a bisimulation. Use the argument we adopted in the proof of that statement to show that the union of an arbitrary family of bisimulations is always a bisimulation. □

Exercise 3.8 Is it true that any strong bisimulation must be reflexive, transitive and symmetric? If yes then prove it, if not then give counter-examples, that is

• define an LTS and a binary relation over states that is not reflexive but is a strong bisimulation;

• define an LTS and a binary relation over states that is not symmetric but is a strong bisimulation; and

• define an LTS and a binary relation over states that is not transitive but is a strong bisimulation.

Are the relations you have constructed the largest strong bisimulations over your labelled transition systems? □

Exercise 3.9 (Recommended) A binary relation $R$ over the set of states of an LTS is a string bisimulation iff whenever $s_1 \mathrel{R} s_2$ and $\sigma$ is a sequence of actions in $\mathit{Act}$:

- if $s_1 \xrightarrow{\sigma} s_1'$, then there is a transition $s_2 \xrightarrow{\sigma} s_2'$ such that $s_1' \mathrel{R} s_2'$;

- if $s_2 \xrightarrow{\sigma} s_2'$, then there is a transition $s_1 \xrightarrow{\sigma} s_1'$ such that $s_1' \mathrel{R} s_2'$.

Two states $s$ and $s'$ are string bisimilar iff there is a string bisimulation that relates them.

Prove that string bisimilarity and strong bisimilarity coincide. That is, show that two states $s$ and $s'$ are string bisimilar iff they are strongly bisimilar. □

Exercise 3.10 Assume that the defining equation for the constant $K$ is $K \stackrel{\mathrm{def}}{=} P$. Show that $K \sim P$ holds. □

Exercise 3.11 Prove that two strongly bisimilar processes afford the same traces, and thus that strong bisimulation equivalence satisfies the requirement for a behavioural equivalence we set out in equation (3.1). Hint: Use your solution to Exercise 3.9 to show that, for each trace $\alpha_1 \cdots \alpha_k$ ($k \geq 0$),

$$P \sim Q \text{ and } \alpha_1 \cdots \alpha_k \in \mathit{Traces}(P) \text{ imply } \alpha_1 \cdots \alpha_k \in \mathit{Traces}(Q) .$$

Is it true that strongly bisimilar processes have the same completed traces? (See Exercise 3.2 for the definition of the notion of completed trace.) □

Exercise 3.12 (Recommended) Show that the relations listed below are strong bisimulations:

$$\{(P \mid Q, Q \mid P) \mid P, Q \text{ are CCS processes}\}$$

$$\{(P \mid 0, P) \mid P \text{ is a CCS process}\}$$

$$\{((P \mid Q) \mid R, P \mid (Q \mid R)) \mid P, Q, R \text{ are CCS processes}\} .$$

Conclude that, for all $P, Q, R$,

$$P \mid Q \sim Q \mid P , \qquad (3.4)$$

$$P \mid 0 \sim P , \text{ and} \qquad (3.5)$$

$$(P \mid Q) \mid R \sim P \mid (Q \mid R) . \qquad (3.6)$$

Find three CCS processes $P, Q, R$ such that $(P + Q) \mid R \not\sim (P \mid R) + (Q \mid R)$. □

Exercise 3.13 Is it true that, for all CCS processes $P$ and $Q$,

$$(P \mid Q) \setminus a \sim (P \setminus a) \mid (Q \setminus a) ?$$

Does the following equivalence hold for all CCS processes $P$ and $Q$, and relabelling function $f$?

$$(P \mid Q)[f] \sim (P[f]) \mid (Q[f]) .$$

If your answer to the above questions is positive, then construct appropriate bisimulations. Otherwise, provide a counter-example to the claim. □

As we saw in Exercise 3.12, parallel composition is associative and commutative modulo strong bisimilarity. Therefore, since the precise bracketing of terms in a parallel composition does not matter, we can use the notation $\prod_{i=1}^{k} P_i$, where $k \geq 0$ and the $P_i$ are CCS processes, to stand for

$$P_1 \mid P_2 \mid \cdots \mid P_k .$$

If $k = 0$, then, by convention, the above term is just $0$.

As mentioned before, one of the desirable properties for a notion of behavioural equivalence is that it should allow us to 'replace equivalent processes for equivalent processes' in any larger process expression without affecting its behaviour. The following theorem states that this is indeed possible for strong bisimilarity.

Theorem 3.2 Let $P, Q, R$ be CCS processes. Assume that $P \sim Q$. Then

• $\alpha.P \sim \alpha.Q$, for each action $\alpha$;

• $P + R \sim Q + R$ and $R + P \sim R + Q$, for each process $R$;

• $P \mid R \sim Q \mid R$ and $R \mid P \sim R \mid Q$, for each process $R$;

• $P[f] \sim Q[f]$, for each relabelling $f$; and

• $P \setminus L \sim Q \setminus L$, for each set of labels $L$.

Proof: We limit ourselves to showing that $\sim$ is preserved by parallel composition and restriction. We consider these two operations in turn. In both cases, we assume that $P \sim Q$.

• Let $R$ be a CCS process. We aim at showing that $P \mid R \sim Q \mid R$. To this end, we shall build a bisimulation $\mathcal{R}$ that contains the pair of processes $(P \mid R, Q \mid R)$.

Consider the relation

$$\mathcal{R} = \{(P' \mid R', Q' \mid R') \mid P' \sim Q' \text{ and } P', Q', R' \text{ are CCS processes}\} .$$

You should readily be able to convince yourselves that the pair of processes $(P \mid R, Q \mid R)$ is indeed contained in $\mathcal{R}$, and thus that all we are left to do to complete our argument is to show that $\mathcal{R}$ is a bisimulation. The proof of this fact will, hopefully, also highlight that the above relation $\mathcal{R}$ was not 'built out of thin air', and will epitomize the creative process that underlies the building of bisimulation relations.

First of all, observe that, by symmetry, to prove that $\mathcal{R}$ is a bisimulation, it is sufficient to argue that if $(P' \mid R', Q' \mid R')$ is contained in $\mathcal{R}$ and $P' \mid R' \xrightarrow{\alpha} S$ for some action $\alpha$ and CCS process $S$, then $Q' \mid R' \xrightarrow{\alpha} T$ for some CCS process $T$ such that $(S, T) \in \mathcal{R}$. This we now proceed to do.

Assume that $(P' \mid R', Q' \mid R')$ is contained in $\mathcal{R}$ and $P' \mid R' \xrightarrow{\alpha} S$ for some action $\alpha$ and CCS process $S$. We now proceed with the proof by a case analysis on the possible origins of the transition $P' \mid R' \xrightarrow{\alpha} S$. Recall that the transition we are considering must be provable using the SOS rules for parallel composition given in Table 2.2 on page 29. Therefore there are three possible forms that the transition $P' \mid R' \xrightarrow{\alpha} S$ may take, namely:

1. $P'$ is responsible for the transition and $R'$ 'stands still', that is,

$$P' \mid R' \xrightarrow{\alpha} S$$

because, by rule COM1 for parallel composition in Table 2.2, $P' \xrightarrow{\alpha} P''$ and $S = P'' \mid R'$, for some $P''$,

2. $R'$ is responsible for the transition and $P'$ 'stands still', that is,

$$P' \mid R' \xrightarrow{\alpha} S$$

because, by rule COM2 for parallel composition in Table 2.2, $R' \xrightarrow{\alpha} R''$ and $S = P' \mid R''$, for some $R''$, or

3. the transition under consideration is the result of a synchronization between a transition of $P'$ and one of $R'$, that is,

$$P' \mid R' \xrightarrow{\alpha} S$$

because, by rule COM3 for parallel composition in Table 2.2, $\alpha = \tau$, and there are a label $a$ and processes $P''$ and $R''$ such that $P' \xrightarrow{a} P''$, $R' \xrightarrow{\bar{a}} R''$ and $S = P'' \mid R''$.

We now proceed by examining each of these possibilities in turn.

1. Since $P' \xrightarrow{\alpha} P''$ and $P' \sim Q'$, we have that $Q' \xrightarrow{\alpha} Q''$ and $P'' \sim Q''$, for some $Q''$. Using the transition $Q' \xrightarrow{\alpha} Q''$ as premise in rule COM1 for parallel composition in Table 2.2 on page 29, we can infer that

$$Q' \mid R' \xrightarrow{\alpha} Q'' \mid R' .$$

By the definition of the relation $\mathcal{R}$, we have that

$$(P'' \mid R', Q'' \mid R') \in \mathcal{R} .$$

We can therefore take $T = Q'' \mid R'$, and we are done.

2. In this case, we have that $R' \xrightarrow{\alpha} R''$. Using this transition as premise in rule COM2 for parallel composition in Table 2.2 on page 29, we can infer that

$$Q' \mid R' \xrightarrow{\alpha} Q' \mid R'' .$$

By the definition of the relation $\mathcal{R}$, we have that

$$(P' \mid R'', Q' \mid R'') \in \mathcal{R} .$$

We can therefore take $T = Q' \mid R''$, and we are done.

3. Since $P' \xrightarrow{a} P''$ and $P' \sim Q'$, we have that $Q' \xrightarrow{a} Q''$ and $P'' \sim Q''$, for some $Q''$. Using the transitions $Q' \xrightarrow{a} Q''$ and $R' \xrightarrow{\bar{a}} R''$ as premises in rule COM3 for parallel composition in Table 2.2 on page 29, we can infer that

$$Q' \mid R' \xrightarrow{\tau} Q'' \mid R'' .$$

By the definition of the relation $\mathcal{R}$, we have that

$$(P'' \mid R'', Q'' \mid R'') \in \mathcal{R} .$$

We can therefore take $T = Q'' \mid R''$, and we are done.

Therefore the relation $\mathcal{R}$ is a bisimulation, as claimed.

• Let $L$ be a set of labels. We aim at showing that $P \setminus L \sim Q \setminus L$. To this end, we shall build a bisimulation $\mathcal{R}$ that contains the pair of processes $(P \setminus L, Q \setminus L)$.

Consider the relation

$$\mathcal{R} = \{(P' \setminus L, Q' \setminus L) \mid P' \sim Q' \text{ and } P', Q' \text{ are CCS processes}\} .$$

You should readily be able to convince yourselves that the pair of processes $(P \setminus L, Q \setminus L)$ is indeed contained in $\mathcal{R}$. Moreover, following the lines of the proof we have just gone through for parallel composition, it is an instructive exercise to show that

– the relation $\mathcal{R}$ is symmetric, and

– if $(P' \setminus L, Q' \setminus L)$ is contained in $\mathcal{R}$ and $P' \setminus L \xrightarrow{\alpha} S$ for some action $\alpha$ and CCS process $S$, then $Q' \setminus L \xrightarrow{\alpha} T$ for some CCS process $T$ such that $(S, T) \in \mathcal{R}$.

You are strongly encouraged to fill in the missing details in the proof. □

Exercise 3.14 Prove that $\sim$ is preserved by action prefixing, summation and relabelling. □

Exercise 3.15 (For the theoretically minded) For each set of labels $L$ and process $P$, we may wish to build the process $\tau_L(P)$ that is obtained by turning into a $\tau$ each action $\alpha$ performed by $P$ with $\alpha \in L$ or $\bar{\alpha} \in L$. Operationally, the behaviour of the construct $\tau_L(\ )$ can be described by the following two rules.

$$\frac{P \xrightarrow{\alpha} P'}{\tau_L(P) \xrightarrow{\tau} \tau_L(P')} \quad \text{if } \alpha \in L \text{ or } \bar{\alpha} \in L$$

$$\frac{P \xrightarrow{\alpha} P'}{\tau_L(P) \xrightarrow{\alpha} \tau_L(P')} \quad \text{if } \alpha = \tau \text{ or } \alpha, \bar{\alpha} \notin L$$

Prove that $\tau_L(P) \sim \tau_L(Q)$, whenever $P \sim Q$.

Consider the question of whether the operation $\tau_L(\ )$ can be defined in CCS modulo $\sim$, that is, can you find a CCS expression $C_L[\ ]$ with a 'hole' (a placeholder where another process can be plugged) such that, for each process $P$,

$$\tau_L(P) \sim C_L[P] ?$$

Argue for your answer. □

Recall that we defined the specification of a counter thus:

$$\mathrm{Counter}_0 \stackrel{\mathrm{def}}{=} up.\mathrm{Counter}_1$$

$$\mathrm{Counter}_n \stackrel{\mathrm{def}}{=} up.\mathrm{Counter}_{n+1} + down.\mathrm{Counter}_{n-1} \quad (n > 0) .$$

Moreover, we stated that we expect that process to be 'behaviourally equivalent' to the process C defined by

$$\mathrm{C} \stackrel{\mathrm{def}}{=} up.(\mathrm{C} \mid down.0) .$$

We can now show that, in fact, C and $\mathrm{Counter}_0$ are strongly bisimilar. To this end, note that this follows if we can show that the relation $R$ below

$$\{(\mathrm{C} \mid \textstyle\prod_{i=1}^{k} P_i, \mathrm{Counter}_n) \mid (1)\ k \geq 0,\ (2)\ P_i = 0 \text{ or } P_i = down.0 \text{ for each } i,\ (3)\ \text{the number of } i\text{s with } P_i = down.0 \text{ is } n\}$$

is a strong bisimulation. (Can you see why?) The following result states that this does hold true.

Proposition 3.1 The relation $R$ defined above is a strong bisimulation.

Proof: Assume that

$$(\mathrm{C} \mid \textstyle\prod_{i=1}^{k} P_i) \mathrel{R} \mathrm{Counter}_n .$$

By the definition of the relation $R$, each $P_i$ is either $0$ or $down.0$, and the number of $P_i = down.0$ is $n$. We shall now show that

1. if $\mathrm{C} \mid \prod_{i=1}^{k} P_i \xrightarrow{\alpha} P$ for some action $\alpha$ and process $P$, then there is some process $Q$ such that $\mathrm{Counter}_n \xrightarrow{\alpha} Q$ and $P \mathrel{R} Q$, and

2. if $\mathrm{Counter}_n \xrightarrow{\alpha} Q$ for some action $\alpha$ and process $Q$, then there is some process $P$ such that $\mathrm{C} \mid \prod_{i=1}^{k} P_i \xrightarrow{\alpha} P$ and $P \mathrel{R} Q$.

We establish these two claims separately.

1. Assume that $\mathrm{C} \mid \prod_{i=1}^{k} P_i \xrightarrow{\alpha} P$ for some action $\alpha$ and process $P$. Then

• either $\alpha = up$ and $P = \mathrm{C} \mid down.0 \mid \prod_{i=1}^{k} P_i$

• or $n > 0$, $\alpha = down$ and $P = \mathrm{C} \mid \prod_{i=1}^{k} P_i'$, where the vectors of processes $(P_1, \ldots, P_k)$ and $(P_1', \ldots, P_k')$ differ in exactly one position $\ell$, and at that position $P_\ell = down.0$ and $P_\ell' = 0$.

In the former case, argue that the matching transition is

$$\mathrm{Counter}_n \xrightarrow{up} \mathrm{Counter}_{n+1} .$$

In the latter, argue that the matching transition is

$$\mathrm{Counter}_n \xrightarrow{down} \mathrm{Counter}_{n-1} .$$

2. Assume that $\mathrm{Counter}_n \xrightarrow{\alpha} Q$ for some action $\alpha$ and process $Q$. Then

• either $\alpha = up$ and $Q = \mathrm{Counter}_{n+1}$

• or $n > 0$, $\alpha = down$ and $Q = \mathrm{Counter}_{n-1}$.

Finding matching transitions from $\mathrm{C} \mid \prod_{i=1}^{k} P_i$ is left as an exercise for the reader.

We can therefore conclude that $R$ is a strong bisimulation, which was to be shown. □

Exercise 3.16 Fill in the missing details in the above proof. □

Using CCS, we may specify the desired behaviour of a buffer with capacity one thus:

$$B^1_0 \stackrel{\mathrm{def}}{=} \mathit{in}.B^1_1 \qquad\qquad B^1_1 \stackrel{\mathrm{def}}{=} \mathit{out}.B^1_0 .$$

The constant $B^1_0$ stands for an empty buffer with capacity one, that is, a buffer with capacity one holding zero items, and $B^1_1$ stands for a full buffer with capacity one, that is, a buffer with capacity one holding one item.

By analogy with the above definition, in general we may specify a buffer of capacity $n \geq 1$ as follows, where the superscript stands for the maximal capacity of the buffer and the subscript for the number of elements the buffer currently holds:

$$B^n_0 \stackrel{\mathrm{def}}{=} \mathit{in}.B^n_1$$
$$B^n_i \stackrel{\mathrm{def}}{=} \mathit{in}.B^n_{i+1} + \mathit{out}.B^n_{i-1} \qquad \text{for } 0 < i < n$$
$$B^n_n \stackrel{\mathrm{def}}{=} \mathit{out}.B^n_{n-1} .$$

It seems natural to expect that we may implement a buffer of capacity $n \geq 1$ by means of the parallel composition of $n$ buffers of capacity one. This expectation is certainly met when $n = 2$ because, as you can readily check, the relation depicted in Figure 3.2 is a bisimulation showing that

$$B^2_0 \sim B^1_0 \mid B^1_0 .$$

[Figure 3.2: A bisimulation showing $B^2_0 \sim B^1_0 \mid B^1_0$. The relation pairs $B^2_0$ with $B^1_0 \mid B^1_0$, $B^2_1$ with both $B^1_1 \mid B^1_0$ and $B^1_0 \mid B^1_1$, and $B^2_2$ with $B^1_1 \mid B^1_1$; every $\mathit{in}$ and $\mathit{out}$ transition on one side is matched by one on the other.]

That this holds regardless of the size of the buffer to be implemented is the import of the following result.

Proposition 3.2 For each natural number $n \geq 1$,

$$B^n_0 \sim \underbrace{B^1_0 \mid B^1_0 \mid \cdots \mid B^1_0}_{n \text{ times}} .$$

Proof: Construct the following binary relation, where $i_1, i_2, \ldots, i_n \in \{0, 1\}$:

$$R = \Big\{ \big(B^n_i,\; B^1_{i_1} \mid B^1_{i_2} \mid \cdots \mid B^1_{i_n}\big) \;\Big|\; \sum_{j=1}^{n} i_j = i \Big\} .$$

Intuitively, the above relation relates a buffer of capacity $n$ holding $i$ items with a parallel composition of $n$ buffers of capacity one, provided that exactly $i$ of them are full.

It is not hard to see that

• $\big(B^n_0,\; B^1_0 \mid B^1_0 \mid \cdots \mid B^1_0\big) \in R$, and

• $R$ is a strong bisimulation.

It follows that

$$B^n_0 \sim \underbrace{B^1_0 \mid B^1_0 \mid \cdots \mid B^1_0}_{n \text{ times}} ,$$

which was to be shown. We encourage you to fill in the details in this proof. □

Exercise 3.17 (Simulation) Let us say that a binary relation $R$ over the set of states of an LTS is a simulation iff whenever $s_1 \; R \; s_2$ and $\alpha$ is an action:

- if $s_1 \xrightarrow{\alpha} s'_1$, then there is a transition $s_2 \xrightarrow{\alpha} s'_2$ such that $s'_1 \; R \; s'_2$.

We say that $s'$ simulates $s$, written $s \lesssim s'$, iff there is a simulation $R$ with $s \; R \; s'$. Two states $s$ and $s'$ are simulation equivalent, written $s \simeq s'$, iff $s \lesssim s'$ and $s' \lesssim s$ both hold.

1. Prove that $\lesssim$ is a preorder and $\simeq$ is an equivalence relation.

2. Build simulations showing that

   $$a.0 \lesssim a.a.0 \qquad \text{and} \qquad a.b.0 + a.c.0 \lesssim a.(b.0 + c.0) .$$

   Do the converse relations hold?

3. Show that strong bisimilarity is included in simulation equivalence, that is, that for any two strongly bisimilar states $s$ and $s'$ it holds that $s'$ simulates $s$. Does the converse inclusion also hold?

Is there a CCS process that can simulate any other CCS process? □

Exercise 3.18 (Ready Simulation) Let us say that a binary relation $R$ over the set of states of an LTS is a ready simulation iff whenever $s_1 \; R \; s_2$ and $\alpha$ is an action:

- if $s_1 \xrightarrow{\alpha} s'_1$, then there is a transition $s_2 \xrightarrow{\alpha} s'_2$ such that $s'_1 \; R \; s'_2$; and

- if $s_2 \xrightarrow{\alpha}$, then $s_1 \xrightarrow{\alpha}$.

We say that $s'$ ready simulates $s$, written $s \lesssim_{RS} s'$, iff there is a ready simulation $R$ with $s \; R \; s'$. Two states $s$ and $s'$ are ready simulation equivalent, written $s \simeq_{RS} s'$, iff $s \lesssim_{RS} s'$ and $s' \lesssim_{RS} s$ both hold.

1. Prove that $\lesssim_{RS}$ is a preorder and $\simeq_{RS}$ is an equivalence relation.

2. Do the following relations hold?

   $$a.0 \lesssim_{RS} a.a.0 \qquad \text{and} \qquad a.b.0 + a.c.0 \lesssim_{RS} a.(b.0 + c.0) .$$

3. Show that strong bisimilarity is included in ready simulation equivalence, that is, that for any two strongly bisimilar states $s$ and $s'$ it holds that $s'$ ready simulates $s$. Does the converse inclusion also hold?

Is there a CCS process that can ready simulate any other CCS process? □

Exercise 3.19 (For the theoretically minded) Consider the processes

$$P \stackrel{\mathrm{def}}{=} a.b.c.0 + a.b.d.0 \qquad \text{and} \qquad Q \stackrel{\mathrm{def}}{=} a.(b.c.0 + b.d.0) .$$

Argue, first of all, that $P$ and $Q$ are not strongly bisimilar. Next show that:

1. $P$ and $Q$ have the same completed traces (see Exercise 3.2);

2. for each process $R$ and set of labels $L$, the processes $(P \mid R) \setminus L$ and $(Q \mid R) \setminus L$ have the same completed traces.

So $P$ and $Q$ have the same deadlock behaviour in all parallel contexts, even though strong bisimilarity distinguishes them.

The lesson to be learned from these observations is that more generous notions of behavioural equivalence than bisimilarity may be necessary to validate some desirable equivalences. □

3.4 Weak bisimilarity

As we have seen in the previous section, strong bisimilarity affords many of the properties that we expect a notion of behavioural relation to be used in implementation verification to have. (See the introduction to Chapter 3.) In particular, strong bisimilarity is an equivalence relation that is preserved by all of the CCS operators, it is the largest strong bisimulation, it supports a very elegant proof technique to demonstrate equivalences between process descriptions, and it suffices to establish several natural equivalences. For instance, you used strong bisimilarity in Exercise 3.12 to justify the expected equalities

$$P \mid Q \sim Q \mid P , \qquad P \mid 0 \sim P , \qquad \text{and} \qquad (P \mid Q) \mid R \sim P \mid (Q \mid R) .$$

Moreover, a wealth of other 'structural equivalences' like the ones above may be proven to hold modulo strong bisimilarity. (See (Milner, 1989, Propositions 7–8).)

Should we look any further for a notion of behavioural equivalence to support implementation verification? Is there any item on our wish list that is not met by strong bisimilarity?

You might recall that we stated early on in this book that $\tau$ actions in process behaviours are supposed to be internal, and thus unobservable. This is a natural consequence of Milner's design decision to let $\tau$ indicate the result of a successful communication between two processes. Since communication is binary in CCS, and observing the behaviour of a process means communicating with it in some fashion, the unobservable nature of $\tau$ actions is the upshot of the assumption that they cannot be used for further communication. This discussion indicates that a notion of behavioural equivalence should allow us to abstract from such steps in process behaviours.

Consider, for instance, the processes $a.\tau.0$ and $a.0$. Since $\tau$ actions should be unobservable, we intuitively expect these to be observationally equivalent. Unfortunately, however, the processes $a.\tau.0$ and $a.0$ are not strongly bisimilar. In fact, the definition of strong bisimulation requires that each transition in the behaviour of one process should be matched by one transition of the other, regardless of whether that transition is labelled by an observable action or $\tau$, and $a.\tau.0$ affords the trace $a\tau$, whereas $a.0$ does not.

In hindsight, this failure of strong bisimilarity to account for the unobservable nature of $\tau$ actions is expected, because the definition of strong bisimulation treats internal actions as if they were ordinary observable actions. What we should like to have is a notion of bisimulation equivalence that affords all of the good properties of strong bisimilarity, and abstracts from $\tau$ actions in the behaviour of processes. However, in order to fulfill this aim, first we need to understand what 'abstracting from $\tau$ actions' actually means. Does this simply mean that we can 'erase' all of the $\tau$ actions in the behaviour of a process? This would be enough to show that $a.\tau.0$ and $a.0$ are equivalent, as the former process is identical to the latter if we 'erase the $\tau$ prefix'. But would this work in general?

To understand the issue better, let us make our old friend from the computer science department, namely the process CS defined in Table 2.1 on page 18, interact with a nasty variation on the coffee machine CM from equation 2.1 on page 11. This latest version of the coffee machine delivered to the computer scientist's office is given by

$$\mathrm{CM}_b \stackrel{\mathrm{def}}{=} \mathit{coin}.\mathit{coffee}.\mathrm{CM}_b + \mathit{coin}.\mathrm{CM}_b . \qquad (3.7)$$

(The subscript 'b' indicates that this version of the coffee machine is bad!) Note that, upon receipt of a coin, the coffee machine $\mathrm{CM}_b$ can decide to go back to its initial state without delivering the coffee. You should be able to convince yourselves that the sequences of transitions in Table 3.1 describe the possible behaviours of the system $(\mathrm{CM}_b \mid \mathrm{CS}) \setminus \{\mathit{coin}, \mathit{coffee}\}$. In that table, for the sake of notational convenience, we use Start as a short-hand for the CCS expression

$$(\mathrm{CM}_b \mid \mathrm{CS}) \setminus \{\mathit{coin}, \mathit{coffee}\} .$$

The short-hands Bad and Good are also introduced in the picture using the 'declarations'

$$\mathrm{Good} \equiv (\mathit{coffee}.\mathrm{CM}_b \mid \mathrm{CS}_2) \setminus \{\mathit{coin}, \mathit{coffee}\} \qquad \text{and} \qquad \mathrm{Bad} \equiv (\mathrm{CM}_b \mid \mathrm{CS}_2) \setminus \{\mathit{coin}, \mathit{coffee}\} .$$

Table 3.1: The behaviour of $(\mathrm{CM}_b \mid \mathrm{CS}) \setminus \{\mathit{coin}, \mathit{coffee}\}$

$$\mathrm{Start} \xrightarrow{\mathit{pub}} (\mathrm{CM}_b \mid \mathrm{CS}_1) \setminus \{\mathit{coin}, \mathit{coffee}\}$$
$$(\mathrm{CM}_b \mid \mathrm{CS}_1) \setminus \{\mathit{coin}, \mathit{coffee}\} \xrightarrow{\tau} \mathrm{Good} \qquad\qquad (\mathrm{CM}_b \mid \mathrm{CS}_1) \setminus \{\mathit{coin}, \mathit{coffee}\} \xrightarrow{\tau} \mathrm{Bad}$$
$$\mathrm{Good} \xrightarrow{\tau} \mathrm{Start}$$

where

$$\mathrm{Start} \equiv (\mathrm{CM}_b \mid \mathrm{CS}) \setminus \{\mathit{coin}, \mathit{coffee}\} \qquad\qquad \mathrm{CS} \stackrel{\mathrm{def}}{=} \mathit{pub}.\mathrm{CS}_1$$
$$\mathrm{Good} \equiv (\mathit{coffee}.\mathrm{CM}_b \mid \mathrm{CS}_2) \setminus \{\mathit{coin}, \mathit{coffee}\} \qquad\qquad \mathrm{CS}_1 \stackrel{\mathrm{def}}{=} \mathit{coin}.\mathrm{CS}_2$$
$$\mathrm{Bad} \equiv (\mathrm{CM}_b \mid \mathrm{CS}_2) \setminus \{\mathit{coin}, \mathit{coffee}\} \qquad\qquad \mathrm{CS}_2 \stackrel{\mathrm{def}}{=} \mathit{coffee}.\mathrm{CS} .$$

Note that there are two possible $\tau$-transitions that stem from the process $(\mathrm{CM}_b \mid \mathrm{CS}_1) \setminus \{\mathit{coin}, \mathit{coffee}\}$, and that one of them, namely

$$(\mathrm{CM}_b \mid \mathrm{CS}_1) \setminus \{\mathit{coin}, \mathit{coffee}\} \xrightarrow{\tau} (\mathrm{CM}_b \mid \mathrm{CS}_2) \setminus \{\mathit{coin}, \mathit{coffee}\} ,$$

leads to a deadlocked state. Albeit directly unobservable, this transition cannot be ignored in our analysis of the behaviour of this system because it pre-empts the other possible behaviour of the machine. So, unobservable actions cannot be just erased from the behaviour of processes because, in light of their pre-emptive power in the presence of nondeterministic choices, they may affect what we may observe.

Note that the pre-emptive power of internal transitions is unimportant in the standard theory of automata, as there we are only concerned with the possibility of processing our input strings correctly. Indeed, as you may recall from your courses in the theory of automata, the so-called $\varepsilon$-transitions do not increase the expressive power of nondeterministic finite automata; see, for instance, the textbook (Sipser, 2005, Chapter 1). In a reactive environment, on the other hand, this power of internal transitions must be taken into account in a reasonable definition of process behaviour because it may lead to undesirable consequences, e.g., the deadlock situation in the above example. We therefore expect that the behaviour of the process SmUni is not equivalent to that of the process $(\mathrm{CM}_b \mid \mathrm{CS}) \setminus \{\mathit{coin}, \mathit{coffee}\}$, since the latter may deadlock after outputting a publication, whereas the former cannot.

In order to define a notion of bisimulation that allows us to abstract from internal transitions in process behaviours, and to differentiate the process SmUni from $(\mathrm{CM}_b \mid \mathrm{CS}) \setminus \{\mathit{coin}, \mathit{coffee}\}$, we begin by introducing a new notion of transition relation between processes.

Definition 3.3 Let $P$ and $Q$ be CCS processes, or, more generally, states in an LTS. For each action $\alpha$, we shall write $P \stackrel{\alpha}{\Rightarrow} Q$ iff either

• $\alpha \neq \tau$ and there are processes $P'$ and $Q'$ such that

  $$P \; (\xrightarrow{\tau})^* \; P' \xrightarrow{\alpha} Q' \; (\xrightarrow{\tau})^* \; Q ,$$

• or $\alpha = \tau$ and $P \; (\xrightarrow{\tau})^* \; Q$,

where we write $(\xrightarrow{\tau})^*$ for the reflexive and transitive closure of the relation $\xrightarrow{\tau}$. □

Thus $P \stackrel{\alpha}{\Rightarrow} Q$ holds if $P$ can reach $Q$ by performing an $\alpha$-labelled transition, possibly preceded and followed by sequences of $\tau$-labelled transitions. For example, $a.\tau.0 \stackrel{a}{\Rightarrow} 0$ and $a.\tau.0 \stackrel{a}{\Rightarrow} \tau.0$ both hold, as well as $a.\tau.0 \stackrel{\tau}{\Rightarrow} a.\tau.0$. In fact, we have $P \stackrel{\tau}{\Rightarrow} P$ for each process $P$.

In the LTS depicted in Table 3.1, apart from the obvious one-step $\mathit{pub}$-labelled transition, we have that

$$\mathrm{Start} \stackrel{\mathit{pub}}{\Rightarrow} \mathrm{Good} , \qquad \mathrm{Start} \stackrel{\mathit{pub}}{\Rightarrow} \mathrm{Bad} , \qquad \text{and} \qquad \mathrm{Start} \stackrel{\mathit{pub}}{\Rightarrow} \mathrm{Start} .$$

Our order of business will now be to use the new transition relations presented above to define a notion of bisimulation that can be used to equate processes that offer the same observable behaviour despite possibly having very different amounts of internal computation. The idea underlying the definition of the new notion of bisimulation is that a transition of a process can now be matched by a sequence of transitions from the other that has the same 'observational content' and leads to a state that is bisimilar to that reached by the first process.

Definition 3.4 [Weak bisimulation and observational equivalence] A binary relation $R$ over the set of states of an LTS is a weak bisimulation iff whenever $s_1 \; R \; s_2$ and $\alpha$ is an action (including $\tau$):

- if $s_1 \xrightarrow{\alpha} s'_1$, then there is a transition $s_2 \stackrel{\alpha}{\Rightarrow} s'_2$ such that $s'_1 \; R \; s'_2$;

- if $s_2 \xrightarrow{\alpha} s'_2$, then there is a transition $s_1 \stackrel{\alpha}{\Rightarrow} s'_1$ such that $s'_1 \; R \; s'_2$.

Two states $s$ and $s'$ are observationally equivalent (or weakly bisimilar), written $s \approx s'$, iff there is a weak bisimulation that relates them. Henceforth the relation $\approx$ will be referred to as observational equivalence or weak bisimilarity. □

Example 3.4 Let us consider the following labelled transition system.

$$s \xrightarrow{\tau} s_1 \xrightarrow{a} s_2 \qquad\qquad\qquad t \xrightarrow{a} t_1$$

Obviously $s \not\sim t$. On the other hand $s \approx t$ because the relation

$$R = \{(s, t), (s_1, t), (s_2, t_1)\}$$

is a weak bisimulation such that $(s, t) \in R$. It remains to verify that $R$ is indeed a weak bisimulation.

• Let us examine all possible transitions from the components of the pair $(s, t)$. If $s \xrightarrow{\tau} s_1$ then $t \stackrel{\tau}{\Rightarrow} t$ and $(s_1, t) \in R$. If $t \xrightarrow{a} t_1$ then $s \stackrel{a}{\Rightarrow} s_2$ and $(s_2, t_1) \in R$.

• Let us examine all possible transitions from $(s_1, t)$. If $s_1 \xrightarrow{a} s_2$ then $t \stackrel{a}{\Rightarrow} t_1$ and $(s_2, t_1) \in R$. Similarly, if $t \xrightarrow{a} t_1$ then $s_1 \stackrel{a}{\Rightarrow} s_2$ and again $(s_2,t_1) \in R$.

• Consider now the pair $(s_2, t_1)$. Since neither $s_2$ nor $t_1$ can perform any transition, it is safe to have this pair in $R$.

Hence we have shown that each pair from $R$ satisfies the conditions given in Definition 3.4, which means that $R$ is a weak bisimulation, as claimed. □

We can readily argue that $a.0 \approx a.\tau.0$ by establishing a weak bisimulation that relates these two processes. (Do so by renaming the states in the labelled transition system and in the bisimulation above!) On the other hand, there is no weak bisimulation that relates the process SmUni and the process Start in Table 3.1. In fact, the process SmUni is observationally equivalent to the process

$$\mathrm{Spec} \stackrel{\mathrm{def}}{=} \mathit{pub}.\mathrm{Spec} ,$$

but the process Start is not.

Exercise 3.20 Prove the claims that we have just made. □

Exercise 3.21 Prove that the behavioural equivalences claimed in Exercise 2.11 hold with respect to observational equivalence (weak bisimilarity). □

The definition of weak bisimilarity is so natural, at least to our mind, that it is easy to miss some of its crucial consequences. To highlight some of these, consider the process

$$A? \stackrel{\mathrm{def}}{=} a.0 + \tau.B? \qquad\qquad B? \stackrel{\mathrm{def}}{=} b.0 + \tau.A? .$$

Intuitively, this process describes a 'polling loop' that may be seen as an implementation of a process that is willing to receive on port $a$ and port $b$, and then terminate. Indeed, it is not hard to show that

$$A? \approx B? \approx a.0 + b.0 .$$

(Prove this!) This seems to be non-controversial until we note that $A?$ and $B?$ have a livelock (that is, a possibility of divergence) due to the $\tau$-loop

$$A? \xrightarrow{\tau} B? \xrightarrow{\tau} A? ,$$

but $a.0 + b.0$ does not. The above equivalences capture one of the main features of observational equivalence, namely the fact that it supports what is called 'fair abstraction from divergence'. (See (Baeten, Bergstra and Klop, 1987), where Baeten, Bergstra and Klop show that a proof rule embodying this idea, namely Koomen's fair abstraction rule, is valid with respect to observational equivalence.) This means that observational equivalence assumes that if a process can escape from a loop consisting of internal transitions, then it will eventually do so. This property of observational equivalence, which is by no means obvious from its definition, is crucial in using it as a correctness criterion in the verification of communication protocols,

where the communication media may lose messages, and messages may have to be retransmitted some arbitrary number of times in order to ensure their delivery.

Note moreover that $0$ is observationally equivalent to the process

$$\mathrm{Div} \stackrel{\mathrm{def}}{=} \tau.\mathrm{Div} .$$

This means that a process that can only diverge is observationally equivalent to a deadlocked one. This may also seem odd at first sight. However, you will probably agree that, assuming that we can only observe a process by communicating with it, the systems $0$ and Div are observationally equivalent since both refuse each attempt at communicating with them. (They do so for different reasons, but these reasons cannot be distinguished by an external observer.)

As an example of an application of observational equivalence to the verification of a simple protocol, consider the process Protocol defined by

$$(\mathrm{Send} \mid \mathrm{Med} \mid \mathrm{Rec}) \setminus L \qquad (L = \{\mathit{send}, \mathit{error}, \mathit{trans}, \mathit{ack}\}) \qquad (3.8)$$

consisting of a sender and a receiver that communicate via a potentially faulty medium. The sender, the receiver and the medium are given in Table 3.2. (In that table, we use the port names acc and del as short-hands for 'accept' and 'deliver', respectively.) Note that the potentially faulty behaviour of the medium Med is described abstractly in the defining equation for process $\mathrm{Med}'$ by means of an internal transition to an 'error state'. When it has entered that state, the medium informs the sender process that it has lost a message, and therefore that the message must be retransmitted. The sender will receive this message when in state Wait, and will proceed to retransmit the message.

Table 3.2: The sender, receiver and medium in (3.8)

$$\mathrm{Send} \stackrel{\mathrm{def}}{=} \mathit{acc}.\mathrm{Sending} \qquad\qquad \mathrm{Rec} \stackrel{\mathrm{def}}{=} \mathit{trans}.\mathrm{Del}$$
$$\mathrm{Sending} \stackrel{\mathrm{def}}{=} \mathit{send}.\mathrm{Wait} \qquad\qquad \mathrm{Del} \stackrel{\mathrm{def}}{=} \mathit{del}.\mathrm{Ack}$$
$$\mathrm{Wait} \stackrel{\mathrm{def}}{=} \mathit{ack}.\mathrm{Send} + \mathit{error}.\mathrm{Sending} \qquad\qquad \mathrm{Ack} \stackrel{\mathrm{def}}{=} \mathit{ack}.\mathrm{Rec}$$
$$\mathrm{Med} \stackrel{\mathrm{def}}{=} \mathit{send}.\mathrm{Med}'$$
$$\mathrm{Med}' \stackrel{\mathrm{def}}{=} \tau.\mathrm{Err} + \mathit{trans}.\mathrm{Med}$$
$$\mathrm{Err} \stackrel{\mathrm{def}}{=} \mathit{error}.\mathrm{Med}$$

We expect the protocol to behave like a one-place buffer described thus:

$$\mathrm{ProtocolSpec} \stackrel{\mathrm{def}}{=} \mathit{acc}.\mathit{del}.\mathrm{ProtocolSpec} .$$

Note, however, that the necessity of possibly having to retransmit a message some arbitrary number of times before a successful delivery means that the process describing the protocol has a livelock. (Find it!) However, you should be able to prove that

$$\mathrm{Protocol} \approx \mathrm{ProtocolSpec}$$

by building a suitable weak bisimulation.

Exercise 3.22 Build the aforementioned weak bisimulation. □
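The following Python program is an added example, not code from the book: it mechanises the checks this chapter asks for by computing the largest strong or weak bisimulation of a finite LTS as a greatest fixpoint, which is the content of Theorems 3.1 and 3.3. It verifies Proposition 3.2 for $n = 1, 2, 3$ (strong bisimilarity), the weak transitions of Definition 3.3 on Table 3.1, Example 3.4, the claims about SmUni, Start and Spec, the polling loop $A?$ against $a.0 + b.0$, $\mathrm{Div} \approx 0$, the failure of $a.0 + 0 \approx a.0 + \tau.0$, and the weak bisimulation asked for in Exercise 3.22. Everything not in the text is an assumption of ours: the silent action is spelled `tau`, the state names are ours, SmUni (defined in Chapter 2, not on this page) is modelled as the three-state system in which a `pub` is followed by two internal steps back to the start, the parallel composition of one-place buffers is built by interleaving only (no complementary names occur there, so no $\tau$ synchronisation is possible), and the LTS of Protocol was worked out by hand from Table 3.2 rather than generated by a CCS interpreter.

```python
"""Strong and weak bisimilarity on finite LTSs (added example, not book code).

An LTS is a dict from a state to a set of (action, target) pairs; TAU is the
name chosen here for the silent action.  bisimilarity() is the fixpoint behind
Theorems 3.1 and 3.3: start from all pairs of states and discard pairs that
violate the transfer condition (Definition 3.2 strong, 3.4 weak) until nothing
changes; what survives is the largest bisimulation.
"""
from itertools import product

TAU = "tau"

def states_of(lts):
    return set(lts) | {t for moves in lts.values() for _, t in moves}

def step(lts, s, a):
    """Targets of the strong transitions s --a--> t."""
    return {t for b, t in lts.get(s, ()) if b == a}

def tau_closure(lts, s):
    """States reachable from s by (tau ->)*, s itself included."""
    seen, work = {s}, [s]
    while work:
        for v in step(lts, work.pop(), TAU):
            if v not in seen:
                seen.add(v)
                work.append(v)
    return seen

def weak_step(lts, s, a):
    """Targets of the weak transitions s ==a==> t of Definition 3.3."""
    before = tau_closure(lts, s)
    if a == TAU:                      # ==tau==> is just (tau ->)*
        return before
    return {v for u in before for w in step(lts, u, a) for v in tau_closure(lts, w)}

def bisimilarity(lts, weak=False):
    """Largest strong (weak=False) or weak (weak=True) bisimulation on lts."""
    sts = states_of(lts)
    acts = {a for moves in lts.values() for a, _ in moves}
    answer = weak_step if weak else step        # how the other side may reply
    rel = {(s, t) for s in sts for t in sts}

    def transfer(s, t):  # both clauses of Definition 3.4 (3.2 if answer is step)
        return (all(any((s1, t1) in rel for t1 in answer(lts, t, a))
                    for a in acts for s1 in step(lts, s, a)) and
                all(any((s1, t1) in rel for s1 in answer(lts, s, a))
                    for a in acts for t1 in step(lts, t, a)))

    changed = True
    while changed:
        changed = False
        for pair in list(rel):
            if not transfer(*pair):
                rel.discard(pair)
                changed = True
    return rel

def buffer(n):
    """B^n_i of Section 3.3: capacity n holding i items, as state ("B", n, i)."""
    return {("B", n, i): ({("in", ("B", n, i + 1))} if i < n else set()) |
                         ({("out", ("B", n, i - 1))} if i > 0 else set())
            for i in range(n + 1)}

def interleave(components):
    """P1 | ... | Pk by pure interleaving.  The one-place buffers only offer in
    and out, never a name and its co-name, so no tau synchronisation can arise
    here and the CCS communication rule is deliberately left out."""
    lts = {}
    for combo in product(*[list(states_of(c)) for c in components]):
        lts[combo] = {(a, combo[:k] + (t,) + combo[k + 1:])
                      for k, c in enumerate(components) for a, t in c.get(combo[k], ())}
    return lts

def proposition_3_2(n):
    """B^n_0 ~ B^1_0 | ... | B^1_0 (n copies), checked by brute force."""
    lts = {**buffer(n), **interleave([buffer(1)] * n)}
    return (("B", n, 0), (("B", 1, 0),) * n) in bisimilarity(lts)

# The Section 3.4 examples in one LTS with disjoint state names (names ours).
# SmUni is assumed (from Chapter 2) to be the good machine's system: pub, then
# two internal steps back to the start.  Prot* is (Send | Med | Rec) \ L worked
# out by hand from Table 3.2: Prot1 -tau-> Prot2 -tau-> Prot3 -tau-> Prot1 is
# the lose-and-retransmit livelock, Prot2 -tau-> Prot4 a successful transmission.
WEAK = {
    "s": {(TAU, "s1")}, "s1": {("a", "s2")}, "t": {("a", "t1")},     # Example 3.4
    "Start": {("pub", "Mid")}, "Mid": {(TAU, "Good"), (TAU, "Bad")},  # Table 3.1
    "Good": {(TAU, "Start")}, "Bad": set(), "Spec": {("pub", "Spec")},
    "SmUni": {("pub", "U1")}, "U1": {(TAU, "U2")}, "U2": {(TAU, "SmUni")},
    "A?": {("a", "nil"), (TAU, "B?")}, "B?": {("b", "nil"), (TAU, "A?")},
    "a.0+b.0": {("a", "nil"), ("b", "nil")}, "Div": {(TAU, "Div")}, "nil": set(),
    "a.0+0": {("a", "nil")}, "a.0+tau.0": {("a", "nil"), (TAU, "nil")},
    "Protocol": {("acc", "Prot1")}, "Prot1": {(TAU, "Prot2")},
    "Prot2": {(TAU, "Prot3"), (TAU, "Prot4")}, "Prot3": {(TAU, "Prot1")},
    "Prot4": {("del", "Prot6")}, "Prot6": {(TAU, "Protocol")},
    "ProtocolSpec": {("acc", "PS1")}, "PS1": {("del", "ProtocolSpec")},
}

def bisimilar(s, t, weak=False):
    """Are the WEAK states s and t strongly (or, with weak=True, weakly) bisimilar?"""
    return (s, t) in bisimilarity(WEAK, weak=weak)
```

Calling `proposition_3_2(3)` or `bisimilar("Protocol", "ProtocolSpec", weak=True)` from a Python prompt answers the corresponding question; `bisimilarity()` recomputes the fixpoint on every call, which is fine for systems of this size but is not how a tool such as the Concurrency Workbench does it (those use partition refinement). Note that the same fixpoint, run with `weak=False` on the Section 3.4 examples, reports the livelocking $A?$ and the divergent Div as different from their $\tau$-free partners, which is exactly the fair abstraction from divergence discussed above.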

The following theorem is the counterpart of Theorem 3.1 for weak bisimilarity. It states that $\approx$ is an equivalence relation, and that it is the largest weak bisimulation.

Theorem 3.3 For all LTSs, the relation $\approx$

1. is an equivalence relation,

2. is the largest weak bisimulation, and

3. satisfies the following property: $s_1 \approx s_2$ iff for each action $\alpha$,

   - if $s_1 \xrightarrow{\alpha} s'_1$, then there is a transition $s_2 \stackrel{\alpha}{\Rightarrow} s'_2$ such that $s'_1 \approx s'_2$;

   - if $s_2 \xrightarrow{\alpha} s'_2$, then there is a transition $s_1 \stackrel{\alpha}{\Rightarrow} s'_1$ such that $s'_1 \approx s'_2$.

Proof: The proof follows the lines of that of Theorem 3.1, and is therefore omitted. □

Exercise 3.23 Fill in the details of the proof of the above theorem. □

Exercise 3.24 Show that strong bisimilarity is included in observational equivalence; that is, prove that any two strongly bisimilar states are also weakly bisimilar. □

Exercise 3.25 Consider the following labelled transition system.

[Figure: the labelled transition system of Exercise 3.25, with states $s, s_1, \ldots, s_5$ and $t, t_1, t_2, t_3$ and transitions labelled $\tau$, $a$ and $b$.]

Show that $s \approx t$ by finding a weak bisimulation containing the pair $(s, t)$. □

Exercise 3.26 Show that, for all $P, Q$, the following equivalences, which are usually referred to as Milner's $\tau$-laws, hold:

$$\alpha.\tau.P \approx \alpha.P \qquad (3.9)$$
$$P + \tau.P \approx \tau.P \qquad (3.10)$$
$$\alpha.(P + \tau.Q) \approx \alpha.(P + \tau.Q) + \alpha.Q . \qquad (3.11)$$

Hint: Build appropriate weak bisimulations. □

Exercise 3.27 Show that, for all $P, Q$, if $P \stackrel{\tau}{\Rightarrow} Q$ and $Q \stackrel{\tau}{\Rightarrow} P$, then $P \approx Q$. □

Exercise 3.28 We say that a CCS process is $\tau$-free iff none of the states that it can reach by performing sequences of transitions affords a $\tau$-labelled transition. For example, $a.0$ is $\tau$-free, but $a.(b.0 \mid \bar{b}.0)$ is not.

Prove that no $\tau$-free CCS process is observationally equivalent to $a.0 + \tau.0$. □

Exercise 3.29 Prove that, for each CCS process $P$, the process $P \setminus (\mathit{Act} - \{\tau\})$ is observationally equivalent to $0$. Does this remain true if we consider processes modulo strong bisimilarity? □

Exercise 3.30 (Mandatory) Show that observational equivalence is the largest symmetric relation $R$ satisfying that whenever $s_1 \; R \; s_2$ then for each action $\alpha$ (including $\tau$), if $s_1 \stackrel{\alpha}{\Rightarrow} s'_1$, then there is a transition $s_2 \stackrel{\alpha}{\Rightarrow} s'_2$ such that $s'_1 \; R \; s'_2$.

This means that observational equivalence may be defined like strong bisimilarity, but over a labelled transition system whose transitions are $\stackrel{\alpha}{\Rightarrow}$, with $\alpha$ ranging over the set of actions including $\tau$. □

Exercise 3.31 For each sequence $\sigma$ of observable actions in $L$, and states $s, t$ in an LTS, define the relation $\stackrel{\sigma}{\Rightarrow}$ thus:

• $s \stackrel{\varepsilon}{\Rightarrow} t$ iff $s \stackrel{\tau}{\Rightarrow} t$, and

• $s \stackrel{a\sigma'}{\Rightarrow} t$ iff $s \stackrel{a}{\Rightarrow} s' \stackrel{\sigma'}{\Rightarrow} t$, for some $s'$.

A binary relation $R$ over the set of states of an LTS is a weak string bisimulation iff whenever $s_1 \; R \; s_2$ and $\sigma$ is a (possibly empty) sequence of observable actions in $L$:

- if $s_1 \stackrel{\sigma}{\Rightarrow} s'_1$, then there is a transition $s_2 \stackrel{\sigma}{\Rightarrow} s'_2$ such that $s'_1 \; R \; s'_2$;

- if $s_2 \stackrel{\sigma}{\Rightarrow} s'_2$, then there is a transition $s_1 \stackrel{\sigma}{\Rightarrow} s'_1$ such that $s'_1 \; R \; s'_2$.

Two states $s$ and $s'$ are weakly string bisimilar iff there is a weak string bisimulation that relates them.

Prove that weak string bisimilarity and weak bisimilarity coincide. That is, show that two states $s$ and $s'$ are weakly string bisimilar iff they are weakly bisimilar. □

The notion of observational equivalence that we have just defined seems to meet many of our desiderata. There is, however, one important property that observational equivalence does not enjoy. In fact, unlike strong bisimilarity, observational equivalence is not a congruence. This means that, in general, we cannot substitute observationally equivalent processes one for the other in a process context without affecting the overall behaviour of the system.

To see this, observe that $0$ is observationally equivalent to $\tau.0$. However, it is not hard to see that

$$a.0 + 0 \not\approx a.0 + \tau.0 .$$

In fact, the transition $a.0 + \tau.0 \xrightarrow{\tau} 0$ from the process $a.0 + \tau.0$ can only be matched by $a.0 + 0 \stackrel{\tau}{\Rightarrow} a.0 + 0$, and the processes $0$ and $a.0 + 0$ are not observationally equivalent. However, we still have that weak bisimilarity is a congruence with respect to the remaining CCS operators.

Theorem 3.4 Let $P, Q, R$ be CCS processes. Assume that $P \approx Q$. Then

• $\alpha.P \approx \alpha.Q$, for each action $\alpha$,

• $P \mid R \approx Q \mid R$ and $R \mid P \approx R \mid Q$, for each process $R$,

• $P[f] \approx Q[f]$, for each relabelling $f$, and

• $P \setminus L \approx Q \setminus L$, for each set of labels $L$.

Proof: The proof follows the lines of that of Theorem 3.2, and is left as an exercise for the reader. □

Exercise 3.32 Prove Theorem 3.4. In the proof of the second claim in the theorem, you may find the following fact useful:

$$\text{if } Q \stackrel{a}{\Rightarrow} Q' \text{ and } R \xrightarrow{\bar{a}} R', \text{ then } Q \mid R \stackrel{\tau}{\Rightarrow} Q' \mid R' .$$

Show this fact by induction on the number of $\tau$-steps in the transition $Q \stackrel{a}{\Rightarrow} Q'$. □

Exercise 3.33 Give syntactic restrictions on the syntax of CCS terms so that weak bisimilarity becomes a congruence also with respect to the choice operator. □

In light of Theorem 3.4, observational equivalence is very close to being a congruence over CCS. The characterization and the study of the largest congruence relation included in observational equivalence is a very interesting chapter in process theory. It is, however, one that we will not touch upon in this book. (See, however, Exercise 3.36 for a glimpse of this theory.) The interested reader is referred to (Milner, 1989, Chapter 7) and (Glabbeek, 2005) for an in-depth treatment of this interesting topic.

Exercise 3.34 (Dijkstra's Dining Philosophers Problem) In this exercise, we invite you to use the Edinburgh Concurrency Workbench, a software tool for the analysis of reactive systems specified as CCS processes, to model and analyze the dining philosophers problem proposed by the late Edsger Dijkstra in his classic paper (Dijkstra, 1971).

The problem is usually described as follows. Five philosophers spend their time eating and thinking. Each philosopher usually keeps thinking, but at any point in time he might become hungry and decide that it is time to eat. The research institute where the philosophers work has a round dining table with a large bowl of spaghetti at the centre of the table. There are five plates on the table and five forks set between the plates. Each philosopher needs two forks to eat, which he picks up one at a time. The funding agency sponsoring the institute is only interested in the thinking behaviour of the philosophers, and would like the institute to perform like an ideal think factory, that is, like a system that produces thinking forever.

1. Assume, to begin with, that there are only two philosophers and two forks. Model the philosophers and the forks as CCS processes, assuming that the philosophers and the forks are numbered from 1 to 2, and that the philosophers pick the forks up in increasing order. (When he becomes hungry, the second philosopher begins by picking up the second fork, and then picks up the first.) Argue that the system has a deadlock by finding a state in the resulting labelled transition system that is reachable from the start state, and has no outgoing transitions.

   We encourage you to find a possible deadlock in the system by yourselves, and without using the Workbench.

2. Argue that a model of the system with five philosophers and five forks also exhibits a deadlock.

3. Finally, assume that there are five philosophers and five forks, and that the philosophers pick the forks up in increasing order, apart from the fifth, who picks up the first fork before the fifth. Use the Edinburgh Concurrency Workbench to argue that the resulting system is observationally equivalent to the process ThinkFactory specified by

   $$\mathrm{ThinkFactory} \stackrel{\mathrm{def}}{=} \mathit{think}.\mathrm{ThinkFactory} .$$

Here we are assuming that each philosopher performs action 'think' when he is thinking, and that the funding agency is not interested in knowing which specific philosopher is thinking! □

Exercise 3.35 (For the theoretically minded) A binary relation $R$ over the set of states of an LTS is a branching bisimulation (van Glabbeek and Weijland, 1996) iff it is symmetric, and whenever $s \; R \; t$ and $\alpha$ is an action (including $\tau$):

if $s \xrightarrow{\alpha} s'$, then

- either $\alpha = \tau$ and $s' \; R \; t$,

- or there is a $k \geq 0$ and a sequence of transitions

  $$t = t_0 \xrightarrow{\tau} t_1 \xrightarrow{\tau} t_2 \cdots t_k \xrightarrow{\alpha} t'$$

  such that $s \; R \; t_i$ for each $i \in \{0, \ldots, k\}$, and $s' \; R \; t'$.

Two states $s$ and $t$ are branching bisimulation equivalent (or branching bisimilar) iff there is a branching bisimulation that relates them. The largest branching bisimulation is called branching bisimilarity.

1. Show that branching bisimilarity is contained in weak bisimilarity.

2. Can you find two processes that are weakly bisimilar, but not branching bisimilar?

3. Which of the $\tau$-laws from Exercise 3.26 hold with respect to branching bisimilarity?

Is branching bisimilarity a congruence over the language CCS? □

Exercise 3.36 Define the binary relation $\approx^c$ over the set of states of an LTS as follows: $s_1 \approx^c s_2$ iff for each action $\alpha$ (including $\tau$):

- if $s_1 \xrightarrow{\alpha} s'_1$, then there is a sequence of transitions $s_2 \stackrel{\tau}{\Rightarrow} s''_2 \xrightarrow{\alpha} s'''_2 \stackrel{\tau}{\Rightarrow} s'_2$ such that $s'_1 \approx s'_2$;

- if $s_2 \xrightarrow{\alpha} s'_2$, then there is a sequence of transitions $s_1 \stackrel{\tau}{\Rightarrow} s''_1 \xrightarrow{\alpha} s'''_1 \stackrel{\tau}{\Rightarrow} s'_1$ such that $s'_1 \approx s'_2$.

Prove the following claims.

1. The relation $\approx^c$ is an equivalence relation.

2. The relation $\approx^c$ is preserved by the operators of CCS, that is, show that if $P \approx^c Q$, then

   • $\alpha.P \approx^c \alpha.Q$, for each action $\alpha$;

   • $P + R \approx^c Q + R$ and $R + P \approx^c R + Q$, for each process $R$;

   • $P \mid R \approx^c Q \mid R$ and $R \mid P \approx^c R \mid Q$, for each process $R$;

   • $P[f] \approx^c Q[f]$, for each relabelling $f$; and

   • $P \setminus L \approx^c Q \setminus L$, for each set of labels $L$.

3. Argue that $\approx^c$ is included in weak bisimilarity.

4. Find an example of two weakly bisimilar processes that are not related with respect to $\approx^c$.

Which of the $\tau$-laws from Exercise 3.26 hold with respect to $\approx^c$? □

3.5 Game characterization of bisimilarity

We can naturally ask ourselves the following question:

What techniques do we have to show that two states are not bisimilar?

In order to prove that for two given states $s$ and $t$ it is the case that $s \not\sim t$, we should by Definition 3.2 enumerate all binary relations over the set of states and for each of them show that if it contains the pair $(s, t)$ then it is not a strong bisimulation. For the transition system from Example 3.1 on page 44 this translates into investigating $2^{25}$ different candidates, and in general for a transition system with $n$ states one would have to go through $2^{n^2}$ different binary relations. (Can you see why?) In what follows, we will introduce a game characterization of strong bisimilarity, which will enable us to determine in a much more perspicuous way whether two states are strongly bisimilar or not.

The idea is that there are two players in the bisimulation game, called 'attacker' and 'defender'. The attacker is trying to show that two given states are not bisimilar while the defender aims to show the opposite. The formal definition follows.

Definition 3.5 [Strong Bisimulation Game] Let(Proc, Act, { a→| a ∈ Act}) bea labelled transition system. Astrong bisimulation gamestarting from the pairof states(s1, t1) ∈ Proc × Proc is a two-player game of an‘attacker’ and a‘defender’.

The game is played inrounds, andconfigurationsof the game are pairs of statesfrom Proc × Proc. In every round exactly one configuration is calledcurrent;initially the configuration(s1, t1) is the current one.

In each round the players change the current configuration (s, t) according to the following rules.

1. The attacker chooses either the left- or the right-hand side of the current configuration (s, t) and an action α from Act.

• If the attacker chose left then he has to perform a transition s -α-> s′ for some state s′ ∈ Proc.

• If the attacker chose right then he has to perform a transition t -α-> t′ for some state t′ ∈ Proc.

2. In this step the defender must provide an answer to the attack made in the previous step.

• If the attacker chose left then the defender plays on the right-hand side, and has to respond by making a transition t -α-> t′ for some t′ ∈ Proc.

• If the attacker chose right then the defender plays on the left-hand side and has to respond by making a transition s -α-> s′ for some s′ ∈ Proc.

3. The configuration (s′, t′) becomes the current configuration and the game continues for another round according to the rules described above.

A play of the game is a maximal sequence of configurations formed by the players according to the rules described above, and starting from the initial configuration (s1, t1). (A sequence of configurations is maximal if it cannot be extended while following the rules of the game.) Note that a bisimulation game can have many different plays according to the choices made by the attacker and the defender. The attacker can choose a side, an action and a transition. The defender’s only choice is in selecting one of the available transitions that are labelled with the same action picked by the attacker.

We shall now define when a play is winning for the attacker and when for the defender.


A finite play is lost by the player who is stuck and cannot make a move from the current configuration (s, t) according to the rules of the game. Note that the attacker loses a finite play only if both s ↛ and t ↛, i.e., there is no transition from both the left- and the right-hand side of the configuration. The defender loses a finite play if he has (on his side of the configuration) no available transition under the action selected by the attacker.

It can also be the case that none of the players is stuck in any configuration and the play is infinite. In this situation the defender is the winner of the play. Intuitively, this is a natural choice of outcome because if the play is infinite then the attacker has been unable to find a ‘difference’ in the behaviour of the two systems—which will turn out to be bisimilar.

A given play is always winning either for the attacker or the defender and it cannot be winning for both at the same time.

The following proposition relates strong bisimilarity with the corresponding game characterization (see, e.g., (Stirling, 1995; Thomas, 1993)).

Proposition 3.3 States s1 and t1 of a labelled transition system are strongly bisimilar if and only if the defender has a universal winning strategy in the strong bisimulation game starting from the configuration (s1, t1). The states s1 and t1 are not strongly bisimilar if and only if the attacker has a universal winning strategy.

By universal winning strategy we mean that the player can always win the game, regardless of how the other player is selecting his moves. In case the opponent has more than one choice for how to continue from the current configuration, all these possibilities have to be considered.

The notion of a universal winning strategy is best explained by means of an example.

Example 3.5 Let us recall the transition system from Example 3.1.

[Figure: the labelled transition system with transitions s -a-> s1, s -a-> s2, s1 -b-> s2, s2 -b-> s2, t -a-> t1 and t1 -b-> t1 (reconstructed from the figure and the moves discussed below).]

We will show that the defender has a universal winning strategy from the configuration (s, t) and hence, in light of Proposition 3.3, that s ∼ t. In order to do so, we have to consider all possible attacker’s moves from this configuration and define defender’s response to each of them. The attacker can make three different moves from (s, t).

1. Attacker selects right-hand side, action a and makes the move t -a-> t1.

2. Attacker selects left-hand side, action a and makes the move s -a-> s2.

3. Attacker selects left-hand side, action a and makes the move s -a-> s1.

• Defender’s answer to attack 1. is by playing s -a-> s2. (Even though there are more possibilities it is sufficient to provide only one suitable answer.) The current configuration becomes (s2, t1).

• Defender’s answer to attack 2. is by playing t -a-> t1. The current configuration becomes again (s2, t1).

• Defender’s answer to attack 3. is by playing t -a-> t1. The current configuration becomes (s1, t1).

Now it remains to show that the defender has a universal winning strategy from the configurations (s2, t1) and (s1, t1).

From (s2, t1) it is easy to see that any continuation of the game will always go through the same current configuration (s2, t1) and hence the game will be necessarily infinite. According to the definition of a winning play, the defender is the winner in this case.

From (s1, t1) the attacker has two possible moves. Either s1 -b-> s2 or t1 -b-> t1. In the former case the defender answers by t1 -b-> t1, and in the latter case by s1 -b-> s2. The next configuration is in both cases (s2, t1), and we already know that the defender has a winning strategy from this configuration. Hence we have shown that the defender has a universal winning strategy from the configuration (s, t) and, according to Proposition 3.3, this means that s ∼ t. □

The game characterization of bisimilarity introduced above is simple, yet powerful. It provides an intuitive understanding of this notion. It can be used both to show that two states are strongly bisimilar as well as that they are not. The technique is particularly useful for showing non-bisimilarity of two states. This is demonstrated by the following examples.

Example 3.6 Let us consider the following transition system (we provide only its graphical representation).

[Figure: transitions s -a-> s1, s1 -b-> s2, s1 -c-> s3, t -a-> t1, t -a-> t2, t1 -b-> t3 and t2 -c-> t4 (reconstructed from the figure and the moves discussed below).]

We will show that s ≁ t by describing a universal winning strategy for the attacker in the bisimulation game starting from (s, t). We will in fact show two different strategies (but of course finding one is sufficient for proving non-bisimilarity).

• In the first strategy, the attacker selects the left-hand side, action a and the transition s -a-> s1. Defender can answer by t -a-> t1 or t -a-> t2. This means that we will have to consider two different configurations in the next round, namely (s1, t1) and (s1, t2). From (s1, t1) the attacker wins by playing the transition s1 -c-> s3 on the left-hand side, and the defender cannot answer as there is no c-transition from t1. From (s1, t2) the attacker wins by playing s1 -b-> s2 and the defender has again no answer from t2. As we analyzed all different possibilities for the defender and in every one the attacker wins, we have found a universal winning strategy for the attacker. Hence s and t are not bisimilar.

• Now we provide another strategy, which is easier to describe and involves switching of sides. Starting from (s, t) the attacker plays on the right-hand side according to the transition t -a-> t1 and the defender can only answer by s -a-> s1 on the left-hand side (no more configurations need to be examined as this is the only possibility for the defender). The current configuration hence becomes (s1, t1). In the next round the attacker plays s1 -c-> s3 and wins the game as t1 has no c-transition.

Example 3.7 Let us consider a slightly more complex transition system.

[Figure: transitions s -a-> s1, s -a-> s2, s1 -b-> s3, s2 -b-> s2, t -a-> t1, t1 -b-> t1 and t1 -b-> t2 (reconstructed from the figure and the moves discussed below).]

We will define attacker’s universal winning strategy from (s, t) and hence show that s ≁ t.

In the first round the attacker plays on the left-hand side the move s -a-> s1 and the defender can only answer by t -a-> t1. The current configuration becomes (s1, t1). In the second round the attacker plays on the right-hand side according to the transition t1 -b-> t1 and the defender can only answer by s1 -b-> s3. The current configuration becomes (s3, t1). Now the attacker wins by playing again the transition t1 -b-> t1 (or t1 -b-> t2) and the defender loses because s3 ↛. □
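Proposition 3.3 says that deciding s ∼ t amounts to solving the game, and on a finite LTS the attacker's winning configurations can be computed as a least fixed point: a configuration is winning for the attacker as soon as one of his attacks leaves the defender only with answers into configurations already known to be winning (or with no answer at all). The following Python program is an added example and not code from the book; it solves the game for the transition systems of Examples 3.5, 3.6 and 3.7 (transcribed from their figures) and unfolds the attacker's universal winning strategy in the form used in those examples. The function names are this example's own.

```python
from itertools import product

# Finite labelled transition systems as {state: [(action, successor), ...]}.
# The three LTSs below are transcribed from the figures of Examples 3.5, 3.6 and 3.7.
EXAMPLE_3_5 = {
    "s": [("a", "s1"), ("a", "s2")], "s1": [("b", "s2")], "s2": [("b", "s2")],
    "t": [("a", "t1")], "t1": [("b", "t1")],
}
EXAMPLE_3_6 = {
    "s": [("a", "s1")], "s1": [("b", "s2"), ("c", "s3")], "s2": [], "s3": [],
    "t": [("a", "t1"), ("a", "t2")], "t1": [("b", "t3")], "t2": [("c", "t4")],
    "t3": [], "t4": [],
}
EXAMPLE_3_7 = {
    "s": [("a", "s1"), ("a", "s2")], "s1": [("b", "s3")], "s2": [("b", "s2")], "s3": [],
    "t": [("a", "t1")], "t1": [("b", "t1"), ("b", "t2")], "t2": [],
}


def successors(lts, state, action):
    """States reachable from `state` by one transition labelled `action`."""
    return [nxt for act, nxt in lts.get(state, []) if act == action]


def next_configs(lts, side, act, nxt, s, t):
    """Configurations after the attacker moved to `nxt` on `side` under `act`
    and the defender answered on the other side; empty when the defender is stuck."""
    answers = successors(lts, t if side == "left" else s, act)
    return [(nxt, d) if side == "left" else (d, nxt) for d in answers]


def attacker_wins(lts):
    """Attacker's winning region of the strong bisimulation game, computed as a
    least fixed point: (s, t) is added once some attack has every defender
    answer (vacuously, when there is none) leading into the region found so far.
    Returns {config: (side, action, successor)} recording one winning attack."""
    win = {}
    changed = True
    while changed:
        changed = False
        for s, t in product(lts, lts):
            if (s, t) in win:
                continue
            for side, mover in (("left", s), ("right", t)):
                for act, nxt in lts.get(mover, []):
                    if all(c in win for c in next_configs(lts, side, act, nxt, s, t)):
                        win[(s, t)] = (side, act, nxt)
                        changed = True
                        break
                if (s, t) in win:
                    break
    return win


def strongly_bisimilar(lts, s, t):
    """Proposition 3.3: s ~ t iff the attacker has no universal winning strategy."""
    return (s, t) not in attacker_wins(lts)


def attacker_strategy(lts, s, t):
    """Unfold the winning region into the attacker's universal winning strategy
    from (s, t): for each reachable configuration, the attack to play and the
    configurations that each possible defender answer leads to.  An empty answer
    list means the defender is stuck and loses.  Returns {} when s ~ t."""
    win = attacker_wins(lts)
    strategy, todo = {}, [(s, t)]
    while todo:
        cfg = todo.pop()
        if cfg in strategy or cfg not in win:
            continue
        side, act, nxt = win[cfg]
        answers = next_configs(lts, side, act, nxt, *cfg)
        strategy[cfg] = (side, act, nxt, answers)
        todo.extend(answers)
    return strategy


if __name__ == "__main__":
    print("Example 3.5: s ~ t ?", strongly_bisimilar(EXAMPLE_3_5, "s", "t"))
    for name, lts in (("3.6", EXAMPLE_3_6), ("3.7", EXAMPLE_3_7)):
        print(f"Example {name}: attacker's universal winning strategy from (s, t):")
        for cfg, (side, act, nxt, answers) in attacker_strategy(lts, "s", "t").items():
            print(f"  {cfg}: play {side} {act}-move to {nxt}; defender -> {answers or 'stuck'}")
```

The fixed point is a least one because infinite plays are won by the defender: the attacker must force a stuck defender in finitely many rounds, so only configurations reached by iterating from the stuck ones count. For Example 3.6 the unfolded strategy is the first of the two given in the text (left a-move to s1, then c from (s1, t1) and b from (s1, t2)), and for Example 3.7 it is exactly the three-round play described above.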

Exercise 3.37 Consider the following labelled transition system.

[Figure: four labelled transition systems over the actions a and b, with states s, s1, s2; t, t1, t2; u, u1, u2, u3; and v, v1, v2, v3. The transitions are not recoverable from the extracted text.]

Decide whether s ∼ t, s ∼ u, and s ∼ v. Support your claims by giving a universal winning strategy either for the attacker (in the negative case) or the defender (in the positive case). In the positive case, you should also define a strong bisimulation relating the pair of processes in question. □

Exercise 3.38 (For the theoretically minded) Prove Proposition 3.3 on page 75. Hint: Argue that, using the universal winning strategy for the defender, you can find a strong bisimulation, and conversely that, given a strong bisimulation, you can define a universal winning strategy for the defender. □

Exercise 3.39 (For the theoretically minded) Recall from Exercise 3.17 that a binary relation R over the set of states of an LTS is a simulation iff whenever s1 R s2 and a is an action then

• if s1 -a-> s′1, then there is a transition s2 -a-> s′2 such that s′1 R s′2.

A binary relation R over the set of states of an LTS is a 2-nested simulation iff R is a simulation and moreover R^{-1} ⊆ R.

Two states s and s′ are in simulation preorder (respectively in 2-nested simulation preorder) iff there is a simulation (respectively a 2-nested simulation) that relates them.

Modify the rules of the strong bisimulation game in such a way that it characterizes the simulation preorder and the 2-nested simulation preorder. □

Exercise 3.40 (For the theoretically minded) Can you change the rules of the strong bisimulation game in such a way that it characterizes the ready simulation preorder introduced in Exercise 3.18? □

3.5.1 Weak bisimulation games

We shall now introduce a notion of weak bisimulation game that can be used to characterize weak bisimilarity, as introduced in Definition 3.4. Recall that the main idea is that weak bisimilarity abstracts away from the internal behaviour of systems, which is modelled by the silent action τ, and that to prove that two states in an LTS are weakly bisimilar it suffices only to exhibit a weak bisimulation that relates them.

As was the case for strong bisimilarity, showing that two states are not weakly bisimilar is more difficult and, using directly the definition of weak bisimilarity, means that we have to enumerate all binary relations on states, and verify that none of them is a weak bisimulation and at the same time contains the pair of states that we test for equivalence.

Fortunately, the rules of the strong bisimulation game as defined in the previous section need only be slightly modified in order to achieve a characterization of weak bisimilarity in terms of weak bisimulation games.

Definition 3.6 [Weak Bisimulation Game] A weak bisimulation game is defined in the same way as the strong bisimulation game in Definition 3.5, with the only exception that the defender can answer using the weak transition relation =α=> instead of only -α-> as in the strong bisimulation game. The attacker is still allowed to use only the -α-> moves. □

The definitions of a play and winning strategy are exactly as before and we have a similar proposition as for the strong bisimulation game.

Proposition 3.4 Two states s1 and t1 of a labelled transition system are weakly bisimilar if and only if the defender has a universal winning strategy in the weak bisimulation game starting from the configuration (s1, t1). The states s1 and t1 are not weakly bisimilar if and only if the attacker has a universal winning strategy.


We remind the reader of the fact that, in the weak bisimulation game from the current configuration (s, t), if the attacker chooses a move under the silent action τ (let us say s -τ-> s′) then the defender can (as one possibility) simply answer by doing ‘nothing’, i.e., by idling in the state t (as we always have t =τ=> t). In that case, the current configuration becomes (s′, t).

Again, the notions of play and universal winning strategy in the weak bisimulation game are best explained by means of an example.

Example 3.8 Consider the following transition system.

[Figure: transitions s -a-> s1, s1 -a-> s2, s1 -b-> s3, t -τ-> t1, t1 -a-> t2, t1 -a-> t3, t3 -τ-> t2, t2 -a-> t4 and t3 -b-> t5 (reconstructed from the figure and the moves discussed below).]

We will show that s ≉ t by defining a universal winning strategy for the attacker in the weak bisimulation game from (s, t).

In the first round, the attacker selects the left-hand side and action a, and plays the move s -a-> s1. The defender has three possible moves to answer: (i) t =a=> t2 via t1, (ii) t =a=> t2 via t1 and t3, and (iii) t =a=> t3 via t1. In case (i) and (ii) the current configuration becomes (s1, t2) and in case (iii) it becomes (s1, t3).

From the configuration (s1, t2) the attacker wins by playing s1 -b-> s3, and the defender loses because t2 has no weak b-transition. From the configuration (s1, t3) the attacker plays the τ-move from the right-hand side: t3 -τ-> t2. Defender’s only answer from s1 is s1 =τ=> s1 because no τ actions are enabled from s1. The current configuration becomes (s1, t2) and, as argued above, the attacker has a winning strategy from this pair.

This concludes the proof and shows that s ≉ t because we found a universal winning strategy for the attacker. □

Exercise 3.41 In the weak bisimulation game the attacker is allowed to use -a-> moves for the attacks, and the defender can use =a=> moves in response. Argue that if we modify the rules of the game so that the attacker can also use moves of the form =a=> then this does not provide any additional power for the attacker. Conclude that both versions of the game provide the same answer about bisimilarity/nonbisimilarity of two processes. □


3.6 Further results on equivalence checking

In the following few paragraphs we shall provide an overview of a number of interesting results achieved within concurrency theory in the area of equivalence checking. We shall also provide pointers to selected references in the literature that the interested readers may wish to consult for further independent study.

The first class of systems we consider is the one generated by CCS processes which have finitely many reachable states and finitely many transitions only. Such systems, usually called regular, can simply be viewed as labelled transition systems with a finite set of states and finitely many transitions. For a labelled transition system with n states and m transitions, strong bisimilarity between any two given states is decidable in deterministic polynomial time—more precisely in O(nm) time (Kanellakis and Smolka, 1990). This result by Kanellakis and Smolka was subsequently improved upon by Paige and Tarjan who devised an algorithm that runs in O(m log n) time (Paige and Tarjan, 1987). This is in strong contrast with the complexity of deciding language equivalence, where the problem is known to be PSPACE-complete (Hunt, Rosenkrantz and Szymanski, 1976). By way of further comparison, we recall that deciding strong bisimilarity between finite labelled transition systems is P-complete (Balcazar, Gabarro and Santha, 1992)—this means that it is one of the ‘hardest problems’ in the class P of problems solvable in polynomial time. (P-complete problems are of interest because they appear to lack highly parallel solutions. See, for instance, the book (Greenlaw, Hoover and Ruzzo, 1995).)

We remind the reader that the aforementioned complexity results for finite labelled transition systems are valid if the size of the input problem is measured as the number of states plus the number of transitions in the input labelled transition system. If we assume that the size of the input is the length of the CCS equations that describe a finite transition system, then we face the so called state explosion problem because relatively short CCS definitions can generate exponentially large labelled transition systems. (For example, you should be able to convince yourselves that the labelled transition system associated with the CCS expression

a1.0 | a2.0 | · · · | an.0

has 2^n states.) In this case the strong bisimilarity checking problem becomes EXPTIME-complete (Laroussinie and Schnoebelen, 2000)—this means that it is one of the ‘hardest problems’ in the class EXPTIME of problems solvable in exponential time using deterministic algorithms.

The problem of checking observational equivalence (weak bisimilarity) over finite labelled transition systems can be reduced to that of checking strong bisimilarity using a technique called saturation. Intuitively, saturation amounts to

1. first pre-computing the weak transition relation, and then

2. constructing a new pair of finite processes whose original transitions are replaced with the weak transitions.

The question whether two states are weakly bisimilar now amounts to checking strong bisimilarity over the saturated systems. Since the computation of the weak transition relation can be carried out in polynomial time, the problem of checking for weak bisimilarity can also be decided in polynomial time.
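The saturation reduction just described, applied to the weak bisimulation game of Example 3.8, as an added Python example that is not code from the book: it computes the weak transition relation =α=> by closing over τ-steps (step 1), builds the saturated LTS whose transitions are exactly the weak ones (step 2), and decides strong bisimilarity over it as the greatest fixed point obtained by deleting pairs that violate the transfer conditions of Definition 3.2. The LTS is transcribed from the figure of Example 3.8, with the string "tau" standing for τ; the function names are this example's own.

```python
from itertools import product

# LTS of Example 3.8, transcribed from its figure; "tau" stands for the silent action.
EXAMPLE_3_8 = {
    "s": [("a", "s1")], "s1": [("a", "s2"), ("b", "s3")], "s2": [], "s3": [],
    "t": [("tau", "t1")], "t1": [("a", "t2"), ("a", "t3")], "t2": [("a", "t4")],
    "t3": [("tau", "t2"), ("b", "t5")], "t4": [], "t5": [],
}
TAU = "tau"


def tau_closure(lts, state):
    """States reachable from `state` by zero or more tau-transitions (s ==> s')."""
    seen, stack = {state}, [state]
    while stack:
        for act, nxt in lts.get(stack.pop(), []):
            if act == TAU and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def saturate(lts):
    """Saturation step 1: the weak transition relation,
         s =tau=> s'  iff  s ==> s'                      (idling is always possible)
         s =a=> s'    iff  s ==> s1 -a-> s2 ==> s'       for a != tau.
    Step 2: an LTS over the same states whose transitions are exactly these."""
    weak = {}
    for s in lts:
        moves = set()
        for s1 in tau_closure(lts, s):
            moves.add((TAU, s1))
            for act, s2 in lts.get(s1, []):
                if act != TAU:
                    moves.update((act, s3) for s3 in tau_closure(lts, s2))
        weak[s] = sorted(moves)
    return weak


def largest_bisimulation(lts):
    """Strong bisimilarity as a greatest fixed point: start from Proc x Proc and
    repeatedly delete the pairs that violate the transfer conditions with respect
    to the pairs that remain; what is left is the largest strong bisimulation."""
    rel = set(product(lts, lts))

    def transfers(s, t):
        # every move of s is matched by a move of t into rel, and vice versa
        return all(any((s2, t2) in rel for b, t2 in lts.get(t, []) if b == a)
                   for a, s2 in lts.get(s, [])) \
            and all(any((s2, t2) in rel for b, s2 in lts.get(s, []) if b == a)
                    for a, t2 in lts.get(t, []))

    while True:
        bad = {pair for pair in rel if not transfers(*pair)}
        if not bad:
            return rel
        rel -= bad


def weakly_bisimilar(lts, s, t):
    """s ~~ t iff s ~ t in the saturated system (the reduction described above)."""
    return (s, t) in largest_bisimulation(saturate(lts))


if __name__ == "__main__":
    sat = saturate(EXAMPLE_3_8)
    print("weak a-moves of t:", [x for a, x in sat["t"] if a == "a"])   # t2 and t3
    print("weak moves of t2:", sat["t2"])                               # no b-move
    print("s ~~ t ?", weakly_bisimilar(EXAMPLE_3_8, "s", "t"))
```

The weak a-moves of t are exactly the three defender answers (i) to (iii) of Example 3.8 (the two routes to t2 collapse into one saturated transition), and the saturated t2 has no b-transition, which is why the attacker wins from (s1, t2). Both the τ-closure and the refinement loop run in polynomial time in the size of the LTS, matching the complexity remark above; the refinement is the naive fixed-point iteration rather than the faster partition-refinement algorithms cited in this section.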

This means that both strong and weak bisimilarity can be decided on finite-state transition systems faster than many other equivalences. This story repeats itself also when we consider more general classes of transition systems.

Let us consider a class called BPP for Basic Parallel Processes, first studied by Christensen in his PhD thesis (Christensen, 1993). This is a class of infinite-state transition systems generated by a subclass of CCS expressions containing action prefixing, bounded nondeterminism and a pure parallel composition with neither restriction nor communication. In the case of BPP the difference between equivalence checking with respect to strong bisimilarity and other notions of equivalence is even more striking. It is known that language equivalence (Hirshfeld, 1994) as well as essentially any other notion of equivalence except for bisimilarity is undecidable (Huttel, 1994). On the other hand, a surprising result by Christensen, Hirshfeld and Moller (Christensen, Hirshfeld and Moller, 1993) shows that strong bisimilarity is decidable in general, and Hirshfeld, Jerrum and Moller (Hirshfeld, Jerrum and Moller, 1996b) showed that it is decidable in polynomial time for its subclass containing normed processes only. (A BPP process is normed iff from any of its reachable states it is possible to reach a situation where all actions are disabled.) Recently, the general bisimilarity problem for BPP was shown to be PSPACE-complete (Jancar, 2003; Srba, 2002a).

Should we try to go even further up (with respect to expressive power), we can consider the class of Petri nets (Reisig, 1985), a very well studied model of concurrent computation that strictly includes that of BPP processes. In fact, BPP is a subclass of Petri nets where every transition has exactly one input place. (This is also called the communication-free fragment of Petri nets.) The problem of whether two marked Petri nets are bisimilar, as well as a number of other problems, is undecidable, as shown by Jancar in (Jancar, 1995).

Researchers have also considered a sequential analogue to the BPP class, called BPA for Basic Process Algebra, introduced by Bergstra and Klop (see (Bergstra and Klop, 1982)). Here, instead of the parallel operator we have a full sequential composition operator. (Action prefixing in CCS enables only a limited way to express sequential composition, whereas in BPA one is allowed to write processes like E.F where both E and F can have a rather complicated behaviour.) This class also corresponds to context-free grammars in Greibach normal form where only left-most derivations are allowed. Bar-Hillel, Perles, and Shamir (Bar-Hillel, Perles and Shamir, 1961) showed that language equivalence for languages generated by BPA is undecidable. In fact, most of the studied equivalences (apart from bisimilarity, again!) are undecidable for this class of processes (Huynh and Tian, 1995; Groote and Huttel, 1994). On the other hand, Baeten, Bergstra, and Klop showed that strong bisimilarity is decidable for normed BPA processes (Baeten, Bergstra and Klop, 1993), and there is even a polynomial time algorithm for checking strong bisimilarity over this subclass of BPA processes by Hirshfeld, Jerrum and Moller (Hirshfeld, Jerrum and Moller, 1996a).

Christensen, Huttel, and Stirling proved in (Christensen, Huttel and Stirling, 1995) that strong bisimilarity remains decidable for arbitrary (unnormed) BPA processes, but the precise complexity of the problem has not been determined yet. The problem is known to be PSPACE-hard (Srba, 2002b), yet no worse than doubly-exponential (Burkart, Caucal and Steffen, 1995).

The positive decidability trend is preserved even for a superclass of BPA called PDA for pushdown automata. Even though BPA and PDA coincide with respect to language equivalence (they both generate the class of context-free languages), PDA is strictly more expressive when bisimilarity is considered as the notion of equivalence. Celebrated results by Senizergues (Senizergues, 1998) and Stirling (Stirling, 2000) both show the decidability of bisimulation equivalence over the class of pushdown automata. On the other hand, the problem of checking for weak bisimilarity over PDA is already undecidable (Srba, 2002c).

There are still some open problems left in the theory, mainly concerning the decidability of weak bisimilarity. We refer the reader to an up-to-date overview of the state-of-the-art (Srba, 2004) and to a more thorough introduction to the area available, for instance, in (Burkart, Caucal, Moller and Steffen, 2001; Mayr, 2000).


Chapter 4

Theory of fixed points and bisimulation equivalence

The aim of this chapter is to collect under one roof all the mathematical notions from the theory of partially ordered sets and lattices that are needed to introduce Tarski’s classic fixed point theorem. You might think that this detour into some exotic looking mathematics is unwarranted in this textbook. However, we shall then put these possible doubts of yours to rest by using this fixed point theorem to give an alternative definition of strong bisimulation equivalence. This reformulation of the notion of strong bisimulation equivalence is not just mathematically pleasing, but it also yields an algorithm for computing the largest strong bisimulation over finite labelled transition systems—i.e., labelled transition systems with only finitely many states, actions and transitions. This is an illustrative example of how apparently very abstract mathematical notions turn out to have algorithmic content and, possibly unexpected, applications in Computer Science. As you will see in what follows, we shall also put Tarski’s fixed point theorem to good use in Chapter 6, where the theory developed in this chapter will allow us to understand the meaning of recursively defined properties of reactive systems.

4.1 Posets and complete lattices

We start our technical developments in this chapter by introducing the notion of partially ordered set (also known as poset) and some useful classes of such structures that will find application in what follows. As you will see, you are already familiar with many of the examples of posets that we shall mention in this chapter.

Definition 4.1 [Partially Ordered Sets] A partially ordered set (poset) is a pair (D, ⊑), where D is a set, and ⊑ is a binary relation over D (i.e., a subset of D × D) such that:

• ⊑ is reflexive, i.e., d ⊑ d for all d ∈ D;

• ⊑ is antisymmetric, i.e., d ⊑ e and e ⊑ d imply d = e for all d, e ∈ D;

• ⊑ is transitive, i.e., d ⊑ e ⊑ d′ implies d ⊑ d′ for all d, d′, e ∈ D.

We moreover say that (D, ⊑) is a totally ordered set if, for all d, e ∈ D, either d ⊑ e or e ⊑ d holds. □

Example 4.1 The following are examples of posets.

• (N, ≤), where N denotes the set of natural numbers, and ≤ stands for the standard ordering over N.

• (R, ≤), where R denotes the set of real numbers, and ≤ stands for the standard ordering over R.

• (A*, ≤), where A* is the set of strings over alphabet A, and ≤ denotes the prefix ordering between strings, i.e., for all s, t ∈ A*, s ≤ t iff there exists w ∈ A* such that sw = t. (Check that this is indeed a poset!)

• Let (A, ≤) be a finite totally ordered set. Then (A*, ≺), the set of strings in A* ordered lexicographically, is a poset. Recall that, for all s, t ∈ A*, the relation s ≺ t holds with respect to the lexicographic order if one of the following conditions apply:

1. the length of s is smaller than that of t;

2. s and t have equal length, and either s = ε or there are strings u, v, z ∈ A* and letters a, b ∈ A such that s = uav, t = ubz and a ≤ b.

• Let (D, ⊑) be a poset and S be a set. Then the collection of functions from S to D is a poset when equipped with the ordering relation defined thus:

f ⊑ g iff f(s) ⊑ g(s), for each s ∈ S.

We encourage you to think of other examples of posets you are familiar with. □

Exercise 4.1 Convince yourselves that the structures mentioned in the above example are indeed posets. Which of the above posets is a totally ordered set? □


As witnessed by the list of structures in Example 4.1 and by the many other examples that you have met in your discrete mathematics courses, posets are abundant in mathematics. Another example of a poset that will play an important role in the developments to follow is the structure (2^S, ⊆), where S is a set, 2^S stands for the set of all subsets of S, and ⊆ denotes set inclusion. For instance, the structure (2^Proc, ⊆) is a poset for each set of states Proc in a labelled transition system.

Exercise 4.2 Is the poset (2^S, ⊆) totally ordered? □

Definition 4.2 [Least Upper Bounds and Greatest Lower Bounds] Let (D, ⊑) be a poset, and take X ⊆ D.

• We say that d ∈ D is an upper bound for X iff x ⊑ d for all x ∈ X. We say that d is the least upper bound (lub) of X, notation ⊔X, iff

– d is an upper bound for X and, moreover,

– d ⊑ d′ for every d′ ∈ D which is an upper bound for X.

• We say that d ∈ D is a lower bound for X iff d ⊑ x for all x ∈ X. We say that d is the greatest lower bound (glb) of X, notation ⊓X, iff

– d is a lower bound for X and, moreover,

– d′ ⊑ d for every d′ ∈ D which is a lower bound for X.

In the poset (N, ≤), all finite subsets of N have least upper bounds. Indeed, the least upper bound of such a set is its largest element. On the other hand, no infinite subset of N has an upper bound. All subsets of N have a least element, which is their greatest lower bound.

In (2^S, ⊆), every subset X of 2^S has a lub and a glb given by ⋃X and ⋂X, respectively. For example, consider the poset (2^N, ⊆), consisting of the family of subsets of the set of natural numbers N ordered by inclusion. Take X to be the collection of finite sets of even numbers. Then ⋃X is the set of even numbers and ⋂X is the empty set. (Can you see why?)

Exercise 4.3 (Strongly recommended) Let (D, ⊑) be a poset, and take X ⊆ D. Prove that the lub and the glb of X are unique, if they exist. □

Exercise 4.4

1. Prove that the lub and the glb of a subset X of 2^S are indeed ⋃X and ⋂X, respectively.

2. Give examples of subsets of {a, b}* that have upper bounds in the poset ({a, b}*, ≤). Find examples of subsets that do not have upper bounds in that poset.

As you have seen already, a poset like (2^S, ⊆) has the pleasing property that each of its subsets has both a least upper bound and a greatest lower bound. Posets with this property will play a crucial role in what follows, and we now introduce them formally.

Definition 4.3 [Complete Lattices] A poset (D, ⊑) is a complete lattice iff ⊔X and ⊓X exist for every subset X of D. □

Note that a complete lattice (D, ⊑) has a least element ⊥ = ⊓D, often called bottom, and a top element ⊤ = ⊔D. For example, the bottom element of the poset (2^S, ⊆) is the empty set, and the top element is S. (Why?) By Exercise 4.3, the least and top elements of a complete lattice are unique.

Exercise 4.5 Let (D, ⊑) be a complete lattice. What are ⊔∅ and ⊓∅? Hint: Each element of D is both a lower bound and an upper bound for ∅. Why? □

Example 4.2

• The poset (N, ≤) is not a complete lattice because, as remarked previously, it does not have lub’s for its infinite subsets.

• The poset (N ∪ {∞}, ⊑), obtained by adding a largest element ∞ to (N, ≤), is instead a complete lattice. This complete lattice can be pictured as follows:

∞
⋮
↑
2
↑
1
↑
0

where ≤ is the reflexive and transitive closure of the ↑ relation.

• (2^S, ⊆) is a complete lattice.

Of course, you should convince yourselves of these claims! □


4.2 Tarski’s fixed point theorem

Now that we have some familiarity with posets and complete lattices, we are in a position to state and prove Tarski’s fixed point theorem—Theorem 4.1. As you will see in due course, this apparently very abstract result plays a key role in computer science because it is a general tool that allows us to make sense of recursively defined objects. If you are interested in the uses of the theorem rather than in the reason why it holds, you can safely skip the proof of Theorem 4.1 on first reading. None of the future applications of that result in this textbook depend on its proof, and you should feel free to use it as a ‘black-box’.

In the statement of Tarski’s fixed point theorem, and in the applications tofollow, the collection of monotonic functions will play an important role. We nowproceed to define this type of function for the sake of completeness.

Definition 4.4 [Monotonic Functions and Fixed Points] Let $(D,\sqsubseteq)$ be a poset. A function $f : D \to D$ is monotonic iff $d \sqsubseteq d'$ implies that $f(d) \sqsubseteq f(d')$, for all $d, d' \in D$.

An element $d \in D$ is called a fixed point of $f$ iff $d = f(d)$. $\square$

For example, the function $f : 2^{\mathbb{N}} \to 2^{\mathbb{N}}$ defined, for each $X \subseteq \mathbb{N}$, by

$f(X) = X \cup \{1,2\}$

is monotonic. The set $\{1,2\}$ is a fixed point of $f$ because

$f(\{1,2\}) = \{1,2\} \cup \{1,2\} = \{1,2\}$.

Exercise 4.6 Can you give another example of a fixed point of $f$? Can you characterize all of the fixed points of that function? Argue for your answers. $\square$

Exercise 4.7 Consider the function that is like $f$ above, but maps the set $\{2\}$ to $\{1,2,3\}$. Is such a function monotonic? $\square$

As another example, consider the four-element poset pictured below, with least element $\bot$, largest element $\top$, and two incomparable elements $0$ and $1$ in between (each arrow points from a smaller element to a larger one):

      ⊤
     ↗ ↖
    0   1
     ↖ ↗
      ⊥


The identity function is monotonic, but the function mapping $\bot$ to $0$ and acting like the identity function on all of the other elements is not. (Why?) Note that both of the posets mentioned above are in fact complete lattices.

Intuitively, if we view the partial order relation in a poset $(D,\sqsubseteq)$ as an 'information order', that is, if we view $d \sqsubseteq d'$ as meaning that '$d'$ has at least as much information as $d$', then monotonic functions have the property that providing more information in the input will offer at least as much information as we had before in the output. (Our somewhat imprecise, but hopefully suggestive, slogan during lectures on this topic is that a monotonic function is one with the property that 'the more you get in, the more you get out!')

The following important theorem is due to Tarski (Tarski, 1955), and was also independently proven for the special case of lattices of sets by Knaster (Knaster, 1928).

Theorem 4.1 [Tarski's Fixed Point Theorem] Let $(D,\sqsubseteq)$ be a complete lattice, and let $f : D \to D$ be monotonic. Then $f$ has a largest fixed point $z_{\max}$ and a least fixed point $z_{\min}$ given by

$z_{\max} = \bigsqcup \{x \in D \mid x \sqsubseteq f(x)\}$ and

$z_{\min} = \bigsqcap \{x \in D \mid f(x) \sqsubseteq x\}$.

Proof: First we shall prove that $z_{\max}$ is the largest fixed point of $f$. This involves proving the following two statements:

1. $z_{\max}$ is a fixed point of $f$, i.e., $z_{\max} = f(z_{\max})$, and

2. for every $d \in D$ that is a fixed point of $f$, it holds that $d \sqsubseteq z_{\max}$.

In what follows we prove each of these statements separately. In the rest of the proof we let

$A = \{x \in D \mid x \sqsubseteq f(x)\}$.

1. Since $\sqsubseteq$ is antisymmetric, to prove that $z_{\max}$ is a fixed point of $f$, it is sufficient to show that

$z_{\max} \sqsubseteq f(z_{\max})$ and (4.1)

$f(z_{\max}) \sqsubseteq z_{\max}$. (4.2)

First of all, we shall show that (4.1) holds. By definition, we have that

$z_{\max} = \bigsqcup A$.


Thus, for every $x \in A$, it holds that $x \sqsubseteq z_{\max}$. As $f$ is monotonic, $x \sqsubseteq z_{\max}$ implies that $f(x) \sqsubseteq f(z_{\max})$. It follows that, for every $x \in A$,

$x \sqsubseteq f(x) \sqsubseteq f(z_{\max})$.

Thus $f(z_{\max})$ is an upper bound for the set $A$. By definition, $z_{\max}$ is the least upper bound of $A$. Thus $z_{\max} \sqsubseteq f(z_{\max})$, and we have shown (4.1).

To prove that (4.2) holds, note that, from (4.1) and the monotonicity of $f$, we have that $f(z_{\max}) \sqsubseteq f(f(z_{\max}))$. This implies that $f(z_{\max}) \in A$. Therefore $f(z_{\max}) \sqsubseteq z_{\max}$, as $z_{\max}$ is an upper bound for $A$.

From (4.1) and (4.2), we have that $z_{\max} \sqsubseteq f(z_{\max}) \sqsubseteq z_{\max}$. By antisymmetry, it follows that $z_{\max} = f(z_{\max})$, i.e., $z_{\max}$ is a fixed point of $f$.

2. We now show that $z_{\max}$ is the largest fixed point of $f$. Let $d$ be any fixed point of $f$. Then, in particular, we have that $d \sqsubseteq f(d)$. This implies that $d \in A$ and therefore that $d \sqsubseteq \bigsqcup A = z_{\max}$.

We have thus shown that $z_{\max}$ is the largest fixed point of $f$.

To show that $z_{\min}$ is the least fixed point of $f$, we proceed in a similar fashion by proving the following two statements:

1. $z_{\min}$ is a fixed point of $f$, i.e., $z_{\min} = f(z_{\min})$, and

2. $z_{\min} \sqsubseteq d$, for every $d \in D$ that is a fixed point of $f$.

To prove that $z_{\min}$ is a fixed point of $f$, it is sufficient to show that:

$f(z_{\min}) \sqsubseteq z_{\min}$ and (4.3)

$z_{\min} \sqsubseteq f(z_{\min})$. (4.4)

Claim (4.3) can be shown following the proof for (4.1), and claim (4.4) can be shown following the proof for (4.2). The details are left as an exercise for the reader. Having shown that $z_{\min}$ is a fixed point of $f$, it is a simple matter to prove that it is indeed the least fixed point of $f$. (Do this as an exercise.) $\blacksquare$

Consider, for example, a complete lattice of the form $(2^S,\subseteq)$, where $S$ is a set, and a monotonic function $f : 2^S \to 2^S$. If we instantiate the statement of the above theorem to this setting, the largest and least fixed points for $f$ can be characterized thus:

$z_{\max} = \bigcup \{X \subseteq S \mid X \subseteq f(X)\}$ and

$z_{\min} = \bigcap \{X \subseteq S \mid f(X) \subseteq X\}$.


For instance, the largest fixed point of the function $f : 2^{\mathbb{N}} \to 2^{\mathbb{N}}$ defined by $f(X) = X \cup \{1,2\}$ is

$\bigcup \{X \subseteq \mathbb{N} \mid X \subseteq X \cup \{1,2\}\} = \mathbb{N}$,

since every subset $X$ of $\mathbb{N}$ satisfies $X \subseteq X \cup \{1,2\}$, so the union is taken over all of $2^{\mathbb{N}}$. On the other hand, the least fixed point of $f$ is

$\bigcap \{X \subseteq \mathbb{N} \mid X \cup \{1,2\} \subseteq X\} = \{1,2\}$.

This follows because $X \cup \{1,2\} \subseteq X$ means that $X$ already contains $1$ and $2$, and the smallest set with this property is $\{1,2\}$.

The following important theorem gives a characterization of the largest and least fixed points for monotonic functions over finite complete lattices. We shall see in due course how this result gives an algorithm for computing the fixed points which will find application in equivalence checking and in the developments in Chapter 6.

Definition 4.5 Let $D$ be a set, $d \in D$, and $f : D \to D$. For each natural number $n$, we define $f^n(d)$ as follows:

$f^0(d) = d$ and

$f^{n+1}(d) = f(f^n(d))$.

Theorem 4.2 Let $(D,\sqsubseteq)$ be a finite complete lattice and let $f : D \to D$ be monotonic. Then the least fixed point for $f$ is obtained as

$z_{\min} = f^m(\bot)$,

for some natural number $m$. Furthermore the largest fixed point for $f$ is obtained as

$z_{\max} = f^M(\top)$,

for some natural number $M$.

Proof: We only prove the first statement as the proof for the second one is similar. As $\bot \sqsubseteq f(\bot)$ and $f$ is monotonic, we have the following non-decreasing sequence

$\bot \sqsubseteq f(\bot) \sqsubseteq f^2(\bot) \sqsubseteq \cdots \sqsubseteq f^i(\bot) \sqsubseteq f^{i+1}(\bot) \sqsubseteq \cdots$


of elements of $D$. As $D$ is finite, a non-decreasing sequence can strictly increase only finitely many times, so the sequence must be eventually constant, i.e., there is an $m$ such that $f^k(\bot) = f^m(\bot)$ for all $k \geq m$. In particular,

$f(f^m(\bot)) = f^{m+1}(\bot) = f^m(\bot)$,

which is the same as saying that $f^m(\bot)$ is a fixed point for $f$.

To prove that $f^m(\bot)$ is the least fixed point for $f$, assume that $d$ is another fixed point for $f$. Then we have that $\bot \sqsubseteq d$ and therefore, as $f$ is monotonic, that $\bot \sqsubseteq f(\bot) \sqsubseteq f(d) = d$. By repeating this reasoning $m-1$ more times we get that $f^m(\bot) \sqsubseteq d$. We can therefore conclude that $f^m(\bot)$ is the least fixed point for $f$.

The proof of the statement that characterizes largest fixed points is similar, and left as an exercise for the reader. $\blacksquare$

Exercise 4.8 (For the Theoretically Minded) Fill in the details in the proof of the above theorem. $\square$

Example 4.3 Consider the function $f : 2^{\{0,1\}} \to 2^{\{0,1\}}$ defined by

$f(X) = X \cup \{0\}$.

This function is monotonic, and $2^{\{0,1\}}$ is a complete lattice, when ordered using set inclusion, with the empty set as least element and $\{0,1\}$ as largest element. The above theorem gives an algorithm for computing the least and largest fixed point of $f$. To compute the least fixed point, we begin by applying $f$ to the empty set. The result is $\{0\}$. Since we have added $0$ to the input of $f$, we have not found our least fixed point yet. Therefore we proceed by applying $f$ to $\{0\}$. We have that

$f(\{0\}) = \{0\} \cup \{0\} = \{0\}$.

It follows that, not surprisingly, $\{0\}$ is the least fixed point of the function $f$.

To compute the largest fixed point of $f$, we begin by applying $f$ to the top element in our lattice, namely the set $\{0,1\}$. Observe that

$f(\{0,1\}) = \{0,1\} \cup \{0\} = \{0,1\}$.

Therefore $\{0,1\}$ is the largest fixed point of the function $f$. $\square$
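The two characterizations we now have, the lub/glb formulas of Theorem 4.1 instantiated to $(2^S,\subseteq)$ and the iteration from $\bot$ and $\top$ of Theorem 4.2, can be checked against each other mechanically on a finite lattice. The following Python example is added here and is not part of the book: it enumerates the powerset of a small set $S$ (the names `powerset`, `iterate`, `lfp_tarski` and so on are this example's own), checks monotonicity exhaustively as in Definition 4.4, and runs both constructions on the function of Example 4.3, on $f(X) = X \cup \{1,2\}$ restricted to $S = \{0,1,2,3\}$ so that the lattice is finite, and on a 'successor closure' whose least fixed point takes several rounds to reach.

```python
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, List, Tuple

Subset = FrozenSet[int]
SetFunction = Callable[[Subset], Subset]


def powerset(universe: Iterable[int]) -> List[Subset]:
    """Every element of the complete lattice (2^S, subseteq) for a finite S."""
    elems = sorted(set(universe))
    return [frozenset(c) for r in range(len(elems) + 1)
            for c in combinations(elems, r)]


def is_monotonic(f: SetFunction, universe: Iterable[int]) -> bool:
    """Definition 4.4, checked exhaustively: X <= Y must imply f(X) <= f(Y)."""
    lattice = powerset(universe)
    return all(f(x) <= f(y) for x in lattice for y in lattice if x <= y)


def iterate(f: SetFunction, start: Subset) -> Tuple[Subset, List[Subset]]:
    """Compute f^0(start), f^1(start), ... until two consecutive values agree.

    Returns the fixed point reached and the whole chain. For a monotonic f on a
    finite lattice the chain is monotone, so it must stabilise (Theorem 4.2).
    """
    chain = [frozenset(start)]
    while True:
        nxt = f(chain[-1])
        if nxt == chain[-1]:
            return chain[-1], chain
        chain.append(nxt)


def lfp_iterative(f: SetFunction, universe: Iterable[int]) -> Tuple[Subset, List[Subset]]:
    """z_min = f^m(bottom); in 2^S the bottom element is the empty set."""
    return iterate(f, frozenset())


def gfp_iterative(f: SetFunction, universe: Iterable[int]) -> Tuple[Subset, List[Subset]]:
    """z_max = f^M(top); in 2^S the top element is S itself."""
    return iterate(f, frozenset(universe))


def lfp_tarski(f: SetFunction, universe: Iterable[int]) -> Subset:
    """Theorem 4.1 read off literally: the intersection of all pre-fixed points."""
    pre = [x for x in powerset(universe) if f(x) <= x]   # S itself is always one
    return frozenset(set(universe)).intersection(*pre)


def gfp_tarski(f: SetFunction, universe: Iterable[int]) -> Subset:
    """Theorem 4.1 read off literally: the union of all post-fixed points."""
    post = [x for x in powerset(universe) if x <= f(x)]  # the empty set is always one
    return frozenset().union(*post)


# The function of Example 4.3, on S = {0, 1}.
def f_example_4_3(X: Subset) -> Subset:
    return X | {0}


# f(X) = X u {1, 2} from the text, restricted to S = {0, 1, 2, 3}.
def f_union_1_2(X: Subset) -> Subset:
    return X | {1, 2}


# Complement relative to S = {0, 1, 2, 3}: not monotonic, so neither theorem applies.
def complement(X: Subset) -> Subset:
    return frozenset({0, 1, 2, 3}) - X


# Successor closure on S = {0, 1, 2, 3}: the least fixed point needs four rounds.
def successor_closure(X: Subset) -> Subset:
    return frozenset({0}) | {x + 1 for x in X if x + 1 <= 3}


if __name__ == "__main__":
    S = {0, 1, 2, 3}
    fp, chain = lfp_iterative(successor_closure, S)
    print("least fixed point of successor_closure:", sorted(fp))
    print("chain from bottom:", [sorted(x) for x in chain])
    print("Tarski's glb formula agrees:", lfp_tarski(successor_closure, S) == fp)
    print("complement is monotonic:", is_monotonic(complement, S))
```

Checking `is_monotonic` first is not optional: `iterate` happily runs on a non-monotonic function too, but then nothing guarantees the chain is monotone, that it stops, or that what it stops at is the least or largest fixed point.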

Exercise 4.9 Consider the function $g : 2^{\{0,1,2\}} \to 2^{\{0,1,2\}}$ defined by

$g(X) = (X \cap \{1\}) \cup \{2\}$.

Use Theorem 4.2 to compute the least and largest fixed point of $g$. $\square$


Exercise 4.10 (For the Theoretically Minded) This exercise is for those amongst you that enjoy the mathematics of partially ordered sets. It has no direct bearing on the theory of reactive systems covered in the rest of the textbook.

1. Let $(D,\sqsubseteq)$ be a poset. An $\omega$-chain in $(D,\sqsubseteq)$ is a sequence $d_i$ ($i \geq 0$) of elements of $D$ such that $d_i \sqsubseteq d_{i+1}$ for each $i \geq 0$.

We say that $(D,\sqsubseteq)$ is a complete partial order (cpo) if each $\omega$-chain

$d_0 \sqsubseteq d_1 \sqsubseteq d_2 \sqsubseteq \cdots$

in $(D,\sqsubseteq)$ has a least upper bound (written $\bigsqcup_{i \geq 0} d_i$). A function $f : D \to D$ is continuous (see, for instance, (Nielson and Nielson, 1992, Page 103)) if

$f(\bigsqcup_{i \geq 0} d_i) = \bigsqcup_{i \geq 0} f(d_i)$,

for each $\omega$-chain $d_i$ ($i \geq 0$).

Prove that if $(D,\sqsubseteq)$ is a cpo and $f : D \to D$ is continuous, then the poset

$(\{x \in D \mid f(x) = x\},\sqsubseteq)$,

which consists of the set of fixed points of $f$, is itself a cpo.

2. Give an example of a complete lattice $(D,\sqsubseteq)$ and of a monotonic function $f : D \to D$ such that there are $x, y \in D$ that are fixed points of $f$, but $\bigsqcup\{x,y\}$ is not a fixed point. Hint: Consider the complete lattice $D$ pictured below (arrows point from smaller to larger elements)

      •
      ↑
      •
     ↗ ↖
    •   •
     ↖ ↗
      •

and construct such an $f : D \to D$.

3. Let $(D,\sqsubseteq)$ be a complete lattice, and let $f : D \to D$ be monotonic. Consider a subset $X$ of $\{x \in D \mid x \sqsubseteq f(x)\}$.

(a) Prove that $\bigsqcup X \in \{x \in D \mid x \sqsubseteq f(x)\}$.


(b) Give an example showing that, in general,

$\bigsqcap X \notin \{x \in D \mid x \sqsubseteq f(x)\}$.

Hint: Consider the lattice pictured above, but turned upside down.

4. Let $(D,\sqsubseteq)$ be a complete lattice, and let $f : D \to D$ be monotonic. Consider a subset $X$ of $\{x \in D \mid f(x) \sqsubseteq x\}$.

(a) Prove that $\bigsqcap X \in \{x \in D \mid f(x) \sqsubseteq x\}$.

(b) Give an example showing that, in general, $\bigsqcup X \notin \{x \in D \mid f(x) \sqsubseteq x\}$. Hint: Use your solution to part 2 above.

5. Let $(D,\sqsubseteq)$ be a complete lattice.

(a) Let $D \to_{\mathrm{mon}} D$ be the set of monotonic functions from $D$ to $D$ and $\preceq$ be the relation defined on $D \to_{\mathrm{mon}} D$ by

$f \preceq g$ iff $f(d) \sqsubseteq g(d)$, for each $d \in D$.

Show that $\preceq$ is a partial order on $D \to_{\mathrm{mon}} D$.

(b) Let $\bigvee$ and $\bigwedge$ be defined on $D \to_{\mathrm{mon}} D$ as follows.

• If $\mathcal{F} \subseteq D \to_{\mathrm{mon}} D$ then, for each $d \in D$,

$(\bigvee \mathcal{F})(d) = \bigsqcup \{f(d) \mid f \in \mathcal{F}\}$.

• If $\mathcal{F} \subseteq D \to_{\mathrm{mon}} D$ then, for each $d \in D$,

$(\bigwedge \mathcal{F})(d) = \bigsqcap \{f(d) \mid f \in \mathcal{F}\}$.

Show that $(D \to_{\mathrm{mon}} D, \preceq)$ is a complete lattice with $\bigvee$ and $\bigwedge$ as lub and glb.

We invite those amongst you who would like to learn more about the mathematics of partially ordered sets and lattices to consult the book (Davey and Priestley, 2002) and the collection of notes (Harju, 2006).


4.3 Bisimulation as a fixed point

Now that we have the theory underlying Tarski's fixed point theorem in place, it is high time to put it into practice. We shall first use the theory we have just developed to provide the promised reformulation of bisimulation equivalence, and next we shall show by means of examples how this reformulation leads directly to an algorithm for computing bisimilarity over finite labelled transition systems. The algorithm for computing bisimilarity that stems from the theory of fixed points is not the most efficient one that has been devised; however, it is really pleasing to see how apparently very abstract notions from mathematics turn out to have unexpected applications in computer science.

Throughout this section, we let $(\mathit{Proc}, \mathit{Act}, \{\xrightarrow{a} \mid a \in \mathit{Act}\})$ be a labelled transition system. We recall that a relation $R \subseteq \mathit{Proc} \times \mathit{Proc}$ is a strong bisimulation (see Definition 3.2 on page 43) if the following holds:

If $(p,q) \in R$ then, for every $\alpha \in \mathit{Act}$:

1. $p \xrightarrow{\alpha} p'$ implies $q \xrightarrow{\alpha} q'$ for some $q'$ such that $(p',q') \in R$;

2. $q \xrightarrow{\alpha} q'$ implies $p \xrightarrow{\alpha} p'$ for some $p'$ such that $(p',q') \in R$.

Then strong bisimulation equivalence (or strong bisimilarity) is defined as

$\sim\ = \bigcup \{R \in 2^{(\mathit{Proc} \times \mathit{Proc})} \mid R \text{ is a strong bisimulation}\}$.

In what follows we shall describe the relation $\sim$ as a fixed point of a suitable monotonic function. First we note that $(2^{(\mathit{Proc} \times \mathit{Proc})}, \subseteq)$ (i.e., the set of binary relations over $\mathit{Proc}$ ordered by set inclusion) is a complete lattice with $\bigcup$ and $\bigcap$ as least upper bound and greatest lower bound. (Why? In fact, you should be able to realize readily that we have seen this kind of complete lattice in our previous developments!)

Consider now a binary relation $R$ over $\mathit{Proc}$, that is, an element of the set $2^{(\mathit{Proc} \times \mathit{Proc})}$. We define the set $\mathcal{F}(R)$ as follows:

$(p,q) \in \mathcal{F}(R)$, for all $p, q \in \mathit{Proc}$, if and only if

1. $p \xrightarrow{\alpha} p'$ implies $q \xrightarrow{\alpha} q'$ for some $q'$ such that $(p',q') \in R$;

2. $q \xrightarrow{\alpha} q'$ implies $p \xrightarrow{\alpha} p'$ for some $p'$ such that $(p',q') \in R$.

In other words, $\mathcal{F}(R)$ contains all the pairs of processes from which, in one round of the bisimulation game, the defender can make sure that the players reach a current pair of processes that is already contained in $R$.


You should now convince yourselves that a relation $R$ is a bisimulation if and only if $R \subseteq \mathcal{F}(R)$, and consequently that

$\sim\ = \bigcup \{R \in 2^{(\mathit{Proc} \times \mathit{Proc})} \mid R \subseteq \mathcal{F}(R)\}$.

Take a minute to look at the above equality, and compare it with the characterization of the largest fixed point of a monotonic function given by Tarski's fixed point theorem (Theorem 4.1). That theorem tells us that the largest fixed point of a monotonic function $f$ is the least upper bound of the set of elements $x$ such that $x \sqsubseteq f(x)$; these are called the post-fixed points of the function. In our specific setting, the least upper bound of a subset of $2^{(\mathit{Proc} \times \mathit{Proc})}$ is given by $\bigcup$, and the post-fixed points of $\mathcal{F}$ are precisely the binary relations $R$ over $\mathit{Proc}$ such that $R \subseteq \mathcal{F}(R)$. This means that the definition of $\sim$ matches the one for the largest fixed point for $\mathcal{F}$ perfectly!

We note that if $R, S \in 2^{(\mathit{Proc} \times \mathit{Proc})}$ and $R \subseteq S$ then $\mathcal{F}(R) \subseteq \mathcal{F}(S)$, that is, the function $\mathcal{F}$ is monotonic over $(2^{(\mathit{Proc} \times \mathit{Proc})}, \subseteq)$. (Check this!) Therefore, as all the conditions for Tarski's theorem are satisfied, we can conclude that $\sim$ is indeed the largest fixed point of $\mathcal{F}$. In particular, by Theorem 4.2, if $\mathit{Proc}$ is finite then $\sim$ is equal to $\mathcal{F}^M(\mathit{Proc} \times \mathit{Proc})$ for some integer $M \geq 0$. Note how this gives us an algorithm to calculate $\sim$ for a given finite labelled transition system.

To compute $\sim$, simply evaluate the non-increasing sequence

$\mathcal{F}^0(\mathit{Proc} \times \mathit{Proc}) \supseteq \mathcal{F}^1(\mathit{Proc} \times \mathit{Proc}) \supseteq \mathcal{F}^2(\mathit{Proc} \times \mathit{Proc}) \supseteq \cdots$

until the sequence stabilizes. (Recall that $\mathcal{F}^0(\mathit{Proc} \times \mathit{Proc})$ is just the top element in the complete lattice, namely $\mathit{Proc} \times \mathit{Proc}$.)

Example 4.4 Consider the labelled transition system described by the following defining equations in CCS:

$Q_1 = b.Q_2 + a.Q_3$

$Q_2 = c.Q_4$

$Q_3 = c.Q_4$

$Q_4 = b.Q_2 + a.Q_3 + a.Q_1$.

In this labelled transition system, we have that

$\mathit{Proc} = \{Q_i \mid 1 \leq i \leq 4\}$.

Below, we use $I$ to denote the identity relation over $\mathit{Proc}$, that is,

$I = \{(Q_i, Q_i) \mid 1 \leq i \leq 4\}$.


We calculate the sequence $\mathcal{F}^i(\mathit{Proc} \times \mathit{Proc})$ for $i \geq 1$ thus:

$\mathcal{F}^1(\mathit{Proc} \times \mathit{Proc}) = \{(Q_1,Q_4), (Q_4,Q_1), (Q_2,Q_3), (Q_3,Q_2)\} \cup I$

$\mathcal{F}^2(\mathit{Proc} \times \mathit{Proc}) = \{(Q_2,Q_3), (Q_3,Q_2)\} \cup I$ and finally

$\mathcal{F}^3(\mathit{Proc} \times \mathit{Proc}) = \mathcal{F}^2(\mathit{Proc} \times \mathit{Proc})$.

Therefore, the only distinct processes that are related by the largest strong bisimulation over this labelled transition system are $Q_2$ and $Q_3$, and indeed $Q_2 \sim Q_3$. $\square$
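Here is the iteration of Example 4.4 carried out in code. This Python example is added here and is not the book's own: a labelled transition system is represented as a set of (source, action, target) triples, and the function $\mathcal{F}$ of this section as the function `F`; these representations and names are this example's choices. The check $R \subseteq \mathcal{F}(R)$ doubles as a test of whether a proposed relation is a strong bisimulation at all, which is how one would validate a relation handed over by somebody else rather than trust it.

```python
from typing import FrozenSet, List, Set, Tuple

State = str
LTS = Set[Tuple[State, str, State]]      # (source, action, target) triples
Relation = FrozenSet[Tuple[State, State]]


def successors(lts: LTS, p: State, a: str) -> Set[State]:
    return {q for (s, b, q) in lts if s == p and b == a}


def actions_of(lts: LTS, p: State) -> Set[str]:
    return {a for (s, a, _) in lts if s == p}


def F(R: Relation, lts: LTS, states: Set[State]) -> Relation:
    """One round of the bisimulation game.

    (p, q) is in F(R) iff every alpha-move of p is matched by an alpha-move of q
    into a pair (p', q') in R, and symmetrically for the moves of q.
    """
    def matched(p: State, q: State, flip: bool) -> bool:
        # With flip=True the roles are swapped, so the pair to look up in R is
        # (q1, p1) in local names, i.e. (p', q') in the text's orientation.
        for a in actions_of(lts, p):
            for p1 in successors(lts, p, a):
                if not any(((q1, p1) if flip else (p1, q1)) in R
                           for q1 in successors(lts, q, a)):
                    return False
        return True

    return frozenset((p, q) for p in states for q in states
                     if matched(p, q, False) and matched(q, p, True))


def is_strong_bisimulation(R: Relation, lts: LTS, states: Set[State]) -> bool:
    """R is a strong bisimulation iff it is a post-fixed point of F: R ⊆ F(R)."""
    return R <= F(R, lts, states)


def bisimilarity(lts: LTS, states: Set[State]) -> Tuple[Relation, List[Relation]]:
    """~ as the largest fixed point of F, computed as in Theorem 4.2 by iterating
    F from the top element Proc x Proc until the non-increasing sequence
    F^0 ⊇ F^1 ⊇ ... stabilises. Returns ~ together with the whole chain."""
    chain: List[Relation] = [frozenset((p, q) for p in states for q in states)]
    while True:
        nxt = F(chain[-1], lts, states)
        if nxt == chain[-1]:
            return chain[-1], chain
        chain.append(nxt)


# The CCS definitions of Example 4.4 as a transition system.
EXAMPLE_4_4: LTS = {
    ("Q1", "b", "Q2"), ("Q1", "a", "Q3"),
    ("Q2", "c", "Q4"),
    ("Q3", "c", "Q4"),
    ("Q4", "b", "Q2"), ("Q4", "a", "Q3"), ("Q4", "a", "Q1"),
}
EXAMPLE_4_4_STATES: Set[State] = {"Q1", "Q2", "Q3", "Q4"}
IDENTITY: Relation = frozenset((p, p) for p in EXAMPLE_4_4_STATES)

if __name__ == "__main__":
    bisim, chain = bisimilarity(EXAMPLE_4_4, EXAMPLE_4_4_STATES)
    for i, R in enumerate(chain):
        print(f"F^{i}(Proc x Proc) minus identity:", sorted(R - IDENTITY))
    print("bisimilar pairs:", sorted(bisim - IDENTITY))
```

Each call to `F` inspects every pair of states and every transition, which is what Exercise 4.13 asks you to turn into a worst-case bound; the point of the example is the correspondence with the text, not efficiency.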

Exercise 4.11 Using the iterative algorithm described above, compute the largest strong bisimulation over the labelled transition system described by the following defining equations in CCS:

$P_1 = a.P_2$

$P_2 = a.P_1$

$P_3 = a.P_2 + a.P_4$

$P_4 = a.P_3 + a.P_5$

$P_5 = 0$.

You may find it useful to draw the labelled transition system associated with the above CCS definition first. $\square$

Exercise 4.12 Use the iterative algorithm described above to compute the largest bisimulation over the labelled transition system in Example 3.7. $\square$

Exercise 4.13 What is the worst case complexity of the algorithm outlined above when run on a labelled transition system consisting of $n$ states and $m$ transitions? Express your answer using $O$-notation, and compare it with the complexity of the algorithm due to Paige and Tarjan mentioned in Section 3.6. $\square$

Exercise 4.14 Let $(\mathit{Proc}, \mathit{Act}, \{\xrightarrow{a} \mid a \in \mathit{Act}\})$ be a labelled transition system. For each $i \geq 0$, define the relation $\sim_i$ as follows.

• $s_1 \sim_0 s_2$ holds always.

• $s_1 \sim_{i+1} s_2$ holds iff for each action $\alpha$:

- if $s_1 \xrightarrow{\alpha} s_1'$, then there is a transition $s_2 \xrightarrow{\alpha} s_2'$ such that $s_1' \sim_i s_2'$;

- if $s_2 \xrightarrow{\alpha} s_2'$, then there is a transition $s_1 \xrightarrow{\alpha} s_1'$ such that $s_1' \sim_i s_2'$.


Prove that, for each $i \geq 0$:

1. the relation $\sim_i$ is an equivalence relation,

2. $\sim_{i+1}$ is included in $\sim_i$, and

3. $\sim_i\ = \mathcal{F}^i(\mathit{Proc} \times \mathit{Proc})$. $\square$

Exercise 4.15

1. Give a characterization for observational equivalence as a fixed point for a monotonic function similar to the one we presented above for strong bisimilarity.

2. Use your characterization to compute observational equivalence over the labelled transition system in Example 3.8.

What is the worst case complexity of your algorithm? $\square$


Chapter 5

Hennessy-Milner logic

In the previous chapters we have seen that implementation verification is a natural approach to establishing the correctness of (models of) reactive systems described, for instance, in the language CCS. This is because CCS, like all other process algebras, can be used to describe both actual systems and their specifications. However, when establishing the correctness of our system with respect to a specification using a notion of equivalence like observational equivalence, we are somehow forced to specify the overall behaviour of the system under consideration.

Suppose, for instance, that all we want to know about our system is whether it can perform an $a$-labelled transition 'now'. Phrasing this correctness requirement in terms of observational equivalence seems at best unnatural, and maybe cannot be done at all! (See the paper (Boudol and Larsen, 1992) for an investigation of this issue.)

We can imagine a whole array of similar properties of the behaviour of a process we may be interested in specifying and checking. For instance, we may wish to know whether our computer scientist

• is not willing to drink tea now,

• is willing to drink both coffee and tea now,

• is willing to drink coffee, but not tea, now,

• never drinks alcoholic beverages, or

• always produces a publication after drinking coffee.

No doubt, you will be able to come up with many other examples of similar properties of the computer scientist that we may wish to verify.


All of the aforementioned properties, and many others, seem best checked by exploring the state space of the process under consideration, rather than by transforming them into equivalence checking questions. However, before even thinking of checking whether these properties hold of a process, either manually or automatically, we need to have a language for expressing them. This language must have a formal syntax and semantics, so that it can be understood by a computer, and algorithms to check whether a process affords a property may be devised. Moreover, the use of a language with a well defined and intuitively understandable semantics will also allow us to overcome the imprecision that often accompanies natural language descriptions. For instance, what do we really mean when we say that

our computer scientist is willing to drink both coffee and tea now?

Do we mean that, in its current state, the computer scientist can perform both a coffee-labelled transition and a tea-labelled one? Or do we mean that these transitions should be possible one after the other? And, may these transitions be preceded and/or followed by sequences of internal steps? Whether our computer scientist affords the specified property clearly depends on the answer to the questions above, and the use of a language with a formal semantics will help us understand precisely what is meant. Moreover, giving a formal syntax to our specification language will tell us what properties we can hope to express using it.

The approach to specification and verification of reactive systems that we shall begin exploring in this section is often referred to as 'model checking'. In this approach we usually use different languages for describing actual systems and their specifications. For instance, we may use CCS expressions or the LTSs that they denote to describe actual systems, and some kind of logic to describe specifications. In this section, we shall present a property language that has been introduced in process theory by Hennessy and Milner in (Hennessy and Milner, 1985). This logic is often referred to as Hennessy-Milner logic (or HML for short), and, as we shall see in due course, has a very pleasing connection with the notion of bisimilarity.

Definition 5.1 The set $\mathcal{M}$ of Hennessy-Milner formulae over a set of actions $\mathit{Act}$ is given by the following abstract syntax:

$F, G ::= \mathit{tt} \mid \mathit{ff} \mid F \wedge G \mid F \vee G \mid \langle a \rangle F \mid [a] F$,

where $a \in \mathit{Act}$, and we use $\mathit{tt}$ and $\mathit{ff}$ to denote 'true' and 'false', respectively. If $A = \{a_1, \ldots, a_n\} \subseteq \mathit{Act}$ ($n \geq 0$), we use the abbreviation $\langle A \rangle F$ for the formula $\langle a_1 \rangle F \vee \ldots \vee \langle a_n \rangle F$ and $[A]F$ for the formula $[a_1]F \wedge \ldots \wedge [a_n]F$. (If $A = \emptyset$, then $\langle A \rangle F = \mathit{ff}$ and $[A]F = \mathit{tt}$.) $\square$


We are interested in using the above logic to describe properties of CCS processes, or, more generally, of states in an LTS over the set of actions $\mathit{Act}$. The meaning of a formula in the language $\mathcal{M}$ is given by characterizing the collection of processes that satisfy it. Intuitively, this can be described as follows.

• All processes satisfy $\mathit{tt}$.

• No process satisfies $\mathit{ff}$.

• A process satisfies $F \wedge G$ (respectively, $F \vee G$) iff it satisfies both $F$ and $G$ (respectively, either $F$ or $G$).

• A process satisfies $\langle a \rangle F$ for some $a \in \mathit{Act}$ iff it affords an $a$-labelled transition leading to a state satisfying $F$.

• A process satisfies $[a]F$ for some $a \in \mathit{Act}$ iff all of its $a$-labelled transitions lead to a state satisfying $F$.

So, intuitively, a formula of the form $\langle a \rangle F$ states that it is possible to perform action $a$ and thereby satisfy property $F$, whereas a formula of the form $[a]F$ states that no matter how a process performs action $a$, the state it reaches in doing so will necessarily satisfy the property $F$.

Logics that involve the use of expressions like possibly and necessarily are usually called modal logics, and, in some form or another, have been studied by philosophers throughout history, notably by Aristotle and philosophers in the middle ages. So Hennessy-Milner logic is a modal logic; in fact, a so-called multi-modal logic, since the logic involves modal operators that are parameterized by actions. The semantics of formulae is defined with respect to a given labelled transition system

$(\mathit{Proc}, \mathit{Act}, \{\xrightarrow{a} \mid a \in \mathit{Act}\})$.

We shall use $[\![F]\!]$ to denote the set of processes in $\mathit{Proc}$ that satisfy $F$. This we now proceed to define formally.

Definition 5.2 [Denotational Semantics] We define $[\![F]\!] \subseteq \mathit{Proc}$ for $F \in \mathcal{M}$ by

1. $[\![\mathit{tt}]\!] = \mathit{Proc}$

2. $[\![\mathit{ff}]\!] = \emptyset$

3. $[\![F \wedge G]\!] = [\![F]\!] \cap [\![G]\!]$

4. $[\![F \vee G]\!] = [\![F]\!] \cup [\![G]\!]$

5. $[\![\langle a \rangle F]\!] = \langle\cdot a\cdot\rangle [\![F]\!]$

6. $[\![[a]F]\!] = [\cdot a\cdot] [\![F]\!]$,

where we use the set operators $\langle\cdot a\cdot\rangle, [\cdot a\cdot] : 2^{\mathit{Proc}} \to 2^{\mathit{Proc}}$ defined by

$\langle\cdot a\cdot\rangle S = \{p \in \mathit{Proc} \mid p \xrightarrow{a} p' \text{ and } p' \in S, \text{ for some } p'\}$ and

$[\cdot a\cdot] S = \{p \in \mathit{Proc} \mid p \xrightarrow{a} p' \text{ implies } p' \in S, \text{ for each } p'\}$.


We write $p \models F$ iff $p \in [\![F]\!]$. Two formulae are equivalent if, and only if, they are satisfied by the same processes in every transition system. $\square$

Example 5.1 In order to understand the definition of the set operators $\langle\cdot a\cdot\rangle$, $[\cdot a\cdot]$ introduced above, it is instructive to look at an example. Consider the labelled transition system with states $s, s_1, s_2, t, t_1$ and transitions

$s \xrightarrow{a} s_1$, $s \xrightarrow{a} s_2$, $s_1 \xrightarrow{b} s_2$, $s_2 \xrightarrow{b} s_1$, $t \xrightarrow{a} t_1$ and $t_1 \xrightarrow{b} t_1$.

Then $\langle\cdot a\cdot\rangle\{s_1, t_1\} = \{s, t\}$.

This means that $\langle\cdot a\cdot\rangle\{s_1, t_1\}$ is the collection of states from which it is possible to perform an $a$-labelled transition ending up in either $s_1$ or $t_1$. On the other hand,

$[\cdot a\cdot]\{s_1, t_1\} = \{s_1, s_2, t, t_1\}$.

The idea here is that $[\cdot a\cdot]\{s_1, t_1\}$ consists of the set of all processes that become either $s_1$ or $t_1$ no matter how they perform an $a$-labelled transition. Clearly, $s$ does not have this property because it can perform the transition $s \xrightarrow{a} s_2$, whereas $t$ does because its only $a$-labelled transition ends up in $t_1$. But why are $s_1$, $s_2$ and $t_1$ in $[\cdot a\cdot]\{s_1, t_1\}$? To see this, look at the formal definition of the set

$[\cdot a\cdot]\{s_1, t_1\} = \{p \in \mathit{Proc} \mid p \xrightarrow{a} p' \text{ implies } p' \in \{s_1, t_1\}, \text{ for each } p'\}$.

Since $s_1$, $s_2$ and $t_1$ do not afford $a$-labelled transitions it is vacuously true that all of their $a$-labelled transitions end up in either $s_1$ or $t_1$! This is the reason why those states are in the set $[\cdot a\cdot]\{s_1, t_1\}$.

We shall come back to this important point repeatedly in what follows. $\square$

Exercise 5.1 Consider the labelled transition system in the example above. What are $\langle\cdot b\cdot\rangle\{s_1, t_1\}$ and $[\cdot b\cdot]\{s_1, t_1\}$? $\square$

Let us now re-examine the properties of our computer scientist that we mentioned earlier, and let us see whether we can express them using HML. First of all, note that, for the time being, we have defined the semantics of formulae in $\mathcal{M}$ in terms of the one step transitions $\xrightarrow{a}$. This means, in particular, that we are not considering $\tau$ actions as unobservable. So, if we say that 'a process $P$ can do action $a$ now', then we really mean that the process can perform a transition of the form $P \xrightarrow{a} Q$ for some $Q$.

How can we express, for instance, that our computer scientist is willing to drink coffee now? Well, one way to say so using our logic is to say that the computer scientist has the possibility of doing a coffee-labelled transition. This suggests that we use a formula of the form $\langle \mathit{coffee} \rangle F$ for some formula $F$ that should be satisfied by the state reached by the computer scientist after having drunk her coffee. What should this $F$ be? Since we are not requiring anything of the subsequent behaviour of the computer scientist, it makes sense to set $F = \mathit{tt}$. So, it looks as if we can express our natural language requirement in terms of the formula $\langle \mathit{coffee} \rangle \mathit{tt}$. In fact, since our property language has a formal semantics, we can actually prove that our proposed formula is satisfied exactly by all the processes that have an outgoing coffee-labelled transition. This can be done as follows:

$[\![\langle \mathit{coffee} \rangle \mathit{tt}]\!] = \langle\cdot \mathit{coffee}\cdot\rangle [\![\mathit{tt}]\!] = \langle\cdot \mathit{coffee}\cdot\rangle \mathit{Proc} = \{P \mid P \xrightarrow{\mathit{coffee}} P' \text{ for some } P' \in \mathit{Proc}\} = \{P \mid P \xrightarrow{\mathit{coffee}}\}$.

So the formula we came up with does in fact say what we wanted. Can we express using HML that the computer scientist cannot drink tea now?

Consider the formula $[\mathit{tea}]\mathit{ff}$. Intuitively this formula says that all the states that a process can reach by doing a tea-labelled transition must satisfy the formula $\mathit{ff}$, i.e., false. Since no state has the property 'false', the only way that a process can satisfy the property $[\mathit{tea}]\mathit{ff}$ is that it has no tea-labelled transition. To prove formally that our proposed formula is satisfied exactly by all the processes that have no outgoing tea-labelled transition, we proceed as follows:

$[\![[\mathit{tea}]\mathit{ff}]\!] = [\cdot \mathit{tea}\cdot][\![\mathit{ff}]\!] = [\cdot \mathit{tea}\cdot]\emptyset = \{P \mid P \xrightarrow{\mathit{tea}} P' \text{ implies } P' \in \emptyset, \text{ for each } P'\} = \{P \mid P \not\xrightarrow{\mathit{tea}}\}$.

The last equality above follows from the fact that, for each process $P$,

$P \not\xrightarrow{\mathit{tea}}$ iff ($P \xrightarrow{\mathit{tea}} P'$ implies $P' \in \emptyset$, for each $P'$).


To see that this holds, observe first of all that if $P \xrightarrow{\mathit{tea}} Q$ for some $Q$, then it is not true that $P' \in \emptyset$ for all $P'$ such that $P \xrightarrow{\mathit{tea}} P'$. In fact, $Q$ is a counter-example to the latter statement. So the implication from right to left is true. To establish the implication from left to right, assume that $P \not\xrightarrow{\mathit{tea}}$. Then it is vacuously true that $P' \in \emptyset$ for all $P'$ such that $P \xrightarrow{\mathit{tea}} P'$; indeed, since there is no such $P'$, there is no counter-example to that statement!

To sum up, we can express that a process cannot perform action $a \in \mathit{Act}$ with the formula $[a]\mathit{ff}$.

Suppose now that we want to say that the computer scientist must have a biscuit after drinking coffee. This means that it is possible for the computer scientist to have a biscuit in all the states that she can reach by drinking coffee. This can be expressed by means of the formula

$[\mathit{coffee}]\langle \mathit{biscuit} \rangle \mathit{tt}$.

Exercise 5.2 (Recommended)

1. Use the semantics of the logic to check that the above formula expresses the desired property of the computer scientist.

2. Give formulae that express the following natural language requirements:

• the process is willing to drink both coffee and tea now;

• the process is willing to drink coffee, but not tea, now;

• the process can always drink tea immediately after having drunk two coffees in a row.

3. What do the formulae $\langle a \rangle \mathit{ff}$ and $[a]\mathit{tt}$ express? $\square$

Exercise 5.3 Consider the labelled transition system with states $s, s_1, s_2, s_3, s_4$ and transitions labelled $a$ and $b$ shown in the figure at this point of the book. [Figure: the transition diagram is not reproduced here.]


1. Decide whether the following statements hold:

• $s \models \langle a \rangle \mathit{tt}$?

• $s \models \langle b \rangle \mathit{tt}$?

• $s \models [a]\mathit{ff}$?

• $s \models [b]\mathit{ff}$?

• $s \models [a]\langle b \rangle \mathit{tt}$?

• $s \models \langle a \rangle \langle b \rangle \mathit{tt}$?

• $s \models [a]\langle a \rangle [a][b]\mathit{ff}$?

• $s \models \langle a \rangle (\langle a \rangle \mathit{tt} \wedge \langle b \rangle \mathit{tt})$?

• $s \models [a](\langle a \rangle \mathit{tt} \vee \langle b \rangle \mathit{tt})$?

• $s \models \langle a \rangle ([b][a]\mathit{ff} \wedge \langle b \rangle \mathit{tt})$? and

• $s \models \langle a \rangle ([a](\langle a \rangle \mathit{tt} \wedge [b]\mathit{ff}) \wedge \langle b \rangle \mathit{ff})$?

2. Compute the following sets using the denotational semantics for Hennessy-Milner logic.

• [[[a][b]ff]] = ?

• [[〈a〉(〈a〉tt ∧ 〈b〉tt)]] = ?

• [[[a][a][b]ff]] = ?

• [[[a](〈a〉tt ∨ 〈b〉tt)]] = ?

Exercise 5.4 Consider an everlasting clock whose behaviour is defined thus:

$Clock \stackrel{\mathrm{def}}{=} tick.Clock$ .

Prove that the process Clock satisfies the formula

[tick](〈tick〉tt ∧ [tock]ff) .


Show also that, for each n ≥ 0, the process Clock satisfies the formula

$\underbrace{\langle tick\rangle \cdots \langle tick\rangle}_{n\text{ times}}\; tt$ .

Exercise 5.5 (Mandatory) Find a formula in M that is satisfied by a.b.0 + a.c.0, but not by a.(b.0 + c.0).

Find a formula in M that is satisfied by a.(b.c.0 + b.d.0), but not by a.b.c.0 + a.b.d.0. □

It is sometimes useful to have an alternative characterization of the satisfaction relation |= presented in Definition 5.2. This can be obtained by defining the binary relation |= relating processes to formulae by structural induction on formulae thus:

• P |= tt, for each P,

• P |= ff, for no P,

• P |= F ∧ G iff P |= F and P |= G,

• P |= F ∨ G iff P |= F or P |= G,

• P |= 〈a〉F iff $P \xrightarrow{a} P'$ for some P′ such that P′ |= F, and

• P |= [a]F iff P′ |= F for each P′ such that $P \xrightarrow{a} P'$.

Exercise 5.6 Show that the above definition of the satisfaction relation is equivalent to that given in Definition 5.2. Hint: Use induction on the structure of formulae. □

Exercise 5.7 Find one labelled transition system with initial state s that satisfies all of the following properties:

• 〈a〉(〈b〉〈c〉tt ∧ 〈c〉tt),

• 〈a〉〈b〉([a]ff ∧ [b]ff ∧ [c]ff), and

• [a]〈b〉([c]ff ∧ 〈a〉tt).


Note that logical negation is not one of the constructs in the abstract syntax for M. However, the language M is closed under negation, in the sense that, for each formula F ∈ M, there is a formula F^c ∈ M that is equivalent to the negation of F. This formula F^c is defined inductively on the structure of F as follows:

1. tt^c = ff
2. ff^c = tt
3. (F ∧ G)^c = F^c ∨ G^c
4. (F ∨ G)^c = F^c ∧ G^c
5. (〈a〉F)^c = [a]F^c
6. ([a]F)^c = 〈a〉F^c .

Note, for instance, that

(〈a〉tt)^c = [a]ff and

([a]ff)^c = 〈a〉tt.

Proposition 5.1 Let $(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ be a labelled transition system. Then, for every formula F ∈ M, it holds that [[F^c]] = Proc \ [[F]].

Proof: The proposition can be proven by structural induction on F. The details are left as an exercise to the reader. □

Exercise 5.8

1. Prove Proposition 5.1.

2. Prove, furthermore, that (F^c)^c = F for every formula F ∈ M. Hint: Use structural induction on F.

As a consequence of Proposition 5.1, we have that, for each process P and formula F, exactly one of P |= F and P |= F^c holds. In fact, each process is either contained in [[F]] or in [[F^c]].

In Exercise 5.5 you were asked to come up with formulae that distinguished processes that we know are not strongly bisimilar. As a further example, consider the processes

$A \stackrel{\mathrm{def}}{=} a.A + a.0$ and

$B \stackrel{\mathrm{def}}{=} a.a.B + a.0$ .

These two processes are not strongly bisimilar. In fact, A affords the transition

$A \xrightarrow{a} A$ .


This transition can only be matched by either

$B \xrightarrow{a} 0$

or

$B \xrightarrow{a} a.B$ .

However, neither 0 nor a.B is strongly bisimilar to A, because this process can perform an a-labelled transition and become 0 in doing so. On the other hand,

$a.B \xrightarrow{a} B$

is the only transition that is possible from a.B, and B is not strongly bisimilar to 0.

Based on this analysis, it seems that a property distinguishing the processes A and B is 〈a〉〈a〉[a]ff; that is, the process can perform a sequence of two a-labelled transitions, and in so doing reach a state from which no a-labelled transition is possible. In fact, you should be able to establish that A satisfies this property, but B does not. (Do so!)

Again, faced with two non-bisimilar processes, we have been able to find a formula in the logic M that distinguishes them, in the sense that one process satisfies it, but the other does not. Is this true in general? And what can we say about two processes that satisfy precisely the same formulae in M? Are they guaranteed to be strongly bisimilar?

We shall now present a seminal theorem, due to Hennessy and Milner, that answers both of these questions in one fell swoop by establishing an elegant, and very fruitful, connection between the apparently unrelated notions of strong bisimilarity and the logic M. The theorem applies to a class of processes that we now proceed to define.

Definition 5.3 [Image Finite Process] A process P is image finite iff the collection {P′ | $P \xrightarrow{a} P'$} is finite for each action a.

An LTS is image finite if so is each of its states. □

For example, the process Arep (for 'A replicated') defined thus:

$A_{rep} \stackrel{\mathrm{def}}{=} a.0 \mid A_{rep}$

is not image finite. In fact, you should be able to prove by induction on n that, for each n ≥ 0,

$A_{rep} \xrightarrow{a} \underbrace{a.0 \mid \cdots \mid a.0}_{n\text{ times}} \mid 0 \mid A_{rep}$ .


Another example of a process that is not image finite is

$A^{<\omega} \stackrel{\mathrm{def}}{=} \sum_{i \ge 0} a^i$ , (5.1)

where $a^0 = 0$ and $a^{i+1} = a.a^i$. On the other hand, all of the other processes that we have met so far in this text are image finite.

Theorem 5.1 [Hennessy and Milner (Hennessy and Milner, 1985)] Let

$(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$

be an image finite LTS. Assume that P, Q are states in Proc. Then P ∼ Q iff P and Q satisfy exactly the same formulae in Hennessy-Milner logic.

Proof: We prove the two implications separately.

• Assume that P ∼ Q and P |= F for some formula F ∈ M. Using structural induction on F, we prove that Q |= F. By symmetry, this is enough to establish that P and Q satisfy the same formulae in M.

The proof proceeds by a case analysis on the form of F. We only present the details for the case F = [a]G for some action a and formula G. Our inductive hypothesis is that, for all processes R and S, if R ∼ S and R |= G, then S |= G. Using this hypothesis, we shall prove that Q |= [a]G. To this end, assume that $Q \xrightarrow{a} Q'$ for some Q′. We wish to show that Q′ |= G. Now, since P ∼ Q and $Q \xrightarrow{a} Q'$, there is a process P′ such that $P \xrightarrow{a} P'$ and P′ ∼ Q′. (Why?) By our assumption that P |= [a]G, we have that P′ |= G. The inductive hypothesis yields that Q′ |= G. Therefore each Q′ such that $Q \xrightarrow{a} Q'$ satisfies G, and we may conclude that Q |= [a]G, which was to be shown.

• Assume that P and Q satisfy the same formulae in M. We shall prove that P and Q are strongly bisimilar. To this end, note that it is sufficient to show that the relation

$\mathcal{R} = \{(R, S) \mid R, S \in Proc \text{ satisfy the same formulae in } \mathcal{M}\}$

is a strong bisimulation.

Assume that $R \,\mathcal{R}\, S$ and $R \xrightarrow{a} R'$. We shall now argue that there is a process S′ such that $S \xrightarrow{a} S'$ and $R' \,\mathcal{R}\, S'$. Since $\mathcal{R}$ is symmetric, this suffices to establish that $\mathcal{R}$ is a strong bisimulation.


Assume, towards a contradiction, that there is no S′ such that $S \xrightarrow{a} S'$ and S′ satisfies the same properties as R′. Since S is image finite, the set of processes S can reach by performing an a-labelled transition is finite, say {S_1, ..., S_n} with n ≥ 0. By our assumption, none of the processes in the above set satisfies the same formulae as R′. So, for each i ∈ {1, ..., n}, there is a formula F_i such that

R′ |= F_i and S_i ⊭ F_i .

(Why? Could it not be that R′ ⊭ F_i and S_i |= F_i, for some i ∈ {1, ..., n}?) We are now in a position to construct a formula that is satisfied by R, but not by S, contradicting our assumption that R and S satisfy the same formulae. In fact, the formula

〈a〉(F_1 ∧ F_2 ∧ ··· ∧ F_n)

is satisfied by R, but not by S. The easy verification is left to the reader.

The proof of the theorem is now complete. □

Exercise 5.9 (Mandatory) Fill in the details that we have omitted in the above proof. What is the formula that we have constructed to distinguish R and S in the proof of the implication from right to left if n = 0? □

Remark 5.1 In fact, the implication from left to right in the above theorem holds for arbitrary processes, not just image finite ones. □

The above theorem has many applications in the theory of processes, and in verification technology. For example, a consequence of its statement is that if two image finite processes are not strongly bisimilar, then there is a formula in M that tells us one reason why they are not. Moreover, as the proof of the above theorem suggests, we can always construct this distinguishing formula.

Note, moreover, that the above characterization theorem for strong bisimilarity is very general. For instance, in light of your answer to Exercise 3.30, it also applies to observational equivalence, provided that we interpret HML over the labelled transition system whose set of actions consists of all of the observable actions and of the label τ, and whose transitions are precisely the 'weak transitions' whose labels are either observable actions or τ.
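As an added example that is not part of the book, the following Python script implements the semantics of M from Definition 5.2 (in the inductive form of the alternative characterization above), the dual F^c of Proposition 5.1, the approximations ∼_i of strong bisimilarity from Exercise 5.12, and the distinguishing-formula construction of the proof of Theorem 5.1. It is run on the processes A = a.A + a.0 and B = a.a.B + a.0 discussed above. The tuple encoding of formulae, the state name 'aB' for the process a.B, and the extra process C = a.C + a.0 (a renamed copy of A, so A ∼ C) are conventions of this example, not of the book.

```python
"""Hennessy-Milner logic over a finite LTS (added example, not from the book).
Formulae are tuples: ('tt',), ('ff',), ('and', F, G), ('or', F, G),
('dia', a, F) for <a>F and ('box', a, F) for [a]F."""
TT, FF = ('tt',), ('ff',)

class LTS:
    def __init__(self, transitions, states=()):
        self.trans = set(transitions)          # triples (p, a, q) meaning p -a-> q
        self.states = {p for p, _, _ in self.trans} | {q for _, _, q in self.trans} | set(states)
        self.acts = {a for _, a, _ in self.trans}

    def succ(self, p, a):                      # {p' | p -a-> p'}; finite, so image finite
        return {q for r, b, q in self.trans if r == p and b == a}

    def sem(self, F):
        """[[F]], the set of states satisfying F (Definition 5.2)."""
        op = F[0]
        if op in ('tt', 'ff'):
            return set(self.states) if op == 'tt' else set()
        if op in ('and', 'or'):
            A, B = self.sem(F[1]), self.sem(F[2])
            return A & B if op == 'and' else A | B
        if op not in ('dia', 'box'):
            raise ValueError(op)
        S = self.sem(F[2])                     # <.a.>S: some a-successor in S; [.a.]S: all of them
        ok = (lambda T: bool(T & S)) if op == 'dia' else (lambda T: T <= S)
        return {p for p in self.states if ok(self.succ(p, F[1]))}

    def sat(self, p, F):
        return p in self.sem(F)

def dual(F):
    """F^c, equivalent to the negation of F (Proposition 5.1)."""
    op = F[0]
    if op in ('tt', 'ff'):
        return FF if op == 'tt' else TT
    if op in ('and', 'or'):
        return ('or' if op == 'and' else 'and', dual(F[1]), dual(F[2]))
    return ('box' if op == 'dia' else 'dia', F[1], dual(F[2]))

def depth(F):
    """Modal depth: maximum nesting of <a> and [a] (Exercise 5.13)."""
    if F[0] in ('tt', 'ff'):
        return 0
    if F[0] in ('and', 'or'):
        return max(depth(F[1]), depth(F[2]))
    return 1 + depth(F[2])

def conj(fs):
    """F_1 ∧ ... ∧ F_n; the empty conjunction (n = 0, Exercise 5.9) is tt."""
    F = TT
    for G in fs:
        F = G if F == TT else ('and', F, G)
    return F

def strata(lts):
    """~_0 ⊇ ~_1 ⊇ ... (Exercise 5.12): ~_0 relates all states, and p ~_{i+1} q iff
    every move of either side is answered by the other within ~_i.  On a finite
    LTS the sequence stabilises; the last layer returned is ~ itself."""
    R = {(p, q) for p in lts.states for q in lts.states}
    layers = [R]
    while True:
        def matched(p, q, R=R):                # every a-move of p answered by q within R
            return all(any((p2, q2) in R for q2 in lts.succ(q, a))
                       for a in lts.acts for p2 in lts.succ(p, a))
        R2 = {(p, q) for p, q in R if matched(p, q) and matched(q, p)}
        if R2 == R:
            return layers
        layers.append(R2)
        R = R2

def distinguish(lts, p, q, layers=None):
    """A formula F with p |= F and q |/= F, or None if p ~ q, built as in the proof
    of Theorem 5.1: take the least i with p !~_i q, pick a move that the other side
    cannot answer within ~_{i-1}, and recurse on the finitely many answers."""
    layers = layers or strata(lts)
    if (p, q) in layers[-1]:
        return None
    i = next(k for k, R in enumerate(layers) if (p, q) not in R)
    prev = layers[i - 1]
    for a in lts.acts:
        for p2 in lts.succ(p, a):                  # p -a-> p2 that q cannot answer
            qs = lts.succ(q, a)
            if all((p2, q2) not in prev for q2 in qs):
                return ('dia', a, conj([distinguish(lts, p2, q2, layers) for q2 in qs]))
        for q2 in lts.succ(q, a):                  # q -a-> q2 that p cannot answer
            ps = lts.succ(p, a)
            if all((p2, q2) not in prev for p2 in ps):
                G = ('dia', a, conj([distinguish(lts, q2, p2, layers) for p2 in ps]))
                return dual(G)                     # q |= G and p |/= G, so p |= G^c
    raise AssertionError('(p, q) cannot leave ~_%d without an unanswered move' % i)

def example_lts():
    """A = a.A + a.0 and B = a.a.B + a.0 from the text, plus C = a.C + a.0, a renamed
    copy of A; the state 'aB' stands for the process a.B (constructed example)."""
    return LTS([('A', 'a', 'A'), ('A', 'a', '0'), ('B', 'a', 'aB'), ('B', 'a', '0'),
                ('aB', 'a', 'B'), ('C', 'a', 'C'), ('C', 'a', '0')])

if __name__ == '__main__':
    lts = example_lts()
    book = ('dia', 'a', ('dia', 'a', ('box', 'a', FF)))   # <a><a>[a]ff from the text
    print('<a><a>[a]ff  A:', lts.sat('A', book), ' B:', lts.sat('B', book))
    F = distinguish(lts, 'A', 'B')
    print('A vs B:', F, ' A:', lts.sat('A', F), ' B:', lts.sat('B', F))
    print('A vs C:', distinguish(lts, 'A', 'C'))
```

Running the script reports the truth values of the book's formula 〈a〉〈a〉[a]ff at A and B, the formula the construction produces for the pair (A, B) (a conjunction under a single 〈a〉, of modal depth 3 like the book's), and None for the bisimilar pair (A, C). The least i with p ≁_i q strictly decreases along the recursion, which is why the construction terminates, and the conjunction over the a-successors is finite only because the LTS is image finite; for n = 0 it collapses to 〈a〉tt, the answer to Exercise 5.9.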

Exercise 5.10 Consider the following labelled transition system.


[Diagram: three labelled transition systems with initial states s, t and v (further states s1, s2; t1, t2; v1, v2, v3) and transitions labelled a and b; the drawing itself did not survive extraction.]

Argue that s ≁ t, s ≁ v and t ≁ v. Next, find a distinguishing formula of Hennessy-Milner logic for the pairs

• s and t,

• s and v, and

• t and v.

Verify your claims in the Edinburgh Concurrency Workbench (use the strongeq and checkprop commands) and check whether you found the shortest distinguishing formula (use the dfstrong command). □

Exercise 5.11 For each of the following CCS expressions decide whether they are strongly bisimilar and, if they are not, find a distinguishing formula in Hennessy-Milner logic.

• b.a.0 + b.0 and b.(a.0 + b.0),

• a.(b.c.0 + b.d.0) and a.b.c.0 + a.b.d.0,

• a.0 | b.0 and a.b.0 + b.a.0, and

• (a.0 | b.0) + c.a.0 and a.0 | (b.0 + c.0).

Verify your claims in the Edinburgh Concurrency Workbench (use the strongeq and checkprop commands) and check whether you found the shortest distinguishing formula (use the dfstrong command). □

Exercise 5.12 (For the Theoretically Minded) Let $(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ be image-finite. Show that

$\sim \;=\; \bigcap_{i \ge 0} \sim_i$ ,


where ∼_i (i ≥ 0) is the sequence of equivalence relations defined in Exercise 4.14. □

Exercise 5.13 (For the Theoretically Minded) Consider the process A^ω defined as follows:

$A^{\omega} \stackrel{\mathrm{def}}{=} a.A^{\omega}$ .

Show that the processes A^{<ω} and A^ω + A^{<ω}, where A^{<ω} was defined in equation (5.1) on page 111,

1. are not strongly bisimilar, but

2. satisfy the same properties in M.

Conclude that Theorem 5.1 does not hold for processes that are not image finite. Hint: To prove that the two processes satisfy the same formulae in M, use structural induction on formulae. You will find it useful to first establish the following statement:

A^ω satisfies a formula F ∈ M iff so does a^i, where i is the modal depth of F.

The modal depth of a formula is the maximum nesting of the modal operators in it. □


Chapter 6

Hennessy-Milner logic with recursive definitions

An HML formula can only describe a finite part of the overall behaviour of a process. In fact, as each modal operator allows us to explore the effect of taking one step in the behaviour of a process, using a single HML formula we can only describe properties of a fixed finite fragment of the computations of a process. As those of you who solved Exercise 5.13 already discovered, how much of the behaviour of a process we can explore using a single formula is entirely determined by its so-called modal depth, i.e., by the maximum nesting of modal operators in it. For example, the formula [a]〈a〉ff ∨ 〈b〉tt has modal depth 2, and checking whether a process satisfies it or not involves only an analysis of its sequences of transitions whose length is at most 2. (We will return to this issue in Section 6.6, where a formal definition of the modal depth of a formula will be given.)

However, we often wish to describe properties that describe states of affairs that may or must occur in arbitrarily long computations of a process. If we want to express properties such as, for example, that a process is always able to perform a given action, we have to extend the logic. As the following example indicates, one way of doing so is to allow for infinite conjunctions and disjunctions in our property language.

Example 6.1 Consider the processes p and q in Figure 6.1. It is not hard to come up with an HML formula that p satisfies and q does not. In fact, after performing an a-action, p will always be able to perform another one, whereas q may fail to do so. This can be captured formally in HML as follows:

p |= [a]〈a〉tt but

q ⊭ [a]〈a〉tt.


Figure 6.1: Two processes. [The drawing of p, q and r did not survive extraction; the text below describes their a-transitions.]

Since a difference in the behaviour of the two processes can already be found by examining their behaviour after two transitions, a formula that distinguishes them is 'small'.

Assume, however, that we modify the labelled transition system for q by adding a sequence of transitions to r thus:

$r = r_0 \xrightarrow{a} r_1 \xrightarrow{a} r_2 \xrightarrow{a} r_3 \cdots r_{n-1} \xrightarrow{a} r_n \quad (n \ge 0).$

No matter how we choose a non-negative integer n, there is an HML formula that distinguishes the processes p and q. In fact, we have that

p |= [a]^{n+1}〈a〉tt but

q ⊭ [a]^{n+1}〈a〉tt ,

where [a]^{n+1} stands for a sequence of modal operators [a] of length n+1. However, no formula in HML would work for all values of n. (Prove this claim!) This is unsatisfactory as there appears to be a general reason why the behaviours of p and q are different. Indeed, the process p in Figure 6.1 can always (i.e., at any point in each of its computations) perform an a-action; that is, 〈a〉tt is always true. Let us call this invariance property Inv(〈a〉tt). We could describe it in an extension of HML as an infinite conjunction thus:

$Inv(\langle a\rangle tt) = \langle a\rangle tt \wedge [a]\langle a\rangle tt \wedge [a][a]\langle a\rangle tt \wedge \cdots = \bigwedge_{i=0}^{\infty} [a]^i \langle a\rangle tt .$

This formula can be read as follows:

In order for a process to be always able to perform an a-action, this action should be possible now (as expressed by the conjunct 〈a〉tt), and, for each positive integer i, it should be possible in each state that the process can reach by performing a sequence of i actions (as expressed by the conjunct [a]^i〈a〉tt because a is the only action in our example labelled transition system).

On the other hand, the process q has the option of terminating at any time by performing the a-labelled transition leading to process r, or equivalently it is possible from q to satisfy [a]ff. Let us call this property Pos([a]ff). We can express it in an extension of HML as the following infinite disjunction:

$Pos([a]ff) = [a]ff \vee \langle a\rangle [a]ff \vee \langle a\rangle\langle a\rangle [a]ff \vee \cdots = \bigvee_{i=0}^{\infty} \langle a\rangle^i [a]ff ,$

where 〈a〉^i stands for a sequence of modal operators 〈a〉 of length i. This formula can be read as follows:

In order for a process to have the possibility of refusing an a-action at some point, this action should either be refused now (as expressed by the disjunct [a]ff), or, for some positive integer i, it should be possible to reach a state in which an a can be refused by performing a sequence of i actions (as expressed by the disjunct 〈a〉^i[a]ff because a is the only action in our example labelled transition system).

Even if it is theoretically possible to extend HML with infinite conjunctions and disjunctions, infinite formulae are not particularly easy to handle (for instance they are infinitely long, and we would have a hard time using them as inputs for an algorithm). What do we do instead? The answer is in fact both simple and natural for a computer scientist; let us introduce recursion into our logic. Assuming for the moment that a is the only action, we can then express Inv(〈a〉tt) by means of the following recursive equation:

X ≡ 〈a〉tt ∧ [a]X , (6.1)

where we write F ≡ G if and only if the formulae F and G are satisfied by exactly the same processes, i.e., if [[F]] = [[G]]. The above recursive equation captures the intuition that a process that can invariantly perform an a-labelled transition (that is, one that can perform an a-labelled transition in all of its reachable states) can certainly perform one now, and, moreover, each state that it reaches via one such transition can invariantly perform an a-labelled transition. This looks deceptively easy and natural. However, the mere fact of writing down an equation like (6.1) does not mean that this equation makes sense! Indeed, equations may be seen as implicitly defining the set of their solutions, and we are all familiar with equations that have no solutions at all. For instance, the equation

x = x + 1 (6.2)

has no solution over the set of natural numbers, and there is no X ⊆ ℕ such that

X = ℕ \ X . (6.3)

On the other hand, there are uncountably many X ⊆ ℕ such that

X = {2} ∪ X , (6.4)

namely all of the sets that contain the number 2. There are also equations that have a finite number of solutions, but not a unique one. As an example, consider the equation

X = {10} ∪ {n − 1 | n ∈ X, n ≠ 0} . (6.5)

The only finite set that is a solution of this equation is the set {0, 1, ..., 10}, and the only infinite solution is ℕ itself.

Exercise 6.1 Check the claims that we have just made. □

Exercise 6.2 Reconsider equations (6.2)–(6.5).

1. Why doesn't Tarski's fixed point theorem apply to yield a solution to the first two of these equations?

2. Consider the structure introduced in the second bullet of Example 4.2. For each d ∈ ℕ ∪ {∞}, define

∞ + d = d + ∞ = ∞ .

Does equation (6.2) have a solution in the resulting structure? How many solutions does that equation have?

3. Use Tarski's fixed point theorem to find the largest and least solutions of (6.5).

Since an equation like (6.1) is meant to describe a formula, it is therefore natural to ask ourselves the following questions:

• Does (6.1) have a solution? And what precisely do we mean by that?

• If (6.1) has more than one solution, which one do we choose?

• How can we compute whether a process satisfies the formula described by (6.1)?

Precise answers to these questions will be given in the remainder of this chapter. However, to motivate our subsequent technical developments, it is appropriate here to discuss briefly the first two questions above.

Recall that the meaning of a formula (with respect to a labelled transition system) is the set of processes that satisfy it. Therefore, it is natural to expect that a set S of processes that satisfy the formula described by equation (6.1) should be such that:

S = 〈·a·〉Proc ∩ [·a·]S .

It is clear that S = ∅ is a solution to the equation (as no process can satisfy both 〈a〉tt and [a]ff). But the process p in Figure 6.1 can perform an a-transition invariantly and p ∉ ∅, so this cannot be the solution we are looking for. Actually it turns out that it is the largest solution we need here, namely S = {p}. The set S = ∅ is the least solution.

In other cases it is the least solution we are interested in. For instance, we can express Pos([a]ff) by the following equation:

Y ≡ [a]ff ∨ 〈a〉Y .

Here the largest solution is Y = {p, q, r} but, as the process p in Figure 6.1 cannot terminate at all, this is clearly not the solution we are interested in. The least solution over the labelled transition system in Figure 6.1 is Y = {q, r} and is exactly the set of processes in that labelled transition system that intuitively satisfy Pos([a]ff).

When we write down a recursively defined property, we can indicate whether we desire the least or the largest solution by adding this information to the equality sign. For Inv(〈a〉tt) we want the largest solution, and in this case we write

$X \stackrel{\max}{=} \langle a\rangle tt \wedge [a]X$ .

For Pos([a]ff) we will write

$Y \stackrel{\min}{=} [a]ff \vee \langle a\rangle Y$ .

More generally we can express that the formula F holds for each reachable state in a labelled transition system having set of actions Act (written Inv(F), and read 'invariantly F') by means of the equation

$X \stackrel{\max}{=} F \wedge [Act]X$

and that F possibly holds at some point (written Pos(F)) by

$Y \stackrel{\min}{=} F \vee \langle Act\rangle Y$ .

Intuitively, we use largest solutions for those properties that hold of a process unless it has a finite computation that disproves the property. For instance, process q does not have property Inv(〈a〉tt) because it can reach a state in which no a-labelled transition is possible. Conversely, we use least solutions for those properties that hold of a process if it has a finite computation sequence which 'witnesses' the property. For instance, a process has property Pos(〈a〉tt) if it has a computation leading to a state that can perform an a-labelled transition. This computation is a witness for the fact that the process can perform an a-labelled transition at some point in its behaviour.

We shall appeal to the intuition given above in the following section, where we present examples of recursively defined properties.

Exercise 6.3 Give a formula, built using HML and the temporal operators Pos and/or Inv, that expresses a property satisfied by exactly one of the processes in Exercise 5.13. □

6.1 Examples of recursive properties

Adding recursive definitions to Hennessy-Milner logic gives us a very powerful language for specifying properties of processes. In particular this extension allows us to express different kinds of 'safety' and 'liveness' properties. Before developing the theory of HML with recursion, we give some more examples of its uses.

Consider the formula Safe(F) that is satisfied by a process p whenever it has a complete transition sequence

$p = p_0 \xrightarrow{a_1} p_1 \xrightarrow{a_2} p_2 \cdots ,$

where each of the processes p_i satisfies F. (A transition sequence is complete if it is infinite or its last state affords no transition.) This invariance of F under some computation can be expressed in the following way:

$X \stackrel{\max}{=} F \wedge ([Act]ff \vee \langle Act\rangle X)$ .


It turns out to be the largest solution that is of interest here, as we will argue formally later.

Intuitively, the recursively defined formula above states that a process p has a complete transition sequence all of whose states satisfy the formula F if, and only if,

• p itself satisfies F, and

• either p has no outgoing transition (in which case p will satisfy the formula [Act]ff) or p has a transition leading to a state that has a complete transition sequence all of whose states satisfy the formula F.

A process p satisfies the property Even(F), read 'eventually F', if each of its complete transition sequences will contain at least one state that has the property F. This means that either p satisfies F, or p can perform some transition and every state that it can reach by performing a transition can itself eventually reach a state that has property F. This can be expressed by means of the following equation:

$Y \stackrel{\min}{=} F \vee (\langle Act\rangle tt \wedge [Act]Y)$ .

In this case we are interested in the least solution because Even(F) should only be satisfied by those processes that reach a state satisfying F after a finite number of transitions along each of their complete transition sequences.

Note that the definitions of Safe(F) and Even(F), respectively Inv(F) and Pos(F), are mutually dual, i.e., they can be obtained from one another by replacing ∨ by ∧, [A] by 〈A〉 and $\stackrel{\min}{=}$ by $\stackrel{\max}{=}$. One can show that ¬Inv(F) ≡ Pos(¬F) and ¬Safe(F) ≡ Even(¬F), where we write ¬ for logical negation.

It is also possible to express that F should be satisfied in each transition sequence until G becomes true. There are two well known variants of this construction:

• F U_s G, the so-called strong until, that says that sooner or later p reaches a state where G is true and in all the states it reaches before this happens F must hold;

• F U_w G, the so-called weak until, that says that F must hold in all states p reaches until it gets into a state where G holds (but maybe this will never happen!).

We express these operators as follows:


$F\,U_s\,G \stackrel{\min}{=} G \vee (F \wedge \langle Act\rangle tt \wedge [Act](F\,U_s\,G))$ , and

$F\,U_w\,G \stackrel{\max}{=} G \vee (F \wedge [Act](F\,U_w\,G))$ .

It should be clear that, as the names indicate, strong until is a stronger condition than weak until. We can use the 'until' operators to express Even(F) and Inv(F). Thus Even(G) ≡ tt U_s G and Inv(F) ≡ F U_w ff.

Properties like 'some time in the future' and 'until' are examples of what we call temporal properties. Tempora is Latin (it is the plural of tempus, which means 'time'), and a logic that expresses properties that depend on time is called temporal logic. The study of temporal logics is very old and can be traced back to Aristotle. Within the last 30 years, researchers in computer science have started showing interest in temporal logic as within this framework it is possible to express properties of the behaviour of programs that change over time (Clarke, E.A. Emerson and A.P. Sistla, 1986; Pnueli, 1977a).

The modal μ-calculus (Kozen, 1983a) is a generalization of Hennessy-Milner logic with recursion that allows for largest and least fixed point definitions to be mixed freely. It has been shown that the modal μ-calculus is expressive enough to describe any of the standard operators that occur in the framework of temporal logic. In this sense by extending Hennessy-Milner logic with recursion we obtain a temporal logic.

From the examples in this section we can see that least fixed points are used to express that something will happen sooner or later, whereas the largest fixed points are used to express invariance of some state of affairs during computations, or that something does not happen as a system evolves.

6.2 Syntax and semantics of HML with recursion

The first step towards introducing recursion in HML is to add variables to the syntax. To start with we only consider one recursively defined property. We will return to the more general case of properties defined by mutual recursion later.

The syntax for Hennessy-Milner logic with one variable X, denoted by M{X}, is given by the following grammar:

F ::= X | tt | ff | F_1 ∧ F_2 | F_1 ∨ F_2 | 〈a〉F | [a]F .

Semantically a formula F (that may contain a variable X) is interpreted as a function $\mathcal{O}_F : 2^{Proc} \to 2^{Proc}$ that, given a set of processes that are assumed to satisfy X, gives us the set of processes that satisfy F.


Figure 6.2: A process. [States p1, p2, p3 with transitions labelled a and b; the drawing itself did not survive extraction.]

Example 6.2 Consider the formula F = 〈a〉X and let Proc be the set of states in the transition graph in Figure 6.2. If X is satisfied by p1, then 〈a〉X will be satisfied by p3, i.e., we expect that

$\mathcal{O}_{\langle a\rangle X}(\{p_1\}) = \{p_3\}$ .

If the set of states satisfying X is {p1, p2} then 〈a〉X will be satisfied by {p1, p3}. Therefore we expect to have that

$\mathcal{O}_{\langle a\rangle X}(\{p_1, p_2\}) = \{p_1, p_3\}$ .

What is the set $\mathcal{O}_{[b]X}(\{p_2\})$? □

The above intuition is captured formally in the following definition.

Definition 6.1 Let $(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ be a labelled transition system. For each S ⊆ Proc and formula F, we define $\mathcal{O}_F(S)$ inductively as follows:

$\mathcal{O}_X(S) = S$

$\mathcal{O}_{tt}(S) = Proc$

$\mathcal{O}_{ff}(S) = \emptyset$

$\mathcal{O}_{F_1 \wedge F_2}(S) = \mathcal{O}_{F_1}(S) \cap \mathcal{O}_{F_2}(S)$

$\mathcal{O}_{F_1 \vee F_2}(S) = \mathcal{O}_{F_1}(S) \cup \mathcal{O}_{F_2}(S)$

$\mathcal{O}_{\langle a\rangle F}(S) = \langle\cdot a\cdot\rangle \mathcal{O}_F(S)$

$\mathcal{O}_{[a]F}(S) = [\cdot a\cdot] \mathcal{O}_F(S)$ .


A few words of explanation for the above definition are in order here. Intuitively, the first equality in Definition 6.1 expresses the trivial observation that if we assume that S is the set of states that satisfy X, then the set of states satisfying X is S! The second equation states the, equally obvious, fact that every state satisfies tt irrespective of the set of states that are assumed to satisfy X. The last equation instead says that to calculate the set of states satisfying the formula [a]F under the assumption that the states in S satisfy X, it is sufficient to

1. compute the set of states satisfying the formula F under the assumption that the states in S satisfy X, and then

2. find the collection of states that end up in that set no matter how they perform an a-labelled transition.

Exercise 6.4 Given the transition graph from Example 6.2, use the above definition to calculate $\mathcal{O}_{[b]ff \wedge [a]X}(\{p_2\})$. □

One can show that for every formula F, the function $\mathcal{O}_F$ is monotonic (see Definition 4.4) over the complete lattice $(2^{Proc}, \subseteq)$. In other words, for all subsets S_1, S_2 of Proc, if S_1 ⊆ S_2 then $\mathcal{O}_F(S_1) \subseteq \mathcal{O}_F(S_2)$.

Exercise 6.5 Show that $\mathcal{O}_F$ is monotonic for all F. Consider what will happen if we introduce negation into our logic. □

As mentioned before, the idea underlying the definition of the function $\mathcal{O}_F$ is that if [[X]] ⊆ Proc gives the set of processes that satisfy X, then $\mathcal{O}_F([[X]])$ will be the set of processes that satisfy F. What is this set [[X]] then? Syntactically we shall assume that [[X]] is implicitly given by a recursive equation for X of the form

$X \stackrel{\min}{=} F_X$ or $X \stackrel{\max}{=} F_X$ .

As shown in the previous section, such an equation can be interpreted as the set equation

$[[X]] = \mathcal{O}_{F_X}([[X]])$ . (6.6)

As $\mathcal{O}_{F_X}$ is a monotonic function over a complete lattice we know that (6.6) has solutions, i.e., that $\mathcal{O}_{F_X}$ has fixed points. In particular Tarski's Fixed Point Theorem (see Theorem 4.1) gives us that there is a unique largest fixed point, denoted by $\mathrm{FIX}\,\mathcal{O}_{F_X}$, and also a unique least one, denoted by $\mathrm{fix}\,\mathcal{O}_{F_X}$, given respectively by

$\mathrm{FIX}\,\mathcal{O}_{F_X} = \bigcup \{S \subseteq Proc \mid S \subseteq \mathcal{O}_{F_X}(S)\}$ and

$\mathrm{fix}\,\mathcal{O}_{F_X} = \bigcap \{S \subseteq Proc \mid \mathcal{O}_{F_X}(S) \subseteq S\}$ .


A set S with the property that S ⊆ O_{F_X}(S) is called a post fixed point for O_{F_X}. Correspondingly, S is a pre fixed point for O_{F_X} if O_{F_X}(S) ⊆ S.

In what follows, for a function f : 2^Proc → 2^Proc we define

f^0 = id_{2^Proc} (the identity function on 2^Proc), and

f^{m+1} = f ∘ f^m .

When Proc is finite we have the following characterization of the largest and least fixed points.

Theorem 6.1 If Proc is finite then FIX O_{F_X} = (O_{F_X})^M(Proc) for some M and fix O_{F_X} = (O_{F_X})^m(∅) for some m.

Proof: This follows directly from the fixed point theorem for finite complete lattices. See Theorem 4.2 for the details. □

The above theorem gives us an algorithm for computing the least and largest set of processes solving an equation of the form (6.6). Consider, by way of example, the formula

X =max F_X ,

where F_X = 〈b〉tt ∧ [b]X. The set of processes in the labelled transition system

[Figure: labelled transition system with states s, t, s1, s2, t1; its b-labelled transitions are s1 -b-> s2, s2 -b-> s2 and t1 -b-> t1, while s and t have only a-labelled transitions (the exact a-arrows are not recoverable from the extracted diagram)]

that satisfy this property is the largest solution to the equation

[[X]] = (〈·b·〉{s, s1, s2, t, t1}) ∩ [·b·][[X]] .

This solution is nothing but the largest fixed point of the set function defined by the right-hand side of the above equation, that is, the function mapping each set of states S to the set

O_{F_X}(S) = (〈·b·〉{s, s1, s2, t, t1}) ∩ [·b·]S .

Since we are looking for the largest fixed point of this function, we begin the iterative algorithm by taking S = {s, s1, s2, t, t1}, the set of all states in our labelled transition system. We therefore have that our first approximation to the largest fixed point is the set

O_{F_X}({s, s1, s2, t, t1}) = (〈·b·〉{s, s1, s2, t, t1}) ∩ [·b·]{s, s1, s2, t, t1}
                          = {s1, s2, t1} ∩ {s, s1, s2, t, t1}
                          = {s1, s2, t1} .

Note that our candidate solution to the equation has shrunk in size, since an application of O_{F_X} to the set of all processes has removed the states s and t from our candidate solution. Intuitively, this is because, by applying O_{F_X} to the set of all states, we have found a reason why s and t do not afford the property specified by

X =max 〈b〉tt ∧ [b]X ;

namely that s and t do not have a b-labelled outgoing transition, and therefore that neither of them is in the set 〈·b·〉{s, s1, s2, t, t1}.

Following our iterative algorithm for the computation of a largest fixed point, we now apply the function O_{F_X} to the new candidate largest solution, namely {s1, s2, t1}. We now have that

O_{F_X}({s1, s2, t1}) = (〈·b·〉{s, s1, s2, t, t1}) ∩ [·b·]{s1, s2, t1}
                     = {s1, s2, t1} ∩ {s, s1, s2, t, t1}
                     = {s1, s2, t1} .

(You should convince yourselves that the above calculations are correct!) We have now found that {s1, s2, t1} is a fixed point of the function O_{F_X}. By Theorem 6.1, this is the largest fixed point and therefore states s1, s2 and t1 are the only states in our labelled transition system that satisfy the property

X =max 〈b〉tt ∧ [b]X .

This is in complete agreement with our intuition because those are the only states that can perform a b-action in all states that they can reach by performing sequences of b-labelled transitions.

Exercise 6.6 Consider the property

Y =min 〈b〉tt ∨ 〈{a, b}〉Y .

Use Theorem 6.1 to compute the set of processes in the labelled transition system above that satisfy this property. □


6.3 Largest fixed points and invariant properties

In this section we shall have a closer look at the meaning of formulae defined by means of largest fixed points. More precisely we consider an equation of the form

X =max F_X ,

and define [[X]] ⊆ Proc by

[[X]] = FIX O_{F_X} .

We have previously given an informal argument for why invariant properties are obtained as largest fixed points. In what follows we will formalize this argument, and prove its correctness.

As we saw in the previous section, the property Inv(F) is obtained as the largest fixed point to the recursive equation

X = F ∧ [Act]X .

We will now show that Inv(F) defined in this way indeed expresses that F holds at all states in all transition sequences.

For this purpose we let I : 2^Proc → 2^Proc be the corresponding semantic function, i.e.,

I(S) = [[F]] ∩ [·Act·]S .

By Tarski's Fixed Point Theorem this equation has exactly one largest solution given by

FIX I = ⋃{S | S ⊆ I(S)} .

To show that FIX I indeed characterizes precisely the set of processes for which all states in all computations satisfy the property F, we need a direct (and obviously correct) formulation of this set. This is given by the set Inv defined as follows:

Inv = {p | p -σ-> p′ implies p′ ∈ [[F]], for each σ ∈ Act* and p′ ∈ Proc} .

The correctness of Inv(F) with respect to this description can now be formulated as follows.

Theorem 6.2 For every labelled transition system (Proc, Act, {-a-> | a ∈ Act}), it holds that Inv = FIX I.

Proof: We show the statement by proving each of the inclusions Inv ⊆ FIX I and FIX I ⊆ Inv separately.


Inv ⊆ FIX I: To prove this inclusion it is sufficient to show that Inv ⊆ I(Inv) (Why?). To this end, let p ∈ Inv. Then, for all σ ∈ Act* and p′ ∈ Proc,

p -σ-> p′ implies that p′ ∈ [[F]] . (6.7)

We must establish that p ∈ I(Inv), or equivalently that p ∈ [[F]] and that p ∈ [·Act·]Inv. We obtain the first one of these two statements by taking σ = ε in (6.7), because p -ε-> p always holds.

To prove that p ∈ [·Act·]Inv, we have to show that, for each process p′ and action a,

p -a-> p′ implies p′ ∈ Inv .

This is equivalent to proving that, for each sequence of actions σ′ and process p′′,

p -a-> p′ and p′ -σ′-> p′′ imply p′′ ∈ [[F]] .

However, this follows immediately by letting σ = aσ′ in (6.7).

FIX I ⊆ Inv: First we note that, since FIX I is a fixed point of I, it holds that

FIX I = [[F]] ∩ [·Act·]FIX I . (6.8)

To prove that FIX I ⊆ Inv, assume that p ∈ FIX I and that p -σ-> p′. We shall show that p′ ∈ [[F]] by induction on |σ|, the length of σ.

Base case σ = ε: Then p = p′ and therefore, by (6.8) and our assumption that p ∈ FIX I, it holds that p′ ∈ [[F]], which was to be shown.

Inductive step σ = aσ′: Then p -a-> p′′ -σ′-> p′ for some p′′. By (6.8) and our assumption that p ∈ FIX I, it follows that p′′ ∈ FIX I. As |σ′| < |σ| and p′′ ∈ FIX I, by the induction hypothesis we may conclude that p′ ∈ [[F]], which was to be shown.

This completes the proof of the second inclusion.

The proof of the theorem is now complete. □

6.4 A game characterization for HML with recursion

Let us recall the definition of Hennessy-Milner logic with one recursively defined variable X. The formulae are defined using the following abstract syntax

F ::= X | tt | ff | F1 ∧ F2 | F1 ∨ F2 | 〈a〉F | [a]F ,

where a ∈ Act and there is exactly one defining equation for the variable X, which is of the form

X =min F_X   or   X =max F_X ,

where F_X is a formula of the logic which may contain occurrences of the variable X.

Let (Proc, Act, {-a-> | a ∈ Act}) be a labelled transition system and F a formula of Hennessy-Milner logic with one (recursively defined) variable X. Let s ∈ Proc. We shall describe a game between an 'attacker' and a 'defender' which has the following goal:

• the attacker is aiming to prove that s ⊭ F, while

• the defender is aiming to prove that s ⊨ F.

The configurations of the game are pairs of the form (s, F) where s ∈ Proc and F is a formula of Hennessy-Milner logic with one variable X. For every configuration we define the following successor configurations according to the structure of the formula F (here s is ranging over Proc):

• (s, tt) and (s, ff) have no successor configurations,

• (s, F1 ∧ F2) and (s, F1 ∨ F2) both have two successor configurations, namely (s, F1) and (s, F2),

• (s, 〈a〉F) and (s, [a]F) both have the successor configurations (s′, F) for every s′ such that s -a-> s′, and

• (s, X) has only one successor configuration (s, F_X), where X is defined via the equation X =max F_X or X =min F_X.

A play of the game starting from (s, F) is a maximal sequence of configurations formed by the players according to the following rules.

• The attacker picks up a successor configuration for every current configuration of the form (s, F1 ∧ F2) and (s, [a]F).

• The defender picks up a successor configuration for every current configuration of the form (s, F1 ∨ F2) and (s, 〈a〉F).


Note that the successor configuration of (s, X) is always uniquely determined and we will denote this move by (s, X) → (s, F_X). (It is suggestive to think of these moves that unwind fixed points as moves made by a referee for the game.) Similarly, successor configurations selected by the attacker will be denoted as -A-> moves and by the defender as -D-> moves.

We also notice that every play either

• terminates in (s, tt) or (s, ff), or

• it can be the case that the attacker (or the defender) gets stuck in the current configuration (s, [a]F) (or (s, 〈a〉F)) whenever s -a-/-> (that is, whenever s has no a-labelled transition), or

• the play is infinite.

The following rules decide who is the winner of a play.

• The attacker is a winner in every play ending in a configuration of the form (s, ff) or in a play in which the defender gets stuck.

• The defender is a winner in every play ending in a configuration of the form (s, tt) or in a play in which the attacker gets stuck.

• The attacker is a winner in every infinite play provided that X is defined via X =min F_X; the defender is a winner in every infinite play provided that X is defined via X =max F_X.

Remark 6.1 The intuition for the least and largest fixed point is as follows. If X is defined as a least fixed point then the defender has to prove in finitely many rounds that the property is satisfied. If a play of the game is infinite, then the defender has failed to do so, and the attacker wins. If instead X is defined as a largest fixed point, then it is the attacker who has to disprove in finitely many rounds that the formula is satisfied. If a play of the game is infinite, then the attacker has failed to do so, and the defender wins. □

Theorem 6.3 [Game Characterization] Let (Proc, Act, {-a-> | a ∈ Act}) be a labelled transition system and F a formula of Hennessy-Milner logic with one (recursively defined) variable X. Let s ∈ Proc. Then the following statements hold.

• s ⊨ F if and only if the defender has a universal winning strategy starting from (s, F).

• s ⊭ F if and only if the attacker has a universal winning strategy starting from (s, F).


The proof of this result is beyond the scope of this introductory textbook. We refer the reader to (Stirling, 2001) for a proof of the above result and more information on model checking games.

6.4.1 Examples of use

In this section let us consider the following labelled transition system.

[Figure: labelled transition system with states s, s1, s2, s3 and transitions s -b-> s1, s1 -b-> s, s1 -b-> s2, s2 -a-> s3 and s3 -a-> s3, as read off the diagram and used in the examples below]

Example 6.3 We start with an example which is not using any recursively defined variable. We shall demonstrate that s ⊨ [b](〈b〉[b]ff ∧ 〈b〉[a]ff) by defining a universal winning strategy for the defender. As remarked before, we will use -A-> to denote that the successor configuration was selected by the attacker and -D-> to denote that it was selected by the defender. The game starts from

(s, [b](〈b〉[b]ff ∧ 〈b〉[a]ff)) .

Because [b] is the topmost operation, the attacker selects the successor configuration and he has only one possibility, namely

(s, [b](〈b〉[b]ff ∧ 〈b〉[a]ff)) -A-> (s1, 〈b〉[b]ff ∧ 〈b〉[a]ff) .

Now the topmost operation is ∧ so the attacker has two possibilities:

(s1, 〈b〉[b]ff ∧ 〈b〉[a]ff) -A-> (s1, 〈b〉[b]ff)   or   (s1, 〈b〉[b]ff ∧ 〈b〉[a]ff) -A-> (s1, 〈b〉[a]ff) .

We have to show that the defender wins from any of these two configurations (we have to find a universal winning strategy).

• From (s1, 〈b〉[b]ff) it is the defender who makes the next move; let him play (s1, 〈b〉[b]ff) -D-> (s2, [b]ff). Now the attacker should continue but s2 -b-/->, so he is stuck and the defender wins this play.

• From (s1, 〈b〉[a]ff) it is also the defender who makes the next move; let him play (s1, 〈b〉[a]ff) -D-> (s, [a]ff). Now the attacker should continue but s -a-/->, so he is stuck again and the defender wins this play.

Hence the defender has a universal winning strategy. □

Example 6.4 Let X =min 〈a〉tt ∨ 〈b〉X. This property informally says that it is possible to perform a sequence of b actions leading to a state where the action a is enabled. We will show that s ⊨ X by defining a universal winning strategy for the defender starting from (s, X). The strategy looks as follows (note that it consists solely of the defender's moves -D-> or the referee's → moves for expanding the variable X, so it is truly a universal winning strategy):

(s, X) → (s, 〈a〉tt ∨ 〈b〉X) -D-> (s, 〈b〉X) -D-> (s1, X) →
       → (s1, 〈a〉tt ∨ 〈b〉X) -D-> (s1, 〈b〉X) -D-> (s2, X) →
       → (s2, 〈a〉tt ∨ 〈b〉X) -D-> (s2, 〈a〉tt) -D-> (s3, tt) .

According to the definition (s3, tt) is a winning configuration for the defender. □

Example 6.5 Let X =max 〈b〉tt ∧ [b]X. This property informally says that along every path where the edges are labelled by the action b, the action b never becomes disabled. It is easy to see that s ⊭ X and we will prove it by finding a universal winning strategy for the attacker starting from (s, X). As before, the attacker's strategy will not give any selection possibility to the defender and hence it is a universal one.

(s, X) → (s, 〈b〉tt ∧ [b]X) -A-> (s, [b]X) -A-> (s1, X) →
       → (s1, 〈b〉tt ∧ [b]X) -A-> (s1, [b]X) -A-> (s2, X) →
       → (s2, 〈b〉tt ∧ [b]X) -A-> (s2, 〈b〉tt) .

From the last configuration (s2, 〈b〉tt) the defender is supposed to continue but he is stuck as s2 -b-/->, and hence the attacker wins. □

Example 6.6 Let X =max 〈a〉tt ∧ [a]X. This is the same property as in the previous example (with a exchanged for b). We will show that s2 ⊨ X by finding a universal winning strategy for the defender from (s2, X). In the first round we expand the variable X by the move (s2, X) → (s2, 〈a〉tt ∧ [a]X) and in the second round the attacker can play either

(s2, 〈a〉tt ∧ [a]X) -A-> (s2, 〈a〉tt)   or   (s2, 〈a〉tt ∧ [a]X) -A-> (s2, [a]X) .

It is easy to see that the defender wins from the configuration (s2, 〈a〉tt) by the move (s2, 〈a〉tt) -D-> (s3, tt), so we shall investigate only the continuation of the game from (s2, [a]X). The attacker has only the move (s2, [a]X) -A-> (s3, X). After expanding the variable X the game continues from (s3, 〈a〉tt ∧ [a]X). Again the attacker can play either

(s3, 〈a〉tt ∧ [a]X) -A-> (s3, 〈a〉tt)   or   (s3, 〈a〉tt ∧ [a]X) -A-> (s3, [a]X) .

In the first case the attacker loses as before. In the second case, the only continuation of the game is (s3, [a]X) -A-> (s3, X). However, we have already seen this configuration earlier in the game. To sum up, either the attacker loses in finitely many steps or the game can be infinite. As we consider the largest fixed point, in both cases the defender is the winner of the game. □

Example 6.7 Let X =min 〈a〉tt ∨ ([b]X ∧ 〈b〉tt). This property informally says that along each b-labelled sequence there is eventually a state where the action a is enabled. We shall argue that s1 ⊭ X by finding a winning strategy for the attacker starting from (s1, X). The first move of the game is

(s1, X) → (s1, 〈a〉tt ∨ ([b]X ∧ 〈b〉tt)) ,

and then the defender has two options, namely

(s1, 〈a〉tt ∨ ([b]X ∧ 〈b〉tt)) -D-> (s1, 〈a〉tt)   or   (s1, 〈a〉tt ∨ ([b]X ∧ 〈b〉tt)) -D-> (s1, [b]X ∧ 〈b〉tt) .

In the first case the defender loses as he is supposed to pick up an a-successor of the state s1 but s1 -a-/->. In the second case the attacker proceeds as follows.

(s1, [b]X ∧ 〈b〉tt) -A-> (s1, [b]X) -A-> (s, X) .

The game now continues from (s, X) by the move

(s, X) → (s, 〈a〉tt ∨ ([b]X ∧ 〈b〉tt)) .

Again, if the defender plays (s, 〈a〉tt ∨ ([b]X ∧ 〈b〉tt)) -D-> (s, 〈a〉tt) then he loses in the next round, so the defender has to play

(s, 〈a〉tt ∨ ([b]X ∧ 〈b〉tt)) -D-> (s, [b]X ∧ 〈b〉tt) .

The attacker continues by (s, [b]X ∧ 〈b〉tt) -A-> (s, [b]X) -A-> (s1, X) and the situation (s1, X) has already been seen before. This means that the game is infinite (unless the defender loses in finitely many rounds) and hence the attacker is the winner of the game (since we are considering a least fixed point). □

Exercise 6.7 Consider the labelled transition system

[Figure: labelled transition system with states s, t, s1, s2, t1, t2 and transitions labelled a and b; diagram not reproduced]

Use the game characterization for HML with recursion to show that

1. s1 satisfies the formula

X =max 〈b〉tt ∧ [b]X ;

2. s satisfies the formula

Y =min 〈b〉tt ∨ 〈a, b〉Y ,

but t does not.

Find a recursively defined property that t satisfies and argue that it does so using the game characterization of satisfaction presented above. □

6.5 Mutually recursive equational systems

As you may have noticed, so far we have only allowed one equation with one variable in our recursive definitions. A mutually recursive equational system has the form

X1 = F_X1
...
Xn = F_Xn ,


where 𝒳 = {X1, . . . , Xn} is a set of variables and, for i ≤ n, the formula F_Xi is in M_𝒳, and can therefore contain any variable from 𝒳. An example of such an equational system is

X = [a]Y
Y = 〈a〉X .

An equational system is sometimes given by specifying a (finite) set of variables 𝒳 together with a declaration. A declaration is a function D : 𝒳 → M_𝒳 that associates a formula with each variable, so that D(X) = F_X in the notation used above.

To define the semantics of such an equational system it is not enough to consider simply the complete lattice consisting of subsets of processes. Instead such a system is interpreted over n-dimensional vectors of sets of processes, where n is the number of variables in 𝒳. Thus the new domain is 𝒟 = (2^Proc)^n (the n-fold cross product of 2^Proc with itself) with a partial order defined 'component wise':

(S1, . . . , Sn) ≤ (S′1, . . . , S′n)   if   S1 ⊆ S′1 and S2 ⊆ S′2 and . . . and Sn ⊆ S′n .

(𝒟, ≤) defined in this way yields a complete lattice with the least upper bound and the greatest lower bound also defined component wise:

⊔{(A^i_1, . . . , A^i_n) | i ∈ I} = (⋃{A^i_1 | i ∈ I}, . . . , ⋃{A^i_n | i ∈ I})   and

⊓{(A^i_1, . . . , A^i_n) | i ∈ I} = (⋂{A^i_1 | i ∈ I}, . . . , ⋂{A^i_n | i ∈ I}) ,

where I is an index set. The semantic function [[D]] : 𝒟 → 𝒟 that is used to obtain the largest and least solutions of the system of recursive equations described by the declaration D is obtained from the syntax in the following way:

[[D]]([[X1]], . . . , [[Xn]]) = (O_{F_X1}([[X1]], . . . , [[Xn]]), . . . , O_{F_Xn}([[X1]], . . . , [[Xn]])) , (6.9)

where each argument [[Xi]] (1 ≤ i ≤ n) can be replaced by an arbitrary S ⊆ Proc. By analogy with our previous developments, for each formula F in M_𝒳, the set

O_F([[X1]], . . . , [[Xn]])

stands for the set of processes that satisfy F under the assumption that [[Xi]] is the collection of processes satisfying Xi, for each 1 ≤ i ≤ n.

For each formula F that may contain occurrences of the variables X1, . . . , Xn, the set O_F([[X1]], . . . , [[Xn]]) is defined exactly as in Definition 6.1, but with

O_Xi([[X1]], . . . , [[Xn]]) = [[Xi]]   (1 ≤ i ≤ n) .


The function [[D]] turns out to be monotonic over the complete lattice (𝒟, ≤), and we can obtain both the largest and least fixed point for the equational system in the same way as for the case of one variable.

Consider, for example, the mutually recursive formulae described by the system of equations below:

X =max 〈a〉Y ∧ [a]Y ∧ [b]ff
Y =max 〈b〉X ∧ [b]X ∧ [a]ff .

We wish to find out the set of states in the following labelled transition system that satisfy the formula X.

[Figure: labelled transition system with states s, s1, s2, s3 and transitions s -a-> s1, s1 -b-> s, s2 -a-> s1, s2 -a-> s3 and s3 -b-> s3, as read off the diagram and the computation below]

To this end, we can again apply the iterative algorithm for computing the largest fixed point of the function determined by the above system of equations. Note that, as formally explained before, such a function maps a pair of sets of states (S1, S2) to the pair of sets of states

(〈·a·〉S2 ∩ [·a·]S2 ∩ {s, s2}, 〈·b·〉S1 ∩ [·b·]S1 ∩ {s1, s3}) . (6.10)

Here

• S1 stands for the set of states that are assumed to satisfy X,

• S2 stands for the set of states that are assumed to satisfy Y,

• 〈·a·〉S2 ∩ [·a·]S2 ∩ {s, s2} is the set of states that satisfy the right-hand side of the defining equation for X under these assumptions, and

• 〈·b·〉S1 ∩ [·b·]S1 ∩ {s1, s3} is the set of states that satisfy the right-hand side of the defining equation for Y under these assumptions.

To compute the largest solution to the system of equations above, we use the iterative algorithm provided by Theorem 6.1 starting from the top element in our complete lattice, namely the pair

({s, s1, s2, s3}, {s, s1, s2, s3}) .

This corresponds to assuming that all states satisfy both X and Y. To obtain the next approximation to the largest solution to our system of equations, we compute the pair (6.10) taking S1 = S2 = {s, s1, s2, s3}. The result is the pair

({s, s2}, {s1, s3}) .


Note that we have shrunk both components in our original estimate to the largest solution. This means that we have not yet found the largest solution we are looking for. We therefore compute the pair (6.10) again taking the above pair as our new input (S1, S2). You should convince yourselves that the result of this computation is the pair

({s, s2}, {s1}) .

Note that the first component in the pair has not changed since our previous approximation, but that s3 has been removed from the second component. This is because at this point we have discovered, for instance, that s3 does not afford a b-labelled transition ending up in either s or s2.

Since we have not yet found a fixed point, we compute the pair (6.10) again, taking ({s, s2}, {s1}) as our new input (S1, S2). The result of this computation is the pair

({s}, {s1}) .

Intuitively, at this iteration we have discovered a reason why s2 does not afford property X, namely that s2 has an a-labelled transition leading to state s3, which, as we saw before, does not have property Y.

If we now compute the pair (6.10) again, taking ({s}, {s1}) as our new input (S1, S2), we obtain ({s}, {s1}). We have therefore found the largest solution to our system of equations. It follows that process s satisfies X and process s1 satisfies Y.
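The iterative algorithm of Theorem 6.1, as it was just run by hand for X =max 〈b〉tt ∧ [b]X in Section 6.2 and for the mutually recursive system (6.10) above, implemented over vectors of sets of states (an added example, not code from the book). The tuple encoding of formulae is ours, and both transition systems are reconstructed from the book's figures: the b-transitions of the first are certain while its a-transitions are a guess that does not affect the result, and the second is fixed by the computation in the text.

```python
"""Iterative fixed-point model checking for HML with recursion (added example).

Formulae are nested tuples:
  ('tt',)  ('ff',)  ('var', 'X')  ('and', F, G)  ('or', F, G)
  ('dia', {'a', 'b'}, F) for <{a,b}>F      ('box', {'a'}, F) for [a]F
"""
from collections import defaultdict


class LTS:
    """Finite labelled transition system built from (p, a, p') triples."""

    def __init__(self, transitions):
        self.procs = set()
        self.succ = defaultdict(set)        # (p, a) -> {p' | p -a-> p'}
        for p, a, q in transitions:
            self.procs |= {p, q}
            self.succ[(p, a)].add(q)

    def dia(self, acts, S):
        """<.acts.>S: states with at least one acts-labelled transition into S."""
        return {p for p in self.procs if any(self.succ[(p, a)] & S for a in acts)}

    def box(self, acts, S):
        """[.acts.]S: states all of whose acts-labelled transitions end in S
        (vacuously true for a state without such transitions)."""
        return {p for p in self.procs if all(self.succ[(p, a)] <= S for a in acts)}


def O(lts, F, env):
    """O_F(env): states satisfying F when env[X] is the set assumed to satisfy X.

    Definition 6.1 clause by clause, with O_X = env[X] as in the n-variable case.
    """
    tag = F[0]
    if tag == 'tt':
        return set(lts.procs)
    if tag == 'ff':
        return set()
    if tag == 'var':
        return set(env[F[1]])
    if tag == 'and':
        return O(lts, F[1], env) & O(lts, F[2], env)
    if tag == 'or':
        return O(lts, F[1], env) | O(lts, F[2], env)
    if tag == 'dia':
        return lts.dia(F[1], O(lts, F[2], env))
    if tag == 'box':
        return lts.box(F[1], O(lts, F[2], env))
    raise ValueError(f"unknown formula constructor {tag!r}")


def solve(lts, decl, largest=True):
    """Largest (or least) solution of the system decl = {X: F_X}.

    Iterates [[D]] from the top (Proc for every variable) or the bottom (the
    empty set for every variable) of (2^Proc)^n until the vector of sets stops
    changing, which Theorem 6.1 guarantees for finite Proc.  Returns the
    solution together with the number of applications of [[D]] performed.
    """
    env = {X: (set(lts.procs) if largest else set()) for X in decl}
    rounds = 0
    while True:
        nxt = {X: O(lts, F_X, env) for X, F_X in decl.items()}
        rounds += 1
        if nxt == env:                      # fixed point reached
            return env, rounds
        env = nxt


# Section 6.2 system: b-transitions as in the figure; the a-transitions of s and t
# are our reconstruction and do not influence the result.
LTS_62 = LTS([('s', 'a', 's1'), ('s', 'a', 's2'), ('t', 'a', 't1'),
              ('s1', 'b', 's2'), ('s2', 'b', 's2'), ('t1', 'b', 't1')])
# X =max <b>tt /\ [b]X
DECL_X = {'X': ('and', ('dia', {'b'}, ('tt',)), ('box', {'b'}, ('var', 'X')))}

# Section 6.5 system, reconstructed from the figure and the computation of (6.10).
LTS_65 = LTS([('s', 'a', 's1'), ('s1', 'b', 's'), ('s2', 'a', 's1'),
              ('s2', 'a', 's3'), ('s3', 'b', 's3')])
# X =max <a>Y /\ [a]Y /\ [b]ff     Y =max <b>X /\ [b]X /\ [a]ff
DECL_XY = {
    'X': ('and', ('and', ('dia', {'a'}, ('var', 'Y')), ('box', {'a'}, ('var', 'Y'))),
                 ('box', {'b'}, ('ff',))),
    'Y': ('and', ('and', ('dia', {'b'}, ('var', 'X')), ('box', {'b'}, ('var', 'X'))),
                 ('box', {'a'}, ('ff',))),
}

if __name__ == '__main__':
    print(solve(LTS_62, DECL_X))    # X = {s1, s2, t1}, found after 2 applications
    print(solve(LTS_65, DECL_XY))   # X = {s}, Y = {s1}, found after 4 applications
```

Passing largest=False runs the same loop from the bottom element and yields the least solution, which for the Section 6.2 formula is the empty set.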

Exercise 6.8

1. Show that ((2^Proc)^n, ≤, ⊔, ⊓), with ≤, ⊔ and ⊓ defined as described in the text above, is a complete lattice.

2. Show that (6.9) defines a monotonic function

[[D]] : (2^Proc)^n → (2^Proc)^n .

3. Compute the least and largest solutions of the system of equations

X = [a]Y
Y = 〈a〉X

over the transition system associated with the CCS term

A0 = a.A1 + a.a.0
A1 = a.A2 + a.0
A2 = a.A1 .


6.6 Characteristic properties

The characterization theorem for bisimulation equivalence in terms of Hennessy-Milner logic (Theorem 5.1 on page 111) tells us that if our transition system is image finite, the equivalence classes of bisimulation equivalence are completely characterized by the logic; see (Hennessy and Milner, 1985) for the original reference. More precisely, for image finite processes, the equivalence class that contains p consists exactly of the set of processes that satisfy the same formulae in HML as p. That is, letting [p]∼ = {q | q ∼ p}, we have that

[p]∼ = {q | p ⊨ F implies q ⊨ F, for each F ∈ M} .

Exercise 6.9 Note that in the above rephrasing of the characterization theorem for HML, we only require that each formula satisfied by p is also satisfied by q, but not that the converse also holds. Show, however, that if q satisfies all the formulae in HML satisfied by p, then p and q satisfy the same formulae in HML. □

In this section we will show that if our transition system is finite, by extending the logic with recursion, we can characterize the equivalence classes for strong bisimulation with a single formula. The formula that characterizes the bisimulation equivalence class for p is called the characteristic formula for p, and will use the facility for mutually recursive definitions we introduced in Section 6.5. (Since the material in this section depends on that in Section 6.5, you might wish to review your knowledge of the syntax and semantics for mutually recursive formulae while reading the technical material to follow.) That such a characteristic formula is unique from a semantic point of view is obvious, as the semantics for such a formula is exactly the equivalence class [p]∼.

Our aim in this section is therefore, given a process p in a finite transition system, to find a formula F_p ∈ M_𝒳 for a suitable set of variables 𝒳, such that for all processes q

q ⊨ F_p iff q ∼ p .

Let us start by giving an example that shows that in general bisimulation equivalence cannot be characterized by a recursion free formula.

Example 6.8 Assume that Act = {a} and that the process p is given by the equation

X =def a.X .

We will show that p cannot be characterized up to bisimulation equivalence by a single recursion free formula. To see this we assume that such a formula exists and show that this leads to a contradiction. Towards a contradiction, we assume that for some F_p ∈ M,

[[F_p]] = [p]∼ . (6.11)

In particular we have that

p ⊨ F_p and (q ⊨ F_p implies q ∼ p, for each q) . (6.12)

We will obtain a contradiction by proving that (6.12) cannot hold for any formula F_p. Before we prove our statement we have to introduce some notation.

[Figure 6.3: The processes p and p_i for i ≤ n; p has a single a-labelled self-loop, while each p_i is a chain of i a-labelled transitions ending in a terminated process]

Recall that, by the modal depth of a formula F, notation md(F), we mean the maximum number of nested occurrences of the modal operators in F. Formally this is defined by the following recursive definition:

1. md(tt) = md(ff) = 0,

2. md([a]F) = md(〈a〉F) = 1 + md(F),

3. md(F1 ∨ F2) = md(F1 ∧ F2) = max{md(F1), md(F2)}.

Next we define a sequence p_0, p_1, p_2, . . . of processes inductively as follows:


1. p_0 = 0,

2. p_{i+1} = a.p_i.

(The processes p and p_i, for i ≥ 1, are depicted in Figure 6.3.) Observe that each process p_i can perform a sequence of i a-labelled transitions in a row and terminate in doing so. Moreover, this is the only behaviour that p_i affords.

Now we can prove the following:

p ⊨ F implies p_{md(F)} ⊨ F, for each F . (6.13)

The statement in (6.13) can be proven by structural induction on F and is left as an exercise for the reader. As obviously p and p_n are not bisimulation equivalent for any n (why?), the statement in (6.13) contradicts (6.12). Indeed, (6.12) and (6.13) imply that p is bisimilar to p_k, where k is the modal depth of the formula F_p.

As (6.12) is a consequence of (6.11), we can therefore conclude that no recursion free formula F_p can characterize the process p up to bisimulation equivalence. □

Exercise 6.10 Prove statement (6.13). □

Exercise 6.11 (Recommended) Before reading on, you might want to try and define a characteristic formula for some processes for which HML suffices. If you fancy this challenge, we encourage you to read Example 6.9 to follow for inspiration.

Assume that a is the only action. For each i ≥ 1, construct an HML formula that is the characteristic formula for process p_i in Figure 6.3. Hint: First give a characteristic formula for p_1. Next show how to construct a characteristic formula for p_{i+1} from that for p_i. □

Example 6.8 shows us that in order to obtain a characteristic formula even for finite labelled transition systems we need to make use of the recursive extension of Hennessy-Milner logic.

The construction of the characteristic formula involves two steps. First of all, we need to construct an equational system that describes the formula; next we should decide whether to adopt the least or the largest solution to this system. We start our search for the characteristic formula by giving the equational system, and choose the suitable interpretation for the fixed points afterwards.

We start by assuming that we have a finite transition system

({p1, . . . , pn}, Act, →)

and a set of variables 𝒳 = {X_p1, . . . , X_pn, . . .} that contains (at least) as many variables as there are states in the transition system. Intuitively X_p is the syntactic symbol for the characteristic formula for p and its meaning will be given in terms of an equational system.

A characteristic formula for a process has to describe both which actions the process can perform, which actions it cannot perform and what happens to it after it has performed each action. The following example illustrates these issues.

Example 6.9 If a coffee machine is given by Figure 6.4, we can construct a characteristic formula for it as follows.

[Figure 6.4: The nice coffee machine gkm, with states gkm and q and actions m, t and k; diagram not reproduced]

Let gkm be the initial state of the coffee machine. Then we see that gkm can perform an m-action and that this is the only action it can perform in this state. The picture also shows us that, by performing the m action, gkm will necessarily end up in state q. This can be expressed as follows:

1. gkm can perform m and become q.

2. No matter how gkm performs m it becomes q.

3. gkm cannot perform any action other than m.

If we let X_gkm and X_q denote the characteristic formulae for gkm and q respectively, X_gkm can be expressed as

X_gkm ≡ 〈m〉X_q ∧ [m]X_q ∧ [{t, k}]ff ,

where 〈m〉X_q expresses property 1 above, [m]X_q expresses property 2 and [{t, k}]ff expresses property 3. To obtain the characteristic formula for gkm we have to define a recursive formula for X_q following the same strategy. We observe that q can perform two actions, namely t and k, and in both cases it becomes gkm. X_q can therefore be expressed as

X_q ≡ 〈t〉X_gkm ∧ 〈k〉X_gkm ∧ [{t, k}]X_gkm ∧ [m]ff .

In the recursive formula above, the first conjunct $\langle t\rangle X_{gkm}$ states that a process that is bisimilar to q should be able to perform a t-labelled transition and thereby end up in a state that is bisimilar to gkm—that is, that satisfies the characteristic property $X_{gkm}$ for state gkm. The interpretation of the second conjunct is similar. The third conjunct instead states that all of the outgoing transitions from a state that is bisimilar to q that are labelled with t or k will end up in a state that is bisimilar to gkm. Finally, the fourth and last conjunct says that a process that is bisimilar to q cannot perform action m. □

Now we can generalize the strategy employed in the above example as follows. Let

$$Der(a, p) = \{p' \mid p \xrightarrow{a} p'\}$$

be the set of states that can be reached from p by performing action a. If $p' \in Der(a, p)$ and $p'$ has a characteristic property $X_{p'}$, then p has the property $\langle a\rangle X_{p'}$. We therefore have that

$$p \models \bigwedge_{a, p'.\ p \xrightarrow{a} p'} \langle a\rangle X_{p'}.$$

Furthermore, if $p \xrightarrow{a} p'$ then $p' \in Der(a, p)$. Therefore p has the property

$$[a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'},$$

for each action a. The above property states that, by performing action a, process p (and any other process that is bisimilar to it) must become a process satisfying the characteristic property of a state in $Der(a, p)$. (Note that if $p \stackrel{a}{\nrightarrow}$, then $Der(a, p)$ is empty. In that case, since an empty disjunction is just the formula ff, the above formula becomes simply $[a]ff$—which is what we would expect.)

Since action a is arbitrary, we have that

$$p \models \bigwedge_{a} [a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'}.$$

If we summarize the above requirements, we have that

$$p \models \bigwedge_{a, p'.\ p \xrightarrow{a} p'} \langle a\rangle X_{p'} \;\wedge\; \bigwedge_{a} [a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'}.$$

As this property is apparently a complete description of the behaviour of process p, this is our candidate for its characteristic property. $X_p$ is therefore defined as a solution to the equational system obtained by giving the following equation for each $q \in Proc$:

$$X_q \equiv \bigwedge_{a, q'.\ q \xrightarrow{a} q'} \langle a\rangle X_{q'} \;\wedge\; \bigwedge_{a} [a] \bigvee_{q'.\ q \xrightarrow{a} q'} X_{q'}. \qquad (6.14)$$

The solution can either be the least or the largest one (or something in between for what we know at this stage).

The following example shows that the least solution to (6.14) in general does not yield the characteristic property for a process.

Example 6.10 Let p be the process given in Figure 6.5.

[Figure 6.5: Simple infinite process p, with a single a-labelled self-loop p --a--> p]

In this case, assuming for the sake of simplicity that a is the only action, the equational system obtained by using (6.14) will have the form

$$X_p \stackrel{\min}{=} \langle a\rangle X_p \wedge [a]X_p.$$

Since $\langle\cdot a\cdot\rangle\emptyset = \emptyset$, you should be able to convince yourselves that $[[X_p]] = \emptyset$ is the least solution to this equation. This corresponds to taking $X_p = ff$ as the characteristic formula for p. However, p does not have the property ff, which therefore cannot be the characteristic property for p. □

In what follows we will show that the largest solution to (6.14) yields the characteristic property for all $p \in Proc$. (Those amongst you who read Section 4.3 will notice that this is in line with our characterization of bisimulation equivalence as the largest fixed point of a suitable monotonic function.) This is the content of the following theorem, whose proof you can skip unless you are interested in the mathematical developments.

Theorem 6.4 Let (Proc, Act, →) be a finite transition system and, for each $p \in Proc$, let $X_p$ be defined by

$$X_p \stackrel{\max}{=} \bigwedge_{a, p'.\ p \xrightarrow{a} p'} \langle a\rangle X_{p'} \;\wedge\; \bigwedge_{a} [a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'}. \qquad (6.15)$$

Then $X_p$ is the characteristic property for p—that is, $q \models X_p$ iff $p \sim q$, for each $q \in Proc$.

The assumption that Proc and Act be finite ensures that there is only a finite number of variables involved in the definition of the characteristic formula and that we only obtain a formula with finite conjunctions and disjunctions on the right-hand side of each equation.

In the proof of the theorem we will let $D_K$ be the declaration defined by

$$D_K(X_p) = \bigwedge_{a, p'.\ p \xrightarrow{a} p'} \langle a\rangle X_{p'} \;\wedge\; \bigwedge_{a} [a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'}.$$

From our previous discussion, we have that $X_p$ is the characteristic property for p if and only if for the largest solution $[[X_p]]$, where $p \in Proc$, we have that $[[X_p]] = [p]_\sim$. In what follows, we write $q \models_{\max} X_p$ if q belongs to $[[X_p]]$ in the largest solution for $D_K$.

In order to prove Theorem 6.4, we shall establish the following two statements separately, for each process $q \in Proc$:

1. if $q \models_{\max} X_p$, then $p \sim q$, and

2. if $p \sim q$, then $q \models_{\max} X_p$.

As the first step in the proof of Theorem 6.4, we prove the following lemma to the effect that the former statement holds.

Lemma 6.1 Let $X_p$ be defined as in (6.15). Then, for each $q \in Proc$, we have that

$$q \models_{\max} X_p \Rightarrow p \sim q.$$

Proof: Let $R = \{(p, q) \mid q \models_{\max} X_p\}$. We will prove that R is a bisimulation, and thus that $p \sim q$ whenever $q \models_{\max} X_p$. To this end, we have to prove the following two claims, where b is an arbitrary action in Act and $p_1, q_1$ are processes in Proc.

a) $(p, q) \in R$ and $p \xrightarrow{b} p_1 \Rightarrow \exists q_1.\ q \xrightarrow{b} q_1$ and $(p_1, q_1) \in R$.

b) $(p, q) \in R$ and $q \xrightarrow{b} q_1 \Rightarrow \exists p_1.\ p \xrightarrow{b} p_1$ and $(p_1, q_1) \in R$.

We prove these two claims separately.

a) Assume that $(p, q) \in R$ and $p \xrightarrow{b} p_1$. This means that

$$q \models_{\max} X_p \text{ and } p \xrightarrow{b} p_1.$$

From the definitions of $X_p$ and $D_K$ it follows that

$$q \models_{\max} \Big(\bigwedge_{a, p'.\ p \xrightarrow{a} p'} \langle a\rangle X_{p'}\Big) \wedge \Big(\bigwedge_{a} [a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'}\Big).$$

As $p \xrightarrow{b} p_1$ we get that $q \models_{\max} \langle b\rangle X_{p_1}$, which means that, for some $q_1 \in Proc$,

$$q \xrightarrow{b} q_1 \text{ and } q_1 \models_{\max} X_{p_1}.$$

By the definition of R, we have that there is a $q_1$ such that

$$q \xrightarrow{b} q_1 \text{ and } (p_1, q_1) \in R,$$

which was to be shown.

b) Assume that $(p, q) \in R$ and $q \xrightarrow{b} q_1$. This means that

$$q \models_{\max} X_p \text{ and } q \xrightarrow{b} q_1.$$

As before, since $q \models_{\max} X_p$, we have that

$$q \models_{\max} \Big(\bigwedge_{a, p'.\ p \xrightarrow{a} p'} \langle a\rangle X_{p'}\Big) \wedge \Big(\bigwedge_{a} [a] \bigvee_{p'.\ p \xrightarrow{a} p'} X_{p'}\Big).$$

In particular, it follows that

$$q \models_{\max} [b] \bigvee_{p'.\ p \xrightarrow{b} p'} X_{p'}.$$

As we know that $q \xrightarrow{b} q_1$, we obtain that

$$q_1 \models_{\max} \bigvee_{p'.\ p \xrightarrow{b} p'} X_{p'}.$$

Therefore there must exist a $p_1$ such that $q_1 \models_{\max} X_{p_1}$ and $p \xrightarrow{b} p_1$. We have therefore proven that

$$\exists p_1.\ p \xrightarrow{b} p_1 \text{ and } (p_1, q_1) \in R,$$

which was to be shown.

We have now shown that R is a bisimulation, and therefore that

$$q \models_{\max} X_p \text{ implies } p \sim q.$$

This proves the lemma. □

The following lemma completes the proof of our main theorem of this section. In the statement of this result, and in its proof, we assume for notational convenience that $Proc = \{p_1, \ldots, p_n\}$.

Lemma 6.2 $([p_1]_\sim, \ldots, [p_n]_\sim) \sqsubseteq [[D_K]]([p_1]_\sim, \ldots, [p_n]_\sim)$.

Proof: Assume that $q \in [p]_\sim$, where p is one of $p_1, \ldots, p_n$. To prove our claim, it is sufficient to show that

$$q \in \Big(\bigcap_{a, p'.\ p \xrightarrow{a} p'} \langle\cdot a\cdot\rangle [p']_\sim\Big) \cap \Big(\bigcap_{a} [\cdot a\cdot] \bigcup_{p'.\ p \xrightarrow{a} p'} [p']_\sim\Big).$$

(Can you see why?) The proof can be divided into two parts, namely:

1) $q \in \bigcap_{a, p'.\ p \xrightarrow{a} p'} \langle\cdot a\cdot\rangle [p']_\sim$ and

2) $q \in \bigcap_{a} [\cdot a\cdot] \bigcup_{p'.\ p \xrightarrow{a} p'} [p']_\sim$.

We proceed by proving these claims in turn.

1) We recall that $q \sim p$. Assume that $p \xrightarrow{a} p'$ for some action a and process $p'$. Then there is a $q'$, where $q \xrightarrow{a} q'$ and $q' \sim p'$. We have therefore shown that, for all a and $p'$, there is a $q'$ such that

$$q \xrightarrow{a} q' \text{ and } q' \in [p']_\sim.$$

This means that, for each a and $p'$ such that $p \xrightarrow{a} p'$, we have that

$$q \in \langle\cdot a\cdot\rangle [p']_\sim.$$

We may therefore conclude that

$$q \in \bigcap_{a, p'.\ p \xrightarrow{a} p'} \langle\cdot a\cdot\rangle [p']_\sim,$$

which was to be shown.

2) Let $a \in Act$ and $q \xrightarrow{a} q'$. We have to show that $q' \in \bigcup_{p'.\ p \xrightarrow{a} p'} [p']_\sim$. To this end, observe that, as $q \xrightarrow{a} q'$ and $p \sim q$, there exists a $p'$ such that $p \xrightarrow{a} p'$ and $p' \sim q'$. For this $q'$ we have that $q' \in [p']_\sim$. We have therefore proven that, for all a and $q'$,

$$q \xrightarrow{a} q' \Rightarrow \exists p'.\ p \xrightarrow{a} p' \text{ and } q' \in [p']_\sim,$$

which is equivalent to

$$q \in \bigcap_{a} [\cdot a\cdot] \bigcup_{p'.\ p \xrightarrow{a} p'} [p']_\sim.$$

Statements 1) and 2) above give that

$$([p_1]_\sim, \ldots, [p_n]_\sim) \sqsubseteq [[D_K]]([p_1]_\sim, \ldots, [p_n]_\sim),$$

which was to be shown. □

Theorem 6.4 can now be expressed as the following lemma, whose proof completes the argument for that result.

Lemma 6.3 For each $p \in Proc$ we have that $[[X_p]] = [p]_\sim$.

Proof: By Lemma 6.2 we get that

$$([p_1]_\sim, \ldots, [p_n]_\sim) \sqsubseteq ([[X_{p_1}]], \ldots, [[X_{p_n}]]),$$

which means that

$$[p]_\sim \subseteq [[X_p]]$$

for each $p \in Proc$. (Why?) Furthermore Lemma 6.1 gives that $[[X_p]] \subseteq [p]_\sim$ for every $p \in Proc$, which proves the statement of the lemma. □
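The construction above and Theorem 6.4, as an added example that is not part of the book: the set-valued version of the equations (6.15) is iterated from the top element down to its largest solution over a constructed finite LTS (the coffee machine of Figure 6.4, an unrolled copy that is bisimilar to it, and a variant whose second state offers only k), and the resulting sets are used as a bisimilarity check. The state names u0, u1, u2, bad and badq are my own.

```python
"""Largest solution of the characteristic-formula equations (6.14)/(6.15).

Added example, not part of the book. It iterates the set-valued version of the
equations,

    X_p = (∩_{a,p'. p -a-> p'} <·a·>X_{p'}) ∩ (∩_a [·a·] ∪_{p'. p -a-> p'} X_{p'}),

from the top element (X_p = Proc for every p) down to the largest fixed point,
and then uses Theorem 6.4 (q ∈ [[X_p]] iff p ~ q) as a bisimilarity check.
"""

# Constructed finite LTS: the coffee machine of Figure 6.4 (gkm, q), an
# unrolled copy of it (u0, u1, u2) that is bisimilar to gkm, and a variant
# (bad, badq) whose second state offers only k, so it is bisimilar to nothing else.
STATES = ["gkm", "q", "u0", "u1", "u2", "bad", "badq"]
ACT = ["m", "t", "k"]
TRANS = {
    ("gkm", "m", "q"), ("q", "t", "gkm"), ("q", "k", "gkm"),
    ("u0", "m", "u1"), ("u1", "t", "u2"), ("u1", "k", "u2"), ("u2", "m", "u1"),
    ("bad", "m", "badq"), ("badq", "k", "bad"),
}


def der(lts, a, p):
    """Der(a, p): the a-successors of p."""
    return {p2 for (p1, b, p2) in lts if p1 == p and b == a}


def diamond(lts, a, s):
    """<·a·>S: states with at least one a-transition into S."""
    return {p1 for (p1, b, p2) in lts if b == a and p2 in s}


def box(lts, states, a, s):
    """[·a·]S: states all of whose a-transitions (possibly none) end in S."""
    return {p for p in states if der(lts, a, p) <= s}


def rhs(lts, states, acts, p, x):
    """Right-hand side of the equation for X_p, evaluated at the current sets x."""
    result = set(states)
    for a in acts:
        targets = der(lts, a, p)
        for p2 in targets:
            result &= diamond(lts, a, x[p2])             # <a>X_{p'} for each a-successor
        disj = set().union(*(x[p2] for p2 in targets))    # empty disjunction = ff = ∅
        result &= box(lts, states, a, disj)              # [a] ∨ X_{p'}; [a]ff when no a-move
    return result


def characteristic_sets(lts, states, acts, largest=True):
    """Largest (default) or least solution of the equational system, by iteration.
    Example 6.10 shows why the least solution is useless: for cyclic processes it
    collapses to ∅, i.e. to the formula ff."""
    x = {p: (set(states) if largest else set()) for p in states}
    while True:
        new = {p: rhs(lts, states, acts, p, x) for p in states}
        if new == x:
            return x
        x = new


def bisimilar(p, q, lts=TRANS, states=STATES, acts=ACT):
    """Theorem 6.4: q |= X_p iff p ~ q."""
    return q in characteristic_sets(lts, states, acts)[p]
```

Because the largest solution is the bisimulation equivalence classes, the computed sets partition the state space and are symmetric (q in [[X_p]] exactly when p in [[X_q]]).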

Exercise 6.12 What is the characteristic formula for the processes p and q in Figure 6.1? □

Exercise 6.13 Define characteristic formulae for the simulation and ready simulation preorders as defined in Definitions 3.17 and 3.18, respectively. □


6.7 Mixing largest and least fixed points

Assume that we are interested in using HML with recursive definitions to specify the following property of systems:

It is possible for the system to reach a state which has a livelock.

We already saw on page 120 how to describe a property of the form ‘it is possible for the system to reach a state satisfying F’ using the template formula Pos(F), namely

$$Pos(F) \stackrel{\min}{=} F \vee \langle Act\rangle Pos(F).$$

Therefore, all that we need to do to specify the above property using HML with recursion is to ‘plug in’ a specification of the property ‘the state has a livelock’ in lieu of F. How can we describe a property of the form ‘the state has a livelock’ using HML with recursion? A livelock is an infinite sequence of internal steps of the system. So a state p in a labelled transition system has a livelock if it affords a computation of the form

$$p = p_0 \xrightarrow{\tau} p_1 \xrightarrow{\tau} p_2 \xrightarrow{\tau} p_3 \xrightarrow{\tau} \cdots$$

for some sequence of states $p_1, p_2, p_3, \ldots$. In other words, a state p has a livelock now if it affords a τ-labelled transition leading to a state $p_1$ which has a livelock now. This immediately suggests the following recursive specification of the property LivelockNow:

$$LivelockNow = \langle\tau\rangle LivelockNow.$$

As usual, we are faced with a choice in selecting a suitable solution for the above equation. Since we are specifying a state of affairs that should hold forever, in this case we should select the largest solution to the equation above. It follows that our HML specification of the property ‘the state has a livelock’ is

$$LivelockNow \stackrel{\max}{=} \langle\tau\rangle LivelockNow.$$

Exercise 6.14 What would be the least solution of the above equation? □

Exercise 6.15 (Mandatory) Consider the labelled transition system below.

[Diagram: states s, p, q, r with transitions s --a--> p, p --τ--> p, p --τ--> q and q --τ--> r]

Use the iterative algorithm for computing the set of states in that labelled transition system that satisfies the formula LivelockNow defined above. □

Exercise 6.16 This exercise is for those amongst you who feel they need more practice in computing fixed points using the iterative algorithm.

Consider the labelled transition system below.

[Diagram: labelled transition system with states s, s1, s2, s3 and transitions labelled τ and a]

Use the iterative algorithm for computing the set of states in that labelled transition system that satisfies the formula LivelockNow defined above. □

In light of the above discussion, a specification of the property mentioned at the beginning of this section using HML with recursive definitions can be given using the following system of equations:

$$Pos(LivelockNow) \stackrel{\min}{=} LivelockNow \vee \langle Act\rangle Pos(LivelockNow)$$

$$LivelockNow \stackrel{\max}{=} \langle\tau\rangle LivelockNow.$$

This looks natural and innocuous. However, first appearances can be deceiving! Indeed, the equational systems we have considered so far have only allowed us to express formulae purely in terms of largest or least solutions to systems of recursion equations. (See Section 6.5.) For instance, in defining the characteristic formulae for bisimulation equivalence, we only used systems of equations in which the largest solution was sought for all of the equations in the system.

Our next question is whether we can extend our framework in such a way that it can treat systems of equations with mixed solutions like the one describing the formula Pos(LivelockNow) above. How can we, for instance, compute the set of processes in the labelled transition system

[Diagram: the labelled transition system of Exercise 6.15, with states s, p, q, r and transitions s --a--> p, p --τ--> p, p --τ--> q and q --τ--> r]

that satisfy the formula Pos(LivelockNow)? In this case, the answer is not overly difficult. In fact, you might have already noted that we can compute the set of processes satisfying the formula Pos(LivelockNow) once we have in our hands the collection of processes satisfying the formula LivelockNow. As you saw in Exercise 6.15, the only state in the above labelled transition system satisfying the formula LivelockNow is p. Therefore, we may obtain the collection of states satisfying the formula Pos(LivelockNow) as the least solution of the set equation

$$S = \{p\} \cup \langle\cdot Act\cdot\rangle S, \qquad (6.16)$$

where S ranges over subsets of $\{s, p, q, r\}$. We can calculate the least solution of this equation using the iterative methods we introduced in Section 6.2.

Since we are looking for the least solution of the above equation, we begin by obtaining our first approximation $S^{(1)}$ to the solution by computing the value of the expression on the right-hand side of the equation when $S = \emptyset$, which is the least element in the complete lattice consisting of the subsets of $\{s, p, q, r\}$ ordered by inclusion. We have that

$$S^{(1)} = \{p\} \cup \langle\cdot Act\cdot\rangle \emptyset = \{p\}.$$

Intuitively, we have so far discovered the (obvious!) fact that p has a possibility of reaching a state where a livelock may arise because p has a livelock now.

Our second approximation $S^{(2)}$ is obtained by computing the set obtained by evaluating the expression on the right-hand side of equation (6.16) when $S = S^{(1)} = \{p\}$. The result is

$$S^{(2)} = \{p\} \cup \langle\cdot Act\cdot\rangle \{p\} = \{s, p\}.$$

Intuitively, we have now discovered the new fact that s has a possibility of reaching a state where a livelock may arise because s has a transition leading to p, which, as we found out in the previous approximation, has itself a possibility of reaching a livelock.

You should now be able to convince yourselves that the set $\{s, p\}$ is indeed a fixed point of equation (6.16)—that is, that

$$\{s, p\} = \{p\} \cup \langle\cdot Act\cdot\rangle \{s, p\}.$$

It follows that $\{s, p\}$ is the least solution of equation (6.16), and that the states s and p are the only ones in our example labelled transition system that satisfy the formula Pos(LivelockNow). This makes perfect sense intuitively because s and p are the only states in that labelled transition system that afford a sequence of transitions leading to a state from which an infinite computation consisting of τ-labelled transitions is possible. (In case of p, this sequence is empty since p can embark in a τ-loop immediately.)

Note that we could find the set of states satisfying Pos(LivelockNow) by first computing [[LivelockNow]], and then using this set to compute

$$[[Pos(LivelockNow)]],$$

because the specification of the formula LivelockNow was independent of that of Pos(LivelockNow). In general, we can apply this strategy when the collection of equations can be partitioned into a sequence of ‘blocks’ such that

• the equations in the same block are all either largest fixed point equations or least fixed point equations, and

• equations in each block only use variables defined in that block or in preceding ones.

The following definition formalizes this class of systems of equations.

Definition 6.2 An n-nested mutually recursive equational system E is an n-tuple

$$\langle (D_1, X_1, m_1), (D_2, X_2, m_2), \ldots, (D_n, X_n, m_n) \rangle,$$

where the $X_i$s are pairwise disjoint, finite sets of variables, and, for each $i \le n$,

• $D_i$ is a declaration mapping the variables in the set $X_i$ to formulae in HML with recursion that may use variables in the set $\bigcup_{1 \le j \le i} X_j$,

• $m_i = \max$ or $m_i = \min$, and

• $m_i \ne m_{i+1}$.

We refer to $(D_i, X_i, m_i)$ as the ith block of E and say that it is a maximal block if $m_i = \max$ and a minimal block otherwise. □

Observe that our earlier specification of the formula Pos(LivelockNow) is given in terms of a 2-nested mutually recursive equational system. In fact, take $X_1 = \{LivelockNow\}$ and $X_2 = \{Pos(LivelockNow)\}$. You can now easily check that the constraints in the above definition are met. On the other hand, the mixed equational system

$$X \stackrel{\max}{=} \langle a\rangle Y$$

$$Y \stackrel{\min}{=} \langle b\rangle X$$

does not meet these requirements because the variables X and Y are both defined in mutually recursive fashion, and their definitions refer to different types of fixed points. If we allow fixed points to be mixed completely freely we obtain the modal µ-calculus (Kozen, 1983a), which was mentioned in Section 6.1. In this book we shall however not allow a full freedom in mixing fixed points in declarations but restrict ourselves to systems of equations satisfying the constraints in Definition 6.2. Note that using the approach described above using our running example in this section, such systems of equations have a unique solution, obtained by solving the first block and then recursively proceeding with the others using the solutions already obtained for the preceding blocks.

Finally if F is a Hennessy-Milner formula defined over a set of variables $Y = \{Y_1, \ldots, Y_k\}$ that are declared by an n-nested mutually recursive equational system E, then [[F]] is well-defined and can be expressed by

$$[[F]] = O_F([[Y_1]], \ldots, [[Y_k]]), \qquad (6.17)$$

where $[[Y_1]], \ldots, [[Y_k]]$ are the sets of states satisfying the recursively defined formulae associated with the variables $Y_1, \ldots, Y_k$.
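The block-by-block solution of a nested system (Definition 6.2) and its use through equation (6.17), as an added example that is not the book's own code: the 2-nested system for Pos(LivelockNow) is solved over a constructed copy of the LTS of Exercise 6.15, and the free mixed system X/Y from the text is shown to be rejected. The representation of declarations as Python functions and the names solve_block, solve_nested and is_nested are my own.

```python
"""Block-by-block solution of an n-nested mutually recursive equational system
(Definition 6.2), as sketched for Pos(LivelockNow) in this section.

Added example, not the book's own code. Each block is (declaration, kind): the
declaration maps a variable to a function from an environment (the sets already
computed for variables of this and preceding blocks) to a set of states, and
kind is "max" or "min". Blocks are solved in order with the iterative algorithm
of Section 6.2, starting from Proc for a max block and from ∅ for a min block.
"""

# Constructed copy of the LTS of Exercise 6.15: s -a-> p, p -tau-> p, p -tau-> q, q -tau-> r.
STATES = {"s", "p", "q", "r"}
ACT = {"a", "tau"}
TRANS = {("s", "a", "p"), ("p", "tau", "p"), ("p", "tau", "q"), ("q", "tau", "r")}


def diamond(acts, s, lts=TRANS):
    """<·A·>S: states with a transition labelled by some action in A into S."""
    return {p1 for (p1, b, p2) in lts if b in acts and p2 in s}


def solve_block(decl, kind, env, states):
    """Iterate one block to its largest ("max") or least ("min") fixed point.
    Only variables of this block and of preceding blocks are in scope, so an
    equation that refers to a variable of a later block raises KeyError."""
    cur = {x: (set(states) if kind == "max" else set()) for x in decl}
    while True:
        scope = {**env, **cur}
        nxt = {x: decl[x](scope) for x in decl}
        if nxt == cur:
            return cur
        cur = nxt


def solve_nested(system, states=STATES):
    """Solve the blocks in order, checking the side conditions of Definition 6.2."""
    env, seen, prev = {}, set(), None
    for decl, kind in system:
        if kind not in ("max", "min") or kind == prev:
            raise ValueError("m_i must alternate between max and min")
        if seen & set(decl):
            raise ValueError("the X_i must be pairwise disjoint")
        env.update(solve_block(decl, kind, env, states))
        seen |= set(decl)
        prev = kind
    return env


# The 2-nested system of this section: X1 = {LivelockNow} (max), X2 = {Pos(LivelockNow)} (min).
POS_LIVELOCK = [
    ({"LivelockNow": lambda v: diamond({"tau"}, v["LivelockNow"])}, "max"),
    ({"Pos(LivelockNow)": lambda v: v["LivelockNow"] | diamond(ACT, v["Pos(LivelockNow)"])}, "min"),
]

# The mixed system X max= <a>Y, Y min= <b>X from the text: X refers forward to Y,
# so it is not n-nested and solving it block by block fails with KeyError.
MIXED_FREE = [
    ({"X": lambda v: diamond({"a"}, v["Y"])}, "max"),
    ({"Y": lambda v: diamond({"b"}, v["X"])}, "min"),
]


def states_satisfying(formula, system=POS_LIVELOCK, states=STATES):
    """Equation (6.17): [[F]] = O_F([[Y_1]], ..., [[Y_k]]), with O_F given as a
    function of the solved variables."""
    return formula(solve_nested(system, states))


def is_nested(system, states=STATES):
    """True iff the system can be solved block by block (no forward references)."""
    try:
        solve_nested(system, states)
        return True
    except (KeyError, ValueError):
        return False
```

Running it reproduces the computation of the text: [[LivelockNow]] = {p} and [[Pos(LivelockNow)]] = {s, p}.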

Exercise 6.17 Consider the labelled transition system in Exercise 6.16. Use equation (6.17) to compute the set of states satisfying the formula

$$F = \langle Act\rangle Pos(LivelockNow).$$

Exercise 6.18 Consider the following property expressed in natural language:

It is always the case that each request is eventually followed by a grant.

Express this property using HML with recursion. Next, construct a rooted labelled transition system that satisfies the property and one that does not. Check your constructions by computing the set of states in the labelled transition systems you have built that satisfy the formula. □

6.8 Further results on model checking

We shall now present an overview of results connected to model checking for various modal and temporal logics over several classes of processes, as we have done for equivalence checking problems in Chapter 3.6.

We consider only the logics mentioned in the above text. They form the following natural expressiveness hierarchy:

• Hennessy-Milner logic (HML),

• Hennessy-Milner logic with one recursively defined variable (1HML), and

• the modal µ-calculus (Kozen, 1983b), i.e., Hennessy-Milner logic with arbitrarily many nested and recursively defined variables.


These logics are typical representatives of the so called branching-time logics. The view of time taken by these logics is that each moment in time may branch into several distinct possible futures. Therefore, the structures used for interpreting branching-time logics can be viewed as computation trees. This means that in order to check for the validity of a formula, one has to consider a whole tree of states reachable from the root. Another typical and well-known branching-time logic is the computational tree logic or CTL (Clarke and Emerson, 1981), which uses (nested) until as the only temporal operator, the next-time modality X and existential/universal path quantifiers.

Another collection of temporal logics is that of the so called linear-time logics. The view of time taken by these logics is that each moment in time has a unique successor. Suitable models for formulae in such logics are therefore computation sequences. Here the validity of a formula is determined for a particular (fixed) trace of the system and possible branching is not taken into account. A process satisfies a linear-time formula if all of its computation sequences satisfy it. Linear temporal logic or LTL (Pnueli, 1977b) is probably the most studied logic of this type, in particular with the connection to the automata-theoretic approach (Vardi, 1995) and its implementation in tools like SPIN (Holzmann, 2003) and COSPAN (Har’El and Kurshan, 1987).

We shall first have a look at the decidability of model checking for the logics HML, 1HML and the modal µ-calculus over finite labelled transition systems. The model checking problem for the µ-calculus, which is the most expressive of those three logics, is decidable and it belongs both to the class NP and co-NP. In fact it was proved by Jurdzinski (Jurdzinski, 1998) that the problem is even in UP ∩ co-UP, which is the class of problems that can be decided by polynomial time non-deterministic Turing machines with the extra restriction that, for each input, there is at most one accepting computation of the Turing machine. It has been widely conjectured that the problem is indeed decidable in deterministic polynomial time. However, this is still one of the major open questions in this theory. The logics HML and 1HML are fragments of the µ-calculus. Their model checking problems are both decidable in polynomial (more precisely in linear) time on finite labelled transition systems (Cleaveland and Steffen, 1992). It is worth remarking here that the model checking problem for LTL over finite labelled transition systems is instead PSPACE-complete (Sistla and Clarke, 1985).

The aforementioned results on the complexity of model checking are based on the use of labelled transition systems as our model for reactive systems. However, in practice, most reactive systems contain several communicating components, and may be modelled as parallel compositions of (restricted classes of) labelled transition systems. As equivalence checking, model checking suffers from the so-called state explosion problem in the presence of concurrency. Hence a characterization


of the complexity of the model checking problem in the presence of concurrency yields a more realistic assessment of the hardness of the task of model checking reactive systems. The picture that emerges from the results presented in the literature on the complexity of model checking when the size of a concurrent process is measured in terms of the ‘length of its description’, rather than in the size of the labelled transition system that describes all of its possible computations, is somewhat bleak. The complexity of CTL model checking and of reachability for concurrent programs is PSPACE-complete (Kupferman, Vardi and Wolper, 2000; Kozen, 1977), and that of the (alternation-free) µ-calculus is EXPTIME-complete (Kupferman et al., 2000).

If we consider the classes of sequential systems with infinitely many reachable states like, e.g., pushdown automata, the model checking problem for the µ-calculus remains decidable. More precisely it is EXPTIME-complete (Walukiewicz, 2001).

In fact even more powerful logics like monadic second order logic—see, for instance, (Libkin, 2004, Chapter 7) for a textbook introduction—are still decidable over sequential infinite-state systems (Caucal, 1996; Muller and Schupp, 1985). The EXPTIME-hardness of model checking µ-calculus formulae over pushdown automata is valid even in the case that the size of the formula is assumed to be constant (fixed). On the other hand, for fixed formulae and the BPA class (pushdown automata with a single control state), the problem is decidable in polynomial time (Burkart and Steffen, 1997; Walukiewicz, 2001). Model checking of HML is PSPACE-complete for BPA, but, for a fixed formula, this problem is again in P (Mayr, 1998).

The situation is, however, not that promising once we move from sequential infinite-state systems to parallel infinite-state systems. Both for the class of Petri nets (PN) and for its communication-free fragment BPP (CCS with parallel composition, recursion and action prefixing only) essentially all branching-time logics with at least one recursively defined variable are undecidable. More precisely, the EG logic which can express the property whether there exists a computation during which some HML formula is invariantly true is undecidable for BPP (Esparza and Kiehn, 1995) (and hence also for PN). The EF logic which can essentially express reachability properties is decidable for BPP (Esparza, 1997) but undecidable for PN (Esparza, 1994). On the other hand, the linear time logic LTL (with a certain restriction) is decidable for Petri nets and BPP (Esparza, 1994). This is an example when LTL turns out to be more tractable than branching-time logics. A thorough discussion of the relative merits of linear- and branching-time logics from a complexity theoretic perspective may be found in, e.g., the paper (Vardi, 2001).

For further references and more detailed overviews we refer the reader for example to (Burkart et al., 2001; Burkart and Esparza, 1997).


Chapter 7

Modelling and analysis of mutual exclusion algorithms

In the previous chapters of this book, we have illustrated the use of the ingredients in our methodology for the description and analysis of reactive systems by means of simple, but hopefully illustrative, examples. As we have mentioned repeatedly, the difficulty in understanding and reasoning reliably about even the simplest reactive systems has long been recognized. Apart from the intrinsic scientific and intellectual interest of a theory of reactive computation, this realization has served as a powerful motivation for the development of the theory we have presented so far, and of its associated verification techniques.

In order to offer you further evidence for the usefulness of the theory you have learned so far in the modelling and analysis of reactive systems, we shall now use it to model and analyze some well known mutual exclusion algorithms. These algorithms are amongst the most classic ones in the theory of concurrent algorithms, and have been investigated by many authors using a variety of techniques—see, for instance, the classic papers (Dijkstra, 1965; Knuth, 1966; Lamport, 1986). Here, they will give us the opportunity to introduce some modelling and verification techniques that have proven their worth in the analysis of many different kinds of reactive systems.

In order to illustrate concretely the steps that have to be taken in modelling and verification problems, we shall consider a very elegant solution to the mutual exclusion problem proposed by Peterson and discussed in (Peterson and Silberschatz, 1985).

In Peterson’s algorithm for mutual exclusion, there are two processes $P_1$ and $P_2$, two boolean variables $b_1$ and $b_2$ and an integer variable k that may take the values 1 and 2. The boolean variables $b_1$ and $b_2$ have initial value false, whereas the


initial value of the variable k can be arbitrary. In order to ensure mutual exclusion, each process $P_i$ ($i \in \{1, 2\}$) executes the following algorithm, where we use j to denote the index of the other process.

    while true do
    begin
        ‘noncritical section’;
        b_i := true;
        k := j;
        while (b_j and k = j) do skip;
        ‘critical section’;
        b_i := false;
    end

As many concurrent algorithms in the literature, Peterson’s mutual exclusion algorithm is presented in pseudocode. Therefore one of our tasks, when modelling the above algorithm, is to translate the pseudocode description of the behaviour of the processes $P_1$ and $P_2$ into the model of labelled transition systems or into Milner’s CCS. Moreover, the algorithm uses variables that are manipulated by the processes $P_1$ and $P_2$. Variables are not part of CCS because, as discussed in Chapter 1.2, process calculi like CCS are based on the message passing paradigm, and not on shared variables. However, this is not a major problem. In fact, following the message passing paradigm, we can view variables as processes that are willing to communicate with other computing agents in their environment that need to read and/or write them.

By way of example, let us consider how to represent the boolean variable $b_1$ as a process. This variable will be encoded as a process with two states, namely B1t and B1f. The former state will describe the ‘behaviour’ of the variable $b_1$ holding the value true, and the latter the ‘behaviour’ of the variable $b_1$ holding the value false. No matter what its value is, the variable $b_1$ can be read (yielding information on its value to the reading process) or written (possibly changing the value held by the variable). We need to describe these possibilities in CCS. To this end, we shall assume that processes read and write variables by communicating with them using suitable communication ports. For instance, a process wishing to read the value true from variable $b_1$ will try to synchronize with the process representing that variable on a specific communication channel, say b1rt—the acronym means ‘read the value true from $b_1$’. Similarly, a process wishing to write the value false into variable $b_1$ will try to synchronize with the process representing that variable on the communication channel b1wf—‘write false into $b_1$’.

Using these ideas, the behaviour of the process describing the variable $b_1$ can be represented by the following CCS expressions:

Page 173: Reactive Systems: Modelling, Specification and Verification ...ce.sharif.edu/courses/90-91/2/ce665-1/resources... · Reactive Systems: Modelling, Specification and Verification

CHAPTER7. MODELLING MUTUAL EXCLUSION ALGORITHMS 157

B1fdef= b1rf.B1f + b1wf.B1f + b1wt.B1t

B1tdef= b1rt.B1t + b1wf.B1f + b1wt.B1t .

Intuitively, when in state B1t, the above process is willing to tell its environment that its value is true, and to receive writing requests from other processes. The communication of the value of the variable to its environment does not change the state of the variable, whereas a writing request from a process in the environment may do so.

The behaviour of the process describing the variable b2 can be represented in similar fashion thus:

B2f def= b2rf.B2f + b2wf.B2f + b2wt.B2t

B2t def= b2rt.B2t + b2wf.B2f + b2wt.B2t .

The CCS representation of the behaviour of the variable k is as follows:

K1 def= kr1.K1 + kw1.K1 + kw2.K2

K2 def= kr2.K2 + kw1.K1 + kw2.K2 .

Again, the process representing the variable k has two states, denoted by the constants K1 and K2 above, because the variable k can only take the two values 1 and 2.

Exercise 7.1 You should now be in a position to generalize the above examples. Assume that we have a variable v taking values over a data domain D. Can you represent this variable using a CCS process? □

Having described the variables used in Peterson's algorithm as processes, we are now left to represent the pseudocode algorithms for the processes P1 and P2 as CCS expressions. Note that, in doing so, we are making a step of formalization because pseudocode is a semi-formal notation without a precise syntax and semantics, whereas both the syntax and the semantics of CCS are unambiguously specified.

In our CCS formalization of the behaviour of processes P1 and P2, we shall ignore what the processes do outside and within their critical sections, and focus on their entering and exiting the critical section. After all, this is the interesting part of their behaviour as far as ensuring mutual exclusion is concerned! Moreover, we shall assume, for the sake of simplicity, that processes cannot fail or terminate within the critical section. Under these assumptions, the initial behaviour of process P1 can be described by the following CCS expression:

P1 def= b1wt.kw2.P11 .

The above expression says that process P1 begins by writing true in variable b1 and 2 in variable k. Having done so, it will enter a new state that will be represented by the constant P11. This new constant will intuitively describe the behaviour of process P1 while it is executing the following line of pseudocode:

while (bj and k = j) do skip.

To simulate this 'busy waiting' behaviour, we expect that process P11 will

• read the value of the variables bj and k,

• loop back to P11 if bj is true and k is equal to 2, and

• move to a new state, say P12, otherwise. In state P12, we expect that process P1 will enter and then exit the critical section.

The first thing to note here is that we need to make a decision as to the precise semantics of the informal pseudocode expression

bj and k = j.

How is this boolean conjunction evaluated? Is it evaluated from left to right, or from right to left? Assuming that it is evaluated from left to right, is the second conjunct evaluated if the first turns out to yield false? Different answers to these questions will produce different CCS processes. In what follows, we shall present a CCS description for process P11 under the assumption that conjunctions are evaluated from left to right, and that the second conjunct is not evaluated if the value of the first is equal to false. Under these assumptions, we can write

P11 def= b2rf.P12 + b2rt.(kr2.P11 + kr1.P12) .

Exercise 7.2 Would it have been a good idea to define P11 thus:

P11 def= b2rf.P12 + b2rt.kr2.P11 + b2rt.kr1.P12 ?

Argue for your answer. □


To complete the description of the behaviour of the process P1 we are left to present the defining equation for the constant P12, describing the access to, and exit from, the critical section, and the setting of the variable b1 to false:

P12 def= enter1.exit1.b1wf.P1 .

In the above CCS expression, we have labelled the enter and exit actions in a way that makes it clear that it is process P1 that is entering and exiting the critical section.

The CCS process describing the behaviour of process P2 in Peterson's algorithm is entirely symmetric to the one we have just provided, and is defined thus:

P2 def= b2wt.kw1.P21

P21 def= b1rf.P22 + b1rt.(kr1.P21 + kr2.P22)

P22 def= enter2.exit2.b2wf.P2 .

The CCS process term representing the whole of Peterson's algorithm consists of the parallel composition of the terms describing the two processes running the algorithm, and of those describing the variables. Since we are only interested in the behaviour of the algorithm pertaining to the access to, and exit from, their critical sections, we shall restrict all of the communication channels that are used to read from, and write to, the variables. We shall use L to stand for that set of channel names. Assuming that the initial value of the variable k is 1, our CCS description of Peterson's algorithm is therefore given by the term

Peterson def= (P1 | P2 | B1f | B2f | K1) \ L .

Exercise 7.3 (Mandatory!) Give a CCS process that describes the behaviour of Hyman's 'mutual exclusion' algorithm. Hyman's algorithm was proposed in (Hyman, 1966). It uses the same variables as Peterson's.

In Hyman's algorithm, each process Pi (i ∈ {1, 2}) executes the algorithm in Figure 7.1, where as above we use j to denote the index of the other process. □

Now that we have a formal description of Peterson's algorithm, we can set ourselves the goal to analyze its behaviour—manually or with the assistance of a software tool that can handle specifications of reactive systems given in the language CCS. In order to do so, however, we first need to specify precisely what it means for an algorithm to 'ensure mutual exclusion'. In our formalization, it seems natural to identify 'ensuring mutual exclusion' with the following requirement:

At no point in the execution of the algorithm will both processes P1 and P2 be in their critical sections at the same time.


    while true do
    begin
        'noncritical section';
        bi := true;
        while k ≠ j do
        begin
            while bj do skip;
            k := i
        end;
        'critical section';
        bi := false;
    end

Figure 7.1: The pseudocode for Hyman's algorithm

How can we formalize this requirement? There are at least two options for doing so, depending on whether we wish to use HML with recursion or CCS processes/labelled transition systems as our specification formalism. In order to gain experience in the use of both approaches to specification and verification, in what follows we shall present specifications for mutual exclusion using HML with recursion and CCS.

7.1 Specifying mutual exclusion in HML

Hennessy-Milner logic with recursion is an excellent formalism for specifying our informal correctness condition for Peterson's algorithm. To see this, observe, first of all, that the aforementioned desideratum is really a safety property in that it intuitively states that a desirable state of affairs—namely that 'it is not possible for both processes to be in their critical sections at the same time'—is maintained throughout the execution of the process Peterson. We already saw in Chapter 6 that safety properties can be specified in HML with recursion using formulae of the form Inv(F), where F is the 'desirable property' that we wish to hold at all points in the execution of the process. Recall that Inv(F) is nothing but a shorthand for the recursively defined formula

Inv(F) max= F ∧ [Act]Inv(F) .

So all that we are left to do in order to formalize our requirement for mutual exclusion is to give a formula F in HML describing the requirement that:


It is not possible for both processes to be in their critical sections at the same time.

In light of our CCS formalization of the processes P1 and P2, we know that process Pi (i ∈ {1, 2}) is in its critical section precisely when it can perform action exit_i. So our formula F can be taken to be

F def= [exit1]ff ∨ [exit2]ff .

The formula Inv(F) now states that it is invariantly the case that either P1 is not in the critical section or that P2 is not in the critical section, which is an equivalent formulation of our correctness criterion.

Throughout this chapter, we are interpreting the modalities in HML over the transition system whose states are CCS processes, and whose transitions are weak transitions of the form P =α⇒ P', for any action α including τ. So a formula like [exit1]ff is satisfied by all processes that do not afford an =exit1⇒-labelled transition—that is, by those processes that cannot perform action exit1 no matter how many internal steps they do before.

Exercise 7.4 Consider the formula Inv(G), where G is

([enter1][enter2]ff) ∧ ([enter2][enter1]ff) .

Would such a formula be a good specification for our correctness criterion? What if we took G to be the formula

(〈enter1〉[enter2]ff) ∧ (〈enter2〉[enter1]ff) ?

Argue for your answers! �

Now that we have a formal description of Peterson's algorithm, and a specification of a correctness criterion for it, we could try to establish whether process Peterson satisfies the formula Inv(F) or not.

With some painstaking effort, this could be done manually either by showing that the set of states of the process Peterson is a post-fixed point of the set function associated with the mapping

S ↦ [[F]] ∩ [·Act·]S ,

or by iteratively computing the largest fixed point of the above mapping. The good news, however, is that we do not need to do so! One of the benefits of having formal specifications of systems and of their correctness criteria is that, at least in principle, they can be used as inputs for algorithms and tools that do the analysis for us.

One such verification tool for reactive systems that is often used for educational purposes is the so-called Edinburgh Concurrency Workbench (henceforth abbreviated to CWB) that is freely available at

http://homepages.inf.ed.ac.uk/perdita/cwb/.

The CWB accepts inputs specified in CCS and HML with recursive definitions, and implements, amongst others, algorithms that check whether a CCS process satisfies a formula in HML with recursion or not. One of its commands (namely, checkprop) allows us to check, at the press of a button, that Peterson does indeed satisfy property Inv(F) above, and therefore that it preserves mutual exclusion, as its proposer intended.

Exercise 7.5 Use the CWB to check whether Peterson satisfies the two candidate formulae Inv(G) in Exercise 7.4. □

Exercise 7.6 (Mandatory) Use the CWB to check whether the CCS process for Hyman's algorithm that you gave in your answer to Exercise 7.3 satisfies the formula Inv(F) specifying mutual exclusion. □

7.2 Specifying mutual exclusion using CCS itself

In the previous section, we have seen how to specify and verify the correctness of Peterson's mutual exclusion algorithm using HML with recursion, and the model checking approach to the correctness problem. We have also hinted at the usefulness of an automatic verification tool like the CWB in the verification of even rather simple concurrent algorithms like Peterson's algorithm. (Process Peterson has 69 states, and cannot be considered a 'large reactive system'. However, its manual analysis already requires a fair amount of work and care.)

As mentioned previously in this book (see Chapter 3), implementation verification is another natural approach to the specification and verification of reactive systems. Recall that, in implementation verification, both actual systems and their specifications are represented as terms in the same model of concurrent computation—for instance as CCS terms or labelled transition systems. The correctness criterion in this setting is that, in some suitable formal sense, the term describing the implementation is equivalent to, or a suitable approximation of, that standing for the specification of the desired behaviour. As we have seen in Chapter 3, in this approach an important ingredient in the theory of reactive systems is therefore a notion of behavioural equivalence or approximation between process descriptions. Such a notion of equivalence can be used as our yardstick for correctness.

Unfortunately, however, there is no single notion of behavioural equivalence that fits all purposes. We have already met notions of equivalence like trace equivalence (Chapter 3.2), strong bisimilarity (Chapter 3.3) and observational equivalence (Chapter 3.4). Moreover, this is just the tip of the iceberg of 'reasonable' notions of equivalence or approximation between reactive systems. (The interested, and very keen, reader may wish to consult van Glabbeek's encyclopaedic studies (Glabbeek, 1990; Glabbeek, 1993; Glabbeek, 2001) for an in-depth investigation of the notions of behavioural equivalence that have been proposed in the literature on concurrency theory.) So, when using implementation verification to establish the correctness of an implementation, such as our description of Peterson's mutual exclusion algorithm, we need to

1. express our specification of the desired behaviour of the implementation using our model for reactive systems—in our setting as a CCS term—, and

2. choose a suitable notion of behavioural equivalence to be used in checking that the model of the implementation is correct with respect to the chosen specification.

As you can see, in both of these steps we need to make creative choices—putting paid to the usual perception that verifying the correctness of computing systems is a purely mechanical endeavour.

So let us try and verify the correctness of Peterson's algorithm for mutual exclusion using implementation verification. According to the above checklist, the first thing we need to do is to express the desired behaviour of a mutual exclusion algorithm using a CCS process term.

Intuitively, we expect that a mutual exclusion algorithm like Peterson's initially allows both processes P1 and P2 to enter their critical sections. However, once one of the two processes, say P1, has entered its critical section, the other can only enter after P1 has exited its critical section. A suitable specification of the behaviour of a mutual exclusion algorithm seems therefore to be given by the CCS term

MutexSpec def= enter1.exit1.MutexSpec + enter2.exit2.MutexSpec . (7.1)

Assuming that this is our specification of the expected behaviour of a mutual exclusion algorithm, our next task is to prove that the process Peterson is equivalent to, or a suitable approximation of, MutexSpec. What notion of equivalence or approximation should we use for this purpose?


You should be able to convince yourselves readily that strong bisimilarity or trace equivalence as presented in Chapter 3.2 will not do. (Why?) One possible approach would be to use observational equivalence (Definition 3.4) as our formal embodiment of the notion of correctness. Unfortunately, however, this would not work either! Indeed, you should be able to check easily that the process Peterson affords the weak transition

Peterson =τ⇒ (P12 | P21 | B1t | B2t | K1) \ L ,

and that the state that is the target of that transition affords an enter1-labelled transition, but cannot perform a weak enter2-labelled transition. On the other hand, the only state that process MutexSpec can reach by performing internal transitions is itself, and in that state both enter transitions are always enabled. It follows that Peterson and MutexSpec are not observationally equivalent.

Exercise 7.7 What sequence of τ-transitions will bring process Peterson into state (P12 | P21 | B1t | B2t | K1) \ L? (You'll need five τ-steps.)

Argue that, as we claimed above, that state affords an enter1-labelled transition, but cannot perform a weak enter2-labelled transition. □

This sounds like very bad news indeed. Observational equivalence allows us to abstract away from some of the internal steps in the evolution of process Peterson, but obviously not enough in this specific setting. We seem to need a more abstract notion of equivalence to establish the, seemingly obvious, correctness of Peterson's algorithm with respect to our specification.

Observe that if we could show that the 'observable content' of each sequence of actions performed by process Peterson is a trace of process MutexSpec, then we could certainly conclude that Peterson does ensure mutual exclusion. In fact, this would mean that at no point in its behaviour can process Peterson perform two enter actions in a row—possibly with some internal steps in between them, but with no exit action separating them. But what do we mean precisely by the 'observable content' of a sequence of actions? The following definition formalizes this notion in a very natural way.

Definition 7.1 [Weak Traces and Weak Trace Equivalence] A weak trace of a process P is a sequence a1 ··· ak (k ≥ 1) of observable actions such that there exists a sequence of transitions

P = P0 =a1⇒ P1 =a2⇒ ··· =ak⇒ Pk ,

for some P1, ..., Pk. Moreover, each process affords the weak trace ε. We say that a process P is a weak trace approximation of process Q if the set of weak traces of P is included in that of Q. Two processes are weak trace equivalent if they afford the same weak traces. □


Note that the collection of weak traces coincides with that of traces for processes that, like MutexSpec, do not afford internal transitions. (Why?)

We claim that the processes Peterson and MutexSpec are weak trace equivalent, and therefore that Peterson does meet our specification of mutual exclusion modulo weak trace equivalence. This can be checked automatically using the command mayeq provided by the CWB. (Do so!) This equivalence tells us not only that each weak trace of process Peterson is allowed by the specification MutexSpec, but also that process Peterson can exhibit as a weak trace each of the traces permitted by the specification.

If we are just satisfied with checking the pure safety condition that no trace of process Peterson violates the mutual exclusion property, then it suffices only to show that Peterson is a weak trace approximation of MutexSpec. A useful proof technique that can be used to establish this result is given by the notion of weak simulation. (Compare with the notion of simulation defined in Exercise 3.17.)

Definition 7.2 [Weak Simulation] Let us say that a binary relation R over the set of states of an LTS is a weak simulation iff whenever s1 R s2 and α is an action:

- if s1 -α→ s1', then there is a transition s2 =α⇒ s2' such that s1' R s2'.

We say that s' weakly simulates s iff there is a weak simulation R with s R s'. □

Proposition 7.1 For all states s, s', s'' in a labelled transition system, the following statements hold.

1. State s weakly simulates itself.

2. If s' weakly simulates s, and s'' weakly simulates s', then s'' weakly simulates s.

3. If s' weakly simulates s, then each weak trace of s is also a weak trace of s'.

In light of the above proposition, to show that Peterson is a weak trace approximation of MutexSpec, it suffices only to build a weak simulation that relates Peterson with MutexSpec. The existence of such a weak simulation can be checked using the command pre offered by the CWB. (Do so!)

Exercise 7.8 Prove Proposition 7.1. □

Exercise 7.9 Assume that s' weakly simulates s, and s weakly simulates s'. Is it true that s and s' are observationally equivalent? Argue for your answer. □

Exercise 7.10 Assume that the CCS process Q weakly simulates P. Show that Q + R weakly simulates P and P + R, for each CCS process R. □


Exercise 7.11

1. Show that the processes α.P + α.Q and α.(P + Q) are weak trace equivalent for each action α, and terms P, Q.

2. Show that weak trace equivalence is preserved by all of the operators of CCS.

7.3 Testing mutual exclusion

Another approach to establishing the correctness of Peterson's algorithm is to use a notion of 'testing'. Recall that what we mean by ensuring mutual exclusion is that at no point in the execution of process Peterson will both processes be in their critical section at the same time. Such a situation would arise if there is some execution of process Peterson in which two enter actions occur one after the other without any exit action in between them. For instance, process P1 might perform action enter1, and the next observable action might be enter2—causing both processes to be in their critical section at the same time. A way to check whether this undesirable situation can ever occur in the behaviour of process Peterson is to make it interact with a 'monitor process' that observes the behaviour of process Peterson, and reports an error if and when the undesirable situation arises. This is a conceptually simple, but very useful, technique that has arisen in various forms over and over again in the study of verification techniques for reactive systems, and probably finds its most theoretically satisfying embodiment in the classic automata-theoretic approach to verification—see, for instance, the references (Vardi, 1991; Vardi and Wolper, 1994).

So, how can we construct a monitor process that reports a failure in ensuring mutual exclusion if any arises? Intuitively, such a process would observe the enter and exit actions performed by process Peterson. Whenever an enter action is observed, the monitor process reaches a state in which it is ready to report that something bad has happened if it observes that the other process can now enter its critical section as well. If our monitor process observes the relevant exit action as expected, it gladly returns to its initial state, ready to observe the next round of the execution of the algorithm. A CCS process term describing the above behaviour is, for instance,

MutexTest def= enter1.MutexTest1 + enter2.MutexTest2

MutexTest1 def= exit1.MutexTest + enter2.bad.0

MutexTest2 def= exit2.MutexTest + enter1.bad.0 ,


where we have assumed that our monitor process outputs on channel name bad, when it discovers that two enter actions have occurred without an intervening exit.

In order to check whether process Peterson ensures mutual exclusion, it is now sufficient to let it interact with MutexTest, and ask whether the resulting system

(Peterson | MutexTest) \ {enter1, enter2, exit1, exit2}

can initially perform the action bad. Indeed, we have the following result:

Proposition 7.2 Let P be a CCS process whose only visible actions are contained in the set L' = {enter1, enter2, exit1, exit2}. Then (P | MutexTest) \ L' =bad⇒ iff

either P =σ⇒ P' =enter1⇒ P'' =enter2⇒ or P =σ⇒ P' =enter2⇒ P'' =enter1⇒ ,

for some P', P'' and sequence of actions σ in the regular language (enter1 exit1 + enter2 exit2)*.

Proof: For the 'if' implication, assume, without loss of generality, that

P =σ⇒ P' =enter1⇒ P'' =enter2⇒ P''' ,

for some P', P'', P''' and sequence of actions σ ∈ (enter1 exit1 + enter2 exit2)*. We shall argue that (P | MutexTest) \ L' =bad⇒. To see this, note that, using induction on the length of the sequence σ, it is not hard to prove that

(P | MutexTest) \ L' =τ⇒ (P' | MutexTest) \ L' .

Since P' =enter1⇒ P'' =enter2⇒ P''', we have that

(P' | MutexTest) \ L' =τ⇒ (P'' | MutexTest1) \ L' =τ⇒ (P''' | bad.0) \ L' -bad→ .

Combining the above sequences of transitions, we may conclude that

(P | MutexTest) \ L' =bad⇒ ,

which was to be shown.

Conversely, assume that (P | MutexTest) \ L' =bad⇒. Since bad.0 is the only state of process MutexTest that can perform a bad-action, this means that, for some P''',

(P | MutexTest) \ L' =τ⇒ (P''' | bad.0) \ L' -bad→ .

Because of the way MutexTest is constructed, this must be because, for some P' and P'' such that either P' =enter1⇒ P'' =enter2⇒ P''' or P' =enter2⇒ P'' =enter1⇒ P''',

(P | MutexTest) \ L' =τ⇒ (P' | MutexTest) \ L'
                     =τ⇒ (P'' | MutexTest_i) \ L'    (i ∈ {1, 2})
                     =τ⇒ (P''' | bad.0) \ L' .

Using induction on the length of the transition

(P | MutexTest) \ L' =τ⇒ (P' | MutexTest) \ L' ,

you can now argue that P =σ⇒ P', for some sequence of actions σ in the regular language (enter1 exit1 + enter2 exit2)*. This completes the proof. □

Exercise 7.12 Fill in the details in the above proof. □
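The three checks of Sections 7.1, 7.2 and 7.3 can also be carried out without the CWB. The following block is an added example, not code from the book or from the CWB: a small interpreter for the CCS operators used in this chapter (prefixing, choice, parallel composition, restriction and constants) that builds the labelled transition system of the process Peterson by breadth-first search and then (i) decides Inv(F), with F = [exit1]ff ∨ [exit2]ff read over weak transitions, by checking F in every reachable state (every reachable state is reachable by weak transitions, so the invariant reduces to this), (ii) computes the largest weak simulation between the states of Peterson and those of MutexSpec by refining the full relation, following Definition 7.2 and Proposition 7.1, and (iii) composes Peterson with the monitor MutexTest and asks whether bad is weakly reachable, as in Proposition 7.2. Conventions assumed here and not present in the text (the overbars of the original are lost in the extracted text): an action string starting with ' stands for an output, so 'x and x synchronise to τ; variables output reads and input writes, while the processes P1 and P2 do the converse; MutexTest performs the complements of enter_i and exit_i. The processes Naive1 and Naive2 are a constructed unprotected 'algorithm' used only as a negative control, and the helper `variable` is one answer to Exercise 7.1.

```python
# Added example (not the book's or the CWB's code): a small CCS interpreter that
# builds the LTS of this chapter's Peterson model and mechanises the checks of
# Sections 7.1-7.3.  Assumed conventions (overbars are lost in the extracted text):
# an action starting with ' is an output, so 'x and x synchronise to tau; variables
# output reads and input writes, processes do the converse; MutexTest uses co-names.
from collections import deque
from functools import reduce
NIL = ('nil',)
def pre(*acts_then):                       # pre('a', 'b', P) is the term a.b.P
    *acts, p = acts_then
    return reduce(lambda q, a: ('pre', a, q), reversed(acts), p)
def sum_(*ps): return ('sum', tuple(ps))
def par(p, *qs): return reduce(lambda r, q: ('par', r, q), qs, p)
def res(p, names): return ('res', p, frozenset(names))
def K(name): return ('const', name)        # process constant
def co(a): return a[1:] if a.startswith("'") else "'" + a
def chan(a): return a.lstrip("'")

def steps(t, defs):
    """Strong transitions (action, successor) of term t under the SOS rules of CCS."""
    kind = t[0]
    if kind == 'nil': return []
    if kind == 'pre': return [(t[1], t[2])]
    if kind == 'sum': return [s for q in t[1] for s in steps(q, defs)]
    if kind == 'const': return steps(defs[t[1]], defs)
    if kind == 'res':
        return [(a, res(q, t[2])) for a, q in steps(t[1], defs) if chan(a) not in t[2]]
    ps, qs = steps(t[1], defs), steps(t[2], defs)           # parallel composition
    out = [(a, ('par', p2, t[2])) for a, p2 in ps] + [(a, ('par', t[1], q2)) for a, q2 in qs]
    return out + [('tau', ('par', p2, q2)) for a, p2 in ps for b, q2 in qs
                  if a != 'tau' and b == co(a)]            # communication rule

def lts(defs, *inits):
    """All states reachable from inits, with their strong transitions."""
    trans, todo = {}, deque(inits)
    while todo:
        s = todo.popleft()
        if s not in trans:
            trans[s] = set(steps(s, defs))
            todo.extend(s2 for _, s2 in trans[s])
    return trans
def tau_closure(trans, states):
    seen, todo = set(states), list(states)
    while todo:
        for a, s2 in trans[todo.pop()]:
            if a == 'tau' and s2 not in seen:
                seen.add(s2); todo.append(s2)
    return seen
def weak(trans, s, a):
    """Targets of the weak transition s =a=> (tau* a tau*; just tau* when a is tau)."""
    before = tau_closure(trans, {s})
    if a == 'tau': return before
    return tau_closure(trans, {s2 for s1 in before for b, s2 in trans[s1] if b == a})
def variable(proc, ch, domain):            # Exercise 7.1: a variable over domain D
    return {f'{proc}{v}': sum_(pre(f"'{ch}r{v}", K(f'{proc}{v}')),
                               *[pre(f'{ch}w{w}', K(f'{proc}{w}')) for w in domain])
            for v in domain}

DEFS = {**variable('B1', 'b1', 'ft'), **variable('B2', 'b2', 'ft'), **variable('K', 'k', '12'),
 'P1':  pre("'b1wt", "'kw2", K('P11')),
 'P11': sum_(pre('b2rf', K('P12')), pre('b2rt', sum_(pre('kr2', K('P11')), pre('kr1', K('P12'))))),
 'P12': pre('enter1', 'exit1', "'b1wf", K('P1')),
 'P2':  pre("'b2wt", "'kw1", K('P21')),
 'P21': sum_(pre('b1rf', K('P22')), pre('b1rt', sum_(pre('kr1', K('P21')), pre('kr2', K('P22'))))),
 'P22': pre('enter2', 'exit2', "'b2wf", K('P2')),
 'Naive1': pre('enter1', 'exit1', K('Naive1')),  # constructed unprotected processes, negative control
 'Naive2': pre('enter2', 'exit2', K('Naive2')),
 'MutexSpec':  sum_(pre('enter1', 'exit1', K('MutexSpec')), pre('enter2', 'exit2', K('MutexSpec'))),
 'MutexTest':  sum_(pre("'enter1", K('MutexTest1')), pre("'enter2", K('MutexTest2'))),
 'MutexTest1': sum_(pre("'exit1", K('MutexTest')), pre("'enter2", 'bad', NIL)),
 'MutexTest2': sum_(pre("'exit2", K('MutexTest')), pre("'enter1", 'bad', NIL))}
L = {f'{ch}{rw}{v}' for ch, dom in (('b1', 'ft'), ('b2', 'ft'), ('k', '12')) for rw in 'rw' for v in dom}
PETERSON = res(par(K('P1'), K('P2'), K('B1f'), K('B2f'), K('K1')), L)
NAIVE, SPEC = par(K('Naive1'), K('Naive2')), K('MutexSpec')

def satisfies_inv_F(system):
    """Section 7.1: Inv(F), F = [exit1]ff or [exit2]ff, with modalities over weak transitions."""
    trans = lts(DEFS, system)
    return all(not weak(trans, s, 'exit1') or not weak(trans, s, 'exit2') for s in trans)
def weakly_simulates(spec, impl):
    """Section 7.2: largest weak simulation (Definition 7.2), refined down from the full relation."""
    ti, ts = lts(DEFS, impl), lts(DEFS, spec)
    R = {(p, q) for p in ti for q in ts}
    while True:
        failing = {(p, q) for p, q in R
                   if any(not any((p2, q2) in R for q2 in weak(ts, q, a)) for a, p2 in ti[p])}
        if not failing: return (impl, spec) in R
        R -= failing
def monitor_reports_bad(system):
    """Section 7.3: can (system | MutexTest) \\ {enter_i, exit_i} weakly perform bad?"""
    tested = res(par(system, K('MutexTest')), {'enter1', 'enter2', 'exit1', 'exit2'})
    return bool(weak(lts(DEFS, tested), tested, 'bad'))

if __name__ == '__main__':
    for name, sysm in (('Peterson', PETERSON), ('Naive', NAIVE)):
        print(name, satisfies_inv_F(sysm), weakly_simulates(SPEC, sysm), monitor_reports_bad(sysm))
```

For PETERSON the three functions answer True, True and False, for NAIVE the opposite. The refinement in `weakly_simulates` removes, in each round, every pair whose strong move cannot be matched by a weak move of the specification state, and stops at the greatest fixed point of the functional behind Definition 7.2, so the answer does not depend on the order in which pairs are examined; and because states are represented as terms, two Peterson configurations that differ only in which variable process has been unfolded never arise, since every continuation is a named constant or a subterm of its definition.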

Aside: testable formulae in Hennessy-Milner logic

This section is for the theoretically minded readers, who would like a glimpse of some technical results related to testing formulae in HML with recursion, and is meant as a pointer for further self-study.

Those amongst you that solved Exercise 7.4 might have already realized that, intuitively, the monitor process MutexTest is 'testing' whether the process it observes satisfies the formula Inv(G), where G is

([enter1][enter2]ff) ∧ ([enter2][enter1]ff) .

A natural question to ask is whether each formula in the language HML with recursion can be tested as we just did with the above formula Inv(G). In order to make this question precise, we need to define the collection of allowed tests and the notion of property testing. Informally, testing involves the parallel composition of the tested process (described by a state in a labelled transition system or by a CCS process) with a test. Following the spirit of the classic approach of De Nicola and Hennessy (De Nicola and Hennessy, 1984; Hennessy, 1988), and our developments above, we say that the tested state fails a test if the distinguished reject action bad can be performed by the test while it interacts with it, and passes otherwise. The formal definition of testing then involves the definition of what a test is, how interaction takes place and when the test has failed or succeeded. We now proceed to make these notions precise.

Definition 7.3 [Tests] A test is a finite, rooted LTS T over the set of actions Act ∪ {bad}, where bad is a distinguished channel name not occurring in Act. We use root(T) to denote the start state of the LTS T. □

As above, the idea is that a test acts as a monitor that 'observes' the behaviour of a process and reports any occurrence of an undesirable situation by performing a bad-labelled transition.


In the remainder of this section, tests will often be concisely described using the regular fragment of Milner's CCS—that is the fragment of CCS given by the following grammar:

T ::= 0 | α.T | T + T | X ,

where α can be any action in Act as well as the distinguished action bad, and X is a constant drawn from a given, finite set of process names. The right-hand side of the defining equations for a constant can only be a term generated by the above grammar. For example, the process MutexTest we specified above is a regular CCS process, but the term

X def= a.(b.0 | X)

is not. We now proceed to describe formally how tests can be used to check whether a process satisfies a formula expressed in HML with recursion.

Definition 7.4 [Testing Properties] Let F be a formula in HML with recursion, and let T be a test.

• For every state s of an LTS, we say that s passes the test T iff (s | root(T)) \ L cannot perform the weak transition =bad⇒. (Recall that L stands for the collection of observable actions in CCS.) Otherwise we say that s fails the test T.

• We say that the test T tests for the formula F (and that F is testable) iff for every LTS T' and every state s of T',

s |= F iff s passes the test T.

• A collection of formulae in HML with recursion is testable iff each of the formulae in it is.

Example 7.1 The formula [a]ff is satisfied by those processes that do not afford an =a⇒-transition. We therefore expect that a suitable test for such a property is T ≡ a.bad.0. Indeed, the reader will easily realize that (s | T) \ L cannot perform =bad⇒ iff s cannot perform =a⇒, for every state s. The formula [a]ff is thus testable, in the sense of Definition 7.4. The formula defined by the recursion equation

F max= [a]ff ∧ [b]F

is satisfied by those states which cannot perform an =a⇒-transition, no matter how they engage in a sequence of =b⇒-transitions. (Why?) A suitable test for such a property is

X def= a.bad.0 + b.X ,

and the recursively defined formula F is thus testable. □

Exercise 7.13 Consider the following labelled transition system:

[Figure: a labelled transition system over the states p, q, r and s with transitions labelled a and b; the drawing did not survive extraction.]

Compute the set of states in this labelled transition system that satisfy the property

F max= [a]ff ∧ [b]F .

Which of the states in that labelled transition system passes the test

X def= a.bad.0 + b.X ?

Argue for your answers! □

Exercise 7.14 Prove the claims that we have made in the above example. □

In Example 7.1, we have met two examples of testable formulae. But, can each formula in HML with recursion be tested in the sense introduced above? The following instructive result shows that even some very simple HML properties are not testable in the sense of Definition 7.4.

Proposition 7.3 [Two Negative Results]

1. For every action a in L, the formula 〈a〉tt is not testable.

2. Let a and b be two distinct actions in L. Then the formula [a]ff ∨ [b]ff is not testable.

Proof: We prove each statement in turn.


• PROOF OF (1). Assume, towards a contradiction, that the test T tests for the formula 〈a〉tt. Since T tests for 〈a〉tt and 0 ⊭ 〈a〉tt, we have that

(0 | root(T)) \ L =bad⇒ .

Consider now the term P = a.0 + τ.0. As P -a→ 0, the process P satisfies the formula 〈a〉tt. However, P fails the test T because

(P | root(T)) \ L -τ→ (0 | root(T)) \ L =bad⇒ .

This contradicts our assumption that T tests for 〈a〉tt.

• PROOF OF (2). Assume, towards a contradiction, that the test T tests for the formula [a]ff ∨ [b]ff, with a ≠ b. Since the state a.0 + b.0 does not satisfy the formula [a]ff ∨ [b]ff, it follows that

((a.0 + b.0) | root(T)) \ L =bad⇒ . (7.2)

We now proceed to show that this implies that either the state a.0 fails the test T or b.0 does. This we do by examining the possible forms transition (7.2) may take.

– CASE: ((a.0 + b.0) | root(T)) \ L =bad⇒ because root(T) =bad⇒. In this case, every state of an LTS fails the test T, and we are done.

– CASE: ((a.0 + b.0) | root(T)) \ L =τ⇒ (0 | t) \ L -bad→, because root(T) =a⇒ t for some state t of T. In this case, we may infer that

(a.0 | root(T)) \ L =τ⇒ (0 | t) \ L -bad→

and thus that a.0 fails the test T.

– CASE: ((a.0 + b.0) | root(T)) \ L =τ⇒ (0 | t) \ L -bad→, because root(T) =b⇒ t for some state t of T. In this case, reasoning as above, it is easy to see that b.0 fails the test T.

Hence, as previously claimed, either a.0 fails the test T or b.0 does. Since both a.0 and b.0 satisfy the formula [a]ff ∨ [b]ff, this contradicts our assumption that T tests for it.

The proof is now complete. □


The collection of formulae in safety HML is the set of formulae in HML with recursion that do not contain occurrences of $\vee$, $\langle\alpha\rangle$ and variables defined using least fixed point recursion equations.

Exercise 7.15 (Strongly Recommended) Can you build a test (denoted by a process in the regular fragment of CCS) for each formula in safety HML without recursion? Hint: Use induction on the structure of formulae. $\square$

It turns out that, with the addition of recursive formulae defined using largest fixed points, the collection of testable formulae in HML with recursion is precisely the one you built tests for in the previous exercise! This is the import of the following result from (Aceto and Ingolfsdottir, 1999).

Theorem 7.1 The collection of formulae in safety HML is testable. Moreover, every testable property in HML with recursion can be expressed in safety HML.

Thus we can construct tests for safety properties expressible in HML with recursion. We refer the interested readers to (Aceto and Ingolfsdottir, 1999) for more details, further developments and references to the literature.


Part II

A Theory of Real-time Systems


Chapter 8

Introduction

In the first part of this book, we have motivated and developed a general purpose theory that can be used to describe, and reason about, reactive systems. The key ingredients in our approach were

• an algebraic language, namely Milner's CCS, for the syntactic description of reactive systems,

• automata/labelled transition systems for describing the dynamic behaviour of process terms,

• Structural Operational Semantics, allowing us to associate systematically a labelled transition system with each process term in a syntax directed fashion,

• notions of behavioural equivalence to compare process behaviours, and

• modal and temporal logics to specify desired properties of reactive systems.

These ingredients gave the foundations for the formal modelling and verification of reactive systems, and are the bedrock for the development of (semi-)automatic verification tools for reactive systems.

The theory that we have developed so far, however, does not allow us to describe naturally all of the important aspects in reactive computation. Consider, for instance, some by now ubiquitous examples of reactive systems, namely embedded systems like the ABS and air bags in cars, cruise control systems, digital watches, mobile phones, the monitors of your computers, production lines and video game consoles. These are all examples of real-time systems. A real-time system is a system whose correct behaviour does not only depend on the logical order in which events are performed, but also on their timing. Think for a moment about the expected behaviour of an air bag system in a car. Such a system is intended to inflate the air bags in case of a car crash, but this behaviour is not just expected to occur "eventually". Rather, we should like to have some (hopefully small) hard bounds on the timing of its occurrence. A suitable correctness criterion for such a system might therefore be that

If the car crashes, the airbag must be inflated within 50 milliseconds,

say, rather than a not so reassuring "the air bag will be eventually inflated". Another instructive, and suggestive, example of a real-time system is that of a control program that we already met when introducing the general notion of reactive system. Recall that, at a high level of abstraction, the behaviour of a control program can be seen to be governed by the following pseudo-code algorithm skeleton.

    loop
        read the sensors' values at regular intervals
        depending on the sensors' values trigger the relevant actuators
    forever

In the above description, we have some implicit and qualitative description of the real-time behaviour of a control program. Such a program can be thought of as being in an "idle mode" in between consecutive readings of the values of the sensors. When the "idle interval" is over, the system polls the values of the sensors, triggers the relevant actions interacting with its environment, and then re-enters its "idle mode". Such a system is a typical example of a hybrid system—that is, a discrete system that interacts with a continuously evolving one, namely its environment. (In the jargon of control theory, the environment is usually referred to as the plant.) As we shall see in what follows, the expected behaviour of the aforementioned control program will serve as a useful example to explain some of the choices that researchers have made in designing appropriate models for the description of reactive, real-time computation.


Chapter 9

CCS with Time Delays

9.1 Intuition

All of the types of reactive systems that we have mentioned above should give us a sufficient motivation to describe and analyze formally real-time reactive computations. In the first part of the book, we have introduced a collection of languages and models based on the flexible and intuitive idea of communicating state machines, and argued, by means of several examples, that the resulting formalisms can be used to describe and analyze non-trivial reactive systems. When real-time constraints become important to the proper functioning of reactive systems, we should like to continue building on the time-honoured formalisms we have introduced previously. But are those formalisms sufficiently powerful to describe timing constraints in computation? Can we use them to specify, for instance, features like time-outs?

Consider, by way of example, a light switch that has the following behaviour:

If the switch is off, and is pressed once, then the light will turn on. If the switch is then pressed again "soon after" the light was turned on, then the light becomes brighter. Otherwise, the light is turned off by the next button press.

A way of describing this behaviour using CCS is to construct a process with three states—say, Off, Light and Bright—describing the three possible states mentioned in the above English description of the behaviour of the system. Modelling the behaviour of the switch in the Off or Bright states is easy:

$$\mathit{Off} \stackrel{\text{def}}{=} \mathit{press}.\mathit{Light} \qquad\text{and}\qquad \mathit{Bright} \stackrel{\text{def}}{=} \mathit{press}.\mathit{Off} .$$


How can we describe the behaviour of the system in the Light state? One approach would be to write the following CCS term:

$$\mathit{Light} \stackrel{\text{def}}{=} \tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} ,$$

which describes the possible effects that pressing the button can have when the system is in the Light state. Note, however, that the above description does not capture the requirement that if the user presses the button "quickly" after the light is on, then the light will become brighter. (Rather, it intuitively states that the system may internally choose to switch off the light at the next button press.) This is a timing requirement on consecutive button presses, and CCS offers no facility for describing it. What kind of constructs can we add to CCS in order to describe systems like the light switch above, whose behaviour is time dependent?

One of the most important principles underlying the development of CCS, and of all of the models and languages we have met so far, is that of parsimony. These models are built on a small collection of operators that are sufficient to describe the computational phenomena under study. Using this principle, we should like to extend a language like CCS, and the model of labelled transition systems, with the least amount of machinery that allows us to describe time dependent behaviour. As we shall see, the lessons we learned from the behaviour in time of the skeleton control program will help us a lot in deciding how to extend CCS and labelled transition systems with timing.

Intuitively, we have argued that one can view a real-time system like the aforementioned skeleton of a control program as having a two-phase behaviour. In fact, that system alternates between phases in which the system is idle—that is, it does not perform any action—and time passes, and those in which the system performs sequences of actions triggering the relevant actuators and possibly chooses between different courses of action before returning to its idle mode. As in CCS, it is a useful abstraction to consider the sequence of actions performed by the system as being instantaneous in time.

We already know how to describe syntactically action occurrences by means of the action prefixing operator of CCS. What is the minimum amount of machinery that we can add to our language in order to give a faithful description of the passage of time? A possible, conservative answer is to view the passage of time as being some kind of "action" that a system may perform. This action can be specified by means of a new prefixing operator that describes time delays—say $\varepsilon(d)$, where $d$ is a real number that specifies the amount of time that needs to elapse before the "idling time" is over. For example, using this new type of prefixing operator, the behaviour of the light switch in state Light could be described by means of the equation

$$\mathit{Light} \stackrel{\text{def}}{=} \varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} , \tag{9.1}$$

assuming that pressing the button "quickly" means doing so within 1.4 seconds, say. The reason why we included here also the action $\tau$ might not be completely obvious at this moment and will be explained later on. Intuitively, the reader should think of $\tau$ as an action that cannot be delayed and must be performed as soon as it becomes available. This introduces the notion of urgency, which is useful for describing features like time-outs.

The term on the right-hand side of the above equation, however, needs to be given a semantics in order for its behaviour to be understood. In particular, this involves giving the formal semantics of the delay operator and describing how it interacts with the other constructs of the language. Moreover, we need to choose a suitable semantic model that can be used to describe formally the behaviour of terms in a timed version of CCS. Last but not least, a choice has to be made as to the structure to be used to model Time. In what follows, we shall use the set $\mathbb{R}_{\ge 0}$ of non-negative real numbers as our time domain. This appears as a natural choice, if we think of the flow of time as being continuous. However, some researchers prefer to work with a discrete notion of time, and this can be modelled by using the set of natural numbers $\mathbb{N}$ as time domain.

9.2 Timed Labelled Transition Systems

In the first part of this book, we have used labelled transition systems to model the behaviour of reactive systems. Since this model of computation is very intuitive and flexible, we should like to use a variation on it in order to give semantics to real-time reactive systems. In light of the above discussion, it is natural to assume that we can describe the passage of time by adding special "delay" transitions to the model. Such transitions could, for instance, be used to give the formal semantics of the delay prefixing operators $\varepsilon(d)$, with $d \in \mathbb{R}_{\ge 0}$, used in equation (9.1). The resulting structure is a timed version of the model of LTSs. This we now proceed to describe formally.

Definition 9.1 A timed (labelled) transition system (TLTS) is a triple

$$(\mathit{Proc}, \mathit{Lab}, \{\stackrel{a}{\to} \mid a \in \mathit{Lab}\}) ,$$

where

• $\mathit{Proc}$ is a set of states (or processes),


• $\mathit{Lab} = \mathit{Act} \cup \mathbb{R}_{\ge 0}$ is a set of labels (consisting of actions and time delays), and

• $\stackrel{a}{\to} \subseteq \mathit{Proc} \times \mathit{Proc}$, for each $a \in \mathit{Lab}$, is a binary relation on states called the transition relation.

As usual, we write

• $s \stackrel{a}{\to} s'$ if $a \in \mathit{Act}$ and $(s, s') \in \stackrel{a}{\to}$, and

• $s \stackrel{d}{\to} s'$ if $d \in \mathbb{R}_{\ge 0}$ and $(s, s') \in \stackrel{d}{\to}$.

Transitions of the type $s \stackrel{a}{\to} s'$ are ordinary transitions that are due to the performance of actions, and those of the form $s \stackrel{d}{\to} s'$, with $d \in \mathbb{R}_{\ge 0}$, are time-elapsing transitions describing how a system evolves as time passes. A little reflection, however, leads us to conclude that not all structures of the above kind reflect our intuition as to the passage of time. Assume, for instance, that a state $s$ in a timed LTS affords a transition of the form $s \stackrel{1.4}{\to} s'$. (Such a state could, for instance, describe the timing behaviour of the process Light in equation (9.1).) That transition tells us that a system in state $s$ can wait for 1.4 units of time, and thereby evolve into $s'$. However, if a system can wait for 1.4 seconds, say, then it is natural to expect that it can delay for, say, 0.8 seconds and thereby reach a state that can then proceed to wait for 0.6 seconds, and become $s'$ in doing so. This means that time is additive, and that the transition relation of a TLTS ought to satisfy the following time additivity requirement:

$$\text{if } s \stackrel{d}{\to} s' \text{ and } 0 \le d' \le d \text{ then } s \stackrel{d'}{\to} s'' \stackrel{d - d'}{\to} s' \text{ for some state } s''. \tag{9.2}$$

Note that $d'$ could be $0$. Since it is reasonable to assume that a state can only reach itself without delay, we also postulate that

$$s \stackrel{0}{\to} s, \text{ for each state } s. \tag{9.3}$$

A final requirement that is imposed on TLTSs captures the way a system can evolve just by idling as time passes. In order to motivate this requirement, consider the control program we have already discussed. When in idle mode, that program is intuitively just updating the value of some timer that measures the amount of time that needs to elapse before the system polls the values of its sensors next. Each time delay therefore brings the system to a unique next state, in which intuitively the value of the timer has decreased by the amount of delay. This example indicates that delay transitions are deterministic—that is, for all $s, s', s''$ and for each $d \in \mathbb{R}_{\ge 0}$,

$$\text{if } s \stackrel{d}{\to} s' \text{ and } s \stackrel{d}{\to} s'' \text{ then } s' = s''. \tag{9.4}$$

In what follows, we shall restrict our attention to TLTSs that satisfy requirements (9.2)–(9.4).

Example 9.1 Consider the following timed transition system

$$(\mathit{Proc}, \mathit{Lab}, \{\stackrel{a}{\to} \mid a \in \mathit{Lab}\})$$

where $\mathit{Proc} = \mathbb{R}_{\ge 0}$, $\mathit{Lab} = \{a\} \cup \mathbb{R}_{\ge 0}$, $\stackrel{a}{\to} = \{(5, 0)\}$ and, for all $d \in \mathbb{R}_{\ge 0}$, we define $\stackrel{d}{\to} = \{(d', d'') \in \mathbb{R}_{\ge 0} \times \mathbb{R}_{\ge 0} \mid d' + d = d''\}$. The picture shows a fragment of the timed transition system defined above. Note that we have included only very few timed transitions; in fact there are infinitely (or rather uncountably) many transitions that should be added to the picture.

(Figure: the states $0, 1, 2, 3, 4, 5$ drawn on a line, a sample of delay transitions between them with labels $3$, $0$, $1$, $2$, $0.5$ and $1$, and the single action transition $5 \stackrel{a}{\to} 0$; the diagram is not reproduced here.)

It is easy to verify that the transition system above satisfies conditions (9.2), (9.3) and (9.4). The only ordinary action is called $a$ and, whenever the system is at time point $5$, it can move the control to the initial state.

9.3 Syntax and SOS rules

In the remainder of this section, we shall specify TLTSs using a timed version of the language CCS that is essentially Wang Yi's Timed CCS (henceforth abbreviated to TCCS) (Wang, 1990; Wang, 1991a; Wang, 1991b). As indicated in our discussion in Section 9.1, the only constructs that we shall add to the syntax of the language CCS presented in Definition 2.3 are the delay prefixing operators $\varepsilon(d)$, with $d \in \mathbb{R}_{\ge 0}$.

Formally, the collection $\mathcal{P}$ of Timed CCS expressions is given by the grammar for CCS expressions given in Definition 2.3 extended with the following formation rule:

if $P$ is in $\mathcal{P}$ and $d \in \mathbb{R}_{\ge 0}$, then $\varepsilon(d).P$ is in $\mathcal{P}$.


In what follows, we shall not distinguish the terms $P$ and $\varepsilon(0).P$. As for standard CCS, we assume that the behaviour of each process constant is given by a defining equation

$$K \stackrel{\text{def}}{=} P .$$

Definition 9.2 An occurrence of a constant $K$ in an expression $P$ is guarded if it occurs within a sub-expression of $P$ of the form $\alpha.Q$. $\square$

In what follows, we shall restrict ourselves to considering only processes involving constants whose defining equations contain only guarded occurrences of constants. These expressions are called guarded.

Example 9.2 Consider the following timed CCS expression.

$$(a.K_1 + (K_2 \mid b.K_3) + K_1) \mid (\varepsilon(4.2).(K_4 \mid \mathbf{0}) + \varepsilon(1.2).K_3)$$

The first occurrence (from the left) of the constant $K_1$ is guarded, while its second occurrence is not guarded. The single occurrence of $K_2$ is not guarded either. Both occurrences of $K_3$ are guarded, as is the single occurrence of $K_4$. Altogether, the whole expression is not guarded.

Exercise 9.1 Convince yourselves that the specification of the process Light given in (9.1) is a guarded Timed CCS expression. $\square$

By analogy with standard CCS, we expect that the behaviour of the process Light given in (9.1) is determined by that of the right-hand side of its defining equation, namely the expression

$$\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} .$$

The action transitions of this expression are determined by the same SOS rules we used for standard CCS. (See Table 2.2.) Moreover, since we identify $P$ with $\varepsilon(0).P$, we have that

$$\frac{P \stackrel{\alpha}{\to} P'}{\varepsilon(0).P \stackrel{\alpha}{\to} P'}$$

So, as you can easily check,

$$\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} \stackrel{\mathit{press}}{\to} \mathit{Bright} . \tag{9.5}$$

Since the other press-labelled transition is only available after 1.4 units of time have elapsed and an internal action has occurred, we expect that this is the only action transition that is initially possible for that term. However, the above term can delay some amount of time $d \le 1.4$ by virtue of the transition

$$\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} .$$

Note that, unlike action transitions, delay transitions like the one above do not resolve nondeterministic choices. This is in line with our intuition that delay transitions ought to be deterministic. In the above example, the transition (9.5) is available immediately, and it remains available after $d$ units of time have elapsed.

When $d$ equals $0$, we expect that, after the internal action has occurred, the press-labelled transition leading to the Off state becomes enabled, and therefore that the transitions

$$\varepsilon(0).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} \stackrel{\tau}{\to} \mathit{press}.\mathit{Off} \stackrel{\mathit{press}}{\to} \mathit{Off}$$

are possible.

To formally capture our intuitive understanding of the effect of delay transitions over TCCS expressions, we introduce the collection of SOS rules in Table 9.1. (For the sake of clarity, we restrict for the moment to expressions that contain neither occurrences of the parallel composition operator nor of $\tau$ prefixes.) A transition $P \stackrel{d}{\to} Q$, with $d \in \mathbb{R}_{\ge 0}$, holds for TCCS expressions $P, Q$ if, and only if, it can be proven using these rules. The SOS rules for standard actions are the same as for CCS.

Table 9.1: SOS Rules for TCCS ($d, d' \in \mathbb{R}_{\ge 0}$)

$$\frac{P \stackrel{d'}{\to} P'}{\varepsilon(d).P \stackrel{d + d'}{\to} P'} \qquad\qquad \frac{}{\varepsilon(d).P \stackrel{d'}{\to} \varepsilon(d - d').P}\;\; (d' \le d)$$

$$\frac{P \stackrel{d}{\to} P'}{K \stackrel{d}{\to} P'}\;\; (K \stackrel{\text{def}}{=} P) \qquad\qquad \frac{}{\alpha.P \stackrel{d}{\to} \alpha.P}\;\; (\alpha \neq \tau)$$

$$\frac{P_i \stackrel{d}{\to} P_i' \ \text{ for each } i \in I}{\sum_{i \in I} P_i \stackrel{d}{\to} \sum_{i \in I} P_i'}$$

$$\frac{P \stackrel{d}{\to} P'}{P[f] \stackrel{d}{\to} P'[f]} \qquad\qquad \frac{P \stackrel{d}{\to} P'}{P \setminus L \stackrel{d}{\to} P' \setminus L}$$

Exercise 9.2 Prove the transition

$$\mathit{Light} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} ,$$

with $d \le 1.4$, using the above rules. $\square$
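As an added worked derivation (not part of the original text), here is how the transition asked for in Exercise 9.2 is proved from the rules of Table 9.1, for any $d \le 1.4$. Each line is one rule application; the premises of a line are the conclusions of the lines above it.

$$\frac{}{\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off}} \quad (\text{delay axiom, side condition } d \le 1.4)$$

$$\frac{}{\mathit{press}.\mathit{Bright} \stackrel{d}{\to} \mathit{press}.\mathit{Bright}} \quad (\text{prefix axiom, } \mathit{press} \neq \tau)$$

$$\frac{\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off} \qquad \mathit{press}.\mathit{Bright} \stackrel{d}{\to} \mathit{press}.\mathit{Bright}}{\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright}} \quad (\text{sum rule, } I = \{1, 2\})$$

$$\frac{\varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright}}{\mathit{Light} \stackrel{d}{\to} \varepsilon(1.4 - d).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright}} \quad (\text{constant rule, } \mathit{Light} \stackrel{\text{def}}{=} \varepsilon(1.4).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})$$

For $d > 1.4$ no derivation exists: the delay axiom's side condition fails, and the only other rule for $\varepsilon(1.4).P$ needs a premise $\tau.\mathit{press}.\mathit{Off} \stackrel{d - 1.4}{\to}$, which no rule of Table 9.1 provides (the $\tau$-rule of Section 9.4 only allows a zero delay). Hence the first summand, and with it the sum and $\mathit{Light}$, can delay at most $1.4$ units.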


Exercise 9.3 (Strongly Recommended) Prove the following persistency property of action transitions:

For all processes $P, Q$, action $a$ and delay $d$, if $P \stackrel{a}{\to}$ and $P \stackrel{d}{\to} Q$, then $Q \stackrel{a}{\to}$.

For simplicity, you may restrict yourselves to considering process terms that do not contain occurrences of constants. $\square$

Consider a process expression of the form

$$\sum_{i \in I} \varepsilon(d_i).\alpha_i.P_i .$$

Intuitively, we may think of the operational rules in Table 9.1 as implementing the following idea of the expected behaviour of this process. The process has a stopwatch, or clock, that is used to measure the amount of time that has elapsed since it last embarked in an action. As time progresses and the process idles, the value of the stopwatch increases. When this value is greater than, or equal to, $d_i$ for some $i \in I$, then action $\alpha_i$ becomes enabled and can be performed. If this happens, the process enters state $P_i$, the stopwatch is reset, and the future behaviour is determined according to the same approach. Note that this intuitive description of the dynamics of processes is fully in line with our view that the behaviour of processes consists of two alternating phases consisting of idling (when time passes) and action (when actions are performed instantaneously). Moreover, in the absence of parallel composition, the above approach to the description of the behaviour of processes can be "implemented" by using only one clock.

However, parallel composition is fundamental for the description of interacting reactive systems, and we therefore now examine what happens when we consider real-time parallel systems.

9.4 Parallel composition

Assume now that we have a user of our light switch whose behaviour is described by the following expression

$$\mathit{FastUser} \stackrel{\text{def}}{=} \mathit{press}.\varepsilon(0.3).\mathit{press}.\mathit{FastUser} .$$

We expect that the FastUser will be able to synchronize with the switch in the Off state immediately, resulting in the transition

$$(\mathit{FastUser} \mid \mathit{Off}) \setminus \mathit{press} \stackrel{\tau}{\to} ((\varepsilon(0.3).\mathit{press}.\mathit{FastUser}) \mid \mathit{Light}) \setminus \mathit{press} .$$


In the target state of the above transition, the press-transition of the left-hand expression is only available after a delay of 0.3 time units. As we have already seen in Exercise 9.2, the process Light can delay as much and reach the state

$$\varepsilon(1.1).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright} .$$

It is natural to expect that the whole system can therefore perform the delay transition

$$((\varepsilon(0.3).\mathit{press}.\mathit{FastUser}) \mid \mathit{Light}) \setminus \mathit{press} \stackrel{0.3}{\to} ((\mathit{press}.\mathit{FastUser}) \mid (\varepsilon(1.1).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})) \setminus \mathit{press} .$$

(Recall that we identify an expression $P$ with $\varepsilon(0).P$.) In the target state of the above transition, the FastUser is eager to press the button once more, and the press-transition of the switch leading to the Bright state is enabled. This means that the two transitions can synchronize without further delay, yielding the $\tau$-transition

$$((\mathit{press}.\mathit{FastUser}) \mid (\varepsilon(1.1).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})) \setminus \mathit{press} \stackrel{\tau}{\to} (\mathit{FastUser} \mid \mathit{Bright}) \setminus \mathit{press} . \tag{9.6}$$

This is nicely in agreement with our intuition. Note, however, that both parallel components of the expression

$$(\mathit{press}.\mathit{FastUser}) \mid (\varepsilon(1.1).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})$$

can delay indefinitely. How can we formally capture our intuition that the $\tau$-transition (9.6) must occur immediately, and therefore that the above term cannot delay even though both of its parallel components can? The solution adopted by Wang Yi in the design of TCCS and by the researchers who developed other process calculi for real-time systems (see, e.g., (Hennessy and Regan, 1995; Nicollin and Sifakis, 1994; Schneider, 1995)) is to postulate that the evolution of processes obeys the so-called maximal progress assumption. Intuitively, this means that if a process is ready to perform an action that is entirely under its control immediately, then it will do so without further delay. In the setting of Timed CCS, the only action that is entirely under the control of a process is the internal $\tau$-action. Therefore, the maximal progress assumption for this calculus can be formalized as follows:

For each TCCS process $P$, if $P \stackrel{\tau}{\to}$ then $P \stackrel{d}{\nrightarrow}$ for any $d > 0$.

In particular, in light of (9.6), this means that the expression

$$((\mathit{press}.\mathit{FastUser}) \mid (\varepsilon(1.1).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})) \setminus \mathit{press}$$

cannot delay any positive amount of time. The maximal progress assumption is built into the operational semantics of Timed CCS by means of the following rules:

$$\frac{}{\tau.P \stackrel{0}{\to} \tau.P} \qquad\qquad \frac{P \stackrel{d}{\to} P' \qquad Q \stackrel{d}{\to} Q' \qquad \mathit{NoSync}(P, Q, d)}{P \mid Q \stackrel{d}{\to} P' \mid Q'}$$

where the predicate $\mathit{NoSync}(P, Q, d)$ intuitively expresses that no synchronization between $P$ and $Q$ becomes available by delaying less than $d$ time units. Formally, $\mathit{NoSync}(P, Q, d)$ holds if, and only if,

For each $0 \le d' < d$ and expressions $P', Q'$, if $P \stackrel{d'}{\to} P'$ and $Q \stackrel{d'}{\to} Q'$, then $P' \mid Q' \stackrel{\tau}{\nrightarrow}$.

Exercise 9.4 Argue, using the SOS rules for Timed CCS, that

$$((\varepsilon(0.3).\mathit{press}.\mathit{FastUser}) \mid \mathit{Light}) \setminus \mathit{press} \stackrel{0.4}{\nrightarrow}$$

and that the expression

$$((\mathit{press}.\mathit{FastUser}) \mid (\varepsilon(1.1).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})) \setminus \mathit{press}$$

cannot delay a positive amount of time. How long can the expression $\varepsilon(\pi).\tau.\mathbf{0} + a.\mathbf{0}$ delay? $\square$

In order to familiarize ourselves better with the role played by the maximal progress assumption in describing the dynamics of processes, let us consider the possible interplay between the switch and a SlowUser whose behaviour is described by the following expression

$$\mathit{SlowUser} \stackrel{\text{def}}{=} \mathit{press}.\varepsilon(1.7).\mathit{press}.\mathit{SlowUser} .$$

As before, the SlowUser will be able to synchronize with the switch in the Off state immediately, resulting in the transition

$$(\mathit{SlowUser} \mid \mathit{Off}) \setminus \mathit{press} \stackrel{\tau}{\to} ((\varepsilon(1.7).\mathit{press}.\mathit{SlowUser}) \mid \mathit{Light}) \setminus \mathit{press} .$$

In the target state of the above transition, the press-transition of the left-hand expression is only available after a delay of 1.7 time units. However, because of the maximal progress assumption, the process Light can delay at most 1.4 units of time. (Why?) Delaying that much yields the transition

$$((\varepsilon(1.7).\mathit{press}.\mathit{SlowUser}) \mid \mathit{Light}) \setminus \mathit{press} \stackrel{1.4}{\to} ((\varepsilon(0.3).\mathit{press}.\mathit{SlowUser}) \mid (\varepsilon(0).\tau.\mathit{press}.\mathit{Off} + \mathit{press}.\mathit{Bright})) \setminus \mathit{press} .$$

Since the right-hand process can perform a $\tau$-transition, no further delay is possible, and the slow user cannot press the button leading to the Bright state. The system can now internally reach the state

$$((\varepsilon(0.3).\mathit{press}.\mathit{SlowUser}) \mid (\mathit{press}.\mathit{Off})) \setminus \mathit{press} .$$

You should now be able to argue that the next button press issued by the user will bring the switch into the Off state.
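The delay rules of Table 9.1, the two maximal-progress rules above and the FastUser and SlowUser runs (Exercise 9.4 included) can all be checked mechanically. The following Python interpreter is an added example written for this page; it is not code from the book or from any Timed CCS tool. It covers the fragment with prefixing, delay prefixing, summation, parallel composition and guarded constants; restriction and relabelling are left out, which is harmless for what is checked here, since by Table 9.1 neither changes delay transitions and restriction only hides the unsynchronised `press` actions, never the $\tau$ moves. Two consequences of the rules keep the implementation finite: one can check that the delays a term can perform always form an interval $[0, D]$ (so a single `max_delay` characterises its delay transitions and delay determinism (9.4) is immediate), and by persistency (Exercise 9.3) the actions enabled in a term change only when some $\varepsilon(d)$ prefix expires, so $\mathit{NoSync}(P, Q, d)$ is decided by inspecting those finitely many breakpoints below $d$. Which side of the synchronisation carries the overbar is this example's assumption: the switch offers `press`, the users the complementary `'press`. Times are exact rationals, because with floating point 1.4 - 0.3 - 1.1 is not 0 and the final 1.1 delay of the FastUser run would be rejected.

```python
# Added example: the delay fragment of Timed CCS (Table 9.1 plus the maximal-progress rules).
from collections import namedtuple
from fractions import Fraction

INF = float("inf")
TAU = "tau"
Pre = namedtuple("Pre", "act cont")       # alpha.P
Delay = namedtuple("Delay", "d cont")     # epsilon(d).P, d an exact Fraction
Sum = namedtuple("Sum", "parts")          # P1 + ... + Pn, parts a tuple; Sum(()) is the process 0
Par = namedtuple("Par", "left right")     # P | Q
Const = namedtuple("Const", "name")       # K, with defining equation K def= DEFS[K]
DEFS = {}
co = lambda a: a[1:] if a.startswith("'") else "'" + a   # co("press") == "'press" and back

def actions(p):
    """Action transitions [(label, p')] by the CCS rules; epsilon(0).P is identified with P."""
    if isinstance(p, Pre):
        return [(p.act, p.cont)]
    if isinstance(p, Delay):
        return actions(p.cont) if p.d == 0 else []
    if isinstance(p, Sum):
        return [t for q in p.parts for t in actions(q)]
    if isinstance(p, Const):
        return actions(DEFS[p.name])
    l, r = actions(p.left), actions(p.right)
    return ([(a, Par(q, p.right)) for a, q in l] + [(b, Par(p.left, q)) for b, q in r]
            + [(TAU, Par(q1, q2)) for a, q1 in l for b, q2 in r if b == co(a)])

def breakpoints(p):
    """Delays at which an epsilon(d) prefix expires, i.e. where new actions may become enabled."""
    if isinstance(p, Delay):
        return {p.d} | {p.d + b for b in breakpoints(p.cont)}
    if isinstance(p, Sum):
        return set().union(*(breakpoints(q) for q in p.parts))
    if isinstance(p, Par):
        return breakpoints(p.left) | breakpoints(p.right)
    if isinstance(p, Const):
        return breakpoints(DEFS[p.name])
    return set()                          # action prefixes: idling changes nothing

def max_delay(p):
    """Largest d with p --d-->; the delays a term can perform always form the interval [0, max_delay(p)]."""
    if isinstance(p, Pre):
        return Fraction(0) if p.act == TAU else INF   # tau is urgent: tau.P --0--> tau.P only
    if isinstance(p, Delay):
        return p.d + max_delay(p.cont)
    if isinstance(p, Sum):
        return min((max_delay(q) for q in p.parts), default=INF)
    if isinstance(p, Const):
        return max_delay(DEFS[p.name])
    # P | Q: both sides must delay and NoSync(P, Q, d) must hold, i.e. no tau may be enabled
    # strictly before the delay ends; the first tau (if any) shows up at a breakpoint.
    bound = min(max_delay(p.left), max_delay(p.right))
    for c in sorted({Fraction(0)} | breakpoints(p.left) | breakpoints(p.right)):
        if c > bound:
            break
        if any(a == TAU for a, _ in actions(Par(delay(p.left, c), delay(p.right, c)))):
            return c
    return bound

def delay(p, d):
    """The unique p' with p --d--> p' (delays are deterministic); None if p cannot idle that long."""
    if d > max_delay(p):
        return None
    if isinstance(p, Delay):              # the two epsilon rules of Table 9.1
        return Delay(p.d - d, p.cont) if d < p.d else delay(p.cont, d - p.d)
    if isinstance(p, Sum):
        return Sum(tuple(delay(q, d) for q in p.parts))
    if isinstance(p, Par):
        return Par(delay(p.left, d), delay(p.right, d))
    if isinstance(p, Const):
        return delay(DEFS[p.name], d)
    return p                              # action prefixes idle unchanged

def step(p):                              # an internal move if enabled (maximal progress), else idle
    taus = [q for a, q in actions(p) if a == TAU]
    if taus:
        return "tau", taus[0]
    d = max_delay(p)
    return ("idle forever", p) if d == INF else (f"delay {d}", delay(p, d))

def simulate(p, steps):
    """Run `steps` scheduler steps from p; returns the log of moves and the final term."""
    log = []
    for _ in range(steps):
        label, p = step(p)
        log.append(label)
    return log, p

# Light switch of Section 9.1 and users of Section 9.4; the users carry the overbar (assumption).
DEFS["Off"] = Pre("press", Const("Light"))
DEFS["Bright"] = Pre("press", Const("Off"))
DEFS["Light"] = Sum((Delay(Fraction("1.4"), Pre(TAU, Pre("press", Const("Off")))),   # equation (9.1)
                     Pre("press", Const("Bright"))))
DEFS["FastUser"] = Pre("'press", Delay(Fraction("0.3"), Pre("'press", Const("FastUser"))))
DEFS["SlowUser"] = Pre("'press", Delay(Fraction("1.7"), Pre("'press", Const("SlowUser"))))

def system(user):                         # (User | Off); the book's "\ press" is left out, see above
    return Par(Const(user), Const("Off"))
```

`simulate(system("SlowUser"), 5)` returns the log `["tau", "delay 7/5", "tau", "delay 3/10", "tau"]` and ends in $\mathit{SlowUser} \mid \mathit{Off}$, as the text claims; for the FastUser, three steps end in $\mathit{FastUser} \mid \mathit{Bright}$, and `max_delay` of the state reached after the 0.3 delay is 0, which is exactly the content of Exercise 9.4. `max_delay` also answers the exercise's last question for any rational stand-in for $\pi$.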

How Many Clocks?

Consider, by way of example, a process expression of the form

$$\Big(\sum_{i \in I} \varepsilon(d_i).\alpha_i.P_i\Big) \;\Big|\; \Big(\sum_{j \in J} \varepsilon(e_j).\beta_j.Q_j\Big) .$$

We have already seen that, intuitively, the timing behaviour of each of the two parallel components can be described by using a single clock that is reset each time the relevant component performs one action. So, intuitively, the behaviour of the above parallel process can be described by using two local clocks, say $x$ and $y$, as follows:

• The process can idle $d$ units of time, for some $d \in \mathbb{R}_{\ge 0}$, provided that the following conditions are met:

– If $d_i$ is smaller than the value of $x$ plus $d$, then $\alpha_i \neq \tau$—that is, no $\tau$-transition of the left-hand expression becomes enabled by delaying less than $d$ units of time—,

– If $e_j$ is smaller than the value of $y$ plus $d$, then $\beta_j \neq \tau$—that is, no $\tau$-transition of the right-hand expression becomes enabled by delaying less than $d$ units of time—, and

– If $d_i$ is smaller than the value of $x$ plus $d$, and $e_j$ is smaller than the value of $y$ plus $d$, then $\alpha_i$ and $\beta_j$ are not complementary—that is, no synchronization becomes enabled as the processes delay less than $d$ units of time.

• If the process has idled $d$ units of time, then

– Update the values of the clocks $x$ and $y$ by adding $d$ to them,

– Perform one of the actions that becomes enabled after this delay, if any, and

– Reset the clock of the processes that were involved in that action. In particular, if the action was a synchronization, then both $x$ and $y$ are reset.

In fact, one clock is not sufficient to implement the above procedure. Moreover, as shown in (Godskesen and Larsen, 1992), in general the more parallel components we have in our system, the more clocks we need to "implement" its behaviour. A formal proof of this fact is beyond the scope of this introductory text.

9.5 Discussion

At least syntactically, Timed CCS is a simple extension of Milner’s original CCSthat, as we have seen, can be used to describe some aspects of time dependent be-haviour in the evolution of reactive systems. For instance,we have described howto specify time-outs in the calculus by means of a combination of urgent actions(the internal actionτ , in the setting of TCCS) and the maximal progress assump-tion. From an expressiveness viewpoint, however, the resulting calculus is notcompletely satisfactory. For example, the simple timed labelled transition systemdepicted in Example9.1cannot be described, up to isomorphism, using TCCS. Tosee this, recall that in Exercise9.3, you showed that a sub-class of TCCS processterms affords the following persistency property of actiontransitions:

For all processesP,Q, actiona and delayd, if Pa→ andP

d→ Q, thenQ

a→.

In fact, a slightly more elaborate argument shows that each TCCS process termaffords the above property. On the other hand, the timed labelled transition systemdepicted in Example9.1doesnothave the above persistency property. In fact, state5 in that timed labelled transition system has an outgoinga-labelled transition, butnone of the states that it can reach by delaying a positive amount of time has thattransition.

This lack of expressiveness of TCCS is somewhat unsatisfactory since the timed labelled transition system depicted in Example 9.1 can intuitively be captured by the following very informal, but hopefully natural and unambiguous, process description that uses a stopwatch:

1. Set the stopwatch to 0;

2. Let time pass (the amount of time that has elapsed is recorded by the stopwatch);


3. If the value of the stopwatch is 5, then action a may be performed. In that case, go to step 1 above, and continue from there. If action a is not performed at time 5, then idle forever.

If our desideratum is to have a formalism for the specification of real-time systems in which that type of process can be described, then TCCS falls short of our expectations.

Moreover, one can argue that the use of urgent actions and of the maximal progress assumption in the implementation of features like time-outs is somewhat artificial. It would be more intuitive to have a formalism in which features like time-outs can be described without recourse to assumptions like action urgency or maximal progress.

The above example and our previous discussions seem to suggest that an automaton based formalism with some explicit notion of clocks (or stopwatches) that can be used to determine when transitions are available and when they are disabled might be a natural and powerful specification formalism for real-time behaviours. In the following section, we shall introduce one such formalism, namely that of timed automata, which were introduced by Alur and Dill in their seminal paper (Alur and Dill, 1994).


Chapter 10

Timed Automata

XXX Kim XXX could write some brief historical remarks about timed automata?

10.1 Motivation

Timed automata are essentially nondeterministic finite automata equipped with a finite number of real valued clocks, so that transitions can be conditioned on clock values and performing a particular transition can reset selected clocks. We shall now introduce the formalism intuitively, showing how the light switch from the previous section can be described using timed automata without recourse to assumptions like urgency of some actions or maximal progress. Graphically, we may model the light switch as in Figure 10.1.

Figure 10.1: Light switch. Three locations, Off (the initial location, drawn with a double circle), Light and Bright, with the following edges: from Off, the action press resets the clock x (x := 0) and leads to Light; from Light, press with guard x ≤ 1.4 leads to Bright, while press with guard x > 1.4 leads back to Off; from Bright, press leads back to Off.

Initially the switch is in the control location Off and, under certain circumstances, it can reach the other two locations Light and Bright. From the initial location, performing the action press will cause the clock x to be reset to zero. This means that the value of the clock x will be zero whenever we enter location Light. Therefore, the value of the clock x represents the amount of time that has passed since we entered that location. The expressions x > 1.4 and x ≤ 1.4 are called guards and they restrict the possibility of performing a transition. If the time that has elapsed since we entered the location Light is smaller than or equal to 1.4 then, after pressing the switch, we move to the location Bright. If the clock value is greater than 1.4 and the switch is pressed, we have to move to the location Off, because the guard labelling the edge from Light to Bright is not satisfied, and that edge is therefore disabled.

In what follows, we shall formalize this simple and intuitive model and developthe basic theory of timed automata.

10.2 Syntax of Timed Automata

As we have seen above, the main ingredients that timed automata add to the standard model of nondeterministic finite automata are the clocks, clock constraints (guards) and clock resets. These notions can be formally defined as follows.

Let us fix a finite set C = {x, y, . . .} which represents the clock names that we can use in the automaton.

Definition 10.1 The set B(C) of clock constraints (or guards) over the set of clocks C is defined by the abstract syntax

$$g, g_1, g_2 ::= x \bowtie n \mid g_1 \wedge g_2$$

where x ∈ C is a clock, n ∈ ℕ and ⋈ ∈ {≤, <, =, >, ≥}. □

Example 10.1 The following expressions belong to B(C), where C = {x, y, z}:

• x ≤ 5,

• x ≥ 0 ∧ x < 5 and

• x > 3 ∧ y = 2.

We shall often write the constraints in the usual mathematical notation. For example, x ≥ 0 ∧ x < 5 can be written as 0 ≤ x < 5.

Exercise 10.1 Is x ≤ 1.4 a syntactically correct constraint? �

Each clock from the set C is assumed to store the amount of time elapsed from the last moment when the clock was reset. This can be formally expressed as a function v : C → ℝ≥0, which we shall call a (clock) valuation. The value of a particular clock x is denoted by v(x). Assume, for example, that C = {x, y}, and consider a valuation v such that v(x) = 1.34 and v(y) = 5.333. We shall often denote the valuation v simply by [x = 1.34, y = 5.333].

Note that the values of clocks can be arbitrary non-negative real numbers. So, for instance, [x = π, y = √2] is a valuation.

In what follows, we will need two important operations, called delay and reset, which help us to manipulate clock valuations. Let v be a clock valuation. By v + d we denote the clock valuation where the value of every clock is increased by a given real number d. For a given subset r of clocks, we use v[r] to denote the clock valuation where the values of clocks from r are set to zero and the values of the other clocks are the same as in v. Formally,

• for each d ∈ ℝ≥0, the valuation v + d is defined by

$$(v + d)(x) = v(x) + d, \quad \text{for each } x \in C;$$

• for each r ⊆ C, the valuation v[r] is defined by

$$v[r](x) = \begin{cases} 0 & \text{if } x \in r \\ v(x) & \text{otherwise.} \end{cases}$$

Remark 10.1 In case r = {x} is a singleton set, we shall often use an alternative notation for reset: instead of v[{x}] we write v[x ↦ 0]. □

Now that we have in place the notions of clock constraints and clock valuations, we can naturally define when a given valuation satisfies a clock constraint, or alternatively how the constraint evaluates under the valuation.

Definition 10.2 Let g ∈ B(C) be a clock constraint for a given set of clocks C and let v : C → ℝ≥0 be a clock valuation. Evaluation of clock constraints (v ⊨ g) is defined inductively on the structure of g by

$$\begin{aligned} v \models x \bowtie n &\ \text{ iff }\ v(x) \bowtie n \\ v \models g_1 \wedge g_2 &\ \text{ iff }\ v \models g_1 \text{ and } v \models g_2 \end{aligned}$$

where x ∈ C is a clock, n ∈ ℕ, g1, g2 ∈ B(C) and ⋈ ∈ {≤, <, =, >, ≥}. Note that the sign ⋈ on the left-hand side is a purely syntactic symbol, while ⋈ on the right-hand side represents the standard corresponding arithmetic comparison on ℝ≥0.

If v ⊨ g holds, we often write that "v satisfies g". As usual, we write v ⊭ g when v does not satisfy the constraint g. □


Example 10.2 Let C = {x, y}, and consider the valuation v = [x = 1.2, y = 3.01]. We can easily see that

• v ⊨ x > 1 ∧ x ≤ 2,

• v ⊨ x > 0 ∧ y ≥ 3 and

• v ⊭ y ≤ 3 ∧ x ≥ 1.

Exercise 10.2 Can you give an example of a clock constraint that is satisfied by every valuation? What about one that is satisfied by no valuation? □

Definition 10.3 Two clock constraints g1 and g2 are equivalent if, and only if, they are satisfied by the same valuations, that is, for each valuation v,

$$v \models g_1 \iff v \models g_2 .$$

Example 10.3 The clock constraints x ≤ 5 ∧ x ≥ 5 and x = 5 are equivalent, and so are y ≥ 5 ∧ y ≥ 0 and y ≥ 5. (Why?) □
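The constraints, valuations and the delay and reset operations above are small enough to encode directly. The following Python is an added example written for this edition, not code from the book: `parse_guard`, `sat`, `delay`, `reset`, `representatives`, `equivalent`, `valid` and `satisfiable` are this example's own names, guards are lists of atoms (clock, operator, n), and valuations are dicts from clock names to exact rationals (`fractions.Fraction`) so that sums such as 1.2 + 0.8 compare exactly against the natural-number constants. It goes slightly beyond the text: `equivalent` decides Definition 10.3 exactly by evaluating both guards on finitely many representative valuations (each clock at an integer point 0, 1, ..., M or at the midpoint of an open unit interval, with M the largest constant present), which is sound because an atom x ⋈ n with n ∈ ℕ cannot distinguish two values in the same open unit interval, nor two values above M. This is the one-clock version of the region idea of Section 10.5; it does not apply to guards with rational constants (scale them first, as in Remark 10.2) or to constraints on differences of clocks, which B(C) does not contain.

```python
import itertools
import operator
import re
from fractions import Fraction

# Comparison operators of B(C); both ASCII and the book's symbols are accepted.
OPS = {"<=": operator.le, "≤": operator.le, "<": operator.lt, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge, "≥": operator.ge}
ATOM = re.compile(r"\s*([A-Za-z_]\w*)\s*(<=|>=|≤|≥|<|>|=)\s*(\d+)\s*$")


def parse_guard(text):
    """Parse a B(C) constraint such as 'x > 3 ∧ y = 2' into a list of atoms
    (clock, op, n); the empty string (or 'true') denotes the always-true guard."""
    text = text.strip()
    if text in ("", "true"):
        return []
    atoms = []
    for part in re.split(r"∧|&&|\band\b", text):
        m = ATOM.match(part)
        if m is None:
            raise ValueError(f"not an atom of B(C): {part!r}")
        x, op, n = m.groups()
        atoms.append((x, op, int(n)))   # n is a natural number (Definition 10.1)
    return atoms


def sat(v, g):
    """v |= g (Definition 10.2): a conjunction holds iff every atom holds."""
    return all(OPS[op](v[x], n) for x, op, n in g)


def delay(v, d):
    """v + d: every clock advances by the same non-negative amount d."""
    if d < 0:
        raise ValueError("delays are non-negative")
    return {x: t + d for x, t in v.items()}


def reset(v, r):
    """v[r]: the clocks in r are set to 0, the others keep their value."""
    return {x: (Fraction(0) if x in r else t) for x, t in v.items()}


def representatives(guards):
    """Finitely many valuations that decide every guard in `guards`.
    Each clock takes the values 0, 1/2, 1, 3/2, ..., M, M + 1/2 where M is the
    largest constant: an integer point, or the midpoint of an open unit
    interval (k, k+1); the midpoint M + 1/2 stands for all values above M,
    because no atom x ⋈ n with n <= M can tell such values apart."""
    clocks = sorted({x for g in guards for x, _, _ in g})
    M = max((n for g in guards for _, _, n in g), default=0)
    points = [Fraction(k, 2) for k in range(2 * M + 2)]
    return [dict(zip(clocks, vals))
            for vals in itertools.product(points, repeat=len(clocks))]


def equivalent(g1, g2):
    """Definition 10.3, decided exactly: g1 and g2 agree on every valuation
    iff they agree on the representatives of their clocks and constants."""
    return all(sat(v, g1) == sat(v, g2) for v in representatives((g1, g2)))


def valid(g):
    """Satisfied by every valuation (first half of Exercise 10.2)."""
    return equivalent(g, [])


def satisfiable(g):
    """Satisfied by at least one valuation (second half of Exercise 10.2)."""
    return any(sat(v, g) for v in representatives((g,)))


# Example 10.2: v = [x = 1.2, y = 3.01]
V = {"x": Fraction("1.2"), "y": Fraction("3.01")}


def example_10_2():
    return (sat(V, parse_guard("x > 1 ∧ x ≤ 2")),
            sat(V, parse_guard("x > 0 ∧ y ≥ 3")),
            sat(V, parse_guard("y ≤ 3 ∧ x ≥ 1")))


if __name__ == "__main__":
    print(example_10_2())                                                    # (True, True, False)
    print(equivalent(parse_guard("x ≤ 5 ∧ x ≥ 5"), parse_guard("x = 5")))  # True (Example 10.3)
    print(equivalent(parse_guard("y ≥ 5 ∧ y ≥ 0"), parse_guard("y ≥ 5")))  # True (Example 10.3)
    print(equivalent(parse_guard("x ≤ 1"), parse_guard("x < 1")))          # False
    print(valid(parse_guard("x ≥ 0")), satisfiable(parse_guard("x < 0")))  # True False
```

Running the file replays Examples 10.2 and 10.3; `valid` reports a guard that every valuation satisfies, such as x ≥ 0, and `satisfiable` answers the other half of Exercise 10.2. Note that `equivalent` also distinguishes x ≤ 1 from x < 1, which is the distinction Exercise 10.3(5) asks you to prove cannot be removed from the grammar.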

Exercise 10.3 (Strongly Recommended)

1. A constraint g is interval closed if, for each valuation v and non-negative real number d, it holds that v ⊨ g and v + d ⊨ g imply that v + d′ ⊨ g, for each 0 ≤ d′ ≤ d.

Prove that each constraint in B(C) is interval closed.

2. Show that there is no constraint in B(C) expressing that x is not equal to 2.

3. Let us define the relation ≤ over the collection of valuations as:

$$v \le v' \ \text{ iff }\ v(x) \le v'(x), \ \text{ for each } x \in C .$$

Prove that the relation so defined is a partial order.

4. A constraint g is downward closed if v′ ⊨ g and v ≤ v′ imply v ⊨ g, for all valuations v, v′.

Give examples of constraints that are downward closed. Are there constraints that are not downward closed?


5. Show that constraints of the form x < n are not definable in terms of the other guards in B(C). That is, argue that a constraint of the form x < n is not equivalent to any constraint generated by the following grammar:

$$g, g_1, g_2 ::= x \bowtie n \mid g_1 \wedge g_2 ,$$

where x ∈ C is a clock, n ∈ ℕ and ⋈ ∈ {≤, =, >, ≥}.

We are now ready to provide a formal definition of timed automata.

Definition 10.4 A timed automaton over a finite set of clocks C and a finite set of actions Act is a quadruple

$$(L, \ell_0, E, I)$$

where

• L is a finite set of locations, ranged over by ℓ,

• ℓ0 ∈ L is the initial location,

• E ⊆ L × B(C) × Act × 2^C × L is a finite set of edges, and

• I : L → B(C) assigns invariants to locations.

We usually write $\ell \xrightarrow{g,a,r} \ell'$ instead of (ℓ, g, a, r, ℓ′) ∈ E. For such an edge, ℓ is called the source location, g is the guard, a is the action, r is the set of clocks to be reset and ℓ′ is the target location. □

Timed automata are often given in their graphical representation, as in Figure 10.1. Locations are drawn as nodes in the graph, and the initial location is marked with a double circle. Edges in the graph have attributes: the beginning of an edge is assigned a guard, in the middle of the edge there is an action name, and resets are written at the end of the edge using the notation x := 0 for each clock that should be reset. Invariants are placed next to their corresponding locations. (Their role in the behaviour of timed automata will become clear in what follows. For the moment, you may think of them as imposing restrictions on the values that the clocks may have in control locations.) Irrelevant guards and invariants, that is, those that are always satisfied, are omitted in the picture.

Example 10.4 The light switch from Figure 10.1 can be formally described as follows (let gt = x ≥ 0 be a guard that is true in any valuation):


• C = {x}

• L = {Off, Light, Bright}

• ℓ0 = Off

• E = { Off $\xrightarrow{gt,\ press,\ \{x\}}$ Light,  Light $\xrightarrow{x > 14,\ press,\ \emptyset}$ Off,  Light $\xrightarrow{x \le 14,\ press,\ \emptyset}$ Bright,  Bright $\xrightarrow{gt,\ press,\ \emptyset}$ Off }

• I(Off) = I(Light) = I(Bright) = gt.

Remark 10.2 Note that in the example above we have replaced the time point 1.4 with 14. This is due to the requirement that constants in the guards be natural numbers. This is, however, not a real restriction. We can also consider guards where constants are rational numbers (irrational numbers in guards would be impossible to write in a finite way). In this case, we can always multiply all the constants in the guards by an appropriate number in order to turn them into natural numbers. Such stretching of time does not have any significant influence on the behaviour; it is essentially like saying that, instead of a clock value being equal to 0.145 seconds, it is equal to 145 milliseconds. □

We shall now discuss the intended behaviour of timed automata. Intuitively, a timed automaton can be in exactly one of its control locations at each stage of its computation. However, knowing the present control location is not enough to determine which of the outgoing edges can be taken next, if any. A snapshot of the current state of the computation should also remember the present clock values. Therefore, a suitable notion of state of the computation of a timed automaton consists of a pair (ℓ, v), with ℓ being the control location the automaton is in, and v being the valuation determined by the current clock values. The pair (ℓ, v) is a legal state of the timed automaton only if the valuation v satisfies the invariant of location ℓ. (Initially, the control location is ℓ0 and the value of each clock is 0.) If there is an edge whose source location equals the current location ℓ, and whose guard is satisfied by the current valuation v, then we can follow that edge, thereby changing the current location to the target location of the edge and resetting the set of clocks labelling the edge. Another possibility is to delay in the current location by increasing simultaneously the value of all clocks by a given amount of time d, without changing the control location. This is possible only if the invariant of the current location is satisfied by the valuation v + d. (Since invariants are interval closed, see Exercise 10.3, this also means that the invariant is satisfied by all of the intermediate valuations v + d′ with 0 ≤ d′ ≤ d.) For example, if the current value of the clock x is 0, and the invariant of the present location is x ≤ 1, then the timed automaton can delay 1 time unit, but not 1.00001 units of time.

The reader might have already observed that essentially we have intuitively defined a timed transition system generated by a given timed automaton. These ideas can be formalized as follows.

Definition 10.5 Let A = (L, ℓ0, E, I) be a timed automaton over a set of clocks C and a set of actions Act. We define the timed transition system T(A) generated by A as T(A) = (Proc, Lab, {$\xrightarrow{a}$ | a ∈ Lab}) where

• Proc = {(ℓ, v) | (ℓ, v) ∈ L × (C → ℝ≥0) and v ⊨ I(ℓ)}, i.e., states are of the form (ℓ, v) where ℓ is a location of the timed automaton and v is a valuation that satisfies the invariant of ℓ,

• Lab = Act ∪ ℝ≥0 is the set of labels, and

• the transition relation is defined as follows:

$$(\ell, v) \xrightarrow{a} (\ell', v') \quad \text{if there is an edge } \ell \xrightarrow{g,a,r} \ell' \in E \text{ such that } v \models g,\ v' = v[r] \text{ and } v' \models I(\ell') ,$$

$$(\ell, v) \xrightarrow{d} (\ell, v + d) \quad \text{for all } d \in \mathbb{R}_{\ge 0} \text{ such that } v \models I(\ell) \text{ and } v + d \models I(\ell) .$$

Let v0 denote the valuation such that v0(x) = 0 for all x ∈ C. If v0 satisfies the invariant of the initial location ℓ0, we shall call (ℓ0, v0) the initial state (or initial configuration) of T(A). □

Example 10.5 Consider the timed automaton A consisting of a single location ℓ0 with invariant x ≤ 2 and one edge, a self-loop on ℓ0 labelled by a with the guard x ≤ 1, which resets the clock x.

A fragment of the transition system T(A) follows (there are in fact infinitely many different reachable states, one for every value of x in the interval [0, 2]):

$$(\ell_0,[x=0]) \xrightarrow{0.6} (\ell_0,[x=0.6]) \xrightarrow{0.4} (\ell_0,[x=1]) \xrightarrow{0.3} (\ell_0,[x=1.3]) \xrightarrow{0.7} (\ell_0,[x=2]) \xrightarrow{0} (\ell_0,[x=2])$$

together with the action transitions $(\ell_0,[x=0]) \xrightarrow{a} (\ell_0,[x=0])$, $(\ell_0,[x=0.6]) \xrightarrow{a} (\ell_0,[x=0])$ and $(\ell_0,[x=1]) \xrightarrow{a} (\ell_0,[x=0])$.

Note that from the state (ℓ0, [x = 1.3]) it is not possible to perform the transition under the action a, and the state (ℓ0, [x = 2]) is essentially stuck, as the only available transition is a time elapsing step with the time delay 0.

There is a fundamental difference between the situations where a clock constraint is used in the guard or in the invariant. This can be demonstrated by means of the simple example in Figure 10.2. In the timed automaton a) on the left, x ≤ 1 is a guard. There is no restriction on time elapsing steps and hence arbitrarily long delays are possible. This means that, as long as the value of the clock x is smaller than or equal to 1, we can perform the transition a and reset the clock x. However, if the total time delay after the last reset of the clock is strictly greater than 1, then it is not possible to enable the action a in the future and the only available transitions are the delay steps. In the timed automaton b) on the right, x ≤ 1 is used in the invariant. This means that it is never possible to delay more than 1 time unit and hence during each execution the action a is always available.

Exercise 10.4 Let A be a timed automaton. Prove that T(A) is a TLTS in the sense of Definition 9.1. □

Exercise 10.5 Give a timed automaton A whose associated TLTS T(A) is, modulo a renaming of the names of the states, precisely that in Example 9.1. □

Exercise 10.6 Is there a timed automaton whose associated TLTS has only one state? Argue for your answer. □

Exercise 10.7 (For the Keenest) Show how to translate TCCS expressions into timed automata in a syntax directed fashion. Your translation should be such that the timed labelled transition systems determined by the source TCCS expression and the target timed automaton are isomorphic. Use your translation and your answer to Exercise 10.5 to argue that the formalism of timed automata is more expressive than TCCS. □

Exercise 10.8 In Exercise 10.3(2), you proved that there is no constraint in B(C) expressing that x ≠ 2. Assume now that, using the formalism of timed automata, we wish to model a situation in which an action a is enabled in some location ℓ unless x = 2. Is this possible? If so, how would you do so? □

Perhaps ADD A MORE COMPLEX EXAMPLE OF TIMED AUTOMATON??

Figure 10.2: Clock constraint in the guard vs. in the invariant. Both automata consist of a single (initial) location with a self-loop labelled a that resets x (x := 0). In a), x ≤ 1 is the guard of the edge and the location has no invariant; in b), the edge has no guard and x ≤ 1 is the invariant of the location. The figure also plots, for each case, the value of clock x against elapsed time (from 0 to 5): panel "a) x ≤ 1 in the guard" and panel "b) x ≤ 1 in the invariant".


10.3 Timed and Untimed Trace Equivalence

We shall now investigate behavioural aspects of timed automata. Even though we often refer to timed automata, these notions are independent of the actual formalism used and they can be defined purely in terms of timed labelled transition systems.

A natural way to begin is to define timed traces of timed transition systems, similarly to the way we have considered traces for ordinary labelled transition systems.

Let A = (L, ℓ0, E, I) be a timed automaton over a set of clocks C and a set of actions Act.

Definition 10.6 A sequence (t1, a1)(t2, a2)(t3, a3) . . . where ti ∈ ℝ≥0 and ai ∈ Act is called a finite or infinite timed trace of A iff there is a finite or infinite transition sequence

$$(\ell_0, v_0) \xrightarrow{d_1} (\ell_1, v_1) \xrightarrow{a_1} (\ell_2, v_2) \xrightarrow{d_2} (\ell_3, v_3) \xrightarrow{a_2} (\ell_4, v_4) \xrightarrow{d_3} (\ell_5, v_5) \xrightarrow{a_3} \cdots$$

in T(A) such that v0(x) = 0 for all x ∈ C and, for each i,

$$t_i = t_{i-1} + d_i \quad \text{where } t_0 = 0 .$$

The intuition is that the real number ti represents the absolute time (the time-stamp) at which ai happened since the start of the computation of the automaton A. Note that the sequence of time-stamps t1, t2, . . . is nondecreasing.

Example 10.6 Consider the light switch from Figure 10.1. The following sequence can be easily seen to be a finite timed trace.

(2.3, press)(2.5, press)(2.51, press)(5.6, press)(5.6, press)(7.0, press).

In fact, any nondecreasing sequence of time-stamps induces a timed trace of this timed automaton. (Why?)

If we consider the timed automata a) and b) from Figure 10.2 then, e.g., the sequence

(0.2, a)(0.5, a)(1.5, a)(1.5, a)(2.0, a)

is a finite timed trace of both a) and b). In fact, it is not too hard to argue that those two timed automata afford the same timed traces. (Do so!)

We can now define the notion of timed language equivalence.


Definition 10.7 The set of all finite and infinite timed traces of a timed automaton A is denoted by L(A) and is called the timed language of A. Timed automata A1 and A2 are timed language equivalent iff L(A1) = L(A2). □

As remarked above, the two timed automata in Figure 10.2 are timed language equivalent.

Sometimes we would like to abstract away from the particular time points when actions happen and consider only the action sequences that can be performed from the initial configuration of a given timed automaton. For this purpose, we shall define untimed traces and untimed trace equivalence over timed automata.

Definition 10.8 We say that a1a2a3 . . . is an untimed trace of A iff there exist t1, t2, t3, . . . ∈ ℝ≥0 such that (t1, a1)(t2, a2)(t3, a3) . . . is a timed trace of A. □

Definition 10.9 The set of all untimed traces of A is denoted by Lu(A) and called the untimed language of A. Timed automata A1 and A2 are untimed language equivalent iff Lu(A1) = Lu(A2). □

The proof of the following theorem is straightforward and follows directly from the definitions.

Theorem 10.1 Any two timed language equivalent automata are also untimed language equivalent.

Exercise 10.9 Prove the above theorem. □

The converse of the above theorem does not hold, as demonstrated by the following example.

Example 10.7 Consider the following two timed automata, each consisting of a single (initial) location with one self-loop labelled a that resets x: in a), the guard of the loop is x ≤ 1; in b), the guard is x = 1.

We can easily observe that automaton a) affords the timed trace (0, a), but automaton b) does not. Therefore the two automata are not timed language equivalent. Note, however, that they are untimed language equivalent. Moreover, each timed trace of automaton b) is also a timed trace of automaton a).

Exercise 10.10Prove the claims that we have made in the previous example.�
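The following Python is an added example, not code from the book, that implements the timed transition system of Definition 10.5 and the timed-trace membership test of Definition 10.6, and replays the claims of Examples 10.5, 10.6 and 10.7 and of Figure 10.2. The class and function names (`TimedAutomaton`, `delay_succ`, `action_succs`, `accepts_timed_trace`) and the encoding of guards as lists of (clock, operator, n) atoms are this example's own; the light switch uses the constants scaled by 10 from Example 10.4, so the time-stamps of Example 10.6 are scaled by 10 as well. Times are exact rationals (`fractions.Fraction`), which matters here: the delays are forced by the time-stamps, and a guard such as x ≤ 1 must be decided exactly at the boundary. Because a timed automaton may have several edges with the same action leaving one location, the membership test keeps the set of all states reachable after each prefix rather than a single state.

```python
import operator
from dataclasses import dataclass
from fractions import Fraction

OPS = {"<=": operator.le, "<": operator.lt, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge}


def sat(v, g):
    """v |= g for a guard g given as a list of atoms (clock, op, n)."""
    return all(OPS[op](v[x], n) for x, op, n in g)


def delay(v, d):
    return {x: t + d for x, t in v.items()}


def reset(v, r):
    return {x: (Fraction(0) if x in r else t) for x, t in v.items()}


def key(state):
    """Hashable form of (location, valuation), used to de-duplicate states."""
    loc, v = state
    return (loc, tuple(sorted(v.items())))


@dataclass
class TimedAutomaton:
    """(L, l0, E, I) of Definition 10.4; L is implicit in the edges and invariants."""
    clocks: tuple
    init: str
    edges: tuple      # (source, guard, action, clocks to reset, target)
    inv: dict         # location -> guard; a location missing here has invariant 'true'

    def invariant(self, loc):
        return self.inv.get(loc, [])

    def initial(self):
        """(l0, v0) if v0 satisfies I(l0), otherwise None (T(A) has no initial state)."""
        v0 = {x: Fraction(0) for x in self.clocks}
        return (self.init, v0) if sat(v0, self.invariant(self.init)) else None

    def delay_succ(self, state, d):
        """The d-labelled step of Definition 10.5, or None if the invariant forbids it."""
        loc, v = state
        w = delay(v, d)
        ok = sat(v, self.invariant(loc)) and sat(w, self.invariant(loc))
        return (loc, w) if ok else None

    def action_succs(self, state, a):
        """All a-labelled steps: guard satisfied, clocks in r reset, target invariant holds."""
        loc, v = state
        out = []
        for src, g, act, r, tgt in self.edges:
            if src == loc and act == a and sat(v, g):
                w = reset(v, r)
                if sat(w, self.invariant(tgt)):
                    out.append((tgt, w))
        return out


def accepts_timed_trace(ta, trace):
    """Definition 10.6: is trace = [(t1, a1), (t2, a2), ...] a timed trace of ta?
    The delays d_i = t_i - t_{i-1} are forced by the time-stamps; the set of
    states reachable after each prefix is kept because edges may be nondeterministic."""
    s0 = ta.initial()
    if s0 is None:
        return False
    frontier, prev = {key(s0): s0}, Fraction(0)
    for t, a in trace:
        t = Fraction(t)
        if t < prev:            # time-stamps must be nondecreasing
            return False
        nxt = {}
        for s in frontier.values():
            delayed = ta.delay_succ(s, t - prev)
            if delayed is not None:
                for s2 in ta.action_succs(delayed, a):
                    nxt[key(s2)] = s2
        frontier, prev = nxt, t
        if not frontier:
            return False
    return True


X, TRUE = ("x",), []
# Example 10.4: the light switch, with 1.4 scaled to 14 (Remark 10.2)
LIGHT = TimedAutomaton(X, "Off", (
    ("Off", TRUE, "press", {"x"}, "Light"),
    ("Light", [("x", ">", 14)], "press", set(), "Off"),
    ("Light", [("x", "<=", 14)], "press", set(), "Bright"),
    ("Bright", TRUE, "press", set(), "Off")), {})
# Example 10.5: self-loop a guarded by x <= 1 resetting x, invariant x <= 2 on l0
EX5 = TimedAutomaton(X, "l0", (("l0", [("x", "<=", 1)], "a", {"x"}, "l0"),),
                     {"l0": [("x", "<=", 2)]})
# Figure 10.2 a) (= Example 10.7 a): x <= 1 as a guard; Figure 10.2 b): x <= 1 as an invariant
GUARD = TimedAutomaton(X, "l", (("l", [("x", "<=", 1)], "a", {"x"}, "l"),), {})
INV = TimedAutomaton(X, "l", (("l", TRUE, "a", {"x"}, "l"),), {"l": [("x", "<=", 1)]})
# Example 10.7 b): the loop is guarded by x = 1
EQ1 = TimedAutomaton(X, "l", (("l", [("x", "=", 1)], "a", {"x"}, "l"),), {})

SWITCH_TRACE = [(t, "press") for t in ("23", "25", "25.1", "56", "56", "70")]  # Example 10.6, times x10
FIG_TRACE = [(t, "a") for t in ("0.2", "0.5", "1.5", "1.5", "2.0")]           # Example 10.6, Figure 10.2

if __name__ == "__main__":
    print(accepts_timed_trace(LIGHT, SWITCH_TRACE))                                      # True
    print(accepts_timed_trace(GUARD, FIG_TRACE), accepts_timed_trace(INV, FIG_TRACE))    # True True
    print(accepts_timed_trace(GUARD, [("0", "a")]), accepts_timed_trace(EQ1, [("0", "a")]))  # True False
    print(GUARD.delay_succ(GUARD.initial(), 5) is not None, INV.delay_succ(INV.initial(), 5))  # True None
```

The last line shows the difference of Figure 10.2 directly: with x ≤ 1 as a guard the delay 5 is allowed and merely disables a forever, while with x ≤ 1 as an invariant the same delay is refused, so `accepts_timed_trace` rejects (5, a) for both automata but for different reasons. From (ℓ0, [x = 1.3]) in Example 10.5, `EX5.action_succs` returns no successor, and from (ℓ0, [x = 2]) only the delay 0 is accepted by `EX5.delay_succ`.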

As in the case of ordinary labelled transition systems, language equivalence is not always the most suitable notion of behavioural equivalence to consider because, as argued in Sect. 3.2, it does not faithfully describe the deadlock behaviour of processes. We therefore proceed to introduce the notions of timed and untimed strong bisimilarity.


10.4 Timed and Untimed Bisimilarity

From our discussion so far in this chapter, we know that the semantics of timed automata is given in terms of timed labelled transition systems, which can, in fact, be viewed as standard labelled transition systems. Hence the first notion of bisimilarity can be naturally defined as strong bisimilarity. In the timed case, we shall call it timed bisimilarity. This implies that in timed bisimilarity both ordinary actions and time elapsing steps are considered as visible actions, which means that we can observe the precise duration of time delays.

Definition 10.10 Timed automata A1 and A2 are timed bisimilar iff their initial states in the timed transition systems T(A1) and T(A2) generated by A1 and A2 are strongly bisimilar in the sense of Definition 3.2. □

In order to understand better the notion of timed bisimilarity, we will present a few examples.

Example 10.8 Consider the following two timed automata with initial locations A and A′ over the set of clocks C = {x}. The first has locations A, B and C and the edges

$$A \xrightarrow{x = 1,\ a,\ \emptyset} B \qquad\text{and}\qquad B \xrightarrow{x \le 2,\ a,\ \{x\}} C ;$$

the second has locations A′, B′ and C′ and the edges

$$A' \xrightarrow{x = 1,\ a,\ \{x\}} B' \qquad\text{and}\qquad B' \xrightarrow{x \le 1,\ a,\ \emptyset} C' .$$

We shall argue that the given timed automata are timed bisimilar. In order to do so, we have to establish that their initial states (A, v0) and (A′, v0), where v0(x) = 0, are strongly bisimilar. This can be demonstrated, e.g., by defining a relation R of strong bisimulation as follows:

$$\begin{aligned} R = {} & \{((A,[x=d]),\ (A',[x=d])) \mid d \in \mathbb{R}_{\ge 0}\} \\ \cup\ & \{((B,[x=d+1]),\ (B',[x=d])) \mid d \in \mathbb{R}_{\ge 0}\} \\ \cup\ & \{((C,[x=d]),\ (C',[x=d'])) \mid d, d' \in \mathbb{R}_{\ge 0}\} . \end{aligned}$$

One can easily see that ((A, v0), (A′, v0)) ∈ R and we leave it to the reader to verify that R is indeed a strong bisimulation. (Do so!)


Example 10.9 Consider the following two timed automata. The first has locations A and B and the single edge $A \xrightarrow{x \le 1,\ a,\ \{x\}} B$; the second has locations A′ and B′ and the single edge $A' \xrightarrow{x \le 2,\ a,\ \{x\}} B'$.

We will demonstrate that the initial states of those automata are not timed bisimilar by finding a universal winning strategy for the attacker in the strong bisimulation game starting from the pair (A, [x = 0]) and (A′, [x = 0]). In the first round the attacker plays the delay transition $(A,[x=0]) \xrightarrow{1.7} (A,[x=1.7])$ and the defender can only answer by $(A',[x=0]) \xrightarrow{1.7} (A',[x=1.7])$. The game continues in the second round from the pair (A, [x = 1.7]) and (A′, [x = 1.7]). Now the attacker can switch sides and play $(A',[x=1.7]) \xrightarrow{a} (B',[x=0])$. The defender cannot answer this move from (A, [x = 1.7]), because the guard x ≤ 1 is no longer satisfied. Hence the attacker has a universal winning strategy. This implies that (A, [x = 0]) ≁ (A′, [x = 0]), and the given timed automata are not timed bisimilar.

The reason why the two transition systems above are not timed bisimilar is that, in the case of timed bisimilarity, a particular time elapsing step in one automaton has to be matched by a time elapsing step of exactly the same duration in the other. This might sometimes be too strict a requirement since delays can be arbitrary real numbers, and one might try to relax it. One possibility is to require that a time delay in one process has to be matched by a time delay in the other process, but possibly of a different duration. We shall call this notion untimed bisimilarity and proceed to define it formally.

There are essentially two equivalent ways to define untimed bisimilarity: we can either modify the notion of strong bisimilarity or modify the underlying timed transition systems. We will sketch the second possibility here.

Let T = (Proc, Lab, {$\xrightarrow{a}_T$ | a ∈ Lab}) be a timed transition system where Lab = Act ∪ ℝ≥0. Assume that ε is a new action such that ε ∉ Lab. We construct the untimed labelled transition system

$$T_\varepsilon = (Proc,\ Act \cup \{\varepsilon\},\ \{\xrightarrow{a} \mid a \in Act \cup \{\varepsilon\}\})$$

thus:

• for each transition $s \xrightarrow{a}_T s'$ in T, where a ∈ Act, we add the transition $s \xrightarrow{a} s'$ also to Tε, and

• for each transition $s \xrightarrow{d}_T s'$ in T, where d ∈ ℝ≥0, we add the transition $s \xrightarrow{\varepsilon} s'$ for the new action ε to Tε.

(Note that $s \xrightarrow{\varepsilon} s$ holds for each state s. Can you see why?) This means that the label of each time elapsing transition in T is replaced by ε and all the other standard transitions are preserved.

Definition 10.11 Let A1 and A2 be timed automata with untimed transition systems Tε(A1) and Tε(A2). We say that A1 and A2 are untimed bisimilar iff their initial states in the untimed transition systems Tε(A1) and Tε(A2) are strongly bisimilar in the sense of Definition 3.2. □

Example 10.10 We will demonstrate that the timed nonbisimilar automata from Example 10.9 are equivalent w.r.t. untimed bisimilarity. Consider the following relation R.

$$\begin{aligned} R = {} & \{((A,[x=d]),\ (A',[x=d'])) \mid 0 \le d \le 1,\ 0 \le d' \le 2\} \\ \cup\ & \{((A,[x=d]),\ (A',[x=d'])) \mid d > 1,\ d' > 2\} \\ \cup\ & \{((B,[x=d]),\ (B',[x=d'])) \mid d, d' \in \mathbb{R}_{\ge 0}\} . \end{aligned}$$

It remains to verify that R is a strong bisimulation over the corresponding untimed transition systems and that the initial states belong to R. We will examine one case of the analysis necessary to show that R is a strong bisimulation. Consider the pair (A, [x = d]) and (A′, [x = d′]) for some d and d′ such that 0 ≤ d ≤ 1 and 0 ≤ d′ ≤ 2. There are three possible types of moves from (A, [x = d]) (the situation from (A′, [x = d′]) is symmetric).

• The move $(A,[x=d]) \xrightarrow{a} (B,[x=0])$ can be matched by $(A',[x=d']) \xrightarrow{a} (B',[x=0])$ and the resulting pair surely belongs to R.

• The move $(A,[x=d]) \xrightarrow{d''} (A,[x=d+d''])$ such that d + d′′ ≤ 1 can be matched by $(A',[x=d']) \xrightarrow{0} (A',[x=d'])$ and the resulting pair belongs to R. This answer is possible because all time elapsing steps are observed only as the action ε.

• The move $(A,[x=d]) \xrightarrow{d''} (A,[x=d+d''])$ such that d + d′′ > 1 can be matched by, e.g., $(A',[x=d']) \xrightarrow{3} (A',[x=d'+3])$ for the same reasons as above, and the resulting pair of states belongs to R.

The reader is invited to finish the analysis of the remaining cases.


As illustrated by the above example, there are untimed bisimilar timed automata that are not timed bisimilar. On the other hand, one can observe the validity of the following theorem.

Theorem 10.2 Any two timed bisimilar timed automata are also untimed bisimilar.

Proof: Any relation which is a timed bisimulation is also an untimed bisimulation. One can easily argue for this fact, e.g., by using bisimulation games. Whenever the defender has an answer to an attack under a time elapsing action d, then the same defence is also valid when the time elapsing label is replaced with ε. □

Exercise 10.11 Argue for each of the following claims in the positive case, or give a counter example in the negative case.

• If two timed automata are timed bisimilar then they are also timed trace equivalent.

• If two timed automata are timed bisimilar then they are also untimed trace equivalent.

• If two timed automata are untimed bisimilar then they are also untimed trace equivalent.

• If two timed automata are untimed bisimilar then they are also timed trace equivalent.

• If two timed automata are timed trace equivalent then they are also untimed bisimilar.

Exercise 10.12 Let T be a timed transition system. Let us consider a labelled transition system T′ where every time-delay action d ∈ ℝ≥0 is replaced with the silent action τ. We now define that two states p and q from the timed transition system T are time abstracted bisimilar if and only if p and q are weakly bisimilar in T′ in the sense of Definition 3.4.

• Is the notion of time abstracted bisimilarity equivalent to untimed bisimilarity?

• If yes, prove your claim. If no, give a counter example.


10.5 Region Graph

Even the simplest timed automata generate timed transition systems with infinitely (even uncountably) many reachable states. This is due to the fact that states of timed automata contain not only the control location but also the particular valuation of clocks. In general we have uncountably many different valuations already in the situation when only one clock is considered (the value of this clock can be in general any number from R≥0).

Since good formalisms for the description of reactive systems should also support methods for their algorithmic analysis, a natural question the reader may ask at this point is the following:

Is any automatic verification approach like bisimilarity checking, model checking or reachability analysis possible at all over timed automata?

Surprisingly, the answer to this question is positive, and in what follows we shall discuss a fundamental approach—due to Alur and Dill (Alur and Dill, 1990; Alur and Dill, 1992; Alur and Dill, 1994) and called the region graph technique—which will enable us to draw such a conclusion. XXX Kim XXX add some reference here, please.

The key idea behind the region technique is very simple: even though the collection of valuations for a given timed automaton is uncountably infinite, it can be partitioned into finitely many equivalence classes in such a way that any two valuations from the same equivalence class will not create any “significant difference” in the behaviour of the system.

Assume a given timed automaton A over a set of clocks C. Formally, our goal will be to define effectively an equivalence relation ≡ over clock valuations, ≡ ⊆ (C → R≥0) × (C → R≥0), such that

1. v ≡ v′ implies that the states (ℓ, v) and (ℓ, v′) are untimed bisimilar for each location ℓ of the automaton A, and

2. ≡ has only finitely many equivalence classes—i.e., the set

{[v]≡ | v ∈ (C → R≥0)} ,

where [v]≡ = {v′ | v′ ≡ v}, is finite. We shall call [v]≡ the equivalence class represented by v.

Before embarking on the definition of the equivalence relation ≡, we first introduce some necessary notation.


Definition 10.12 Let d ∈ R≥0 be a real number. By ⌊d⌋ we denote the integer part of d and frac(d) stands for the fractional part of d. Any d ∈ R≥0 can now be written as d = ⌊d⌋ + frac(d). □

Example 10.11 By the above definition, ⌊2.345⌋ = 2 and frac(2.345) = 0.345.

We shall now proceed to motivate the definition of the relation ≡ in a stepwise fashion.

Let A be a timed automaton and let x ∈ C be one of its clocks. We define cx ∈ N as the largest constant against which the clock x is ever compared either in the guards or in the invariants present in A. For instance, cx is 2 (respectively, 1) for the timed automaton on the left (respectively, on the right) in Example 10.9.

The first observation we can make is that the specific value of the clock x is irrelevant for the behaviour of the timed automaton, if that value is strictly greater than the constant cx. In other words, for each clock constraint g in the automaton A, the satisfiability of g does not depend on the concrete value of the clock x as long as it is greater than cx. For instance, in the timed automaton on the left in Example 10.9 a valuation that assigns a value greater than 2 to x satisfies none of the clock constraints in that timed automaton.

Hence a first approximation of the relation ≡ can be as follows:

v ≡ v′ if, and only if, v(x) = v′(x), whenever v(x) ≤ cx or v′(x) ≤ cx .    (10.1)

Equivalently, and perhaps more explicitly, we have that v ≡ v′ holds whenever, for each clock x, either v(x) = v′(x) or both v(x) and v′(x) are greater than cx.

The above argument used to motivate the definition of ≡ implies that v ≡ v′ means that, for each location ℓ in the timed automaton, the states (ℓ, v) and (ℓ, v′) are indeed untimed bisimilar. (Prove this!) However, the equivalence relation ≡ still has infinitely many equivalence classes, and therefore does not satisfy the second requirement listed above. (Why?)

In order to motivate our further improvement upon the definition of ≡, let us consider the following timed automaton:

[Figure: a timed automaton with a single location ℓ0 and two self-loops, one labelled a with guard x ≤ 1 and one labelled b with guard x ≤ 2.]

In this automaton cx = 2. Consider the following two configurations of the timed automaton above: (ℓ0, [x = 0.12]) and (ℓ0, [x = 0.97]). A short reflection makes us realize that these configurations are untimed bisimilar. (Argue for this claim!) Similarly (ℓ0, [x = 1.23]) and (ℓ0, [x = 1.467]) are surely untimed bisimilar. This might motivate us to claim that the fractional parts of the clocks are irrelevant and to formulate the following refinement of condition (10.1):

v ≡ v′ if, and only if, for each x ∈ C, ⌊v(x)⌋ = ⌊v′(x)⌋, or both v(x) and v′(x) are greater than cx.    (10.2)

We can now see that ≡ has finitely many equivalence classes as required (only the integer parts of the clocks up to a given constant matter). The question is whether v ≡ v′ does indeed imply that, for each location ℓ, the states (ℓ, v) and (ℓ, v′) are untimed bisimilar. The answer is, unfortunately, negative. For example, the valuations [x = 1] and [x = 1.4] should be equivalent according to our definition of ≡, but in the timed automaton A the state (ℓ0, [x = 1]) can still perform the action a while (ℓ0, [x = 1.4]) cannot.

This leads us to the observation that if the fractional part of a clock is equal to 0, we should consider this as a “special” situation because the guards can distinguish such a clock value from a clock which has the same integer part but non-zero fractional part. Therefore we add the following requirement to condition (10.2):

v ≡ v′ only if, for each x ∈ C such that v(x) ≤ cx, (frac(v(x)) = 0 ⇔ frac(v′(x)) = 0) .    (10.3)

Note that, in the presence of (10.2), we need only require that the above condition is met for each clock x with v(x) ≤ cx. Indeed, requirement (10.2) already ensures that whenever v ≡ v′ and v(x) ≤ cx, then v′(x) ≤ cx.

Exercise 10.13 Prove the claim we have just made. □

The number of equivalence classes of ≡ still remains finite because we are refining an equivalence relation that already had finitely many equivalence classes. However, the equivalence relation ≡ is still too coarse as demonstrated by the following timed automaton:

[Figure: a timed automaton with three locations: ℓ0 −a, x = 1→ ℓ1 −b, y = 1→ ℓ2.]

Consider the valuations v1 = [x = 0.8, y = 0.3] and v2 = [x = 0.5, y = 0.9]. You should be able to convince yourselves that, by the requirements (10.2) and (10.3), we have that v1 ≡ v2. However, the states (ℓ0, v1) and (ℓ0, v2) are not untimed bisimilar. This can be easily seen since state (ℓ0, v1) can first delay 0.2 time units, perform the action a, further delay 0.5 time units, and finally perform the action b. On the other hand the configuration (ℓ0, v2) cannot match this behaviour because in order to perform the action a we have to delay exactly 0.5 time units, which means that the value of the clock y necessarily grows to 1.4, disabling action b forever.

The reason why we have this problem is due to the fact that v1(x) > v1(y) while v2(x) < v2(y). This indicates that the ordering of the fractional parts between two different clocks plays an important role. This motivates us to add the following requirement on top of (10.2) and (10.3):

v ≡ v′ only if, for all x, y ∈ C with v(x) ≤ cx and v(y) ≤ cy, (frac(v(x)) ≤ frac(v(y)) ⇔ frac(v′(x)) ≤ frac(v′(y))) .    (10.4)

In fact, this is all that we have to do in order to establish our goal that ≡ has finitely many equivalence classes and still preserves untimed bisimilarity. We now provide a summary of the final definition, and we also state the main theorem to the effect that the equivalence relation ≡ has the desired properties (full proof can be found e.g. in citexxx XXX Kim XXX which reference to put here?).

Definition 10.13 Let A be a timed automaton. We say that two clock valuations v and v′ are equivalent, and write v ≡ v′, iff

1. for each x ∈ C, we have that either both v(x) and v′(x) are greater than cx or ⌊v(x)⌋ = ⌊v′(x)⌋ ;

2. for each x ∈ C such that v(x) ≤ cx we have frac(v(x)) = 0 iff frac(v′(x)) = 0 ; and

3. for all x, y ∈ C such that v(x) ≤ cx and v(y) ≤ cy we have frac(v(x)) ≤ frac(v(y)) iff frac(v′(x)) ≤ frac(v′(y)) .

Remark 10.3 Note that if v ≡ v′, then, for all x, y ∈ C such that v(x) ≤ cx and v(y) ≤ cy, we have that

v(x) = v(y) iff v′(x) = v′(y) .

Can you justify this claim? □


Exercise 10.14 Let A be a timed automaton and let g be one of its clock constraints. Assume that v ≡ v′ and v |= g. Show that v′ |= g also holds.

Would this property continue to hold if we allowed for clock constraints of the form x − y ⊲⊳ n, where x, y ∈ C are clocks, n ∈ N and ⊲⊳ ∈ {≤, <, =, >, ≥}? Argue for your answer. □

Theorem 10.3 Let A be a timed automaton. The equivalence relation ≡ partitions the clock valuations of A into finitely many equivalence classes. Moreover, whenever v and v′ are in the same equivalence class (that is, v ≡ v′ holds), then, for any location ℓ of A, the configurations (ℓ, v) and (ℓ, v′) are untimed bisimilar.

In what follows we shall refer to the equivalence classes induced by ≡ as regions.

Definition 10.14 An ≡-equivalence class [v]≡ represented by some clock valuation v is called a region. □

Each region can be uniquely characterized by a finite collection of clock constraints that it satisfies. For instance, consider the valuation v over two clocks x, y such that v(x) = √2 and v(y) = 1.3. Assume that both cx and cy are equal to 2. Then, each valuation v′ that is equivalent to v satisfies the constraint (1 < y < x < 2), and we will use [1 < y < x < 2]≡ to denote the region [v]≡.

Exercise 10.15 Check that each valuation v′ that is equivalent to the valuation v introduced in the paragraph above does satisfy the constraint (1 < y < x < 2), as claimed. □

Example 10.12 Consider a timed automaton with only one clock x such that cx = 3. There are exactly 8 regions consisting of 4 corner points, 3 closed line segments and 1 open line segment, namely

• [x = 0]≡, [x = 1]≡, [x = 2]≡, [x = 3]≡

• [0 < x < 1]≡, [1 < x < 2]≡, [2 < x < 3]≡

• [3 < x]≡.

Graphically, we can draw a picture like this.

[Figure: the real line for the clock x with the points 0, 1, 2 and 3 marked.]

Exercise 10.16 Consider a timed automaton with only one clock x, and constraints x > 0 and x ≤ 2. How many regions does this determine? What are they? □


Example 10.13 Consider a timed automaton with two clocks x and y such that cx = 2 and cy = 1. There are exactly 28 regions consisting of 6 corner points, 9 closed line segments, 5 open line segments, 4 closed areas and 4 open areas, namely

• [x = 0, y = 0]≡, [x = 1, y = 0]≡, [x = 2, y = 0]≡, [x = 0, y = 1]≡, [x = 1, y = 1]≡, [x = 2, y = 1]≡

• [0 < x < 1, y = 0]≡, [1 < x < 2, y = 0]≡, [0 < x < 1, y = 1]≡, [1 < x < 2, y = 1]≡, [x = 0, 0 < y < 1]≡, [x = 1, 0 < y < 1]≡, [x = 2, 0 < y < 1]≡,

• [0 < x < 1, 0 < y < 1, x = y]≡, [1 < x < 2, 1 < y < 2, x = y]≡

• [2 < x, y = 0]≡, [2 < x, y = 1]≡, [x = 0, 1 < y]≡, [x = 1, 1 < y]≡, [x = 2, 1 < y]≡

• [0 < x < 1, 0 < y < 1, x > y]≡, [0 < x < 1, 0 < y < 1, x < y]≡, [1 < x < 2, 0 < y < 1, frac(x) > frac(y)]≡, [1 < x < 2, 0 < y < 1, frac(x) ≤ frac(y)]≡

• [2 < x, 0 < y < 1]≡, [0 < x < 1, 1 < y]≡, [1 < x < 2, 1 < y]≡, [2 < x, 1 < y]≡.

This can be graphically depicted as follows.

[Figure: the 28 regions of Example 10.13 drawn in the (x, y) plane, with the x axis running from 0 to 4 and the y axis from 0 to 3.]

Exercise 10.17 The regions for a timed automaton with two clocks x and y such that cx = 3 and cy = 2 look as follows.

[Figure: the regions for cx = 3 and cy = 2 drawn in the (x, y) plane, with the x axis running from 0 to 4 and the y axis from 0 to 3.]

How many regions are there in the picture? □

As indicated by the above examples, each region of a timed automaton A can be uniquely represented by specifying the following items of information:

• for each clock x, one constraint from the set

{x = n | n ∈ {0, 1, . . . , cx}} ∪ {n < x < n + 1 | n ∈ {0, 1, . . . , cx − 1}} ∪ {cx < x} ,

• for each pair of distinct clocks x and y that, for some n < cx and m < cy, satisfy constraints of the form n < x < n + 1 and m < y < m + 1, an indication of whether frac(v(x)) is smaller than or equal to frac(v(y)) or not, for each valuation v in that region.

Exercise 10.18 Assume a timed automaton with a set of clocks C = {x, y} and the corresponding constants cx and cy. Find a general expression which describes the number of regions for the given constants cx and cy. (Hint: count the number of possible combinations of constraints of the above form.) □

We shall now define the fundamental concept of a region graph. The main idea is that every configuration of the form (ℓ, v) will be replaced by a so called symbolic state (ℓ, [v]≡) in the region graph where [v]≡ is the region represented by v. Whenever we have a time elapsing or a standard transition between two configurations, we shall also have a transition between the corresponding symbolic states. This can be formally described as follows.
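As an added example (not code from the book), the following Python checks Definition 10.13 clause by clause on the valuations used in the motivation above and enumerates region names in the representation just described; the dictionary encoding of valuations, the clock names and the helper names are assumptions of the example. Beyond the text, it also confirms the counts of Examples 10.12 and 10.13 by sampling valuations on a grid and partitioning them with the equivalence.

```python
"""Region equivalence (Definition 10.13) and region counting for timed automata.
Added example, not code from the book. A valuation is a dict clock -> value and
c is a dict clock -> c_x (the largest constant the clock is compared against)."""
from fractions import Fraction
from itertools import combinations, product
from math import floor


def frac(d):
    """Fractional part, as in Definition 10.12."""
    return d - floor(d)


def clauses_hold(v, w, c):
    """The three clauses of Definition 10.13, with v in the role of the first valuation."""
    for x in c:
        # clause 1: both values above c_x, or equal integer parts
        if not ((v[x] > c[x] and w[x] > c[x]) or floor(v[x]) == floor(w[x])):
            return False
        # clause 2: a bounded clock sits on an integer point in v iff it does in w
        if v[x] <= c[x] and (frac(v[x]) == 0) != (frac(w[x]) == 0):
            return False
    # clause 3: the order of fractional parts agrees for every pair of bounded
    # clocks; taking both (x, y) and (y, x) also distinguishes equal fractions
    for x, y in product(c, repeat=2):
        if v[x] <= c[x] and v[y] <= c[y]:
            if (frac(v[x]) <= frac(v[y])) != (frac(w[x]) <= frac(w[y])):
                return False
    return True


def equivalent(v, w, c):
    """v ≡ w. Clauses 2 and 3 are stated for the bounded clocks of v only, so
    they are checked in both directions here (an assumption of this example) to
    obtain a symmetric relation: with c_x = 2, [x = 2.5] and [x = 2] would
    otherwise pass in one direction but not in the other."""
    return clauses_hold(v, w, c) and clauses_hold(w, v, c)


def enumerate_regions(c):
    """All region names: for each clock one of x = n, n < x < n + 1 or c_x < x,
    plus, for each pair of clocks in open unit intervals, the order of their
    fractional parts (the representation described in Section 10.5)."""
    names = sorted(c)
    per_clock = [[('eq', n) for n in range(c[x] + 1)]
                 + [('open', n) for n in range(c[x])] + [('above',)] for x in names]
    regions = set()
    for choice in product(*per_clock):
        kind = dict(zip(names, choice))
        open_pairs = [(x, y) for x, y in combinations(names, 2)
                      if kind[x][0] == kind[y][0] == 'open']
        for signs in product('<=>', repeat=len(open_pairs)):
            regions.add((choice, tuple(zip(open_pairs, signs))))
    return regions


def grid(c, step=Fraction(1, 4)):
    """All valuations on a grid with the given step, from 0 up to c_x + 1 per clock."""
    names = sorted(c)
    axes = [[k * step for k in range(int((c[x] + 1) / step) + 1)] for x in names]
    return [dict(zip(names, point)) for point in product(*axes)]


def class_representatives(valuations, c):
    """One representative per ≡-class among the given valuations."""
    reps = []
    for v in valuations:
        if not any(equivalent(v, r, c) for r in reps):
            reps.append(v)
    return reps


if __name__ == '__main__':
    # the counterexample of the text: (10.2) and (10.3) hold, (10.4) does not
    c = {'x': 1, 'y': 1}
    print(equivalent({'x': 0.8, 'y': 0.3}, {'x': 0.5, 'y': 0.9}, c))   # False
    print(len(enumerate_regions({'x': 2, 'y': 1})))                    # 28
```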


Definition 10.15 The region graph of a timed automaton A over a set of clocks C and actions Act is a labelled transition system Tr(A) = (Proc, Act ∪ {ε}, { =a⇒ | a ∈ Act ∪ {ε} }) where

• Proc = {(ℓ, [v]≡) | ℓ ∈ L, v : C → R≥0}, i.e., states are symbolic states, and

• ⇒ on symbolic states is defined as follows:

– for each label a ∈ Act, we have (ℓ, [v]≡) =a⇒ (ℓ′, [v′]≡) if, and only if, (ℓ, v) −a→ (ℓ′, v′), and

– (ℓ, [v]≡) =ε⇒ (ℓ, [v′]≡) if, and only if, (ℓ, v) −d→ (ℓ, v′), for some d ∈ R≥0.

Exercise 10.19 (Recommended) Prove that the relation =ε⇒ in Tr(A) is reflexive and transitive. □

Example 10.14 Consider the following timed automaton A.

[Figure: timed automaton A with initial location ℓ0 and location ℓ1, and edges ℓ0 −a, x = 1, y := 0→ ℓ1, ℓ1 −b, y = 0→ ℓ1 (a self-loop) and ℓ1 −c, y = 1, x := 0, y := 0→ ℓ0.]

The regions with assigned numbers look as follows.

[Figure: the 18 regions for cx = cy = 1 drawn in the (x, y) plane and numbered 1 to 18.]


A fragment of the region graph reachable from the initial configuration (ℓ0, 1) = (ℓ0, [x = y = 0]≡) is depicted below.

[Figure: fragment of the region graph with the transitions (ℓ0, 1) =ε⇒ (ℓ0, 9) =ε⇒ (ℓ0, 4) =ε⇒ (ℓ0, 18), (ℓ0, 4) =a⇒ (ℓ1, 2), (ℓ1, 2) =b⇒ (ℓ1, 2), (ℓ1, 2) =ε⇒ (ℓ1, 16) =ε⇒ (ℓ1, 11) =ε⇒ (ℓ1, 18), and (ℓ1, 11) =c⇒ (ℓ0, 1).]

In order to make the picture simple, the reflexive closure of the =ε⇒ transitions is omitted in the drawing. In particular, there should be also the following ε-transitions: (ℓ0, 1) =ε⇒ (ℓ0, 4), (ℓ0, 1) =ε⇒ (ℓ0, 18), (ℓ0, 9) =ε⇒ (ℓ0, 18), (ℓ1, 2) =ε⇒ (ℓ1, 11), (ℓ1, 2) =ε⇒ (ℓ1, 18), (ℓ1, 16) =ε⇒ (ℓ1, 18), and ε-loops in every state.
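The following Python, an added example and not code from the book, builds the reachable part of the region graph of Definition 10.15 for the automaton A of Example 10.14 by breadth-first search over symbolic states; the tuple encoding of the automaton, the canonical region names and the helper names are assumptions of the example, and invariants are assumed to be upper bounds so that a delay need only be checked at its end point.

```python
"""Region graph Tr(A) of a timed automaton (Definition 10.15), built by breadth-
first search and applied to the automaton of Example 10.14. Added example, not
code from the book: the tuple encoding of automata, the region names and all
helper names are assumptions of this example."""
from collections import deque
from fractions import Fraction
from itertools import combinations
from math import floor
import operator

OPS = {'<': operator.lt, '<=': operator.le, '=': operator.eq,
       '>=': operator.ge, '>': operator.gt}

def satisfies(v, constraint):
    """v |= g for a conjunction of atoms (clock, op, n); [] stands for true."""
    return all(OPS[op](v[x], n) for x, op, n in constraint)

def frac(d):
    return d - floor(d)

def region_of(v, c):
    """Canonical name of [v]: per clock ('eq', n), ('open', n) or ('above',), plus
    the sign of frac(x) - frac(y) for each pair x < y of clocks in open intervals."""
    kind = {}
    for x in c:
        if v[x] > c[x]:
            kind[x] = ('above',)
        elif frac(v[x]) == 0:
            kind[x] = ('eq', floor(v[x]))
        else:
            kind[x] = ('open', floor(v[x]))
    order = tuple((x, y, (frac(v[x]) > frac(v[y])) - (frac(v[x]) < frac(v[y])))
                  for x, y in combinations(sorted(c), 2)
                  if kind[x][0] == kind[y][0] == 'open')
    return tuple(sorted(kind.items())), order

def representative(region, c):
    """One valuation inside the region (by Theorem 10.3 any member behaves alike)."""
    kind, order = dict(region[0]), {(x, y): s for x, y, s in region[1]}
    opens = [x for x in kind if kind[x][0] == 'open']
    v = {}
    for x, k in kind.items():
        if k[0] == 'eq':
            v[x] = Fraction(k[1])
        elif k[0] == 'above':
            v[x] = Fraction(c[x] + 1)
        else:
            # rank = number of open clocks with a strictly smaller fractional part;
            # equal ranks get equal fractions, which reproduces the stored order
            rank = sum(order.get((y, x), -order.get((x, y), 0)) == -1 for y in opens)
            v[x] = k[1] + Fraction(rank + 1, len(opens) + 1)
    return v

def delay_regions(v, c):
    """Regions of v + d for all d >= 0: the region changes only when a bounded
    clock reaches an integer, so those delays, the gaps between them and one
    point beyond the last one visit every time successor."""
    points = sorted({Fraction(0)} | {k - v[x] for x in c
                                     for k in range(floor(v[x]) + 1, c[x] + 1)})
    samples = points + [(a + b) / 2 for a, b in zip(points, points[1:])]
    samples.append(points[-1] + Fraction(1, 2))
    out = []
    for d in sorted(samples):
        r = region_of({x: v[x] + d for x in c}, c)
        if r not in out:
            out.append(r)
    return out

def region_graph(automaton, c):
    """Reachable part of Tr(A) from (l0, [v0]): dict symbolic state -> list of
    (label, symbolic state), label 'eps' for delays. automaton = (l0, edges,
    invariants), edges = (source, guard, action, resets, target); invariants
    are assumed to be upper bounds, so a delay is checked at its end point."""
    l0, edges, inv = automaton
    start = (l0, region_of({x: Fraction(0) for x in c}, c))
    graph, queue = {start: None}, deque([start])
    while queue:
        loc, reg = queue.popleft()
        v = representative(reg, c)
        moves = [('eps', (loc, r)) for r in delay_regions(v, c)
                 if satisfies(representative(r, c), inv.get(loc, []))]
        for src, g, a, resets, tgt in edges:
            if src == loc and satisfies(v, g):
                w = {x: Fraction(0) if x in resets else v[x] for x in c}
                if satisfies(w, inv.get(tgt, [])):
                    moves.append((a, (tgt, region_of(w, c))))
        graph[(loc, reg)] = moves
        for _, s in moves:
            if s not in graph:
                graph[s] = None
                queue.append(s)
    return graph

# Example 10.14: l0 --a, x = 1, y := 0--> l1, l1 --b, y = 0--> l1 (self-loop),
# l1 --c, y = 1, x := 0, y := 0--> l0; no invariants; c_x = c_y = 1.
EXAMPLE_10_14 = ('l0', [('l0', [('x', '=', 1)], 'a', {'y'}, 'l1'),
                        ('l1', [('y', '=', 0)], 'b', set(), 'l1'),
                        ('l1', [('y', '=', 1)], 'c', {'x', 'y'}, 'l0')], {})
CLOCKS = {'x': 1, 'y': 1}
```

Running `region_graph(EXAMPLE_10_14, CLOCKS)` yields the eight symbolic states of the fragment drawn above, with the ε-loops and the transitive ε-transitions that the drawing omits.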

Exercise 10.20 Construct the region graph of the following timed automaton.

[Figure: a timed automaton with a single (initial) location ℓ0 and two self-loops: a with guard 0 < x ≤ 1 and reset y := 0, and b with guard x = 1 ∧ y = 1 and resets x := 0, y := 0.]

Theorem 10.4 The region graph Tr(A) of any timed automaton A is finite and can be algorithmically constructed. Moreover, for each location ℓ and valuation v, it is the case that (ℓ, v) in the untimed transition system Tu(A) is strongly bisimilar to (ℓ, [v]≡) in the transition system Tr(A).

Proof: A proof to the effect that the region graph Tr(A) of any timed automaton A is finite and can be algorithmically constructed may be found in the classic reference (Alur and Dill, 1994). That (ℓ, v) in the untimed transition system Tu(A) is strongly bisimilar to (ℓ, [v]≡) in the transition system Tr(A) follows from Theorem 10.3 and from the fact that strong bisimilarity is an equivalence relation (Theorem 3.1(1)). □

Corollary 10.1 Untimed bisimilarity between two timed automata is decidable.


Proof: Theorem 10.4 shows that untimed bisimilarity between two timed automata can be algorithmically reduced to strong bisimilarity between the corresponding region graphs. Since the region graph of an arbitrary timed automaton is finite, the claim follows. □

Another important application of region graphs is to what is probably the most studied question in the theory and practice of timed automata—namely, the reachability problem.

Given a timed automaton A we write (ℓ, v) −→ (ℓ′, v′) whenever

• (ℓ, v) −a→ (ℓ′, v′) for some action a, or

• (ℓ, v) −d→ (ℓ′, v′) for some d ∈ R≥0.

The reachability problem for timed automata is defined as follows. We are given a timed automaton A = (L, ℓ0, E, I) over a set of clocks C and a configuration (ℓ, v). The question is to decide whether (ℓ, v) is reachable from the initial configuration, i.e., whether (ℓ0, v0) −→∗ (ℓ, v) where v0(x) = 0 for all x ∈ C.

Having the region graph technique at hand, we can now see the validity of the following lemma (for a detailed proof we refer the reader to citexxx XXX Kim XXX which reference to put here?).

Lemma 10.1 Let A be a timed automaton and (ℓ, v) a configuration. It holds that (ℓ0, v0) −→∗ (ℓ, v) in A if and only if (ℓ0, [v0]≡) ⇒∗ (ℓ, [v]≡) in its region graph Tr(A).

A direct corollary of the above lemma is that, as first shown by Alur and Dill in (Alur and Dill, 1994), the reachability problem for timed automata is decidable.

Corollary 10.2 The reachability problem for timed automata is decidable.

Region graphs provide a finite and elegant abstraction of the infinite timed transition systems generated by timed automata, which enables us to prove decidability of, e.g., reachability, timed and untimed bisimilarity, untimed language equivalence and language emptiness (see the next section for references).

On the other hand, region graphs have very large state spaces. The state-space explosion is exponential in the number of clocks and in the maximal constants appearing in the guards. Indeed, as shown by Alur and Dill in (Alur and Dill, 1994), we get the following bound on the size.

Proposition 10.1 Let A be a timed automaton with n clocks. Let C be the set of clocks in A. The number of regions of A is smaller than, or equal to,

n! · 2^n · Π_{x∈C} (2cx + 2) .


Researchers XXX Kim XXX, please add a reference therefore developed a more compact representation of regions by means of so called zones. A zone is described by a clock constraint g ∈ B(C), and it defines a set of valuations as follows:

[g] = {v | v |= g}.

In a similar way as we defined a region graph, we can now introduce a so called zone graph. Essentially all tools that build on the theory of timed automata—for example, Kronos (Bozga, Daws, Maler, Olivero, Tripakis and Yovine, 1998) and UPPAAL (Behrmann et al., 2004)—nowadays use zones in their verification engines. Let us conclude this section by mentioning that zones are often stored in the memory in a data structure called Difference Bound Matrix (Bellman, 1957; Dill, 1989; Yannakakis and Lee, 1993) (or simply DBM). We refer the interested reader to (Dill, 1989; Yannakakis and Lee, 1993) for further details about DBM related issues.

Exercise 10.21 Show that each zone [g] = {v | v |= g} is convex—that is, argue that, for all valuations v, v′ that satisfy g and each real number 0 < λ < 1, the valuation v′′ defined by

v′′(x) = λv(x) + (1 − λ)v′(x), for each clock x,

also satisfies g. □

10.6 Overview of the Main Results

Perhaps XXX Kim XXX could provide a more educated summary of the main results here?

Theorem 10.5 (Alur and Dill (Alur and Dill, 1994)) Timed language equivalence is undecidable.

Theorem 10.6 (Cerans (Cerans, 1993)) Timed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).

Theorem 10.7 (Larsen and Yi (Larsen and Wang, 1997)) Untimed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).

Theorem 10.8 (Alur, Dill’94) Untimed language equivalence for timed automata is decidable. (XXX Kim XXX complexity and reference???)

Theorem 10.9 (Alur, Dill) Reachability for timed automata is decidable in PSPACE (polynomial space). (XXX Kim XXX reference)


10.7 Networks of Timed Automata

Many real-life systems consist of a number of independent components running in parallel and communicating whenever necessary. For example, a production line may consist of a number of independent sensors and actuators for single purpose operation that have to synchronize in order to complete the whole production task. Such a composed behaviour, of course, depends also on timing features and we should like to be able to model it by suitably combining descriptions of its components.

Process algebras like CCS and its TCCS extension with timing features provide this possibility by means of the operation of parallel composition. The communication is implemented by one parallel component raising a synchronization request on a particular channel and another component accepting the request on the same channel. Both components can then simultaneously perform the communication transitions and we assume that the duration of the synchronization action is 0 time units—that is, communication is instantaneous. This form of communication is also called hand-shake synchronization. If we want to force the communication on a particular channel, we can further use the restriction operator on that channel as demonstrated earlier in Section 2.2.

In the case of timed automata, our formalism so far enables us to model only a single component. Having in place the inspiration from CCS and TCCS, we shall develop a more general model consisting of a collection of timed automata running in parallel with one another. Such automata may also synchronize with each other. We shall call this kind of system a network of timed automata.

By way of example, consider the following two timed automata with initial locations A and B.

[Figure: two timed automata, A −a!, x ≥ 3→ A′ and B −a?, x ≥ 4→ B′.]

Note that the actions labelling the edges in the two timed automata are now taking two forms. The action a! means that by performing the transition the process A wants to synchronize on channel a with some other process (in our case with the process B) offering the action a? in exchange. (By convention, we think of action a! as standing for an “output on channel a”, whereas a? stands for an “input on channel a”.) The processes can then communicate using the hand-shake synchronization. Moreover, all channels are implicitly assumed to be restricted at the highest level; hence the synchronization is always forced in networks of timed automata. In fact, we can describe the above behaviour in terms of TCCS as

(A | B) \ {a} where A def= ε(3).a.A′ and B def= ε(4).a.B′.

Let us now consider another example, namely the light switch and the fast user from Section 9.4. The TCCS definition of the light switch can be directly rewritten into the timed automaton in the upper part of the picture. The fast user (in the lower part of the picture) is performing the action press! exactly every 3 time units.

[Figure: the light switch (upper automaton) has locations Off (initial), Light and Bright, with edges Off −press?, x := 0→ Light, Light −press?, x ≤ 14→ Bright, Light −press?, x > 14→ Off and Bright −press?→ Off. The fast user (lower automaton) has locations U (initial, with invariant y ≤ 0) and U′ (with invariant y ≤ 3), with edges U −press!, y := 0→ U′ and U′ −press!, y = 3, y := 0→ U′.]

Note that we have “stretched” the time by multiplying all constants by 10 in order to have only integer constants in our model (see Remark 10.2). We are also using a new clock y instead of x in the automaton modelling the fast user. This is because we want to avoid a clash among the parallel components (should the user be using the same clock x, its reset would also influence the behaviour of the light switch).

The intended behaviour of the above network is as follows. The fast user presses the switch at time 0 and the upper automaton changes its location to Light. At the same moment the user enters the location U′. After another 3 time units the user presses the switch again and the automata enter simultaneously the locations Bright and U′, respectively. After yet another 3 time units the user presses the switch again and both automata synchronize and enter the locations Off and U′, respectively. The system behaviour then continues in a similar manner. Not surprisingly, the semantics of the network can be given via a timed labelled transition system. The structure of the states is now richer, as it contains pairs of locations of the respective timed automata together with information on the current value of the clocks in both automata, and, as in the case of CCS, the communication appears for an external observer as the action τ. A fragment of the system looks as follows, where we have omitted the values of the clocks for the sake of readability.


(Off, U) −τ→ (Light, U′) −3→ (Light, U′) −τ→ (Bright, U′) −3→ (Bright, U′) −τ→ (Off, U′) −3→ (Off, U′) −τ→ (Light, U′), where the last transition leads back to the (Light, U′) state reached after the first τ.

Exercise 10.22 Add the information on the clock values to the states in the fragment of the timed labelled transition system above. □

We shall now proceed to formalize the notion of a network of timed automata. Assume that our set of actions consists of a finite set of channel names Chan (followed by the symbol ‘!’ or ‘?’, which indicates whether the action uses the channel for output or input, respectively) and of a finite set N of ordinary action names, formally

Act = {c! | c ∈ Chan} ∪ {c? | c ∈ Chan} ∪ N .

By analogy with CCS, we say that the actions c! and c? are complementary. We shall use α, β to range over Act.

Definition 10.16 Let n be a positive integer and, for each i ∈ {1, . . . , n}, let

Ai = (Li, ℓ_0^i, Ei, Ii)

be timed automata over a set of clocks C and a set of actions Act. We call their composition A = A1 | A2 | · · · | An a network of timed automata with n parallel components. □

As we already mentioned above, the semantics of the parallel composition A = A1 | A2 | · · · | An will be given by means of a timed labelled transition system. The following definition formalizes the behaviour of a network of timed automata.

Definition 10.17 Let A = A1 | A2 | · · · | An, where Ai = (Li, ℓ_0^i, Ei, Ii) for each i ∈ {1, . . . , n}, be a network of timed automata over a set of clocks C and actions Act = {c! | c ∈ Chan} ∪ {c? | c ∈ Chan} ∪ N. We define the timed labelled transition system T(A) generated by the network A as T(A) = (Proc, Lab, { −a→ | a ∈ Lab}) where

• Proc = {(ℓ1, ℓ2, . . . , ℓn, v) | (ℓ1, ℓ2, . . . , ℓn, v) ∈ L1 × L2 × · · · × Ln × (C → R≥0) and v |= ∧_{i∈{1,...,n}} Ii(ℓi)}—i.e., states are of the form (ℓ1, . . . , ℓn, v), where each ℓi is a location in the component (timed automaton) Ai and v is a valuation over the set of clocks C that satisfies the invariants of all locations ℓi present in the state,

• Lab = N ∪ {τ} ∪ R≥0 is the set of labels, and

• the transition relation is defined as follows:

– (ℓ1, . . . , ℓi, . . . , ℓn, v) −a→ (ℓ1, . . . , ℓ′i, . . . , ℓn, v′) if a ∈ N and there is an edge (ℓi −g,a,r→ ℓ′i) ∈ Ei in the i’th component automaton such that

∗ v |= g, v′ = v[r] and

∗ v′ |= Ii(ℓ′i) ∧ ∧_{k≠i} Ik(ℓk);

– (ℓ1, . . . , ℓi, . . . , ℓj, . . . , ℓn, v) −τ→ (ℓ1, . . . , ℓ′i, . . . , ℓ′j, . . . , ℓn, v′) if i ≠ j and there are edges (ℓi −gi,α,ri→ ℓ′i) ∈ Ei and (ℓj −gj,β,rj→ ℓ′j) ∈ Ej such that

∗ α and β are complementary,

∗ v |= gi ∧ gj, v′ = v[ri ∪ rj] and

∗ v′ |= Ii(ℓ′i) ∧ Ij(ℓ′j) ∧ ∧_{k≠i,j} Ik(ℓk);

– (ℓ1, . . . , ℓn, v) −d→ (ℓ1, . . . , ℓn, v + d) for all d ∈ R≥0 such that v + d′ |= ∧_{i∈{1,...,n}} Ii(ℓi) for each real number d′ in the interval [0, d].

Let v0 denote the valuation such that v0(x) = 0 for all x ∈ C. If v0 satisfies the invariants of all the initial locations ℓ_0^i, we shall call (ℓ_0^1, ℓ_0^2, . . . , ℓ_0^n, v0) the initial state (or initial configuration) of T(A). □

Even though the definition of the transition relation for networks of timed automata might look more technical than usual, the intuition behind it is easy to understand. The first part says that any component can make an independent move as long as it happens under an ordinary action from N, the move is enabled by the guard in the corresponding component, all clocks that are reset in the component are reset also in the composed state and we do not violate any invariant. The second part of the definition is for the situation when two components are willing to perform an input and output action on a particular channel. The guards have to be satisfied as before, the collection of reset clocks is the union of the clocks that are reset in both automata and the invariants have to be satisfied as before. Moreover, in analogy with CCS and TCCS, this transition is supposed to be internal and is visible only under the silent action τ. Finally, the last part of the definition allows arbitrary time delays as long as the invariants of all components are not violated as time progresses.
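The three rules of Definition 10.17, as an added example in Python that is not code from the book, run on the network (A | B) \ {a} of this section and on a constructed one-component network with an invariant; the tuple encoding of components and the helper names are assumptions of the example.

```python
"""Semantics of a network of timed automata (Definition 10.17) as a small
interpreter. Added example, not code from the book: the tuple encoding of
components and the helper names are assumptions of this example."""
import operator

OPS = {'<': operator.lt, '<=': operator.le, '=': operator.eq,
       '>=': operator.ge, '>': operator.gt}


def satisfies(v, constraint):
    """v |= g for a conjunction of atoms (clock, op, n); [] stands for true."""
    return all(OPS[op](v[x], n) for x, op, n in constraint)


def reset(v, clocks):
    """v[r]: the valuation with every clock in r set to 0."""
    return {x: (0 if x in clocks else val) for x, val in v.items()}


# A component is (initial location, edges, invariants); an edge is
# (source, guard, action, resets, target) and actions are 'c!', 'c?' or
# ordinary names; invariants map a location to a constraint.
def invariants_hold(components, locs, v):
    return all(satisfies(v, comp[2].get(loc, []))
               for comp, loc in zip(components, locs))


def discrete_successors(components, state):
    """All (label, state') for the first two rules: an ordinary move of one
    component, or a hand-shake of two components on c! and c? observed as tau."""
    locs, v = state
    enabled = [(i, e) for i, comp in enumerate(components)
               for e in comp[1] if e[0] == locs[i] and satisfies(v, e[1])]
    succ = []
    for i, (_, _, a, r, tgt) in enabled:
        if a[-1] not in '!?':                       # first rule: ordinary action
            new, w = locs[:i] + (tgt,) + locs[i + 1:], reset(v, r)
            if invariants_hold(components, new, w):
                succ.append((a, (new, w)))
    for i, (_, _, ai, ri, ti) in enabled:           # second rule: synchronisation
        if ai[-1] != '!':
            continue
        for j, (_, _, aj, rj, tj) in enabled:
            if j == i or aj != ai[:-1] + '?':       # needs the complementary action
                continue
            new = list(locs)
            new[i], new[j] = ti, tj
            new, w = tuple(new), reset(v, set(ri) | set(rj))
            if invariants_hold(components, new, w):
                succ.append(('tau', (new, w)))
    return succ


def delay(components, state, d):
    """Third rule: (locs, v) --d--> (locs, v + d), or None if an invariant
    breaks. Assumption: invariants are upper bounds (x < n, x <= n), as in the
    book's examples, so they hold on all of [0, d] iff they hold at v + d."""
    locs, v = state
    for comp, loc in zip(components, locs):
        if any(op in ('>', '>=', '=') for _, op, _ in comp[2].get(loc, [])):
            raise ValueError("only upper-bound invariants are supported")
    w = {x: val + d for x, val in v.items()}
    return (locs, w) if invariants_hold(components, locs, w) else None


# The network (A | B) \ {a} of this section: A --a!, x >= 3--> A' and
# B --a?, x >= 4--> B'; both components share the clock x.
AB_NETWORK = [
    ('A', [('A', [('x', '>=', 3)], 'a!', set(), "A'")], {}),
    ('B', [('B', [('x', '>=', 4)], 'a?', set(), "B'")], {}),
]

# Constructed single component: P (invariant x <= 2) --b, x >= 1--> Q.
INV_DEMO = [('P', [('P', [('x', '>=', 1)], 'b', set(), 'Q')],
             {'P': [('x', '<=', 2)]})]


def run_ab(d):
    """Delay d from the initial state (A, B, x = 0), then list the enabled moves."""
    state = delay(AB_NETWORK, (('A', 'B'), {'x': 0}), d)
    return discrete_successors(AB_NETWORK, state)


if __name__ == '__main__':
    print(run_ab(3))   # []: B's guard x >= 4 blocks the hand-shake
    print(run_ab(4))   # [('tau', (("A'", "B'"), {'x': 4}))]
```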


Exercise 10.23 (Mandatory) Use the formal definition above to draw a fragmentof the timed labelled transition system for the network of timed automata consistingof the light switch and the fast user. Determine all of the transitions in the timedlabelled transition system for the network of timed automata on page217. �

Networks of timed automata are a very useful extension of themodel of timedautomata, and nowadays essentially all available tools forverification of timed au-tomata use the above defined network (or a variant of it) to model real-life realtime systems. Among such tools, let us mention at least UPPAAL (Behrmannet al., 2004), KRONOS (Bozga et al., 1998) and CMC (Laroussinie and Larsen,1998), and we refer the reader to the relevant literature forfurther details. Thenotions of timed and untimed bisimilarity as well as of region graphs, zones andthe reachability algorithms based on them can be directly transfered to the networkscenarios. The advantages of networks of timed automata formodelling of systemsare accompanied also by a collection of pleasing theoretical results. For example,the reachability problems for a single timed automaton as well as for a network areboth PSPACE-complete (the reader is referred to (Aceto and Laroussinie, 2002) forfurther details on the complexity of verification problems for networks of timed au-tomata), so—at least from the theoretical complexity pointof view—the increasein the complexity of verification problems is not as dramaticas the reader mighthave thought at the first glance. The theoretically-minded reader might wish tocompare this situation to the one that arises in the verification of untimed con-current systems. In that setting, the modelling power that is gained moving fromsingle automata to networks of automata has a price: the complexity of verificationproblems increases dramatically over networks. You can finda discussion of thisissue, and pointers to further reading in the paper (Aceto and Laroussinie, 2002).

Exercise 10.24 Let A = A1 | A2 | · · · | An, where Ai = (Li, ℓi0, Ei, Ii) for each i ∈ {1, . . . , n}, be a network of timed automata over a set of clocks C and actions Act = {c! | c ∈ Chan} ∪ {c? | c ∈ Chan} ∪ N. Can you define a timed automaton B such that T(A) and T(B) are isomorphic? How many locations does B have if each timed automaton Ai has, say, ten nodes? □

Exercise 10.25 Implement the network of timed automata consisting of the fast user and the light switch in the verification tool UPPAAL available at

http://www.uppaal.com/.

Simulate the behaviour of the system using the tool, and use the tool to check whether this network contains deadlocks. □


Chapter 11

Hennessy-Milner Logic with Time

In Sections 10.3–10.4, we have introduced some notions of behavioural equivalence over real-time systems specified by means of timed automata. These equivalences are based on various adaptations to the timed setting of the classic notions of trace equivalence and strong bisimilarity over labelled transition systems—as presented in Sections 3.2–3.3 of this book—, and may be used to perform implementation verification for real-time systems. This is useful because, at least in principle, a formalism like that of timed automata can be used to describe both actual systems and their specifications, and, as we have seen in Section 10.6, these notions of behavioural equivalence are decidable over (networks of) timed automata, with the notable exception of timed trace equivalence (see Theorem 10.5).

However, as we already noted in the setting of modelling and verification for classic, untimed reactive systems, when establishing the correctness of our system with respect to a specification using the methodology of implementation verification, we are somehow forced to specify the overall behaviour of the system under consideration. In a real-time setting, this often means that our specifications need to consider many details pertaining to the timing behaviour of the implementation under analysis. This may lead to overly complex and subtle specifications. Moreover, sometimes we are only interested in specifying the expected behaviour of the system in certain specific circumstances.

Suppose, for instance, that all we want to know about our system is that each a-labelled transition is followed by a b-labelled transition within 2 time units. Expressing this requirement, and similar ones, in terms of observational equivalence is rather unnatural. Indeed, this aspect of the behaviour of a system seems best checked by exploring the state space of the (network of) timed automata describing the system. In the setting of classic reactive systems, we saw in Section 5 that the so-called Hennessy-Milner Logic (HML) is a suitable formalism for specifying properties of reactive systems. Indeed, not only does HML allow us to express natural requirements on the behaviour of reactive systems, but, as originally shown by Hennessy and Milner in one of the most satisfying results in the theory of concurrent processes, it captures precisely all of the behavioural properties of reactive systems that are relevant with respect to bisimilarity—recall Theorem 5.1.

Since HML is a convenient formalism for the description of behavioural properties of reactive systems modelled semantically as labelled transition systems, and the semantics of timed automata is given in terms of timed labelled transition systems (see Definition 9.1), it is natural to try to define a notion of HML for real-time systems. In what follows, our aim will be to motivate and introduce this variation on HML, argue by means of examples that it allows us to specify properties of real-time systems modelled as timed labelled transition systems or timed automata, and study its relationship with timed bisimilarity. As we shall see, the overall collection of results that we shall obtain mirrors, and is just as satisfying as, that presented in Section 5.

11.1 Basic Logic

As you might recall from our developments in Section 5, Hennessy-Milner logic is a modal logic that is obtained by adding to the syntax of boolean logic two modal operators that allow us to express properties of reactive systems (modelled as labelled transition systems) that relate to the effect that performing actions has on their behaviour. More specifically, we recall, for the sake of clarity, that

• a process satisfies a formula of the form ⟨a⟩F for some a ∈ Act iff it affords an a-labelled transition leading to a state satisfying F, and that

• a process satisfies a formula of the form [a]F for some a ∈ Act iff all of its a-labelled transitions lead to a state satisfying F.

Hence, formulae of the form ⟨a⟩F express “possible behaviour” of processes, whereas formulae of the form [a]F describe their “necessary behaviour”—that is, properties that must hold for each of their a-derivatives.

Timed labelled transition systems, as presented in Definition 9.1, are just ordinary labelled transition systems that have transitions whose labels can be also time delays. If we are to follow the lead of Hennessy and Milner in defining a modal logic for describing their properties, it seems therefore reasonable to augment the syntax of HML with two new modalities that can be used to express possible and necessary behaviour of systems as time progresses. Following the notation introduced by Laroussinie, Larsen and Weise in (Laroussinie et al., 1995), these two new “time modalities” will be denoted by ∃∃ and ∀∀, respectively.

By analogy with the two classic action modalities, we expect that

• a process satisfies a formula of the form ∃∃F iff it can delay some amount of time thereby reaching a state satisfying F, and that

• a process satisfies a formula of the form ∀∀F iff no matter how long it delays it will always reach a state satisfying F.

For instance, we would expect that the initial states of the following two timed automata (introduced in Example 10.9)

[Figure: two timed automata. Left: initial location A with an a-labelled edge to location B, guard x ≤ 1, reset x := 0. Right: initial location A′ with an a-labelled edge to location B′, guard x ≤ 2, reset x := 0.]

both satisfy the formula ∃∃⟨a⟩tt (as both those states can perform action a immediately), but that neither of them satisfies the formula ∀∀⟨a⟩tt (as both of them can delay 2.1 time units, say, and reach a state where the a-action is no longer possible).

However, the mere addition of these two time modalities to HML does not suffice to express all of the timing properties of systems that we should like to describe. For instance, we previously mentioned the property

“each a-labelled transition is followed by a b-labelled transition within 2 time units,”

as an example of a property that we wish to express using our variant on HML. A brief examination of the behaviour of the two timed automata above leads us to expect that the automaton on the right enjoys the following property:

“an a-labelled transition is possible after a delay of 2 time units.”

On the other hand, the initial state of the automaton on the left should not afford this property.

Both of the aforementioned properties make explicit reference to time delays, and it seems therefore reasonable to extend our variant on HML with some way of expressing “quantitative real-time constraints.” The design decisions taken by Alur and Dill in their development of timed automata provide us with suitable inspiration here. Timed automata use clock resets and guards to specify real-time constraints on the behaviour of real-time systems. For instance, we might specify that a b-action should follow an a-action within 2 time units by resetting a clock x upon the performance of an a-labelled edge leading to a location ℓ, and adjoining a guard like x ≤ 2 to b-labelled edges that emanate from ℓ. We shall therefore augment our variant on HML with clock constraints (whose syntax will take the form given in Definition 10.1), and clock resets. A formula of the form

x in F

will intuitively say that a state in a timed labelled transition system should satisfy F after setting the value of x to zero. For instance, the formula

y in ∃∃(y > 1 ∧ ⟨a⟩tt)

states intuitively that it is possible to delay more than one time unit thereby reaching a state in which an a-labelled transition is possible. We shall for simplicity assume that the clocks used in the formulae are disjoint from the clocks that appear in timed automata (should they be used to generate the underlying timed transition systems).

We are now ready to present the syntax of Hennessy-Milner logic with time.

Definition 11.1 The set of Hennessy-Milner formulae with time (from now on referred to as Mt) over a set of actions Act and a set of formula clocks D is given by the following abstract syntax:

F ::= tt | ff | F ∧ G | F ∨ G | ⟨a⟩F | [a]F | ∃∃F | ∀∀F | x in F | g

where a ∈ Act, x ∈ D and g ∈ B(D). □

In writing formulae, we shall sometimes use the same abbreviations introduced in Definition 5.1. In particular, we recall, for the sake of clarity, that if A = {a1, . . . , an} ⊆ Act (n ≥ 0), we use the abbreviation ⟨A⟩F for the formula ⟨a1⟩F ∨ . . . ∨ ⟨an⟩F and [A]F for the formula [a1]F ∧ . . . ∧ [an]F. (If A = ∅, then ⟨A⟩F = ff and [A]F = tt.)

We are interested in using the above logic to describe properties of states in a TLTS over the set of actions Act. The semantics of a formula in the language Mt is given by characterizing the collection of states that satisfy it. We have already presented the intuitive meaning of all of the constructs in the logic; however, there is still a subtlety that needs to be dealt with before we can present the formal definition of the semantics of our variant on HML with time.


Clock constraints are first-class formulae in our language, and we wish to be able to determine whether a state in a TLTS satisfies a clock constraint. But when does a state satisfy the constraint y > 1, say? In our example formula

y in ∃∃(y > 1 ∧ ⟨a⟩tt) ,

we used this constraint as part of the formula to specify that we wish that a state from which an a-labelled transition is possible be reached after delaying more than one time unit.

The answer to the question above is classic in logic: in order to determine whether a state satisfies a guard we need to make reference to a valuation for the clocks in the set D. The valuation will be used to check whether clock constraints are met or not.

The semantics of formulae is given with respect to a given timed labelled transition system

(Proc, Lab, {−a→ | a ∈ Lab}).

An extended state over Proc is a pair (p, u), where p is a state in Proc, and u is a time assignment for D—that is, a mapping D → R≥0. The set of extended states over Proc will be denoted by ES(Proc). We shall use [[F]], where F is a formula in Mt, to denote the set of extended states over Proc that satisfy F. This we now proceed to define formally.

Definition 11.2 We define [[F]] ⊆ ES(Proc) for F ∈ Mt by:

[[tt]] = ES(Proc)
[[ff]] = ∅
[[F ∧ G]] = [[F]] ∩ [[G]]
[[F ∨ G]] = [[F]] ∪ [[G]]
[[⟨a⟩F]] = ⟨·a·⟩[[F]]
[[[a]F]] = [·a·][[F]]
[[∃∃F]] = ⟨·ε·⟩[[F]]
[[∀∀F]] = [·ε·][[F]]
[[x in F]] = {(p, u) | (p, u[x ↦ 0]) ∈ [[F]]}
[[g]] = {(p, u) | p ∈ Proc, u ⊨ g}

where we use the set operators

⟨·a·⟩, [·a·], ⟨·ε·⟩, [·ε·] : P(ES(Proc)) → P(ES(Proc))

defined by

⟨·a·⟩S = {(p, u) ∈ ES(Proc) | ∃p′. p −a→ p′ and (p′, u) ∈ S},
[·a·]S = {(p, u) ∈ ES(Proc) | ∀p′. p −a→ p′ implies (p′, u) ∈ S},
⟨·ε·⟩S = {(p, u) ∈ ES(Proc) | ∃d ∈ R≥0. ∃p′ ∈ Proc. p −d→ p′ and (p′, u + d) ∈ S}, and
[·ε·]S = {(p, u) ∈ ES(Proc) | ∀d ∈ R≥0. ∀p′ ∈ Proc. p −d→ p′ implies (p′, u + d) ∈ S}.

We write (p, u) ⊨ F iff (p, u) ∈ [[F]]. Two formulae are equivalent if, and only if, they are satisfied by the same extended states in every timed labelled transition system. □

Definition 11.3 A state p in a timed labelled transition system satisfies a formula F (written p ⊨ F) iff (p, u0) ⊨ F where u0 is a clock valuation mapping each formula clock to zero. □

Note that the above definitions apply equally well to the timed labelled transition system T(A) generated from a timed automaton A. For this TLTS, however, extended states take the (notationally slightly unpleasant) form ((ℓ, v), u), where v is a valuation for the set of clocks C in A, and u is a valuation for the set of clocks D used in writing the formulae in Mt. From now on, we shall always tacitly assume that the set of clocks used in formulae is disjoint from that used in timed automata. This means that reset operations on clocks from one of these sets will not have any effect on clocks in the other. So, when specialized over a TLTS of the form T(A), the semantics of a formula of the form x in F becomes

[[x in F]] = {((ℓ, v), u) | ((ℓ, v), u[x ↦ 0]) ∈ [[F]]} . (11.1)

Note how the reset operation only applies to clock x, whereas the values of each clock in the automaton A remain unchanged because we are asking that

((ℓ, v), u[x ↦ 0]) ∈ [[F]] .

Definition 11.4 A timed automaton A satisfies a formula F ∈ Mt iff

((ℓ0, v0), u0) ⊨ F ,

where ℓ0 is the initial location in A, and v0, u0 are clock valuations mapping each clock variable in the automaton and in the formula to zero, respectively. □


To understand better the above definition of the semantics of formulae in Mt, it is instructive to use the formal definition of the semantics of Mt to establish that the initial state of the timed automaton

[Figure: initial location A′ with an a-labelled edge to location B′, guard x ≤ 2, reset x := 0.]

satisfies the formula y in ∃∃(3 ≥ y > 1 ∧ ⟨a⟩tt). To see that this holds, we use (11.1) to derive that

((A′, [x = 0]), [y = 0]) ⊨ y in ∃∃(3 ≥ y > 1 ∧ ⟨a⟩tt) iff

((A′, [x = 0]), [y = 0]) ⊨ ∃∃(3 ≥ y > 1 ∧ ⟨a⟩tt) .

Now observe that to establish that

((A′, [x = 0]), [y = 0]) ⊨ ∃∃(3 ≥ y > 1 ∧ ⟨a⟩tt)

it suffices only to find a d ∈ R≥0 such that

((A′, [x = d]), [y = d]) ⊨ 3 ≥ y > 1 ∧ ⟨a⟩tt . (Why?)

It is easy to find such a d. In fact, each d in the interval (1, 2] would do because if d lies in that interval then [y = d] ⊨ 3 ≥ y > 1 and (A′, [x = d]) −a→ (B′, [x = 0]) both hold.

As you might have already noticed, the above reasoning does in fact show that any extended state of the form ((A′, [x = 0]), [y = d]) satisfies the formula y in ∃∃(3 ≥ y > 1 ∧ ⟨a⟩tt), regardless of the value of d. This is because the use of the formula clock y in the clock constraint 3 ≥ y > 1 is within the scope of a y in construct. We call formulae in which each occurrence of a formula clock z in a clock constraint is within the scope of a z in construct closed. For example, the formula y in ∃∃y = 1 is closed, whereas y = 1 and (y in ∃∃y = 1) ∧ (y ≤ 2) are not.

If F is a closed formula, then the collection of extended states satisfying it is independent of the valuation u for the formula clocks. This means that, if F is closed, for each state p in a TLTS and valuations u, u′ for the formula clocks, we have that

(p, u) ⊨ F iff (p, u′) ⊨ F .


Therefore, when F is closed it makes sense to speak of a state s satisfying F, and we shall tacitly do so in what follows. For a timed automaton A and closed formula F, the suggestive shorthand A ⊨ F will be used in lieu of ((ℓ0, v0), u0) ⊨ F. In what follows, whenever we say that a state in a TLTS satisfies a formula, we shall always assume that the formula is closed unless specified otherwise.

Exercise 11.1 Prove that, as claimed above, if F is a closed formula, then the collection of extended states satisfying it is independent of the valuation u for the formula clocks. Does this hold for arbitrary formulae in Mt? □

Let us now try to use the logic Mt to express formally the following property of a state in a TLTS:

“each a-labelled transition is followed by a b-labelled transition within 2 time units.”

We can express that a b-labelled transition is available within 2 time units by means of the closed formula

y in ∃∃(y ≤ 2 ∧ ⟨b⟩tt) .

Indeed, you should be able to convince yourselves that a state s satisfies the above formula if, and only if, s −d→ s′ −b→ for some state s′ and real number d in the interval [0, 2]. (Do so!) All we need to do now to express the desired property is to realize that the natural language requirement “each a-labelled transition” can be expressed in terms of the [a]-operator of HML. The resulting formula is therefore

[a](y in ∃∃(y ≤ 2 ∧ ⟨b⟩tt)) .

As a further example, consider the following timed automaton

[Figure: a single initial location ℓ0 with invariant x ≤ 2 and an a-labelled self-loop with guard x ≤ 1 and reset x := 0.]

We already argued in Example 10.5 that this timed automaton can delay two units of time thereby reaching a state in which no a-labelled transition is possible. This can be expressed in the language Mt by means of the formula

y in ∃∃(y = 2 ∧ [a]ff) .

You should also be able to argue that the timed automaton above also satisfies the formula ∃∃[a]ff. (Do so!) Does it also satisfy the formula

[a](y in ∃∃(y = 1 ∧ ⟨a⟩tt)) ?


Exercise 11.2 Use the logic Mt to formulate properties of the timed automata in Example 10.9, and argue that the automata have (respectively, do not have) those properties using the semantics of the logic Mt. Can you give examples of properties that both timed automata afford? □

Exercise 11.3

1. Consider the formulae y in y = 0 and y in y > 0. Can you offer equivalent formulations of the properties described by these formulae?

2. Argue that the formulae ∃∃∃∃F and ∃∃F are equivalent for each formula F. Are the formulae ∀∀∀∀F and ∀∀F also equivalent?

3. Show that [·ε·]ES(Proc) and ⟨·ε·⟩ES(Proc) are both equal to ES(Proc). What are the formulae ∀∀tt and [a]tt equivalent to?

4. Argue that (p, u) ⊨ ∀∀⟨a⟩tt iff (p, u) ⊭ ∃∃[a]ff.

5. Prove that formulae x in (y in ∃∃F) and y in (x in ∃∃F) are equivalent for any formula F. Are the following two formulae x in ∃∃(y in ∃∃F) and y in ∃∃(x in ∃∃F) also equivalent? If yes, prove it—if not, give a counterexample.

As we did on page 108 for standard Hennessy-Milner logic, it is sometimes useful to have an alternative characterization of the satisfaction relation ⊨ presented in Definition 11.2. This can be obtained by defining the binary relation ⊨ relating extended states to formulae by structural induction on formulae as follows.

• (p, u) ⊨ tt for each (p, u)

• (p, u) ⊨ ff for no (p, u)

• (p, u) ⊨ F ∧ G iff (p, u) ⊨ F and (p, u) ⊨ G

• (p, u) ⊨ F ∨ G iff (p, u) ⊨ F or (p, u) ⊨ G

• (p, u) ⊨ ⟨a⟩F iff p −a→ p′ for some p′ such that (p′, u) ⊨ F

• (p, u) ⊨ [a]F iff (p′, u) ⊨ F for each p′ such that p −a→ p′

• (p, u) ⊨ ∃∃F iff p −d→ p′ for some p′ and d ∈ R≥0 such that (p′, u + d) ⊨ F

• (p, u) ⊨ ∀∀F iff (p′, u + d) ⊨ F for each d ∈ R≥0 and p′ such that p −d→ p′

• (p, u) ⊨ y in F iff (p, u[y ↦ 0]) ⊨ F

• (p, u) ⊨ g iff u ⊨ g

Exercise 11.4 Show that the above definition of the satisfaction relation is indeed equivalent to that given in Definition 11.2. [Hint: Use induction on the structure of formulae.] □

Note that, as was the case with classic Hennessy-Milner logic (see page 109), logical negation is not one of the constructs in the abstract syntax for Mt. However, on page 109 we argued that the language M is closed under negation, in the sense that, for each formula F ∈ M, there is a formula F^c ∈ M that is equivalent to the negation of F. This result carries over to the setting of Mt. The formula F^c is defined by structural induction on F by extending the clauses dealing with the constructs of classic Hennessy-Milner logic on page 109 as follows.

(∃∃F)^c = ∀∀F^c
(∀∀F)^c = ∃∃F^c
(y in F)^c = y in F^c
(y ≤ n)^c = y > n
(y < n)^c = y ≥ n
(y = n)^c = (y < n) ∨ (y > n)
(y > n)^c = y ≤ n
(y ≥ n)^c = y < n

Note that the “negation” of the clock constraint y = n is not itself a clock constraint, but rather a formula in Mt. This is inevitable because, as we saw in Exercise 10.3, the negation of y = n cannot be expressed as a clock constraint. (This is a good time for you to go back and solve that exercise if you have not done so already!)

Example 11.1 The negation of the formula y in ∃∃(y = 2 ∧ ⟨a⟩tt) is the formula y in ∀∀(y < 2 ∨ y > 2 ∨ [a]ff). □
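The two purely syntactic notions introduced so far, closedness of a formula (every formula clock in a constraint lies within the scope of a matching `x in`) and the negation construction F^c above, can both be computed by structural recursion over the abstract syntax of Definition 11.1. The following Python sketch is an added example, not code from the book or its authors: it represents Mt formulae as a small AST, implements `free_clocks`/`is_closed`, and implements `negate` using the clock-constraint clauses listed above together with the classic HML clauses for tt, ff, ∧, ∨, ⟨a⟩ and [a] (dualizing each pair). Clock constraints are modelled as atomic comparisons `x op n`, with a conjunction of constraints written with `And` at formula level; that simplification and all class and function names are this example's own choices.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Union

# Abstract syntax of Mt (Definition 11.1); constraints are atomic comparisons here.
@dataclass(frozen=True)
class TT: ...                 # tt

@dataclass(frozen=True)
class FF: ...                 # ff

@dataclass(frozen=True)
class And:
    left: Formula
    right: Formula

@dataclass(frozen=True)
class Or:
    left: Formula
    right: Formula

@dataclass(frozen=True)
class Diamond:                # <a>F: some a-transition leads to a state satisfying F
    action: str
    body: Formula

@dataclass(frozen=True)
class Box:                    # [a]F: every a-transition leads to a state satisfying F
    action: str
    body: Formula

@dataclass(frozen=True)
class Exists:                 # EE F: some delay leads to a state satisfying F
    body: Formula

@dataclass(frozen=True)
class Forall:                 # AA F: every delay leads to a state satisfying F
    body: Formula

@dataclass(frozen=True)
class Reset:                  # x in F: evaluate F after setting formula clock x to 0
    clock: str
    body: Formula

@dataclass(frozen=True)
class Guard:                  # atomic clock constraint x op n, with n an integer
    clock: str
    op: str                   # one of "<=", "<", "=", ">", ">="
    bound: int

Formula = Union[TT, FF, And, Or, Diamond, Box, Exists, Forall, Reset, Guard]

# Duals of the atomic constraints other than "=" (the clauses listed in the text).
_DUAL_OP = {"<=": ">", "<": ">=", ">": "<=", ">=": "<"}


def negate(f: Formula) -> Formula:
    """Return F^c, equivalent to the negation of F, by pushing the dual to the atoms."""
    if isinstance(f, TT):
        return FF()
    if isinstance(f, FF):
        return TT()
    if isinstance(f, And):
        return Or(negate(f.left), negate(f.right))
    if isinstance(f, Or):
        return And(negate(f.left), negate(f.right))
    if isinstance(f, Diamond):
        return Box(f.action, negate(f.body))
    if isinstance(f, Box):
        return Diamond(f.action, negate(f.body))
    if isinstance(f, Exists):
        return Forall(negate(f.body))
    if isinstance(f, Forall):
        return Exists(negate(f.body))
    if isinstance(f, Reset):
        return Reset(f.clock, negate(f.body))
    if isinstance(f, Guard):
        if f.op == "=":       # (y = n)^c is a disjunction, not a clock constraint
            return Or(Guard(f.clock, "<", f.bound), Guard(f.clock, ">", f.bound))
        return Guard(f.clock, _DUAL_OP[f.op], f.bound)
    raise TypeError(f"not an Mt formula: {f!r}")


def free_clocks(f: Formula, bound: FrozenSet[str] = frozenset()) -> FrozenSet[str]:
    """Formula clocks used in a constraint outside the scope of a matching `x in`."""
    if isinstance(f, (TT, FF)):
        return frozenset()
    if isinstance(f, (And, Or)):
        return free_clocks(f.left, bound) | free_clocks(f.right, bound)
    if isinstance(f, (Diamond, Box, Exists, Forall)):
        return free_clocks(f.body, bound)
    if isinstance(f, Reset):
        return free_clocks(f.body, bound | {f.clock})
    if isinstance(f, Guard):
        return frozenset() if f.clock in bound else frozenset({f.clock})
    raise TypeError(f"not an Mt formula: {f!r}")


def is_closed(f: Formula) -> bool:
    """Closed formulae are satisfied independently of the formula-clock valuation."""
    return not free_clocks(f)
```

Applied to the formula of Example 11.1, `negate` yields the formula stated there (with the disjunction nested as `(y < 2 ∨ y > 2) ∨ [a]ff`), and `is_closed` separates `y in ∃∃y = 1` from `y = 1` and `(y in ∃∃y = 1) ∧ (y ≤ 2)` exactly as the discussion of closed formulae requires. Because `negate` rewrites `y = n` into a disjunction, `negate(negate(F))` is syntactically identical to `F` only when `F` contains no equality constraint; in general the two are equivalent rather than equal, which is the sense of Exercise 11.6.
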

Exercise 11.5 Negate the formula ∀∀[a]ff ∨ x in ∃∃(x = 1 ∧ ⟨a⟩tt). □

Proposition 11.1 Let (Proc, Lab, {−a→ | a ∈ Lab}) be a timed labelled transition system. Then, for every formula F ∈ Mt, it holds that [[F^c]] = ES(Proc) \ [[F]].

Proof: The proposition can be proven by structural induction on F. The details are left as an exercise to the reader. □

Exercise 11.6

1. Prove Proposition 11.1.

2. Prove, furthermore, that (F^c)^c = F for every formula F ∈ Mt. [Hint: Use structural induction on F.]

As a consequence of Proposition 11.1, we have that, for each extended state (p, u) and formula F, exactly one of (p, u) ⊨ F and (p, u) ⊨ F^c holds. In fact, each extended state is exclusively contained either in [[F]] or in [[F^c]].

Exercise 11.7 (Recommended) Another natural way to introduce time delay operators ∃∃ and ∀∀ which can specify particular time durations would be to associate these operators with time intervals. For example the formula ∃∃[3,5)F would mean that it is possible to perform a time delay greater than or equal to 3 but strictly less than 5 time units such that the formula F holds afterwards. Similarly ∀∀(2,7)F stands for the fact that after all possible time delays strictly between 2 and 7 time units, the formula F must hold.

1. Define formally the syntax and semantics of the above mentioned variant of HML with time.

2. Prove that for any such formula one can construct an equivalent formula from Mt. [Hint: use structural induction.]

11.2 Timed Bisimilarity vs. Hennessy-Milner Logic with Time

In Exercise 11.2, you were asked, amongst other things, to find properties distinguishing the two timed automata in Example 10.9. Those automata are not timed bisimilar.

Consider, as another example, the two timed automata

[Figure: two timed automata. Left: a single initial location with an a-labelled self-loop, guard x ≤ 1, reset x := 0. Right: a single initial location with invariant x ≤ 1 and an a-labelled self-loop with reset x := 0 and no guard.]

whose behaviour we analyzed in Figure 10.2. Based on that analysis, you should be able to convince yourselves easily that these two timed automata are not timed bisimilar. A formula in the language Mt that distinguishes these two timed automata is y in ∃∃(y > 1). In fact, the timed automaton on the left-hand side satisfies this formula, but the one on the right-hand side does not because it cannot delay for more than one time unit.

Exercise 11.8 Prove the above claim formally using the semantics of formulae. □

Again, faced with two timed automata that are not timed bisimilar, we have been able to find a formula in the logic Mt that distinguishes them, in the sense that one timed automaton satisfies it, but the other does not. Is this true in general? And what can we say about two timed automata that satisfy precisely the same formulae in Mt? Are they guaranteed to be timed bisimilar?

In Section 5, we saw that classic HML characterizes bisimilarity over image-finite processes—see Definition 5.3 for the formal definition of this class of processes. This was the import of an elegant characterization theorem due to Hennessy and Milner (Theorem 5.1). The acid test for our development of the language Mt is whether a similar characterization theorem holds for timed bisimilarity. We shall now proceed to show that this is indeed the case—at least if we use timed automata as our model for real-time systems.

We first show that, in the technical sense stated in the following theorem, two timed bisimilar states in an arbitrary timed labelled transition system satisfy the same formulae in Mt.

Theorem 11.1 Let (Proc, Lab, {−a→ | a ∈ Lab}) be a timed labelled transition system. Assume that p, q are timed bisimilar states in Proc. Let u be a clock valuation for the formula clocks in D. Then the extended states (p, u) and (q, u) satisfy exactly the same formulae (both closed and open) in Mt.

Proof: Assume that p, q are timed bisimilar states in Proc. Let u be a clock valuation for the formula clocks in D. Assume that (p, u) ⊨ F for some formula F ∈ Mt. Using structural induction on F, we prove that (q, u) ⊨ F. By symmetry, this is enough to establish that (p, u) and (q, u) satisfy the same formulae in Mt.

The proof proceeds by a case analysis on the form of F. We only present the details for the case F = ∀∀G for some formula G. Our inductive hypothesis is that, for all states r and s, if r and s are timed bisimilar and (r, u′) ⊨ G for some valuation u′ of the formula clocks, then (s, u′) ⊨ G. Using this hypothesis, we shall prove that (q, u) ⊨ ∀∀G. To this end, assume that q −d→ q′ for some state q′ and d ∈ R≥0. We wish to show that (q′, u + d) ⊨ G. Now, since p and q are timed bisimilar and q −d→ q′, there is a process p′ such that p −d→ p′ and p′ is timed bisimilar to q′. (Why?) By our assumption that (p, u) ⊨ ∀∀G, we have that (p′, u + d) ⊨ G. The inductive hypothesis yields that (q′, u + d) ⊨ G. Since q′ and d were arbitrary, we may conclude that (q, u) ⊨ ∀∀G, which was to be shown. □

By instantiating the above result to the TLTSs that give semantics to timed automata, we get the following result.

Corollary 11.1 Let A and A′ be timed bisimilar timed automata. Then A and A′ satisfy exactly the same formulae in Mt.

Exercise 11.9 Assume that p, q are timed bisimilar states in a TLTS. Suppose, furthermore, that each formula in Mt satisfied by p is also satisfied by q. Prove that p and q satisfy the same formulae in Mt. □

In the setting of image-finite labelled transition systems, Theorem 5.1 tells us that two states that satisfy the same formulae in Hennessy-Milner logic are bisimilar. However, the converse of Theorem 11.1 does not hold over TLTSs, regardless of whether they are image-finite or not.

Intuitively, this lack of expressiveness of the logic Mt is due to the assumptions we have made about the syntax of clock constraints. Recall that the syntax of clock constraints allows us to compare the values of clocks with integer values. The delay transitions that are possible in a TLTS are, however, labelled by arbitrary non-negative real numbers. This means, for instance, that there is nothing that prevents us from specifying a TLTS like this:

• the set of states of the TLTS is {(A, d), (B, d) | d ∈ R≥0} ∪ {End},

• for each d < √2, there are transitions (A, d) −a→ End and (B, d) −a→ End,

• (B, √2) −a→ End holds, and

• for each d, d′ ∈ R≥0, we have that

(A, d) −d′→ (A, d + d′) ,

(B, d) −d′→ (B, d + d′) and

End −d′→ End .

Observe, first of all, that the states (A, 0) and (B, 0) are not timed bisimilar. Indeed

(B, 0) −√2→ (B, √2) −a→ End

whereas the only state that (A, 0) can reach by delaying √2 units of time is (A, √2), from which no a-labelled transition is possible. You should be able to convince yourselves that this is the only difference in the behaviour of the two states (A, 0) and (B, 0). Therefore, we could logically distinguish the behaviour of these two states only if the logic Mt allowed us to express a property stating, informally, that

“by delaying exactly √2 time units one can reach a state from which an a-labelled transition is possible.”

Using the language Mt, we are able to specify such properties for integer delays, and after an appropriate “change of the time scale” for rational delays (and you are encouraged to try and do so!), but not for irrational delays. Therefore our intuition suggests that the states (A, 0) and (B, 0) satisfy the same properties expressible in Mt. Indeed, the intuition is confirmed by the following result.

Proposition 11.2 The states (A, 0) and (B, 0) satisfy the same properties expressible in Mt.

Proof: (Sketch) The proposition follows from the following stronger claim:

For each d < √2 and valuation u for the formula clocks, the extended states ((A, d), u) and ((B, d), u) satisfy the same formulae in Mt.

The proposition follows immediately from the above claim by taking d = 0 and u = u0. The proof of the claim is left as an exercise for the keenest amongst our readers. (See Exercise 11.10.) □

Exercise 11.10 (For the Keenest) Show the claim made in the above proof. To this end, you might find it useful to begin by proving the claim by induction on the structure of formulae assuming the following auxiliary statements:

1. (A, √2) and (B, d) are timed bisimilar for each d > √2,

2. for each d, e > √2, the states (A, d) and (B, e) are timed bisimilar, and

3. for each d < √2, clock valuations u, u′ and formula F,

((A, √2), u) ⊨ F and ((A, d), u′) ⊨ F imply ((B, √2), u) ⊨ F .

Next you should proceed to establish each of the above auxiliary statements. For the last statement, use structural induction on F. □

To sum up what we have learned from the above discussion, we have no hope of achieving a characterization theorem for timed bisimilarity in terms of the logic Mt over arbitrary timed labelled transition systems. However, this is not as bad as it sounds! Indeed, timed labelled transition systems are a very expressive formalism for real-time systems, and cannot in general be finitely described—for instance, by means of timed automata. Since timed automata provide a good formalism for the finite description of timed labelled transition systems, and the syntactic restrictions that we have imposed on the clock constraints are exactly the same as those present in the syntax of the logic Mt, we might expect that a converse of Theorem 11.1 holds over (states of) timed automata. The following result states that this is indeed the case.

Theorem 11.2 Let $A$ and $B$ be two timed automata that satisfy the same formulae in the logic $M_t$. Then $A$ and $B$ are timed bisimilar.

Proof: Kim: What would be a good reference for this result? □

As an immediate consequence of the above theorem and of Corollary 11.1, we can now obtain the following result—offering a counterpart of the characterization theorem of Hennessy and Milner for timed automata.

Corollary 11.2 Two timed automata are timed bisimilar if, and only if, they satisfy the same formulae in the language $M_t$.

An interesting, and useful, consequence of Theorem 11.2 above is that whenever two timed automata are not timed bisimilar, then we can always find a formula in the language $M_t$ that one satisfies, but the other does not. This formula, which is often referred to as a distinguishing formula, gives a reason why the two timed automata are not timed bisimilar, and can be algorithmically constructed. (The details of the algorithmic construction for the synthesis of distinguishing formulae are beyond the scope of this introductory textbook. We refer the interested readers to the paper (Godskesen and Larsen, 1995) for more information.)

We have already seen examples of such distinguishing formulae in this section. Such formulae play an important role in implementation verification. Indeed, if we use timed bisimilarity as our notion of equivalence between real-time systems, and the timed automaton describing an implementation of a system is not equivalent to the specification automaton, then a distinguishing formula offers a reason why the implementation is not correct with respect to the given specification. That formula can be used as debugging information to locate the source of the error in the implementation, and correct it.

Exercise 11.11 Would Theorem 11.1 hold if all we knew about the states $p$ and $q$ were that they are untimed bisimilar? □

Exercise 11.12 Find a sub-language of $M_t$ that characterizes untimed bisimilarity over TLTSs. □


Exercise 11.13 In Example 9.1, we saw how to view the set of non-negative real numbers as a TLTS. Using the same ideas, we can view the intervals $[0, \sqrt{2})$ and $[0, \sqrt{2}]$ as two TLTSs with the number $0$ as their distinguished initial state.

1. Are these two TLTSs timed bisimilar?

2. If your answer is no, can you find a formula in $M_t$ that distinguishes them?

Motivate your answers! □

11.3 Adding Recursively Defined Formulae to HML with Time

In the previous text on Hennessy-Milner logic we successfully extended the language to handle recursively defined formulae. In what follows we aim at introducing formulae with one recursively defined variable also for Hennessy-Milner logic with time.

Consider the timed automaton below (this automaton will be our running example in this section).

[Figure: a timed automaton with a single location $\ell$ and one $a$-labelled self-loop edge with guard $x \le 1$ and reset $x := 0$.]

Using the logic $M_t$ we are able to express that, in its initial state, no matter how this automaton performs two $a$-actions in a row, the time delay between those action occurrences will be of at most one time unit. A formula in the language $M_t$ stating this property is

$\mathit{TwoAs} \stackrel{\mathrm{def}}{=} [a](y \ \mathrm{in}\ \forall\forall [a](y \le 1))$ .   (11.2)

(We encourage you to show that the initial state of the above timed automaton does satisfy this formula using the formal definition of the satisfaction relation for formulae in $M_t$ over states of timed automata.) However, a little reflection should convince you that the above property does not just hold for the initial state of the timed automaton we are considering. Rather, this property holds for all of the states of the timed labelled transition system that gives semantics to that timed automaton. In other words, we expect that the automaton under consideration has the following property:

“It is always the case that whenever two $a$-actions occur in a row, then the time delay between them is of at most one time unit.”


This natural property, however, cannot be expressed in the language $M_t$. In fact, even though the modal operators $\exists\exists$ (“there is a delay”) and $\forall\forall$ (“for each delay”) allow us to examine the behaviour of a state of a timed automaton for arbitrarily long delays, an $M_t$ formula can only describe a finite part of the overall behaviour of a process that is due to the performance of actions.

You might recall that we discussed a similar shortcoming for HML in Section 6. As was the case for HML, a single formula in the language $M_t$ can only describe properties of a fixed finite fragment of the computations of a real-time system that are due to action occurrences. As we discussed in Section 6, how much of the behaviour of a real-time system we can explore using a single formula is entirely determined by its so-called modal depth—that is, by the maximum nesting of action modalities in it.

The formula we stated informally above is an example of a safety or invariant property. In Section 6, we saw that a natural specification language in which one can express properties like the aforementioned one is HML extended with a facility for the recursive definition of properties. Following the developments in that section, we shall now extend the language $M_t$ with recursion in similar fashion. In order to keep our presentation as simple and intuitive as possible, we shall consider the language obtained by extending $M_t$ with a single recursively defined formula, specified by the identifier $X$. As in the setting of HML with recursion, this identifier will denote a set of states (namely those that satisfy the property it expresses), and can be used in the definition of formulae using the abstract syntax of the language $M_t$.

How can we specify a timing property recursively? Let us consider, by way of example, the formal description of the aforementioned property

“It is always the case that whenever two $a$-actions occur in a row, then the time delay between them is of at most one time unit.”

A state of a timed automaton satisfies this property if

• whenever it does two $a$-actions in a row, the time delay between them is of at most one time unit,

• if each state that it can reach by delaying some amount of time has the property, and

• if each state that it can reach by performing an action also has that property.

Assuming, for the sake of simplicity, that $a$ is the only action the timed automaton performs, this means that the property above should satisfy the following recursive equation:

$X \equiv \mathit{TwoAs} \wedge \forall\forall X \wedge [a]X$   (11.3)


where the property $\mathit{TwoAs}$ is the one given in (11.2). As claimed in our previous discussion, the first conjunct on the right-hand side of the recursive equation above states that if the present state performs two $a$-actions in a row, then the time delay between them is of at most one time unit. The second conjunct states the requirement that the property is preserved by arbitrary delays, and the third that it still holds true after the performance of the action $a$.

As you might recall from our discussion in Section 6, the above recursive equation is meant to specify a set of states in a timed automaton—namely, the set of states that satisfy the property $X$ is supposed to express. By analogy with our developments of the theory of HML with recursion, the formula $X$ is supposed to stand for a set $S$ of states of a timed automaton such that

$S = [\![\mathit{TwoAs}]\!] \cap [\cdot\varepsilon\cdot]S \cap [\cdot a\cdot]S$   (11.4)

where $[\![\mathit{TwoAs}]\!]$ stands for the set of states that satisfy the formula $\mathit{TwoAs}$ in (11.2). Note that the empty set of states satisfies the above “set equation”. This is due to the fact that $[\cdot\varepsilon\cdot]\emptyset = \emptyset$. However, this is certainly not the meaning we have in mind for the formula $X$!

Observe that the empty set is the least solution of the above set equation. By analogy with our developments in the setting of HML with recursion, we expect instead that the solution we have in mind for the set equation corresponding to the recursive equation defining the property $X$ is the largest one. This is because the property that $X$ is intended to formalize is a safety property. (See the discussion in Section 6.1.) In the timed labelled transition system that gives semantics to our running example, it turns out that the largest set of states that satisfies the set equation (11.4) is the set $\mathit{Proc}$ of all states of that automaton. This is because $[\![\mathit{TwoAs}]\!]$ is equal to $ES(\mathit{Proc})$ since, for each $d \in \mathbb{R}_{\ge 0}$,

$(\ell, [x = d]) \xrightarrow{a}$ implies $d \le 1$ .

As we shall see in what follows, the same techniques from standard fixed point theory, that turned out to be very useful in making sure that the set equations associated with recursively defined formulae in HML have least and largest solutions, can be applied here.

Formally, the syntax of Hennessy-Milner logic with time and one variable $X$ is given by the following grammar:

$F ::= X \mid \mathit{tt} \mid \mathit{ff} \mid F \wedge G \mid F \vee G \mid \langle a\rangle F \mid [a]F \mid \exists\exists F \mid \forall\forall F \mid x \ \mathrm{in}\ F \mid g$

where $a \in \mathit{Act}$, $x \in D$ and $g \in B(D)$.


In what follows, we shall interpret formulae in the above language over the collection of extended states associated with a given timed automaton $A$—for instance, the one in our running example. Let $\mathit{Proc}$ denote the set of states of the timed automaton under consideration. Semantically a formula $F$ (that may contain the variable $X$) is interpreted as a function $O_F : ES(\mathit{Proc}) \to ES(\mathit{Proc})$ that, given a set of extended states that are assumed to satisfy $X$, gives us the set of extended states that satisfy $F$. The function $O_F$ may be defined as follows along the lines of Definition 6.1.

Definition 11.5 For each $S \subseteq ES(\mathit{Proc})$ and formula $F$, we define $O_F(S)$ inductively by:

$O_X(S) = S$

$O_{\mathit{tt}}(S) = ES(\mathit{Proc})$

$O_{\mathit{ff}}(S) = \emptyset$

$O_{F_1 \wedge F_2}(S) = O_{F_1}(S) \cap O_{F_2}(S)$

$O_{F_1 \vee F_2}(S) = O_{F_1}(S) \cup O_{F_2}(S)$

$O_{\langle a\rangle F}(S) = \langle\cdot a\cdot\rangle O_F(S)$

$O_{[a]F}(S) = [\cdot a\cdot] O_F(S)$

$O_{\exists\exists F}(S) = \langle\cdot\varepsilon\cdot\rangle O_F(S)$

$O_{\forall\forall F}(S) = [\cdot\varepsilon\cdot] O_F(S)$

$O_{x \ \mathrm{in}\ F}(S) = \{(p, u) \mid (p, u[x \mapsto 0]) \in O_F(S)\}$

$O_g(S) = \{(p, u) \mid u \models g\}$ .

Exercise 11.14 Use the above definition to calculate $O_F(\{((\ell, [x = 0]), [y = 0])\})$, where $F$ is the formula on the right-hand side of the defining equation for $X$ in (11.3). □

Exercise 11.15 Assume that $S_1$ and $S_2$ are subsets of $ES(\mathit{Proc})$ with $S_1$ included in $S_2$. Argue that

$\langle\cdot\varepsilon\cdot\rangle S_1 \subseteq \langle\cdot\varepsilon\cdot\rangle S_2$,

$[\cdot\varepsilon\cdot]S_1 \subseteq [\cdot\varepsilon\cdot]S_2$ and

$\{(p, u) \mid (p, u[x \mapsto 0]) \in S_1\} \subseteq \{(p, u) \mid (p, u[x \mapsto 0]) \in S_2\}$ .

Use these observations, together with your answers to Exercise 6.5, to show that $O_F$ is monotonic for each $F$. (In other words, for all subsets $S_1, S_2$ of $ES(\mathit{Proc})$, if $S_1 \subseteq S_2$ then $O_F(S_1) \subseteq O_F(S_2)$.) □


Exercise 11.16 Show that $(\mathcal{P}(ES(\mathit{Proc})), \subseteq)$ is a complete lattice. □

We now know that, for each $F$, the function $O_F$ is monotonic over the complete lattice $(\mathcal{P}(ES(\mathit{Proc})), \subseteq)$. As mentioned above, and by analogy with our developments in Section 6.2, the idea underlying the definition of the function $O_F$ is that if $[\![X]\!] \subseteq ES(\mathit{Proc})$ gives the set of extended states that satisfy $X$, then $O_F([\![X]\!])$ will be the set of extended states that satisfy $F$. As we did in the setting of standard HML with recursion, syntactically we shall assume that $[\![X]\!]$ is implicitly given by a recursive equation for $X$ of the form

$X \stackrel{\min}{=} F_X$ or $X \stackrel{\max}{=} F_X$ .

As argued by example above, such an equation can semantically be interpreted asthe following set equation.

$[\![X]\!] = O_{F_X}([\![X]\!])$   (11.5)

As $O_{F_X}$ is a monotonic function over a complete lattice we know that (11.5) has solutions—that is, that $O_{F_X}$ has fixed points. In particular Tarski's Fixed Point Theorem gives us that there are the largest fixed point and the least fixed point given respectively by

$\bigcup\{S \subseteq ES(\mathit{Proc}) \mid S \subseteq O_{F_X}(S)\}$ and

$\bigcap\{S \subseteq ES(\mathit{Proc}) \mid O_{F_X}(S) \subseteq S\}$ .

Let us use the former expression above to argue formally that the largest fixed point of the function $O_F$, where $F$ is the formula on the right-hand side of the defining equation for $X$ in (11.3), over the set of extended states for our running example is indeed the whole collection of extended states, as claimed. To this end, it suffices only to show that

$ES(\mathit{Proc}) \subseteq O_F(ES(\mathit{Proc}))$ .

(Why?) We have already argued that $[\![\mathit{TwoAs}]\!]$ is equal to $ES(\mathit{Proc})$, so using Definition 11.5, you should be able to convince yourselves that

$O_F(ES(\mathit{Proc})) = [\cdot\varepsilon\cdot]ES(\mathit{Proc}) \cap [\cdot a\cdot]ES(\mathit{Proc})$ .

Observe now that both $[\cdot\varepsilon\cdot]ES(\mathit{Proc})$ and $[\cdot a\cdot]ES(\mathit{Proc})$ are equal to $ES(\mathit{Proc})$ (Exercise 11.3). Therefore $O_F(ES(\mathit{Proc}))$ is just $ES(\mathit{Proc})$, as claimed.
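As an added worked example (not from the book), the following Python code solves the set equation (11.5) by iterating $O_F$ from the top of the lattice, as Tarski's theorem licenses, and checks that the largest solution for the running example is all of $ES(\mathit{Proc})$ while the least one is empty. It assumes a discrete-time abstraction of the running example that is not in the text: clocks take integer values saturating at a cap above every constant in guards and formulae, so the set of extended states is finite, and the guard bound of the self loop is a parameter so that a bound of 2, for which $\mathit{TwoAs}$ fails, can be compared with the book's bound of 1.

```python
"""Greatest and least solutions of [[X]] = O_F([[X]]) on a finite state space.

Added example, not from the book. The running example (one location l with an
a-labelled self loop guarded by x <= guard and resetting x) is abstracted to
discrete time: the automaton clock x and the single formula clock y are integers
saturating at a cap above every constant in guards and formulae, so the set of
extended states is finite and O_F can be iterated until it stabilises.
"""


class DiscreteRunningExample:
    """Extended states ((l, [x = x]), [y = y]) are represented as pairs (x, y)."""

    def __init__(self, guard=1):
        self.guard = guard
        self.cap = max(guard, 1) + 1          # larger clock values behave alike
        self.states = frozenset((x, y) for x in range(self.cap + 1)
                                       for y in range(self.cap + 1))

    def act_succ(self, s):
        """a-successors: the loop is enabled iff x <= guard and resets x to 0."""
        x, y = s
        return [(0, y)] if x <= self.guard else []

    def delay_succ(self, s):
        """Successors under a delay d >= 0 (d = 0 included); both clocks advance."""
        x, y = s
        return {(min(x + d, self.cap), min(y + d, self.cap))
                for d in range(self.cap + 1)}

    def sem(self, F, S):
        """O_F(S) as in Definition 11.5; S is the set assumed to satisfy X.

        Formulae are nested tuples: ("X",), ("tt",), ("ff",), ("and", F, G),
        ("or", F, G), ("<a>", F), ("[a]", F), ("EE", F) for the exists-delay
        modality, ("AA", F) for the for-all-delay modality, ("y in", F) for the
        clock reset and ("y<=", k) for the clock constraint y <= k.
        """
        kind = F[0]
        if kind == "X":
            return set(S)
        if kind == "tt":
            return set(self.states)
        if kind == "ff":
            return set()
        if kind in ("and", "or"):
            left, right = self.sem(F[1], S), self.sem(F[2], S)
            return left & right if kind == "and" else left | right
        if kind == "y<=":
            return {(x, y) for (x, y) in self.states if y <= F[1]}
        if kind == "y in":                        # evaluate F with y reset to 0
            T = self.sem(F[1], S)
            return {(x, y) for (x, y) in self.states if (x, 0) in T}
        if kind not in ("<a>", "[a]", "EE", "AA"):
            raise ValueError(f"unknown connective {kind!r}")
        T = self.sem(F[1], S)
        succ = self.act_succ if kind in ("<a>", "[a]") else self.delay_succ
        quant = any if kind in ("<a>", "EE") else all   # diamond vs. box
        return {s for s in self.states if quant(t in T for t in succ(s))}

    def _iterate(self, F, start):
        """Apply O_F repeatedly from `start` until a fixed point is reached."""
        S = set(start)
        while True:
            T = self.sem(F, S)
            if T == S:
                return frozenset(S)
            S = T

    def gfp(self, F):
        """Largest fixed point: descend from ES(Proc), the top of the lattice."""
        return self._iterate(F, self.states)

    def lfp(self, F):
        """Least fixed point: ascend from the empty set, the bottom of the lattice."""
        return self._iterate(F, ())


# TwoAs = [a](y in AA [a](y <= 1)), formula (11.2).
TWO_AS = ("[a]", ("y in", ("AA", ("[a]", ("y<=", 1)))))
# Right-hand side of X max= TwoAs and AA X and [a] X, formula (11.3).
X_RHS = ("and", TWO_AS, ("and", ("AA", ("X",)), ("[a]", ("X",))))


if __name__ == "__main__":
    for g in (1, 2):
        m = DiscreteRunningExample(guard=g)
        print(f"guard x <= {g}: [[TwoAs]] has {len(m.sem(TWO_AS, ()))} and the"
              f" largest [[X]] has {len(m.gfp(X_RHS))} of {len(m.states)} states")
```

With the book's guard the iteration stabilises after one step at the whole state space; with guard 2 the largest solution contains exactly the extended states in which the loop is no longer enabled.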

Characteristic Properties for Timed Bisimilarity

In Section 6.6, we saw how to characterize the equivalence classes for strong bisimulation with a single formula in HML with recursive definition. The formula that characterizes the bisimulation equivalence class for a state in a finite labelled transition system was called its characteristic formula.

It is natural to ask whether the language $M_t$ extended with recursively defined formulae is expressive enough to allow us to obtain a similar result for timed bisimilarity over timed automata. Indeed, achieving such a result would give us yet another indication that our design choices for the logic $M_t$ are “good”, at least in that this language affords properties that are akin to those of classic Hennessy-Milner logic—with or without recursively defined formulae.

For the sake of simplicity, we shall focus in this section on timed automata without invariants—that is, on timed automata whose location invariants are all tautologies—, and over a single action $a$.

Consider, by way of example, the timed automaton used as our running example in this section.

[Figure: the running example again, a timed automaton with a single location $\ell$ and one $a$-labelled self-loop edge with guard $x \le 1$ and reset $x := 0$.]

A formula characterizing node $\ell$ in this timed automaton up to timed bisimilarity should offer a description of:

1. all the actions that are enabled in the node,

2. which node is entered by taking a given edge, together with the clock resets associated with it, and

3. the fact that arbitrary delays are allowed in the node.

The resulting characteristic formula is presented below, where we consider each $X_\ell$ to be our recursively defined variable. The formula consists of three conjuncts, each associated to one of the above properties:

$X_\ell \stackrel{\max}{=} (x \le 1 \Rightarrow (\langle a\rangle x \ \mathrm{in}\ X_\ell)) \wedge [a](x \le 1 \wedge (x \ \mathrm{in}\ X_\ell)) \wedge \forall\forall X_\ell$ .

The above formula encodes the behaviour of the timed automaton as follows. The first conjunct in the formula on the right-hand side of the recursive equation states that if the value of the clock $x$ is no larger than $1$, then the timed automaton can perform an $a$-labelled transition, and reach a state that satisfies the characteristic formula for node $\ell$ after resetting the clock $x$. (Note that this conjunct encodes the self loop in the timed automaton.) The second conjunct is intended to express that the self loop edge is the only one in this timed automaton. This is done by saying that no matter how an $a$-action is performed, this is done within one time unit from the last time the clock $x$ was reset, and it will lead to a state that satisfies the characteristic formula for node $\ell$ after resetting clock $x$. The third and last conjunct expresses the fact that, no matter how long we delay, we should still satisfy the characteristic formula for node $\ell$.

The following theorem states that the above recursively defined formula is characteristic for our running example modulo timed bisimilarity.

Theorem 11.3 Let $A$ be a timed automaton whose set of clocks does not include $x$. Let $\ell'$ be a node of $A$. Assume that $d \in \mathbb{R}_{\ge 0}$ and $u$ is a valuation for the clocks of $A$. Then $(\ell, [x = d])$ is timed bisimilar to $(\ell', u)$ if, and only if, the extended state $((\ell', u), [x = d])$ satisfies $X_\ell$.

Proof: We first show that the extended state $((\ell', u), [x = d])$ satisfies $X_\ell$ whenever $(\ell, [x = d])$ is timed bisimilar to $(\ell', u)$. To this end, it suffices only to argue that

$S \subseteq O_F(S)$ ,

where $F$ is the formula on the right-hand side of the recursive definition for $X_\ell$, and the set $S$ is defined as:

$S = \{((\ell', u'), [x = d']) \mid (\ell, [x = d'])$ is timed bisimilar to $(\ell', u')\}$ .

(Convince yourselves of this claim!) Assume that $((\ell', u'), [x = d']) \in S$. We shall prove that $((\ell', u'), [x = d'])$ is also contained in $O_F(S)$. By the definition of the function $O_F$, this amounts to arguing that

1. $((\ell', u'), [x = d']) \in O_{x \le 1 \Rightarrow (\langle a\rangle x \ \mathrm{in}\ X_\ell)}(S)$,

2. $((\ell', u'), [x = d']) \in O_{[a](x \le 1 \wedge (x \ \mathrm{in}\ X_\ell))}(S)$ and

3. $((\ell', u'), [x = d']) \in O_{\forall\forall X_\ell}(S)$.

We shall limit ourselves to presenting the details of the verification of the first of these claims. (You are invited to fill in the details of the proof of the latter two claims yourselves.)

Observe, first of all, that $((\ell', u'), [x = d']) \in O_{x \le 1 \Rightarrow (\langle a\rangle x \ \mathrm{in}\ X_\ell)}(S)$ holds trivially if $d' > 1$. (Why?) Assume therefore that $d' \le 1$. In this case, we wish to argue that

$((\ell', u'), [x = d']) \in O_{\langle a\rangle x \ \mathrm{in}\ X_\ell}(S)$ .


By the definition of the function $O$, this holds precisely when, for some state $(\ell'', u'')$ of the timed automaton $A$,

$(\ell', u') \xrightarrow{a} (\ell'', u'')$ and $((\ell'', u''), [x = 0]) \in S$ .

(Check this claim!) To see that the above criterion is met by the state $(\ell', u')$, we argue as follows. Since $d' \le 1$, we have that

$(\ell, [x = d']) \xrightarrow{a} (\ell, [x = 0])$ .

By the definition of $S$, the states $(\ell', u')$ and $(\ell, [x = d'])$ are timed bisimilar. Therefore, there exists a state $(\ell'', u'')$ of the timed automaton $A$ such that

$(\ell', u') \xrightarrow{a} (\ell'', u'')$ and $(\ell'', u'')$ is timed bisimilar to $(\ell, [x = 0])$ .

Again by the definition of $S$, we may conclude that

$((\ell'', u''), [x = 0]) \in S$ ,

which was to be shown. Our order of business will now be to show that if the extended state $((\ell', u), [x = d])$ satisfies $X_\ell$, then $(\ell, [x = d])$ is timed bisimilar to $(\ell', u)$. To this end, it suffices only to prove that the relation

$R = \{((\ell, [x = d]), (\ell', u)) \mid ((\ell', u), [x = d]) \models X_\ell\}$

is a timed bisimulation. The proof is left as a strongly recommended exercise for the reader. □

Exercise 11.17 (Strongly Recommended) Complete the proof of the above theorem. □

This theorem and the construction of the characteristic formula for our running example are specific instances of the general construction of characteristic formulae, and of the theorem showing its correctness, presented in (Aceto, Ingolfsdottir, Pedersen and Poulsen, 2000). Related results may be found in (Aceto, Bouyer, Burgueno and Larsen, 2003; Laroussinie et al., 1995)—the latter reference offers, to the best of our knowledge, the first construction of characteristic formulae for timed automata, modulo timed bisimilarity presented in the literature.

Exercise 11.18 Give characteristic formulae for the timed automata in Example 10.9, and prove a version of Theorem 11.3 for them. (You might find it useful to define a characteristic formula for each location in the timed automata. You won't need recursion!) □


Exercise 11.19 (Characteristic Formulae for Timed Simulation) A timed simulation over the states of some timed labelled transition system is a relation $R$ such that whenever $s_1 \mathrel{R} s_2$ and $a \in \mathit{Lab}$, then:

- if $s_1 \xrightarrow{a} s_1'$ then $s_2 \xrightarrow{a} s_2'$ for some $s_2'$ such that $s_1' \mathrel{R} s_2'$.

State $s_1$ is simulated by $s_2$ iff the pair $(s_1, s_2)$ is contained in a timed simulation. For timed automata $A_1$ and $A_2$, we say that $A_1$ is simulated by $A_2$ iff the initial state of $A_1$ is simulated by that of $A_2$. Give a characteristic formula for our running example modulo timed simulation, and prove a version of Theorem 11.3 for it. □

Examples of Real-time Temporal Properties

The basic constructs of the logic $M_t$ extended with recursive definitions can be used to define high level temporal operators, which may be used to simplify the writing of logical specifications. Here we confine ourselves to showing how to define the temporal operators until, before and Inv (in the following formulae, $t$ is a non-negative integer):

$F \ \mathrm{until}\ G \stackrel{\max}{=} G \vee (F \wedge [\mathit{Act}](F \ \mathrm{until}\ G) \wedge \forall\forall(F \ \mathrm{until}\ G))$

$F \ \mathrm{until}_{\le t}\ G = x \ \mathrm{in}\ ((F \wedge x \le t) \ \mathrm{until}\ G)$

$\mathrm{before}\ t\ F = \mathit{tt} \ \mathrm{until}_{\le t}\ F$

$\mathrm{Inv}(F) \stackrel{\max}{=} F \wedge [\mathit{Act}]\mathrm{Inv}(F) \wedge \forall\forall\mathrm{Inv}(F)$ .

The intuitive meaning of the above temporal operators is as follows.

• $F \ \mathrm{until}\ G$ is true iff, no matter how long the system delays or what action transitions it takes, $F$ is satisfied at least until $G$ becomes true. Since we are specifying this property using a greatest fixed point, the formula $F$ may be satisfied forever and $G$ might never become true. The above formula is therefore an example of a so-called weak until. (See the discussion on page 121.)

• $F \ \mathrm{until}_{\le t}\ G$ is the time bounded version of the above property. There we are stating that $F$ is satisfied at least until $G$ holds, and moreover $G$ is guaranteed to hold within $t$ time units.

• The formula $\mathrm{before}\ t\ F$ states that $F$ will hold within $t$ time units. This is an example of a time bounded eventuality property.

• Finally, $\mathrm{Inv}(F)$ states that the formula $F$ holds invariantly. (This is just a real-time version of the invariance property that we already met in Section 6.)


The second and the third property introduced above are examples of so-called bounded liveness properties. This kind of property arises quite often when we try to describe expected behaviours of real-time systems. Recall that a typical liveness property states intuitively that “something good will eventually happen.” For instance, a liveness property could specify that each request to access some resource is eventually granted. In a real-time setting, however, we are often not just interested in knowing that our requests will be granted at some unspecified time in the future. Rather, we expect that we are granted access to whatever service we need within a specified time bound! As a concrete example, consider the behaviour of an airbag system in a car described by the property

If the car crushes, the airbag must be inflated within 50 milliseconds.

This property is an example of a bounded liveness property, and can be described using the formula

$\mathrm{Inv}([\mathit{crush}](\mathrm{before}\ 50\ \langle\mathit{inflate}\rangle\mathit{tt}))$ .

Indeed, the above formula states that no matter how the system evolves—that is, in all reachable states—, then each crush action can be followed by an inflate action within 50 time units.

11.4 Overview of the Main Results

We can add something here if you think that it is appropriate, and that it fitswith the rest of the chapter. What do you say?


Chapter 12

Modelling and Analysis of Fischer's Algorithm

Mutual exclusion algorithms, like those we discussed in Chapter 7, have the schematic behaviour described by the following pseudocode:

while true do
begin
    remainder region
    trying region
    critical section
    exit region
end

Such algorithms are supposed to satisfy the following two properties:

• Mutual exclusion: No two processes are in their critical section at the same time.

• Deadlock freedom: If some process is in its trying region, then eventually some process is in its critical section. (Note that the process in the critical section might be different from the one initially in its trying region.) Moreover, if a process is in its exit region, then that process will eventually enter its remainder region.

Known asynchronous mutual exclusion algorithms for $n$ processes require $O(n)$ read/write registers and $O(n)$ operations to access the critical section. These bounds make them rather impractical for large scale applications, where the number of processes could be very large. This raises the question of whether it is possible to achieve mutual exclusion in asynchronous systems consisting of $n$ processes by using a smaller number of shared registers and/or fewer than $O(n)$ operations to access the critical section. Unfortunately, this is impossible for “classic reactive systems” in an asynchronous setting. In fact, Burns and Lynch showed the following theorem in (Burns and Lynch, 1989; Burns and Lynch, 1993):

Theorem 12.1 [Burns and Lynch] There is no asynchronous algorithm providing mutual exclusion with deadlock-freedom for $n \ge 2$ processes, using fewer than $n$ shared read/write registers.

This theorem is a classic example of an impossibility result—a type of result that Nancy Lynch has contributed in abundance to the literature on distributed computation. (See, for instance, the impossibility results mentioned in her encyclopedic book (Lynch, 1996).) Despite their apparently negative nature, such results play a fundamental role in the theory and practice of computing science because they set precise limits to what is possible to achieve using some computational paradigm—thus preventing futile efforts to overcome computational barriers that cannot, in fact, be broken within a given computational model. For example, Theorem 12.1 above tells us that there is no point in trying to come up with asynchronous, deadlock-free mutual exclusion algorithms that use fewer than $n$ shared read/write registers because such algorithms do not exist!

However, as repeatedly stated by Richard Hamming in his general writings on science and engineering—see, for instance, (Hamming, 1997, page 305)—, all impossibility proofs must rest on a number of assumptions, and these assumptions may or may not apply in the particular situation under analysis or in the chosen computational model. For instance, the above result by Burns and Lynch applies to “deadlock free” algorithms. If we remove this, admittedly very reasonable, assumption, then there is a mutual exclusion algorithm that uses no shared register at all. It suffices only to make the execution of all of the processes enter a livelock at the start of the protocol, and none will access its critical section! This “solution” to the mutual exclusion problem is, however, completely unacceptable—so much so that nobody would actually consider it a proper solution anyway. We can, however, ask the following natural question:

Can the lower bound in Theorem 12.1 for deadlock free mutual exclusion be overcome by considering other computational models than the one underlying the aforementioned result by Burns and Lynch?

This is a typical question that arises from impossibility and lower bound theorems, and is another example of how apparently negative results can help stimulate the search for new computational paradigms and the exploration of their computing power.


12.1 Mutual Exclusion Using Timing

According to Lynch and Shavit in (Lynch and Shavit, 1992), Michael Fischer seems to have been the first researcher who overcame the lower bound of $n$ registers for deadlock free mutual exclusion by assuming timing constraints. His, by now classic, algorithm uses just one shared multi-writer register id, whose initial value is $0$. In order to ensure mutual exclusion, each process $P_i$ ($i \in \{1, \ldots, n\}$) executes the following algorithm, where we use delay to stand for a positive integer constant:

while true do
begin
    “noncritical section”;
    L: if id ≠ 0 then goto L;
    1: id := i;
    2: pause(delay);
    3: if id ≠ i then goto L;
    “critical section”;
    id := 0;
end

In the above pseudocode algorithm the statement pause(delay) makes the process wait for the amount of time specified by the constant delay. But, what should be the value of such a constant? Since Fischer's algorithm is a real-time one, we might expect that its behaviour depends crucially on an appropriate choice for this timing parameter.

In order to find a suitable value for the constant delay, we assume an upper bound $c$, where $c$ is a positive integer, for the time between successive steps of the execution of a process while it is trying to access its critical section. Intuitively, a process that takes steps every $c$ time units is executing slowly. In Fischer's algorithm, we choose the value of the constant delay to be larger than $c$, the longest time that a process may take to perform a step while trying to enter its critical section. The key idea behind this choice for the parameter delay is that by the time process $i$ has reached Line 3 in the pseudocode algorithm, each process $j$ that has passed the test in Line L and might write $j$ in variable id has already done so since delay $> c$, and $c$ is the longest time that such a step may take. Therefore, whenever process $i$ finds that id $= i$ in Line 3, then it can safely enter its critical section because all of the other processes are either before Line L, or after Line 1 with their index overwritten by process $i$—so they will fail the test on Line 3.

The algorithm we have just presented is conceptually very simple. However, as you will see later on, Fischer's algorithm has the drawback that it fails to guarantee mutual exclusion if the timing constraints on which its workings are predicated are not met.

[Figure 12.1: The Timed Automaton $A_i$ for Process $i$. Locations L, 1 (with invariant $x \le c$), 2 and CS; edges: from L to 1 with guard id $= 0$ and reset $x := 0$; from 1 to 2 with updates id $:= i$, $x := 0$; from 2 to CS with guard id $= i$, $x > c$; from 2 to L with guard not(id $= i$), $x > c$; from CS to L with update id $:= 0$.]

It is well-known that Fischer's algorithm is deadlock-free, and ensures mutual exclusion provided its timing assumptions are met. Moreover, as shown by Lynch and Shavit in (Lynch and Shavit, 1992, Theorem 4.6), its timing behaviour is nearly optimal. Our order of business here is to model Fischer's algorithm using networks of timed automata, as supported by the verification tool UPPAAL, and to hint at the automatic verification of its behaviour using that tool.

12.2 Modelling Fischer’s Algorithm

Fischer's mutual exclusion algorithm for $n$ processes can be modelled as a network of timed automata—see Chapter 10.7. Each of the $n$ timed automata in the network will describe the behaviour of one of the processes running Fischer's algorithm described above in pseudocode. The timed automaton $A_i$ running the code for process $i$ in Fischer's algorithm will use a local clock $x$ to guarantee that the upper bound between successive steps of the process while it is trying to enter its critical section is $c$, and will have access to the shared integer variable id. The timed automaton $A_i$ is depicted in Figure 12.1.

The label of all of the edges is immaterial for this algorithm, and is therefore omitted from the picture in Figure 12.1. For consistency with previous notation, you can assume that all of the edges have label τ. In that picture, we use the short-hand “not (id = i), x > c” as an abbreviation for the boolean condition

(id < i ∨ id > i) ∧ x > c .

The edge from location 2 to location L should therefore be read as standing for two edges: one that applies when id < i and x > c, and the other that is enabled when id > i and x > c. For pictorial convenience, we have also written the invariant x ≤ c in node 1 within the node itself.

As you might have already noticed, the timed automaton in Figure 12.1 is based on a slight extension of the model we introduced in Chapter 10. In fact, the timed automaton A_i uses an integer variable id as well as one clock x. The integer variable id can be updated when the automaton follows an edge, and its current value can be tested to determine whether an edge from the present location is enabled or not. This slightly extended model of timed automata is supported by the verification tool UPPAAL, and makes it easier to model algorithms like Fischer’s mutual exclusion algorithm that rely on the use of shared variables.

Nodes L, 1 and 2 in the timed automaton in Figure 12.1 model the similarly numbered steps in the pseudocode for Fischer’s algorithm, and the timed automaton A_i begins its execution in location L. (As you might have already noticed, location L has no outgoing edge that is enabled when id has a value different from 0. The “busy waiting” loop in the behaviour of the pseudocode algorithm is modelled by delaying in location L of automaton A_i.) The invariant x ≤ c in node 1 is used to model the upper bound on the time that a step of the process can take while it is trying to enter the critical section. Such an invariant ensures that process i can be in location 1 for at most c time units. Location 2 in the automaton A_i describes steps 2 and 3 in the pseudocode for Fischer’s algorithm. In fact, since the private clock x of automaton A_i is reset upon entering location 2, the guard x > c on the outgoing edges from that location ensures that the process is delayed more than c units of time before testing the value of the shared variable id. If after that amount of time the value of id is i, then the process can safely enter its critical section—abstractly modelled here by the location CS—by following its edge from location 2 to location CS. The edge from location CS back to location L implements the exit from the critical section and the resetting of the shared variable id.

Fischer’s algorithm for n processes is modelled as the network of timed automata

A1 | A2 | · · · | An .

We recall that states of this network consist of an n-tuple of locations (ℓ_1, . . . , ℓ_n), where each ℓ_i is a location of automaton A_i (i ∈ {1, . . . , n}), and a valuation for the set of clocks {x_1, . . . , x_n}, where we use x_i to stand for the local clock x of automaton A_i. However, unlike for the networks of classic timed automata introduced in Section 10.7, this is not enough to give a complete snapshot of the behaviour of this system. In fact, since the value of the shared variable id determines whether certain edges are enabled or not in the component automata, a state of the network must record, in addition, the current value of the shared variable id.


In what follows, we shall write a state of the network A_1 | A_2 | · · · | A_n thus:

(ℓ_1, . . . , ℓ_n, x_1 = c_1, . . . , x_n = c_n, id = i),

where c_1, . . . , c_n are non-negative real numbers, and i ∈ {1, . . . , n}. The initial state of the network is

(L, . . . , L, x_1 = 0, . . . , x_n = 0, id = 0),

because the initial value of each clock and of the variable id is 0.

12.2.1 Proving Mutual Exclusion Using UPPAAL

Now that we have a model of Fischer’s algorithm as a UPPAAL network of timed automata, our order of business will be to analyze the behaviour of this model to verify that it indeed affords the mutual exclusion property. Before doing so, however, we need to specify precisely what it means for our network of timed automata to guarantee mutual exclusion.

As we saw already in Chapter 7, temporal logics like Hennessy-Milner logic with recursive definitions provide a natural language in which one can specify properties of reactive systems like mutual exclusion. In fact, everything we said there applies mutatis mutandis to the setting of real time systems described as networks of timed automata. It would therefore be tempting, and most natural, to describe the mutual exclusion property for our model of Fischer’s algorithm using the real-time version of Hennessy-Milner logic with greatest fixed points that we presented in Chapter 11.

Note, however, that the network of timed automata describing Fischer’s algorithm for n processes is a closed system. This means that the network is not willing to communicate with its environment. Moreover, interaction between the automata in the network takes place via the shared variable id.

On the other hand, Hennessy-Milner logic and its variants are action based temporal logics—at least in our textbook presentation. This means that formulae in variants of Hennessy-Milner logic describe properties pertaining to the communication potential of processes via the labelled modalities 〈a〉 and [a]. At first sight, this makes these logics unsuitable for describing properties of systems that, like our model of Fischer’s algorithm, exhibit no observable communication behaviour.

What we should like to express for Fischer’s algorithm is an invariant property that states that

“No matter how the network evolves, at no point of its computation two different component automata will be in their location CS at the same time.”


We have already seen how to express invariance properties in Hennessy-Milner logic with time (see Section 11.3), but how do we express the requirement that

“two different component automata cannot be in their location CS at the same time”?

One possibility would be to modify our model by adding self-loop edges to location CS in the timed automaton A_i. These edges could be labelled with some observable synchronization action, say in_i!, used to signal to the environment that automaton A_i is in its critical section. One could then express mutual exclusion using the property

Inv( ⋀_{1 ≤ i < j ≤ n} ([in_i!]ff ∨ [in_j!]ff) ).

(You should try to convince yourself that the above property would indeed state that at most one automaton is in its critical section in each state of the computation of Fischer’s algorithm.)

However, if we aim at verifying the correctness of Fischer’s mutual exclusion algorithm using an automatic verification tool like UPPAAL, we are forced to use a specification language for the properties to be model checked that is accepted by the tool itself. Unfortunately, UPPAAL models can only be closed systems, and the language supported by that tool for the writing of specifications does not allow us to write formulae like the invariant property above.

The specification language of the tool UPPAAL, however, permits the use of atomic predicates whose truth value over states can be determined locally. An example of such a predicate is A_i.CS (i ∈ {1, . . . , n}), stating that the ith automaton in the network is presently in location CS. Formally, a state

(ℓ_1, . . . , ℓ_n, x_1 = c_1, . . . , x_n = c_n, id = i)

of our network satisfies the atomic predicate A_i.CS if, and only if, ℓ_i = CS. Using boolean combinations of these atomic predicates, we can therefore state that at most one of the component automata is currently in its critical section by means of the formula

MutexNow = ⋀_{1 ≤ i < j ≤ n} (¬A_i.CS ∨ ¬A_j.CS),

where the symbol ¬ stands for logical negation. One can therefore express mutual exclusion using the property

Inv(MutexNow).


Since the specification language for queries supported by the tool UPPAAL follows the syntax of Timed Computation Tree Logic (or TCTL)—see the reference (Alur, Courcoubetis and Dill, 1993)—the above property is actually written thus:

A□ MutexNow.

In the above formula, the initial A states that the formula □MutexNow must be satisfied in all of the computation paths of the network. The truth value of the property □MutexNow is therefore evaluated over a single path. The □ modality here indicates that the property MutexNow should be true in all of the states along the path. Following this informal explanation, you should be able to convince yourself that the above formula states the following property:

“In all computation paths, and in each state along each path, at most one process is in its critical section.”

This is precisely what “ensuring mutual exclusion” means. Further information on the actual syntax of the specification language for queries used by UPPAAL may be found in the tutorial paper (Behrmann et al., 2004).

Exercise 12.1 Read the tutorial paper (Behrmann et al., 2004) carefully. Install the UPPAAL tool, and experiment with the demo examples that come with the tool. □

Exercise 12.2

1. Create a UPPAAL model for Fischer’s algorithm based on the one proposed in the textbook. In your model you may assume that the network consists of 4 processes and that the value of the constant c is 2.

2. Load the predefined collection of queries for Fischer’s algorithm that comes with the tool. Check whether your model of Fischer’s algorithm affords all of the stated properties.

TO DO: PERHAPS ADD SOME REFERENCE TO HENRIK EJERSBO’S PAPER ON FISCHER’S ALGORITHM.

12.2.2 An Erroneous Version of Fischer’s Algorithm

We have already mentioned that timing plays a crucial role in the workings of Fischer’s mutual exclusion algorithm. Indeed, this algorithm fails to ensure mutual exclusion if its timing assumptions are not satisfied. In particular, it is crucial that, on line 2 of the pseudocode algorithm, process i be delayed by some amount of time that is strictly larger than the constant c—namely, the longest time that it takes for a process to take a step while it is trying to enter its critical section. To see this, consider an erroneous version of Fischer’s protocol modelled by the timed automaton A^w_i in Figure 12.2. Note that the only difference between that timed automaton and the one in Figure 12.1 is in the guards labelling the edges that stem from node 2. In particular, the process may now check whether the shared variable id has value i after a delay of exactly c units of time.

Figure 12.2: The Erroneous Timed Automaton A^w_i for Process i. Same locations and edges as in Figure 12.1, except that the guards on the two edges leaving location 2 are id = i, x ≥ c (to CS) and not(id = i), x ≥ c (to L).

We shall now exhibit a sequence of transitions for our model of this erroneous version of Fischer’s algorithm that does not preserve mutual exclusion.

Assume, for the sake of simplicity, that there are only two processes running this version of Fischer’s algorithm. The overall network of timed automata is therefore A^w_1 | A^w_2, and its initial state is given by

(L, L, x_1 = 0, x_2 = 0, id = 0),

where, for i ∈ {1, 2}, we write x_i for the local clock x of automaton A^w_i. Since the value of id is 0, and the edge from location L to location 1 does not change it, the network A^w_1 | A^w_2 can perform the following two transitions:

(L, L, x_1 = 0, x_2 = 0, id = 0) → (1, L, x_1 = 0, x_2 = 0, id = 0) → (1, 1, x_1 = 0, x_2 = 0, id = 0).

In state (1, 1, x_1 = 0, x_2 = 0, id = 0), automaton A^w_1 may follow the edge from location 1 to location 2, and thereafter the system may delay for c time units. Thus the network A^w_1 | A^w_2 can perform the following two transitions:

(1, 1, x_1 = 0, x_2 = 0, id = 0) → (2, 1, x_1 = 0, x_2 = 0, id = 1) −c→ (2, 1, x_1 = c, x_2 = c, id = 1).

Since the value of x_1 is c and that of id is 1, automaton A^w_1 may now enter its critical section:

(2, 1, x_1 = c, x_2 = c, id = 1) → (CS, 1, x_1 = c, x_2 = c, id = 1).

At this point of the computation, automaton A^w_2 may decide to follow the edge from location 1 to location 2, and thereafter the system may delay for c time units. Thus the network A^w_1 | A^w_2 can perform the following two transitions:

(CS, 1, x_1 = c, x_2 = c, id = 1) → (CS, 2, x_1 = c, x_2 = 0, id = 2) −c→ (CS, 2, x_1 = 2c, x_2 = c, id = 2).

Note now that automaton A^w_2 can also enter the critical section because the value of x_2 is c and that of id is 2:

(CS, 2, x_1 = 2c, x_2 = c, id = 2) → (CS, CS, x_1 = 2c, x_2 = c, id = 2).

In the target state of the above transition, both A^w_1 and A^w_2 are in their critical section, leading to the claimed failure of mutual exclusion. (You should now be able to argue that a similar behaviour is possible for an arbitrary network of n processes. Do so!)

We may therefore conclude that, as claimed previously, the correctness of Fischer’s mutual exclusion algorithm depends crucially on its timing assumptions. In the following section, you will be working with, amongst others, a modification of this algorithm proposed by Lynch and Shavit that guarantees mutual exclusion regardless of whether the timing assumptions on the speed of the processes are met or not.
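The reachability analysis that UPPAAL performs on the network A_1 | · · · | A_n can be imitated, for the purpose of seeing both the check of Section 12.2.1 and the failing trace of Section 12.2.2 run, with a small explicit-state search. The following Python program is an added example and is not code from the book or from the UPPAAL distribution. It encodes the locations, guards, resets and the invariant of Figure 12.1 directly, keeps the shared variable id in the state as discussed above, and explores the state space breadth-first, checking MutexNow in every reachable state (the query written A[] MutexNow in UPPAAL’s ASCII syntax, i.e. A□ MutexNow). Two assumptions are mine: time advances in integer steps of one unit, and clock values are capped at c + 1, which loses nothing because no guard or invariant distinguishes values above c. Integer time is an under-approximation of UPPAAL’s dense-time semantics: a violation it finds, such as the trace for the automaton of Figure 12.2, is a genuine one, but finding none (as for Figure 12.1) is evidence rather than the proof that UPPAAL’s symbolic, zone-based analysis gives.

```python
from collections import deque

# Locations of the timed automaton A_i of Figure 12.1.  The erroneous A^w_i of
# Figure 12.2 has the same locations and edges, with x >= c instead of x > c.
L, ONE, TWO, CS = "L", "1", "2", "CS"


def move(state, i, loc, reset=False, new_id=None):
    """State reached when process i (0-based index) follows an edge to location
    loc, optionally resetting its clock x_i and/or assigning the shared id."""
    locs, clocks, ident = state
    locs = locs[:i] + (loc,) + locs[i + 1:]
    if reset:
        clocks = clocks[:i] + (0,) + clocks[i + 1:]
    if new_id is not None:
        ident = new_id
    return (locs, clocks, ident)


def successors(state, n, c, strict):
    """One-step successors of a network state under integer-time semantics.

    A state is (locations, clock values, id).  Clock values are capped at
    c + 1 (assumption: every guard and invariant compares a clock with c only,
    so larger values behave alike).  strict=True uses the guards x > c of
    Figure 12.1, strict=False the guards x >= c of Figure 12.2."""
    locs, clocks, ident = state
    out = []
    # Delay by one time unit: allowed only if no process sitting in location 1
    # would break its invariant x <= c.
    if all(not (locs[i] == ONE and clocks[i] + 1 > c) for i in range(n)):
        out.append((locs, tuple(min(x + 1, c + 1) for x in clocks), ident))
    for i in range(n):
        loc, x = locs[i], clocks[i]
        waited = x > c if strict else x >= c
        if loc == L and ident == 0:                     # L -> 1: guard id = 0, x := 0
            out.append(move(state, i, ONE, reset=True))
        elif loc == ONE:                                # 1 -> 2: id := i, x := 0
            out.append(move(state, i, TWO, reset=True, new_id=i + 1))
        elif loc == TWO and waited and ident == i + 1:  # 2 -> CS: id = i, x > c
            out.append(move(state, i, CS))
        elif loc == TWO and waited:                     # 2 -> L: not(id = i), x > c
            out.append(move(state, i, L))
        elif loc == CS:                                 # CS -> L: id := 0
            out.append(move(state, i, L, new_id=0))
    return out


def check_mutex(n, c, strict=True):
    """Breadth-first exploration of the reachable states of A_1 | ... | A_n.

    Returns None if MutexNow holds in every reachable state (A[] MutexNow in
    integer time), otherwise a shortest trace, as a list of states, from the
    initial state to a state with two or more processes in CS."""
    init = ((L,) * n, (0,) * n, 0)
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if sum(loc == CS for loc in s[0]) >= 2:
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in successors(s, n, c, strict):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


if __name__ == "__main__":
    print("Fischer, n = 4, c = 2, guards x > c:", check_mutex(4, 2, strict=True))
    bad = check_mutex(4, 2, strict=False)
    print("guards x >= c: mutual exclusion violated after", len(bad) - 1, "transitions")
    for s in bad:
        print("  ", s)
```

Running the file uses n = 4 and c = 2, the setting of Exercises 12.2 and 12.3: the first call returns None, the second prints a shortest violating trace, which has the shape of the run in Section 12.2.2 with each delay of c split into unit delays. For two processes that trace has ten transitions: the six edges the two offending processes must take and the four unit delays needed to satisfy x ≥ c twice.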

Exercise 12.3 Implement the erroneous version of Fischer’s algorithm for n = 4 and c = 2 in UPPAAL. Use the tool to determine that the system does not afford mutual exclusion, and to find a (shortest/fastest) trace leading to a state where at least two processes are in their critical section at the same time. □

12.3 Further Exercises on Timing Based Mutual Exclusion Algorithms

In the previous sections, we have seen how to use timing information to ensure mutual exclusion in an asynchronous setting by means of a truly simple and beautiful algorithm due to Michael Fischer. In Fischer’s solution, before it can enter the critical section, a process accesses the single shared variable id thrice, and delays itself some amount of time that is larger than the upper bound on the time that processes need to execute a step. Note that, in Fischer’s algorithm, a process delays itself even if it is the only one that is currently trying to enter the critical section.

while true do
begin
  start: x := i;
         await (y = 0);
         y := i;
         if x ≠ i then
            delay(2·Δ);
            if y ≠ i then goto start;
            await (¬z)
         else z := true;
         “critical section”;
         z := false;
         if y = i then y := 0;
end

Table 12.1: Program for Process i (Alur and Taubenfeld)

Another elegant, timing based mutual exclusion algorithm has been proposed by Alur and Taubenfeld in (Alur and Taubenfeld, 1992; Alur and Taubenfeld, 1996). The solution to the mutual exclusion problem proposed by those authors assumes that there is an upper bound Δ on the time required for reading or writing a variable in the shared memory. Furthermore, Alur and Taubenfeld suppose that this bound Δ is known to all of the processes in the system. Access to the shared memory takes a non-zero time, and there is no lower bound on the time needed to execute a step. As in the pseudocode for Fischer’s algorithm, processes can delay themselves by performing an explicit delay(d) statement, where d is a positive integer.

Alur and Taubenfeld’s mutual exclusion algorithm uses three shared registers; the registers x, y hold integers—with y having initially the value 0—and register z holds a boolean value that is initially the value false. In order to ensure mutual exclusion, each process P_i (i ∈ {1, . . . , n}) executes the pseudocode algorithm in Table 12.1.

Note that, unlike in Fischer’s algorithm, in the absence of competing processes that want to enter their critical section, in the algorithm by Alur and Taubenfeld a process can always enter and exit its critical section without having to delay itself. In fact, in that case, the process writes x, reads y, writes y, reads x (finding it equal to i because no other process started the protocol to enter the critical section), writes z and enters its critical section.

while true do
begin
  start: x := i;
         await (y = 0);
         y := i;
         if x ≠ i then
            delay(Δ);
            if y ≠ i then goto start;
            delay(Δ);
            await (¬z)
         else z := true;
         “critical section”;
         z := false;
         if y = i then y := 0;
end

Table 12.2: Program for Process i (Revised Algorithm)

Alur and Taubenfeld proved in (Alur and Taubenfeld, 1992; Alur and Taubenfeld, 1996) that the algorithm in Table 12.1 is deadlock free. Moreover, they report a mechanical verification of their proof for n = 3 processes using the verification tool COSPAN (Alur, Itai, Kurshan and Yannakakis, 1995).

Exercise 12.4 Model the algorithm in Table 12.1 in UPPAAL for n = 3 processes and Δ = 2. Verify that it preserves mutual exclusion. Increase the number of processes to four and five, and repeat the verification. □

Exercise 12.5 Take the model you produced in your solution to the previous exercise, and modify it so that at least one of the memory accesses of the processes takes at most one time unit. Does the resulting algorithm still preserve mutual exclusion? Experiment with different choices of “fast steps”. Do your conclusions depend on the steps that are chosen to be “fast”? □

Exercise 12.6 Consider the variation of the algorithm by Alur and Taubenfeld offered in Table 12.2. Model it using UPPAAL for n = 3 processes and Δ = 2. Verify that it preserves mutual exclusion. Increase the number of processes to four and five, and repeat the verification. □


Despite being very elegant and fast, the algorithms by Fischer and Alur/Taubenfeld suffer, however, from an important drawback: they fail to guarantee mutual exclusion if the timing constraints upon which their workings are predicated are not satisfied. (Indeed, the solutions you gave to Exercises 12.3 and 12.5 should have already convinced you of this!)

According to Lynch and Shavit, a timing based mutual exclusion algorithm should guarantee mutual exclusion regardless of the timing constraints. In (Lynch and Shavit, 1992), they offered a simple and efficient timing based mutual exclusion algorithm that guarantees mutual exclusion regardless of the timing constraints. Their algorithm uses two shared integer registers x, y, whose value is initially 0. Moreover, as in Fischer’s algorithm, delay stands for a positive integer constant. The pseudocode for process i in their algorithm is as follows:

while true do
begin
   “noncritical section”;
L: if x ≠ 0 then goto L;
1: x := i;
2: pause(delay);
3: if x ≠ i then goto L;
4: if y ≠ 0 then goto L;
5: y := 1;
6: if x ≠ i then goto L;
7: “critical section”;
8: y := 0;
9: x := 0;
end
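To see why the Lynch-Shavit program is insensitive to timing while the program of Alur and Taubenfeld in Table 12.1 is not, it helps to run both under a scheduler that ignores timing altogether. The Python program below is an added example, not code from the book or from the cited papers. Each process is written as a generator that yields after every access to the shared registers, so that a schedule (a list of process indices) fixes the interleaving; delay(2·Δ) and pause(delay) become steps whose duration the scheduler chooses, which is exactly the situation when the timing assumptions are violated. The yield labels, the scripted schedule AT_BAD_SCHEDULE and the use of process ids 1..n are my choices. Only mutual exclusion is checked: deadlock freedom, which the papers prove under their timing assumptions, is neither checked nor claimed here.

```python
import random


def alur_taubenfeld(i, mem):
    """Process i of the program in Table 12.1.  Every access to the shared
    registers x, y, z is followed by a yield, so a scheduler can interleave the
    processes arbitrarily; yielding "CS" means "now inside the critical
    section".  Timing is deliberately ignored: delay(2*Delta) is just a step
    whose duration the scheduler decides."""
    while True:
        while True:                                   # start:
            mem["x"] = i; yield "x := i"
            while True:                               # await (y = 0)
                y = mem["y"]; yield "await y = 0"
                if y == 0: break
            mem["y"] = i; yield "y := i"
            x = mem["x"]; yield "read x"
            if x != i:                                # contention: slow path
                yield "delay(2*Delta)"
                y = mem["y"]; yield "read y"
                if y != i: continue                   # goto start
                while True:                           # await (not z)
                    z = mem["z"]; yield "await not z"
                    if not z: break
            else:                                     # no contention: fast path
                mem["z"] = True; yield "z := true"
            break
        yield "CS"
        mem["z"] = False; yield "z := false"
        y = mem["y"]; yield "read y"
        if y == i:
            mem["y"] = 0; yield "y := 0"


def lynch_shavit(i, mem):
    """Process i of the Lynch-Shavit program above, same conventions;
    pause(delay) is again a step of scheduler-chosen duration."""
    while True:
        while True:                                   # L:
            x = mem["x"]; yield "L"
            if x != 0: continue                       # if x != 0 then goto L
            mem["x"] = i; yield "1"                   # 1: x := i
            yield "2"                                 # 2: pause(delay)
            x = mem["x"]; yield "3"
            if x != i: continue                       # 3: if x != i then goto L
            y = mem["y"]; yield "4"
            if y != 0: continue                       # 4: if y != 0 then goto L
            mem["y"] = 1; yield "5"                   # 5: y := 1
            x = mem["x"]; yield "6"
            if x != i: continue                       # 6: if x != i then goto L
            break
        yield "CS"                                    # 7: critical section
        mem["y"] = 0; yield "8"                       # 8: y := 0
        mem["x"] = 0; yield "9"                       # 9: x := 0


def run(program, n, schedule, mem):
    """Run n processes (ids 1..n) under a schedule, a list of 0-based process
    indices saying who takes the next step.  Returns the index of the first
    step after which two processes are in CS, or None if mutual exclusion held."""
    mem = dict(mem)
    procs = [program(i + 1, mem) for i in range(n)]
    where = ["noncritical"] * n
    for step, i in enumerate(schedule):
        where[i] = next(procs[i])
        if where.count("CS") >= 2:
            return step
    return None


def random_schedule(n, length, seed):
    """Constructed adversarial schedule: uniformly random process choices."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(length)]


# Constructed interleaving for two Alur-Taubenfeld processes in which process 1's
# delay(2*Delta) ends before process 2 has performed its next two accesses,
# i.e. the timing bound Delta is broken.
AT_BAD_SCHEDULE = [0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1]
AT_INIT = {"x": 0, "y": 0, "z": False}
LS_INIT = {"x": 0, "y": 0}

if __name__ == "__main__":
    print("Alur-Taubenfeld, scripted schedule, double CS at step:",
          run(alur_taubenfeld, 2, AT_BAD_SCHEDULE, AT_INIT))
    hits = [s for s in range(200)
            if run(lynch_shavit, 3, random_schedule(3, 2000, s), LS_INIT) is not None]
    print("Lynch-Shavit violations over 200 random schedules:", hits)
```

With the scripted schedule both Alur-Taubenfeld processes are in CS after step 13: process 1 takes the slow path, reads y = 1 after its delay and passes await (¬z) before process 2 has written y := 2, after which process 2 reads x = 2 and takes the fast path; a delay of 2·Δ with each access bounded by Δ rules this out. No random schedule drives the Lynch-Shavit processes into a double critical section: entering CS requires reading x = i at line 6 after writing y := 1 at line 5, and x can only be overwritten by a process that read x = 0 at line L, which is impossible while x ≠ 0.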

Exercise 12.7 Model the algorithm by Lynch and Shavit in UPPAAL for n = 3 processes and delay = 2. Verify that it preserves mutual exclusion, for different upper bounds on the time that it takes for processes to execute steps in their entry to the critical section. Increase the number of processes to four and five, and repeat the verification. □


Chapter 13

Suggestions for student projects

This appendix will contain descriptions of the student mini-projects that are presently available from the following web pages:

• http://www.cs.aau.dk/~luca/SV/miniproject.html,

• http://www.cs.aau.dk/~srba/courses/SV-05/mini.html,

• http://www.cs.aau.dk/~srba/courses/SV-05/mini1.html.

The text below offers a preliminary description of a couple of these proposals for mini-projects. All of the mini-projects involve the use of software tools for verification and validation. In our courses, we usually introduce the students to the use of the Concurrency Workbench (CWB, http://homepages.inf.ed.ac.uk/perdita/cwb/) and to UPPAAL (http://www.uppaal.com/), but other tools could be used just as well.

13.1 Alternating bit protocol

In this mini-project you are asked to model the alternating bit protocol in the CCS language and verify it using the CWB. The alternating bit protocol is a simple yet effective protocol for managing the retransmission of lost messages. Consider a sender S and a receiver R, and assume that the communication medium from S to R is initialized so that there are no messages in transit. The alternating bit protocol works as follows:

• Each message sent by S contains an additional protocol bit, 0 or 1.

• When S sends a message, it sends it repeatedly (with its corresponding bit) until it receives an acknowledgment (ACK) from R that contains the same protocol bit as the message being sent.

• When R receives a message, it sends an acknowledgment ACK to S and includes the protocol bit of the received message. When a message is received for the first time, the receiver delivers it for processing, while subsequent messages with the same bit are simply acknowledged.

• When S receives an acknowledgment containing the same bit as the message it is currently transmitting, it stops transmitting that message, flips the protocol bit, and repeats the protocol for the next message.

There is no direct communication between the sender and the receiver; all messages must travel through the medium.
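Before writing the CCS model, it can help to watch the rules above at work on concrete messages. The following Python simulation is an added example, not part of the mini-project material or of the CWB distribution. It runs S, R and the medium step by step under a seeded random scheduler; the medium is FIFO in both directions and, when so configured, loses or duplicates frames in transit, matching the three degrees of reliability (perfect, lossy, lossy and duplicating) considered in the tasks of this mini-project. The loss and duplication probabilities, the step budget and the message contents are constructed values of mine. The property worth checking is that R delivers exactly the sequence S was given, once each and in order, whatever the medium does.

```python
import random


def run_abp(messages, seed, lossy=True, duplicating=True, max_steps=50000):
    """Simulate sender S, receiver R and the medium under the alternating-bit
    rules, with a seeded random scheduler and fault injector (constructed
    parameters: loss/duplication probability 0.3, step budget max_steps).
    Returns the list of messages that R delivered for processing."""
    rng = random.Random(seed)
    s_to_r = []          # frames (bit, message) in transit from S to R, FIFO
    r_to_s = []          # acknowledgements (bit) in transit from R to S, FIFO
    delivered = []
    send_bit = 0         # protocol bit S attaches to the message it is sending
    expect_bit = 0       # bit R expects on the next *new* message
    current = 0          # index of the message S is currently (re)transmitting
    for _ in range(max_steps):
        if current == len(messages):
            break                                   # every message acknowledged
        action = rng.choice(["send", "medium", "receive", "ack"])
        if action == "send":
            # S keeps retransmitting the current message with its bit
            s_to_r.append((send_bit, messages[current]))
        elif action == "medium":
            # the medium may lose a frame, or deliver it twice (in FIFO order)
            for queue in (s_to_r, r_to_s):
                if queue:
                    j = rng.randrange(len(queue))
                    if lossy and rng.random() < 0.3:
                        del queue[j]
                    elif duplicating and rng.random() < 0.3:
                        queue.insert(j + 1, queue[j])
        elif action == "receive" and s_to_r:
            # R acknowledges every frame with the frame's bit, but delivers the
            # message only when the bit is the one expected for a new message
            bit, msg = s_to_r.pop(0)
            r_to_s.append(bit)
            if bit == expect_bit:
                delivered.append(msg)
                expect_bit ^= 1
        elif action == "ack" and r_to_s:
            # an ACK carrying the current bit ends the retransmission of this
            # message; S flips the bit and moves on, stale ACKs are ignored
            if r_to_s.pop(0) == send_bit:
                current += 1
                send_bit ^= 1
    return delivered


if __name__ == "__main__":
    sample = ["m0", "m1", "m2", "m3"]          # constructed message contents
    for seed in range(3):
        print(seed, run_abp(sample, seed))
```

Duplicates are inserted right behind the original rather than appended at the end, so that the medium stays FIFO; that is the assumption under which a single alternating bit suffices, since a stale frame or ACK carrying the old bit can then only arrive before the one that flipped the bit, and the receiver’s expected-bit check and the sender’s ACK-bit check discard it.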

Your tasks are as follows:

1. Implement the alternating bit protocol in the CWB. You can abstract away from the content of the messages and focus only on the additional control bit. To model the decision when the sender retransmits the message, use either nondeterminism or, even better, a special process called Timer. The process Timer will communicate with the sender on a channel called timeout, and signal when a message should be retransmitted. You can also try to model the checksum verification using nondeterminism. Information on checksum verification is available from the URL

http://www.answers.com/topic/alternating-bit-protocol.

2. Suggest a specification of the protocol and check whether it is equivalent to your implementation using a suitable equivalence notion available in the CWB. In particular, consider the following degrees of reliability of the communication medium and answer this question for all of these choices:

(a) perfect channels (all received messages are delivered),

(b) lossy channels (received messages can be lost without any warning) and

(c) lossy and duplicating (in addition the received message can be delivered several times).


3. Check for possible deadlocks (stuck configurations) and livelocks (a possibility of an infinite sequence of τ-labelled transitions) by formulating the properties as recursive formulae in Hennessy-Milner logic, and by verifying whether the implementation satisfies these formulae.

Useful web pages. A brief, but clear, description of the protocol including checksum may be found at the URL

http://www.answers.com/topic/alternating-bit-protocol.

A graphical simulation of the protocol is available at the URL

http://www.cs.stir.ac.uk/~kjt/software/comms/jasper/ABP.html.

(Note that the control bits in the acknowledgment of the messages are switched.)

13.2 Gossiping girls

In this mini-project you are asked to model and analyze the following gossiping girls problem in UPPAAL.

Problem description. A number of girls, say G_1, G_2, . . . , G_n (n ≥ 2), initially know one distinct secret each. You can assume that the secrets are subsets of {1, . . . , n}, and that initially girl G_i knows {i}, for each i ∈ {1, . . . , n}. Each girl has access to a phone that can be used to call another girl to share their secrets. Every time two girls talk to each other they always exchange all of the secrets they know. Thus, after the phone call, they both know all secrets they knew together before the phone call. The girls can communicate only in pairs (no conference calls are allowed), but it is possible that different pairs of girls talk concurrently.

Your tasks are as follows:

• Model the problem as a network of timed automata in UPPAAL, and use UPPAAL to find the smallest number of phone calls needed for four girls to know all secrets.

• Refine your model so that each phone call lasts exactly 60 seconds (for simplicity this time duration is independent of the number of exchanged secrets). Find the minimum time needed to solve the gossiping girls problem for four girls.


• Experiment with the UPPAAL search options breadth-first and depth-first search and with the diagnostic trace settings fastest and shortest. Try to solve the problem for five girls.

Hints

• Design a single template for all girls.

• For each girl, remember the currently known secrets in a local integer variable. (Use a binary encoding such that if a girl knows the secrets of, for instance, girls 1 and 3 but does not know the secrets of girls 2 and 4, the value in the integer variable will be 0101 in binary—that is, 5 in decimal representation. You might find the operation |, for a bitwise OR, useful.)

• In order to model value passing when two girls make a phone call, you mightwant to read section 6.2 in (Behrmann et al., 2004).


Bibliography

Aceto, L., Bouyer, P., Burgueno, A. and Larsen, K. G. (2003). The power ofreachability testing for timed automata,Theoretical Computer Science300(1-3): 411–475.

Aceto, L. and Ingolfsdottir, A. (1999). Testing Hennessy-Milner logic with recur-sion., in W. Thomas (ed.),Foundations of Software Science and Computa-tion Structure, Second International Conference, FoSSaCS’99, Held as Partof the European Joint Conferences on the Theory and Practiceof Software,ETAPS’99, Amsterdam, The Netherlands, March 22–28, 1999, Proceedings,Vol. 1578 ofLecture Notes in Computer Science, Springer-Verlag, pp. 41–55.

Aceto, L., Ingolfsdottir, A., Pedersen, M. L. and Poulsen, J. (2000). Characteristicformulae for timed automata,RAIRO, Theoretical Informatics and Applica-tions34(6): 565–584.

Aceto, L. and Laroussinie, F. (2002). Is your model checker on time? on thecomplexity of model checking for timed modal logics,Journal of Logic andAlgebraic Programming52–53: 7–51.

Alur, R., Courcoubetis, C. and Dill, D. (1993). Model-checking in dense real-time,Information and Computation104(1): 2–34.

Alur, R. and Dill, D. (1990). Automata for modeling real-time systems,in M. Pa-terson (ed.),Proceedings17th ICALP, Warwick, Vol. 443 ofLecture Notes inComputer Science, Springer-Verlag, pp. 322–335.

Alur, R. and Dill, D. (1992). The theory of timed automata,in J. de Bakker,C. Huizing, W. d. Roever and G. Rozenberg (eds),Proceedings REX Work-shop on Real-Time: Theory in Practice,Mook, The Netherlands, June 1991,Vol. 600 ofLecture Notes in Computer Science, Springer-Verlag, pp. 45–73.

Alur, R. and Dill, D. L. (1994). A theory of timed automata,Theoretical ComputerScience126(2): 183–235. Fundamental Study.

267

Page 284: Reactive Systems: Modelling, Specification and Verification ...ce.sharif.edu/courses/90-91/2/ce665-1/resources... · Reactive Systems: Modelling, Specification and Verification

268 BIBLIOGRAPHY

Alur, R., Itai, A., Kurshan, R. P. and Yannakakis, M. (1995).Timing verification bysuccessive approximation,Information and Computation118(1): 142–157.

Alur, R. and Taubenfeld, G. (1992). Results about fast mutual exclusion, IEEEReal-Time Systems Symposium, pp. 12–22.

Alur, R. and Taubenfeld, G. (1996). Fast timing-based algorithms, DistributedComputing10(1): 1–10.

Andersen, H. R. (n.d.). An introduction to binary decision diagrams. Ver-sion of October 1997 with minor revisions April 1998. 36 pp. Available athttp://www.itu.dk/people/hra/notes-index.html.

Baeten, J. C. (2004). A brief history of process algebra,Report CSR 04-02, Eind-hoven University of Technology.

Baeten, J. C., Bergstra, J. and Klop, J. W. (1987). On the consistency of Koomen’sfair abstraction rule,Theoretical Computer Science51(1/2): 129–176.

Baeten, J. C., Bergstra, J. and Klop, J. W. (1993). Decidability of bisimulationequivalence for processes generating context-free languages,Journal of theACM 40(3): 653–682.

Baeten, J. C. and Klop, J. W. (eds) (1990).Proceedings CONCUR 90,Amsterdam,Vol. 458 ofLecture Notes in Computer Science, Springer-Verlag.

Baeten, J. C. and Weijland, P. (1990).Process Algebra, Cambridge Tracts in The-oretical Computer Science 18, Cambridge University Press.

Balcazar, J. L., Gabarro, J. and Santha, M. (1992). Deciding bisimilarity is P-complete,Journal of Formal Aspects of Computing Science4(6A): 638–648.

Bar-Hillel, Y., Perles, M. and Shamir, E. (1961). On formal properties of simplephrase structure grammars,Zeitschrift fur Phonetik, Sprachwissenschaft, undKommunikationsforschung14: 143–177.

Behrmann, G., David, A. and Larsen, K. G. (2004). A tutorial on UPPAAL, inM. Bernardo and F. Corradini (eds),SFM, Vol. 3185 of Lecture Notes inComputer Science, Springer, pp. 200–236.

Bellman, R. (1957).Dynamic Programming, Princeton University Press.

Bergstra, J. and Klop, J. W. (1982). Fixed point semantics inprocess algebras,Report IW 206, Mathematisch Centrum, Amsterdam.

Page 285: Reactive Systems: Modelling, Specification and Verification ...ce.sharif.edu/courses/90-91/2/ce665-1/resources... · Reactive Systems: Modelling, Specification and Verification

BIBLIOGRAPHY 269

Boudol, G. and Larsen, K. G. (1992). Graphical versus logical specifications, Theoretical Computer Science 106(1): 3–20.

Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S. and Yovine, S. (1998). Kronos: A model-checking tool for real-time systems, in A. J. Hu and M. Y. Vardi (eds), CAV, Vol. 1427 of Lecture Notes in Computer Science, Springer, pp. 546–550.

Bryant, R. E. (1992). Symbolic boolean manipulation with ordered binary-decision diagrams, ACM Comput. Surv. 24(3): 293–318.

Burkart, O., Caucal, D., Moller, F. and Steffen, B. (2001). Verification on infinite structures, in J. Bergstra, A. Ponse and S. Smolka (eds), Handbook of Process Algebra, Elsevier Science, chapter 9, pp. 545–623.

Burkart, O., Caucal, D. and Steffen, B. (1995). An elementary decision procedure for arbitrary context-free processes, Proceedings of the 20th International Symposium on Mathematical Foundations of Computer Science (MFCS'95), Vol. 969 of Lecture Notes in Computer Science, Springer-Verlag, pp. 423–433.

Burkart, O. and Esparza, J. (1997). More infinite results, Bulletin of the European Association for Theoretical Computer Science 62: 138–159. Columns: Concurrency.

Burkart, O. and Steffen, B. (1997). Model checking the full modal mu-calculus for infinite sequential processes, Proceedings of the 24th International Colloquium on Automata, Languages and Programming (ICALP'97), Vol. 1256, Springer-Verlag, pp. 419–429.

Burns, J. E. and Lynch, N. A. (1989). Mutual exclusion using indivisible reads and writes, Proceedings of the 18th Annual Allerton Conference on Communications, Control and Computing, pp. 833–842.

Burns, J. E. and Lynch, N. A. (1993). Bounds on shared memory for mutual exclusion, Information and Control 107(2): 171–184.

Caucal, D. (1996). On infinite transition graphs having a decidable monadic theory, Proceedings of the 23rd International Colloquium on Automata, Languages and Programming (ICALP'96), Vol. 1099, Springer-Verlag, pp. 194–205.

Čerāns, K. (1993). Decidability of bisimulation equivalences for parallel timer processes, Computer Aided Verification (Montreal, PQ, 1992), Vol. 663 of Lecture Notes in Comput. Sci., Springer, Berlin, pp. 302–315.


Christensen, S. (1993). Decidability and Decomposition in Process Algebras, PhD thesis, The University of Edinburgh.

Christensen, S., Hirshfeld, Y. and Moller, F. (1993). Bisimulation is decidable for basic parallel processes, Proceedings of the 4th International Conference on Concurrency Theory (CONCUR'93), Vol. 715 of Lecture Notes in Computer Science, Springer-Verlag, pp. 143–157.

Christensen, S., Hüttel, H. and Stirling, C. (1995). Bisimulation equivalence is decidable for all context-free processes, Information and Computation 121(2): 143–148.

Clarke, E., Emerson, E. A. and Sistla, A. P. (1986). Automatic verification of finite-state concurrent systems using temporal logic specifications, ACM Transactions on Programming Languages and Systems 8(2): 244–263.

Clarke, E. and Emerson, E. (1981). Design and synthesis of synchronization skeletons using branching time temporal logic, in D. Kozen (ed.), Proceedings of the Workshop on Logics of Programs, Vol. 131 of LNCS, Springer-Verlag, pp. 52–71.

Clarke, E., Grumberg, O. and Peled, D. (1999). Model Checking, MIT Press.

Cleaveland, R., Parrow, J. and Steffen, B. (1993). The concurrency workbench: A semantics-based tool for the verification of concurrent systems, ACM Transactions on Programming Languages and Systems 15(1): 36–72.

Cleaveland, R. and Steffen, B. (1992). A linear-time model-checking algorithm for the alternation-free modal mu-calculus, Proceedings of Computer Aided Verification (CAV'91), Vol. 575, Springer-Verlag, pp. 48–58.

Davey, B. A. and Priestley, H. A. (2002). Introduction to Lattices and Order, second edn, Cambridge University Press, New York.

De Nicola, R. and Hennessy, M. (1984). Testing equivalences for processes, Theoretical Computer Science 34: 83–133.

Dijkstra, E. W. (1965). Solutions of a problem in concurrent programming control, Communications of the ACM 8(9): 569.

Dijkstra, E. W. (1971). Hierarchical ordering of sequential processes, Acta Informatica 1(2): 115–138.


Dill, D. (1989). Timing assumptions and verification of finite-state concurrent systems, Proc. Workshop Automatic Verification Methods for Finite State Systems, Grenoble, LNCS 407.

Esparza, J. (1994). On the decidability of model checking for several mu-calculi and Petri nets, CAAP, Vol. 787 of LNCS, Springer-Verlag, pp. 115–129.

Esparza, J. (1997). Decidability of model-checking for infinite-state concurrent systems, Acta Informatica 34: 85–107.

Esparza, J. and Kiehn, A. (1995). On the model checking problem for branching time logics and basic parallel processes, International Conference on Computer-Aided Verification (CAV'95), Vol. 939 of Lecture Notes in Computer Science, pp. 353–366.

FOC (1977). Proceedings 18th Annual Symposium on Foundations of Computer Science, IEEE.

Fokkink, W. (2000). Introduction to Process Algebra, Texts in Theoretical Computer Science. An EATCS Series, Springer-Verlag, Berlin.

Gelernter, D. (1985). Generative communication in Linda, ACM Transactions on Programming Languages and Systems 7(1): 80–112.

Glabbeek, R. v. (1990). The linear time – branching time spectrum, in Baeten and Klop (1990), pp. 278–297.

Glabbeek, R. v. (1993). The linear time – branching time spectrum II: the semantics of sequential processes with silent moves, in E. Best (ed.), Proceedings CONCUR 93, Hildesheim, Germany, Vol. 715 of Lecture Notes in Computer Science, Springer-Verlag, pp. 66–81.

Glabbeek, R. v. (2001). The linear time – branching time spectrum I. The semantics of concrete, sequential processes, Handbook of Process Algebra, North-Holland, Amsterdam, pp. 3–99.

Glabbeek, R. v. (2005). A characterisation of weak bisimulation congruence, in A. Middeldorp, V. van Oostrom, F. van Raamsdonk and R. C. de Vrijer (eds), Processes, Terms and Cycles, Vol. 3838 of Lecture Notes in Computer Science, Springer, pp. 26–39.

Godskesen, J. C. and Larsen, K. G. (1992). Real-time calculi and expansion theorems, Foundations of Software Technology and Theoretical Computer Science (New Delhi, 1992), Vol. 652 of Lecture Notes in Comput. Sci., Springer, Berlin, pp. 302–315.


Godskesen, J. C. and Larsen, K. G. (1995). Synthesizing distinguishing formulae for real time systems, Nordic Journal of Computing 2(3): 338–357.

Greenlaw, R., Hoover, H. J. and Ruzzo, W. R. (1995). Limits to Parallel Computation: P-Completeness Theory, Oxford University Press.

Groote, J. and Hüttel, H. (1994). Undecidable equivalences for basic process algebra, Information and Computation 115(2): 353–371.

Hamming, R. W. (1997). The Art of Doing Science and Engineering (Learning to Learn), Gordon and Breach Science Publishers.

Harel, D. and Pnueli, A. (1985). On the development of reactive systems, Logics and Models of Concurrent Systems (La Colle-sur-Loup, 1984), Vol. 13 of NATO Adv. Sci. Inst. Ser. F Comput. Systems Sci., Springer-Verlag, Berlin, pp. 477–498.

Har'El, Z. and Kurshan, R. P. (1987). Cospan user's guide, Technical report, AT&T Bell Laboratories, Murray Hill, NJ.

Harju, T. (2006). Ordered sets, Available from http://users.utu.fi/harju/orderedsets/Mainorder.pdf. 77 pages.

Hennessy, M. (1988). Algebraic Theory of Processes, MIT Press, Cambridge, Massachusetts.

Hennessy, M. and Milner, R. (1985). Algebraic laws for nondeterminism and concurrency, Journal of the ACM 32(1): 137–161.

Hennessy, M. and Regan, T. (1995). A process algebra for timed systems, Information and Computation 117(2): 221–239.

Hirshfeld, Y. (1994). Petri nets and the equivalence problem, Proceedings of the 7th Workshop on Computer Science Logic (CSL'93), Vol. 832 of Lecture Notes in Computer Science, Springer-Verlag, pp. 165–174.

Hirshfeld, Y., Jerrum, M. and Moller, F. (1996a). A polynomial algorithm for deciding bisimilarity of normed context-free processes, Theoretical Computer Science 158: 143–159.

Hirshfeld, Y., Jerrum, M. and Moller, F. (1996b). A polynomial algorithm for deciding bisimulation equivalence of normed basic parallel processes, Mathematical Structures in Computer Science 6: 251–259.


Hoare, C. (1978). Communicating sequential processes, Communications of the ACM 21(8): 666–677.

Hoare, C. (1985). Communicating Sequential Processes, Prentice-Hall International, Englewood Cliffs.

Holzmann, G. J. (2003). The SPIN Model Checker, Addison-Wesley.

Hunt, H. B., Rosenkrantz, D. J. and Szymanski, T. G. (1976). On the equivalence, containment, and covering problems for the regular and context-free languages, Journal of Computer and System Sciences 12: 222–268.

Hüttel, H. (1994). Undecidable equivalences for basic parallel processes, Proceedings of the 2nd International Symposium on Theoretical Aspects of Computer Software (TACS'94), Vol. 789 of Lecture Notes in Computer Science, Springer-Verlag, pp. 454–464.

Huynh, D. and Tian, L. (1995). On deciding readiness and failure equivalences for processes in $\Sigma^P_2$, Information and Computation 117(2): 193–205.

Hyman, H. (1966). Comments on a problem in concurrent programming control, Communications of the ACM 9(1).

Jančar, P. (1995). Undecidability of bisimilarity for Petri nets and some related problems, Theoretical Computer Science 148(2): 281–301.

Jančar, P. (2003). Strong bisimilarity on basic parallel processes is PSPACE-complete, Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science (LICS'03), IEEE Computer Society Press, pp. 218–227.

Jurdziński, M. (1998). Deciding the winner in parity games is in UP ∩ co-UP, Information Processing Letters 68(3): 119–124.

Kanellakis, P. C. and Smolka, S. A. (1990). CCS expressions, finite state processes, and three problems of equivalence, Information and Computation 86(1): 43–68.

Keller, R. (1976). Formal verification of parallel programs, Communications of the ACM 19(7): 371–384.

Knaster, B. (1928). Un théorème sur les fonctions d'ensembles, Annales Societatis Mathematicae Polonae 6: 133–134. In French.

Knuth, D. E. (1966). Additional comments on a problem in concurrent programming control, Communications of the ACM 9(5): 321–322.


Kozen, D. (1977). Lower bounds for natural proof systems, in FOC (1977), pp. 254–266.

Kozen, D. (1983a). Results on the propositional mu-calculus, Theoretical Computer Science 27: 333–354.

Kozen, D. (1983b). Results on the propositional mu-calculus, Theoretical Computer Science 27: 333–354.

Kupferman, O., Vardi, M. Y. and Wolper, P. (2000). An automata-theoretic approach to branching-time model checking, Journal of the ACM 47(2): 312–360.

Lamport, L. (1986). The mutual exclusion problem: Part II — statement and solutions, Journal of the ACM 33(2): 327–348.

Laroussinie, F. and Larsen, K. G. (1998). CMC: A tool for compositional model-checking of real-time systems, in S. Budkowski, A. R. Cavalli and E. Najm (eds), Formal Description Techniques and Protocol Specification, Testing and Verification, FORTE XI / PSTV XVIII'98, IFIP TC6 WG6.1 Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols (FORTE XI) and Protocol Specification, Testing and Verification (PSTV XVIII), 3–6 November, 1998, Paris, France, Vol. 135 of IFIP Conference Proceedings, Kluwer, pp. 439–456.

Laroussinie, F., Larsen, K. G. and Weise, C. (1995). From timed automata to logic - and back, in J. Wiedermann and P. Hájek (eds), Mathematical Foundations of Computer Science 1995, 20th International Symposium, Vol. 969 of Lecture Notes in Computer Science, Springer, Prague, Czech Republic, pp. 529–539.

Laroussinie, F. and Schnoebelen, P. (2000). The state-explosion problem from trace to bisimulation equivalence, Proceedings of the 3rd International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2000), Berlin, Germany, March 2000, Vol. 1784 of Lecture Notes in Computer Science, Springer-Verlag, pp. 192–207.

Larsen, K. G. (1990). Proof systems for satisfiability in Hennessy–Milner logic with recursion, Theoretical Computer Science 72(2–3): 265–288.

Larsen, K. G. and Wang, Y. (1997). Time-abstracted bisimulation: implicit specifications and decidability, Inform. and Comput. 134(2): 75–101.

Libkin, L. (2004). Elements of Finite Model Theory, Texts in Theoretical Computer Science. An EATCS Series, Springer-Verlag.


Lions, J. L. (n.d.). ARIANE 5 flight 501 failure: Report by the inquiry board, Available on-line at http://www.ima.umn.edu/~arnold/disasters/ariane5rep.html.

Luttik, B. (2006). What is algebraic in process theory?, Bull. Eur. Assoc. Theor. Comput. Sci. EATCS 88: 66–83.

Lynch, N. A. (1996). Distributed Algorithms, The Morgan Kaufmann Series in Data Management Systems, Morgan Kaufmann, San Francisco, CA.

Lynch, N. A. and Shavit, N. (1992). Timing-based mutual exclusion, IEEE Real-Time Systems Symposium, pp. 2–11.

Magee, J. and Kramer, J. (1999). Concurrency: State Models and Java Programs, John Wiley.

Mayr, R. (1998). Strict lower bounds for model checking BPA, Proceedings of the MFCS'98 Workshop on Concurrency, Vol. 18 of ENTCS, Springer-Verlag.

Mayr, R. (2000). Process rewrite systems, Information and Computation 156(1): 264–286.

Milner, R. (1989). Communication and Concurrency, Prentice-Hall International, Englewood Cliffs.

Muller, D. and Schupp, P. (1985). The theory of ends, pushdown automata, and second order logic, Theoretical Computer Science 37(1): 51–75.

Nicollin, X. and Sifakis, J. (1994). The algebra of timed processes, ATP: theory and application, Information and Computation 114(1): 131–178.

Nielson, H. and Nielson, F. (1992). Semantics with Applications: A Formal Introduction, Wiley Professional Computing, John Wiley & Sons, Chichester, England.

Paige, R. and Tarjan, R. E. (1987). Three partition refinement algorithms, SIAM Journal of Computing 16(6): 973–989.

Park, D. (1981). Concurrency and automata on infinite sequences, in P. Deussen (ed.), 5th GI Conference, Karlsruhe, Germany, Vol. 104 of Lecture Notes in Computer Science, Springer-Verlag, pp. 167–183.

Patterson, D. A. (2005). 20th century vs. 21st century C&C: The SPUR manifesto, Communications of the ACM 48(3): 15–16.


Peterson, J. and Silberschatz, A. (1985). Operating Systems Concepts, 2nd edn, Addison Wesley.

Plotkin, G. D. (1981). A structural approach to operational semantics, Report DAIMI FN-19, Computer Science Department, Aarhus University.

Plotkin, G. D. (2004a). The origins of structural operational semantics, Journal of Logic and Algebraic Programming 60–61: 3–15. The paper is available from http://www.dcs.ed.ac.uk/home/gdp/publications/.

Plotkin, G. D. (2004b). A structural approach to operational semantics, Journal of Logic and Algebraic Programming 60–61: 17–139. This is a revised version of the original DAIMI memo (Plotkin, 1981).

Pnueli, A. (1977a). The temporal logic of programs, in FOC (1977), pp. 46–57.

Pnueli, A. (1977b). The temporal logic of programs, Proceedings of the 18th Annual Symposium on Foundations of Computer Science (FOCS'77), IEEE Computer Society, pp. 46–57.

Pratt, V. R. (1995). Anatomy of the Pentium bug, in P. D. Mosses, M. Nielsen and M. I. Schwartzbach (eds), TAPSOFT'95: Theory and Practice of Software Development, 6th International Joint Conference CAAP/FASE, Aarhus, Denmark, May 22–26, 1995, Proceedings, Vol. 915 of Lecture Notes in Computer Science, Springer-Verlag, pp. 97–107.

Reisig, W. (1985). Petri Nets: An Introduction, EATCS Monographs on Theoretical Computer Science, Volume 4, Springer-Verlag.

Roscoe, B. (1999). The Theory and Practice of Concurrency, Prentice-Hall International, Englewood Cliffs.

Schneider, S. (1995). An operational semantics for timed CSP, Information and Computation 116(2): 193–213.

Schneider, S. (1999). Concurrent and Real-time Systems: the CSP Approach, John Wiley.

Sénizergues, G. (1998). Decidability of bisimulation equivalence for equational graphs of finite out-degree, Proceedings of the 39th Annual IEEE Symposium on Foundations of Computer Science, IEEE, pp. 120–129.

Sipser, M. (2005). Introduction to the Theory of Computation, second edn, Course Technology.


Sistla, A. P. and Clarke, E. M. (1985). The complexity of propositional linear temporal logics, J. ACM 32(3): 733–749.

Srba, J. (2002a). Strong bisimilarity and regularity of basic parallel processes is PSPACE-hard, Proceedings of the 19th International Symposium on Theoretical Aspects of Computer Science (STACS'02), Vol. 2285 of Lecture Notes in Computer Science, Springer-Verlag, pp. 535–546.

Srba, J. (2002b). Strong bisimilarity and regularity of Basic Process Algebra is PSPACE-hard, Proceedings of the 29th International Colloquium on Automata, Languages and Programming (ICALP'02), Vol. 2380 of Lecture Notes in Computer Science, Springer-Verlag, pp. 716–727.

Srba, J. (2002c). Undecidability of weak bisimilarity for pushdown processes, Proceedings of the 13th International Conference on Concurrency Theory (CONCUR'02), Vol. 2421 of Lecture Notes in Computer Science, Springer-Verlag, pp. 579–593.

Srba, J. (2004). Roadmap of Infinite Results, Vol. 2: Formal Models and Semantics, World Scientific Publishing Co. An online up-to-date version is available at http://www.brics.dk/~srba/roadmap/.

Stirling, C. (1995). Local model checking games, Proceedings of the 6th International Conference on Concurrency Theory (CONCUR'95), Vol. 962 of LNCS, Springer-Verlag, pp. 1–11.

Stirling, C. (2000). Decidability of bisimulation equivalence for pushdown processes, Research Report EDI-INF-RR-0005, School of Informatics, Edinburgh University.

Stirling, C. (2001). Modal and Temporal Properties of Processes, Springer-Verlag.

Tarski, A. (1955). A lattice-theoretical fixpoint theorem and its applications, Pacific Journal of Mathematics 5: 285–309.

Thomas, W. (1993). On the Ehrenfeucht-Fraïssé game in theoretical computer science (extended abstract), Proceedings of the 4th International Joint Conference CAAP/FASE, Theory and Practice of Software Development (TAPSOFT'93), Vol. 668 of Lecture Notes in Computer Science, Springer-Verlag, pp. 559–568.

van Glabbeek, R. and Weijland, W. (1996). Branching time and abstraction in bisimulation semantics, Journal of the ACM 43(3): 555–600.


Vardi, M. Y. (1991). Verification of concurrent programs: The automata-theoretic framework, Annals of Pure and Applied Logic 51(1–2): 79–98.

Vardi, M. Y. (1995). An automata-theoretic approach to linear temporal logic, in F. Moller and G. M. Birtwistle (eds), Banff Higher Order Workshop, Vol. 1043 of Lecture Notes in Computer Science, Springer, pp. 238–266.

Vardi, M. Y. (2001). Branching vs. linear time: Final showdown, in T. Margaria and W. Yi (eds), TACAS, Vol. 2031 of Lecture Notes in Computer Science, Springer, pp. 1–22.

Vardi, M. Y. and Wolper, P. (1994). Reasoning about infinite computations, Information and Computation 115(1): 1–37.

Walukiewicz, I. (2001). Pushdown processes: Games and model-checking, Information and Computation 164(2): 234–263.

Wang, Y. (1990). Real-time behaviour of asynchronous agents, in Baeten and Klop (1990), pp. 502–520.

Wang, Y. (1991a). A calculus of real time systems, PhD thesis, Chalmers University of Technology, Göteborg, Sweden.

Wang, Y. (1991b). CCS + time = an interleaving model for real time systems, in J. Leach Albert, B. Monien and M. Rodríguez (eds), Proceedings 18th ICALP, Madrid, Vol. 510 of Lecture Notes in Computer Science, Springer-Verlag.

Yannakakis, M. and Lee, D. (1993). An efficient algorithm for minimizing real-time transition systems, in C. Courcoubetis (ed.), Proceedings of the Fifth International Conference Computer Aided Verification, Elounda, Greece, July 1993, Vol. 697 of Lecture Notes in Computer Science, Springer-Verlag, pp. 210–224.


Index

A. Tarski, 90
action, 25
action prefixing operator, 10
Amir Pnueli, 6

B. Knaster, 90
branching
    bisimilarity, 72
    bisimulation, 72

CCS, 9–35
    semantics, 28
    syntax, 26
    value passing, 32–35
channel name, 25
characteristic formula, 143
choice operator, 11
complementary name, 25
complete lattice, 88

David Harel, 6
Donald Knuth, 4

Edinburgh Concurrency Workbench, 4
equational system
    mutually recursive, 134

function
    fixed point of, 89
    monotonic, 89
    partial, 5
    relabelling, 26

greatest lower bound (glb), 87

Hennessy-Milner logic (HML)
    negation in, 109
    recursive
        game characterization, 129–131
        semantics, 123–126
        syntax, 122
    semantics, 103, 108
    syntax, 102

image finite process, 110

labelled transition system (LTS), 22
least upper bound (lub), 87
logics
    branching-time, 153
    linear-time, 153

modal depth, 115

observational equivalence, see weak bisimilarity

partially ordered set (poset), 85
process algebra, 7
process constant, see process name
process name, 25

reactive system, 6
relation
    binary, 38
    congruence, 39
    equivalence, 38
        weak trace, 164
    preorder, 38


    ready simulation, 60
    reflexive, 38
    simulation, 60
        weak, 165
    symmetric, 38
    transitive, 38
restriction operator, 13
Robin Milner, 8

semantics, 4
state of an LTS, 22
    initial, 23
    reachable, 24
    start, 23
strong bisimilarity, see strong bisimulation equivalence
strong bisimulation, 43
    equivalence, 43
    game, 74
syntax, 4

test, 168
testable property, 169
Tony Hoare, 8
trace, 40
    completed, 42
    weak, 164
transition graph, see labelled transition system (LTS)

Uppaal, 4

weak bisimilarity, 65
weak bisimulation, 65
    game, 79
weak transition relation, 64