A Fully Abstract Model for Graph-Interpreted Temporal Logic

Fabio Gadducci (1), Reiko Heckel (2), and Manuel Koch (1)

(1) Technical University of Berlin, Fachbereich 13 · Informatik, Franklinstraße 28/29, D-10587 Berlin, Germany, {gfabio,mlkoch}@cs.tu-berlin.de
(2) University of Paderborn, Fachbereich 17, Warburgerstraße 100, D-33098 Paderborn, Germany, [email protected]
Abstract. Graph-interpreted temporal logic is an extension of propositional temporal logic for specifying graph transition systems (i.e., transition systems whose states are graphs). Recently, this logic has been used for the specification and compositional verification of safety and liveness properties of rule-based graph transformation systems. However, no calculus or decision procedure for this logic has been provided, which is the purpose of this paper. First we show that any sound and complete deduction calculus for propositional temporal logic is also sound and complete when interpreted on graph transition systems, that is, graph transition systems have the same discriminating power as general transition systems. Then, structural properties of the state graphs are expressed by graphical constraints which interpret the propositional variables in the temporal formulas. For any such interpretation we construct a graph transition system which is typical and fully abstract. Typical here means that the constructed system satisfies a temporal formula if and only if the formula is true for all transition systems with this interpretation. By fully abstract we mean that any two states of the system that cannot be distinguished by graphical constraints are equal. Thus, for a finite set of constraints we end up with a finite-state transition system which is suitable for model checking.
1 Introduction
Graph transformations [15] are a graphical specification technique developed in the early seventies as a generalization of Chomsky grammars. This rule-based formalism provides an intuitive description of the manipulation of graph-like structures as they occur in databases, object-oriented systems, neural networks, software or distributed systems. In particular, in order to be more suitable for such kinds of applications, the algebraic approaches to graph transformation [4,2,3] have been extended by various techniques for expressing static and dynamic consistency conditions of graphs and graph transformations [11,19,12,1,10,7,8,13].

Research partially supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) through the Technical University of Berlin and the University of Pisa.

H. Ehrig et al. (Eds.): Graph Transformation, LNCS 1764, pp. 310–322, 2000. © Springer-Verlag Berlin Heidelberg 2000

In [7] Heckel presented a compositional verification approach for safety and liveness properties of graph transformation systems. The main focus was on how to derive global properties from local ones, while the question of how to verify local properties w.r.t. certain parts of the system was not considered. In this paper we try to close this gap by investigating techniques and tools for checking the validity of temporal properties w.r.t. graph transition systems. Further investigations with respect to this topic can be found in [7,13], where more detailed case studies are presented to motivate the concepts.

A graph transition system is a transition system whose states are graphs equipped with variable assignments. The variables themselves form a graph as well, and the assignments are represented by (partial) graph homomorphisms. We are then able to specify properties of states by graphical constraints: such a constraint is just a pattern state (i.e., a partial graph morphism), which is satisfied by a second state if the latter provides at least the structure of the former. This concept was originally developed in [11], where graphical constraints were used to express static consistency properties. In [12,10] it was combined with propositional temporal logic, which can also express dynamic properties of systems.

The long-term goal of this work is to develop analysis techniques for transition systems specified by graph grammars. A variety of such techniques already exists in the literature on temporal logic (see e.g. [17]). Thus, in order to be able to reuse these tools, in Section 4 we compare the graph-based temporal logic with classical propositional temporal logic and show that the notions of validity of formulas are the same in both cases.
Most of the automated techniques for verifying temporal properties of systems assume transition systems with finite sets of states. Hence, for applying such techniques it is necessary to collapse infinite transition systems to finite ones by identifying states which are logically indistinguishable. A transition system is called fully abstract if it is completely collapsed in this sense, i.e., if any two states which cannot be distinguished by temporal properties are identified in the system. In general, this problem is stated w.r.t. all temporal formulas over a given set of propositional variables (see e.g. [18]). In this paper, we use graphical constraints in order to define the evaluation of the propositional variables. Therefore we are interested in structural equivalence of states, i.e., whether two states are distinguishable by means of a given set of graphical constraints. Consequently, the results in this paper are largely independent of the temporal logic in use and could easily be transferred to more sophisticated logics. On the other hand, a transition system may represent a whole class of systems if it is typical for that class, in the sense that it satisfies a formula if and only if this formula is satisfied by all transition systems of that class. Then, the typical system can be used to examine the validity (entailment, tautology, etc.) of formulas for the whole class of systems by checking the corresponding property in the typical transition system only.
In Section 5 we present a construction that, for a given interpretation of the propositional variables as graphical constraints, produces a transition system which is both typical and fully abstract. We argue that these two properties correspond, respectively, to the existence and uniqueness of transition system morphisms from all transition systems of the class to the typical, fully abstract one. In other words, the constructed system is a final object in a suitable category of transition systems. Moreover, the system is finite provided that we only use finitely many different constraints in the temporal specification.
2 Some Background on Propositional Temporal Logic
In the first part of this section we review the classical syntax and semantics of the propositional fragment of linear temporal logic, following [17].

Definition 1 (temporal formula). Let Q be a (countable) set of propositional variables. A temporal formula (short: formula) is a term generated by the following syntax, where $q \in Q$:

$\Phi ::= q \mid \neg\Phi \mid \Phi_1 \wedge \Phi_2 \mid \Phi_1\,\mathcal{U}\,\Phi_2 \mid \bigcirc\Phi$

We let $\Phi, \Phi_1, \ldots$ range over the set TF of formulas.
The operators ¬ and ∧ are the usual ones for negation and conjunction. The operators ○ and U constitute the temporal part of the logic. Roughly, since the semantics is given in terms of an evaluation over (sequences of) states of a transition system, the next-time operator ○ demands that a formula holds in the immediate successor state, while the until operator U requires that a formula eventually holds and that until then a second formula is true. In the following, we apply the usual abbreviations for implication ⟹ and disjunction ∨. The boolean constant true can be defined as a logical tautology, for instance as $q \vee \neg q$ for a propositional variable q in Q. The temporal sometimes operator is defined by $\Diamond\Phi := \mathit{true}\,\mathcal{U}\,\Phi$, the always operator by $\Box\Phi := \neg\Diamond\neg\Phi$.

As mentioned, the classical semantics is based on transition systems. A transition system consists of a set of states, possibly infinite, and a relation on these states representing state transitions. The validity of a formula then refers to runs generated by such a transition system, understood as infinite sequences of states. The set R of runs for examining validity is a designated subset of all possible runs through the transition system.

Definition 2 (transition system). A transition system is a triple $T = \langle S, \to, R \rangle$ where S is a non-empty set of states, $\to \subseteq S \times S$ is a transition relation, and R is a suffix-closed set of runs. A run $\sigma = \sigma(0)\sigma(1)\ldots$ with $\sigma(i) \in S$ is a maximal-length path through the transition system. Its i-th suffix is given by $\sigma|_i = \sigma(i)\sigma(i+1)\ldots$. A transition system morphism $h : \langle S, \to, R \rangle \to \langle S', \to', R' \rangle$ is a function $h : S \to S'$ such that $h(R) \subseteq R'$, where $h(\sigma(0)\sigma(1)\ldots) = h(\sigma(0))\,h(\sigma(1))\ldots$ for all $\sigma = \sigma(0)\sigma(1)\ldots \in R$.
We always assume that every state occurs in some run. Transition system morphisms allow us to simulate the runs of the source system within the target system, in order to preserve, as shown later, the notion of validity of a formula. Together with an evaluation of the variables, the transition system constitutes a temporal model. The evaluation assigns to each variable a subset of S, namely the states at which the variable is deemed to be true.

Definition 3 (temporal model). Given a transition system $T = \langle S, \to, R \rangle$ and a set of propositional variables Q, an evaluation $V : Q \to \mathcal{P}(S)$ assigns to each variable a set of states $V(q) \subseteq S$. The pair $M = \langle T, V \rangle$ constitutes a temporal model. A morphism $h : M \to M'$ of temporal models $M = \langle T, V \rangle$ and $M' = \langle T', V' \rangle$ is a transition system morphism $h : T \to T'$ such that $s \in V(q) \Leftrightarrow h(s) \in V'(q)$ for all $q \in Q$, $s \in S$. The category of temporal models and their morphisms, with the obvious composition and identities, is denoted by $\mathbf{TM}_Q$.

We now have all the components needed to introduce inductively the notion of satisfaction of a temporal formula Φ by a given computation σ.

Definition 4 (satisfaction of temporal formula). Let $M = \langle T, V \rangle$ be a temporal model over Q, where $T = \langle S, \to, R \rangle$. A formula Φ is satisfied by a run $\sigma \in R$, denoted $\sigma \models \Phi$, if one of the following cases applies:
– $\sigma \models q \Leftrightarrow \sigma(0) \in V(q)$, for all $q \in Q$
– $\sigma \models \neg\Phi \Leftrightarrow \sigma \not\models \Phi$
– $\sigma \models \Phi_1 \wedge \Phi_2 \Leftrightarrow \sigma \models \Phi_1$ and $\sigma \models \Phi_2$
– $\sigma \models \bigcirc\Phi \Leftrightarrow \sigma|_1 \models \Phi$
– $\sigma \models \Phi_1\,\mathcal{U}\,\Phi_2 \Leftrightarrow \exists k \in \mathbb{N}$ such that $\sigma|_k \models \Phi_2$ and, for each j with $0 \le j < k$, $\sigma|_j \models \Phi_1$
The formula Φ is M-true, short $\models_M \Phi$, if $\sigma \models \Phi$ for all $\sigma \in R$. It is valid, denoted $\models \Phi$, if $\models_M \Phi$ for all models M. The semantic idea behind morphisms of temporal models is invariance of satisfaction: for each temporal formula Φ and every run σ in M, $\sigma \models \Phi \Leftrightarrow h(\sigma) \models \Phi$.

A proof system for a temporal language consists of a set of axiom schemes and inference rules. A proof of Φ is a finite sequence of formulae $\Phi_1, \ldots, \Phi_n$ with $\Phi = \Phi_n$, where each $\Phi_i$ is either an axiom instance or the result of applying a rule instance to premises from the set $\{\Phi_1, \ldots, \Phi_{i-1}\}$. Φ is a theorem of this proof system, denoted $\vdash \Phi$, if there is a proof of Φ. A proof system is said to be sound w.r.t. a satisfaction relation ⊨ if every provable formula is valid, and complete w.r.t. ⊨ if every valid formula is provable. A sound and complete proof system for the satisfaction relation ⊨ is given in [17].

Given an at least countable set S (i.e., one for which there exists an injective function $c : \mathbb{N} \to S$), it is easy to see that we could restrict our attention to the full subcategory $\mathbf{TM}^S_Q$ of $\mathbf{TM}_Q$, containing only those temporal models whose set of states is contained in S, without losing expressive power. In other words, a formula Φ is valid, $\models \Phi$, if and only if $\models_M \Phi$ for all models $M \in \mathbf{TM}^S_Q$, denoted $\models_S \Phi$. Of course, this result simply says that we could restrict our attention to the family of models whose set of states is contained in ℕ (see again [17]). Nevertheless, such a formulation allows us to investigate the class of temporal models over a given interpretation, and to ask for a characterization of the minimal model satisfying a given formula under that interpretation. These concerns will be the basis for our notion of graph interpretation of temporal logic, given in Sections 4 and 5.
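Definitions 1–4 made executable, as an added worked example that is not part of the paper: formulas are built with the syntax of Definition 1 and the abbreviations above, a transition system's designated runs are "lassos" (a finite prefix followed by a cycle repeated forever, which is how model checkers represent the infinite runs of a finite-state system), and `sat` is the satisfaction relation of Definition 4. The two-process, one-resource token ring used as input is a sketch of the example Section 3 develops; its state names s0..s7, the variables req1, hold1, hold2 and the two runs are constructed here for illustration and are not the paper's.

```python
# Added example, not the paper's code. States s0..s7, the evaluation V and the
# two runs below are constructed for illustration.

# Syntax of Definition 1; derived operators follow the paper's abbreviations.
def Q(name): return ('q', name)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Next(f): return ('next', f)                        # next-time operator
def Until(f, g): return ('until', f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
TRUE = Or(Q('_'), Not(Q('_')))                         # true := q or not q
def Eventually(f): return Until(TRUE, f)               # <>Phi := true U Phi
def Always(f): return Not(Eventually(Not(f)))          # []Phi := not <> not Phi


class Lasso:
    """An infinite run sigma = prefix . cycle^omega over a finite state set."""

    def __init__(self, prefix, cycle):
        assert cycle, "runs are infinite, so the repeated cycle must be non-empty"
        self.prefix, self.cycle = tuple(prefix), tuple(cycle)

    def state(self, i):
        """sigma(i)."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]

    def suffix_index(self, k):
        """Smallest k' with sigma|k' == sigma|k (suffixes repeat once inside the cycle)."""
        p, c = len(self.prefix), len(self.cycle)
        return k if k < p else p + (k - p) % c

    def horizon(self):
        """Every suffix sigma|j, j >= k, equals sigma|j' for some k <= j' < k + horizon."""
        return len(self.prefix) + len(self.cycle)


def sat(phi, sigma, V, k=0):
    """sigma|k |= phi for an evaluation V: variable -> set of states (Definition 4)."""
    k = sigma.suffix_index(k)
    op = phi[0]
    if op == 'q':
        return sigma.state(k) in V.get(phi[1], set())
    if op == 'not':
        return not sat(phi[1], sigma, V, k)
    if op == 'and':
        return sat(phi[1], sigma, V, k) and sat(phi[2], sigma, V, k)
    if op == 'next':
        return sat(phi[1], sigma, V, k + 1)
    if op == 'until':
        # exists j >= k with sigma|j |= phi2 and phi1 on all of [k, j); scanning one
        # prefix+cycle length from k visits every distinct suffix, so the search is finite
        for j in range(k, k + sigma.horizon()):
            if sat(phi[2], sigma, V, j):
                return True
            if not sat(phi[1], sigma, V, j):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")


def suffix_closure(runs):
    """Definition 2 requires R to be suffix closed; a suffix of a lasso is again a lasso."""
    closed = {}
    for s in runs:
        for i in range(len(s.prefix) + 1):
            closed.setdefault((s.prefix[i:], s.cycle), Lasso(s.prefix[i:], s.cycle))
        for r in range(len(s.cycle)):
            rot = s.cycle[r:] + s.cycle[:r]
            closed.setdefault(((), rot), Lasso((), rot))
    return list(closed.values())


def model_true(phi, runs, V):
    """|=_M phi: phi is satisfied by every designated run."""
    return all(sat(phi, sigma, V) for sigma in runs)


def counterexample(phi, runs, V):
    """The first designated run violating phi, or None when phi is M-true."""
    return next((sigma for sigma in runs if not sat(phi, sigma, V)), None)


# Constructed token-ring states: in s1, s6, s7 process 1 requests the resource,
# in s2 process 1 holds it, in s5 and s7 process 2 holds it.
V = {'req1': {'s1', 's6', 's7'}, 'hold1': {'s2'}, 'hold2': {'s5', 's7'}}
FAIR = Lasso([], ['s0', 's1', 's2', 's3', 's4', 's5'])    # token visits both processes
STARVING = Lasso(['s0', 's1'], ['s6', 's7'])              # process 1 waits forever
MUTEX = Always(Not(And(Q('hold1'), Q('hold2'))))          # safety
LIVENESS = Always(Implies(Q('req1'), Eventually(Q('hold1'))))
R_FAIR = suffix_closure([FAIR])
R_ALL = suffix_closure([FAIR, STARVING])

if __name__ == '__main__':
    print("mutex on fair runs:", model_true(MUTEX, R_FAIR, V))             # True
    print("liveness on fair runs:", model_true(LIVENESS, R_FAIR, V))       # True
    print("liveness with starving run:", model_true(LIVENESS, R_ALL, V))   # False
```

The designated run set R matters as much as the transition relation: the safety formula holds on both run sets, while the liveness formula is only M-true when the starving run is excluded from R. This is exactly the role of the "designated subset" of runs in Definition 2, and `counterexample` returns the offending lasso, which is what a model checker reports as a witness.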
3 Putting Graphs into the View
This section introduces a toy example of a token ring algorithm for mutual exclusion (taken from [7]), to provide the basic ideas motivating the graph interpretation of temporal logic. The example is presented in more detail in [8]. Another application of the concepts is given in [13], where they are applied to a case study of a distributed configuration management system. The overall structure of the system is specified by a type graph (see e.g. [9]) as shown below on the left. It may be read as an entity/relationship schema specifying the node and edge types which may occur in the instance graphs modeling system states. Processes are drawn as black nodes and resources as light boxes. An edge from a process to a resource models a request. An edge in the opposite direction means that the resource is currently held by the process. The token ring is a cyclic list of processes, where an edge between two processes points to the next process. For each resource there is a token, represented by an edge with a flag, which is passed from process to process along the ring. If a process wants to use a resource, it waits for the corresponding token. Mutual exclusion is ensured because there is only one token for each resource in the system.
[Figure: the type graph TG (left) and a sequence of instance graphs G1, G2, G3 (right) modeling a possible evolution of a system with two processes and one resource.]
On the right, a sequence of graphs is depicted modeling a possible evolution of a system with two processes and one resource. Formally, an instance of a type graph TG is represented as a typed graph, i.e., a graph G together with a typing homomorphism $t_G : G \to TG$ (indicated in the sample states by the symbols used for vertices). A morphism of typed graphs $\langle G, t_G \rangle$ and $\langle H, t_H \rangle$ is a graph homomorphism $f : G \to H$ which is compatible with the typing, that is, $t_H \circ f = t_G$. Thus, graphs and graph morphisms typed over TG form the comma category $\mathbf{Graph} \downarrow TG$. In the following all graphs and all morphisms are assumed to be typed over a fixed type graph TG.

The figure below shows examples of the temporal properties we would like to express. The left formula states, for all processes p and resources r, that there is always a future state where process p gets hold of the token belonging to resource r. The formula in the middle says that whenever p requests a resource r and gets the corresponding token, then r is held by p in the very next computation step. The right formula states the desired liveness property: whenever a process p requests a resource r, eventually it will get it or withdraw its request.
[Figure: the three temporal formulas described above, written over graphical constraints. The left formula uses the constraint q1, the middle one q2, q3 and q4, and the right one q3 and q4; each constraint is a small graph over the variables p (a process) and r (a resource).]
Such properties are not expressible in propositional temporal logic but require a combination of propositional formulas with so-called graphical constraints for expressing structural properties of system states. Graphical constraints are based on the idea of “specification by example”: A constraint is a pattern for all states with a certain property (providing a certain structure). This approach is typical for rule-based systems, in particular rule-based graph transformation, where a rule is a minimal pattern of the transformations to be performed. In order to keep track of the processes and resources during the computation, in the example we used graphical variables p and r to denote them. Thus, a state of our system is not just a graph but incorporates an assignment of the graphical variables. Since we have to handle the deletion and creation of graphical objects, such assignments are modeled as partial morphisms from a graph of variables to the state graphs. The graph of variables X in the example consists of the process node p and resource node r with corresponding type. The morphisms are indicated by labeling the nodes of the target graph with their pre-image in X, e.g., q1 represents the (total) graph morphism from X to the depicted graph mapping p to the only process node and r to the only resource node.
4 An Interpretation over Graphs
We split this section into two distinct parts. The first presents some (we believe) original results on the category of partial morphisms between graphs. The second applies these results in order to provide a suitable notion of graph model for temporal formulas; the equivalence of such a model with the usual semantics presented in Section 2 is then proved.

4.1 A Pre-order Structure over Partial Morphisms
Formally, a partial graph morphism g from G to H is a total graph morphism $\bar g : dom(g) \to H$ from some subgraph dom(g) of G, called the domain of g, to H. Hence, partial morphisms are often written as spans $G \hookleftarrow dom(g) \xrightarrow{\bar g} H$. The set of all partial morphisms with source X is denoted by PMor(X).

Definition 5 (embedding relation). Let X be a graph. The embedding relation $\triangleleft_X \subseteq PMor(X) \times PMor(X)$ is defined as follows. Let $a = (X \hookleftarrow X_a \xrightarrow{\bar a} Y_a)$ and $b = (X \hookleftarrow X_b \xrightarrow{\bar b} Y_b)$; then $a \triangleleft_X b$ if and only if $X_a \hookrightarrow X_b$ (i.e., $X_a$ is a subgraph of $X_b$) and there is a total graph morphism $f : Y_a \to Y_b$ such that the square formed by the inclusion $\iota : X_a \hookrightarrow X_b$, the morphisms $\bar a$, $\bar b$ and f commutes, that is, $f \circ \bar a = \bar b \circ \iota$.
Thus, $a \triangleleft_X b$ means that $Y_a$ can be embedded in $Y_b$ while respecting the "assignments" a and b, i.e., the second "state" provides at least all the structure of the first, and possibly more. Notice that $\triangleleft_X$ is a pre-order, since it is reflexive and transitive, but it does not satisfy antisymmetry (not even up to graph isomorphism). The pre-order $\triangleleft_X$ shall be used throughout the paper for modeling logical consequence (of constraints), satisfaction (of graphical constraints by states) and specialization (of states). When clear from the context, the index X will often be omitted.

Proposition 1 (◁ has lubs). Let X be a graph. The pre-order $\triangleleft_X$ on partial morphisms PMor(X) has least upper bounds.

Proof. If $A \subseteq PMor(X)$ is a set of partial graph morphisms $a = (X \hookleftarrow X_a \xrightarrow{\bar a} Y_a)$, its least upper bound is $lub(A) = (X \hookleftarrow \bigcup_{a \in A} X_a \xrightarrow{u} Y)$, where Y is the colimit object of the family of total morphisms $(\bigcup_{a \in A} X_a \hookleftarrow X_a \xrightarrow{\bar a} Y_a)_{a \in A}$ and $u = \bigcup_{a \in A} \bar a$ is the union of the total morphisms $\bar a$, characterized as the arrow induced by the universal property of the colimit. For $A = \{a, b\}$ the colimit is the outer diagram $X_a \cap X_b \hookrightarrow X_a \xrightarrow{\bar a} Y_a \xrightarrow{y_a} Y$, $X_a \cap X_b \hookrightarrow X_b \xrightarrow{\bar b} Y_b \xrightarrow{y_b} Y$, together with $X_a, X_b \hookrightarrow X_a \cup X_b \xrightarrow{u} Y$. In order to see that lub(A) is indeed an upper bound, observe that there is an inclusion $X_a \hookrightarrow \bigcup_{a' \in A} X_{a'}$ for each $a \in A$. Moreover, a morphism $y_a : Y_a \to Y$ making the newly formed diagrams commute is obtained as the colimit injection. That lub(A) is a least upper bound follows from the fact that the union of subgraphs of X is the least upper bound for inclusion of subgraphs, and from the universal property of colimits. ✷
Notice that if $X_a = X_b$, the graph Y is just the pushout of $\bar a$ and $\bar b$. On the other hand, if $X_a$ and $X_b$ are disjoint, then $Y = Y_a + Y_b$ is the disjoint union. An example of the construction of a least upper bound can be found in Section 5.

4.2 Introducing Graph Models
Our graph model will be based on a suitable notion of transition system whose states are assignments (that is, partial graph morphisms) from a fixed graph of variables X.

Definition 6 (temporal graph model). A graph transition system under X is a transition system $GT = \langle S, \to, R \rangle$ where $S \subseteq PMor(X)$. A (temporal) graph model over X is a pair $GM = \langle GT, I \rangle$, where $I : Q \to PMor(X)$ is an interpretation of the propositional variables. A morphism $h : GM \to GM'$ of graph models $GM = \langle GT, I \rangle$ and $GM' = \langle GT', I' \rangle$ is a transition system morphism $h : GT \to GT'$ such that $I(q) \triangleleft s \Leftrightarrow I'(q) \triangleleft h(s)$ for all $q \in Q$, $s \in S$. The category of graph models over X and their morphisms, with the obvious composition and identities, is denoted by $\mathbf{GM}^X_Q$.

It is easy to define a functor $F : \mathbf{GM}^X_Q \to \mathbf{TM}_Q$: for a graph model $GM = \langle GT, I \rangle$ with $GT = \langle S, \to, R \rangle$, the induced temporal model F(GM) is the pair $\langle GT, V_I \rangle$, where $V_I(q) = \{ s \in S \mid I(q) \triangleleft s \}$. The functor F is neither full nor faithful (since the morphisms in PMor(X) need not preserve the pre-order structure). Nevertheless, it can be used to lift the notion of satisfaction to graph models: given a graph model $GM = \langle GT, I \rangle$, a run σ of GT satisfies a temporal formula Φ, written $\sigma \models_{GM} \Phi$, if the formula is satisfied in the induced temporal model, that is, $\sigma \models_{F(GM)} \Phi$. Similarly for the notions of GM-truth, $\models_{GM} \Phi$, and G-validity, $\models_G \Phi$.

As anticipated above, a propositional variable q (abstractly representing a state property) is interpreted by a pattern state I(q) for the intended property. The structure of I(q) is inherited by all states s in which I(q) can be embedded, that is, where $I(q) \triangleleft s$. Thus, the evaluation $V_I(q)$ consists of all those states of the system which are reachable from I(q) via ◁. The following proposition states that the translation from graph models to temporal models induced by the functor F is nevertheless surjective, up to equivalence of systems.

Proposition 2 (temporal model vs. graph model). For each temporal model $M = \langle T, V \rangle$ there exists a graph model $GM = \langle GT, I \rangle$ over X such that the induced temporal model $F(GM) = \langle GT, V_I \rangle$ is equivalent to M, in the sense that $\models_M \Phi$ if and only if $\models_{F(GM)} \Phi$ for all formulas Φ.

As a consequence of Proposition 2, both notions of validity of formulas coincide.

Theorem 1 (validity). A temporal formula Φ is valid, $\models \Phi$, if and only if it is G-valid, $\models_G \Phi$.
Thus every sound and complete calculus for the satisfaction relation defined in Section 2 is also sound and complete for the class of temporal models induced by graph models.

Typically, graph transition systems are generated by graph grammars, which provide a set of rules together with a start graph. All notions and results of this paper are fairly independent of the particular graph transformation approach one may choose in order to generate these systems. Nevertheless, we would like to give an idea of the relationship between graph transition systems and graph grammars (even if space limitations prevent us from providing a full set of definitions). The basic effect of applying a transformation rule to a graph is to remove certain graphical elements and to create some new elements which are linked in a suitable way to elements that have been preserved. Starting from a given graph $G_0$, in this way we may generate derivations $G_0 \Rightarrow G_1 \Rightarrow G_2 \Rightarrow \ldots$ by repeated application of rules. A sequence of partial graph morphisms $a_0 a_1 a_2 \ldots$ from a given graph of variables X into the graphs of the derivation is regarded as a run σ if the assignments are compatible with the deletion, preservation and creation of items in the following sense. If $G_i \Rightarrow G_{i+1}$ is a graph transformation step with assignments $a_i : X \to G_i$ and $a_{i+1} : X \to G_{i+1}$, then $a_i$ and $a_{i+1}$ have to agree on all elements that are preserved from $G_i$ to $G_{i+1}$; only elements of $G_i$ that are deleted by the step may be forgotten from $a_i$ to $a_{i+1}$, and only those elements that are new in $G_{i+1}$ may be used to extend the assignment $a_{i+1}$ with respect to $a_i$.
5 A Typical Graph Transition System
In this section we construct for an interpretation I a graph transition system that is typical for I, in the sense that its induced model satisfies exactly those formulas that are satisfied by all models induced by transition systems with that interpretation. This transition system is minimal, in the sense that it is distinguished by the property of being the final object in $\mathbf{GM}^X_{Q,I}$, the full subcategory of $\mathbf{GM}^X_Q$ containing all those models with interpretation I. The typical system is fully abstract with respect to satisfaction, in the sense that any two states which are not distinguishable by constraints from the interpretation I are equal in the typical system.

The idea for this abstraction is to build, for every possible configuration of truth values of the propositional variables, a state which implements this configuration, i.e., in which exactly those constraints are satisfied that interpret a variable which is true in the given configuration. Such states are constructed as least upper bounds of sets of states (seen as constraints) with respect to the relation ◁: from a logical point of view, we may think of lub(C) as the conjunction of the set C of constraints.

The figure below shows the construction of the least upper bound for the two constraints q2 and q3 used to interpret the propositional variables of the temporal formulas in Section 3. The graph X contains a process node p and a resource node r. Since both constraints are total, the construction of the least upper bound is just their pushout (cf. the proof of Proposition 1). It can easily be checked that a state satisfies the least upper bound of q2 and q3 if and only if both the constraint q2 and the constraint q3 are satisfied.
[Figure: the pushout of the total constraints q2 and q3 over the variable graph X with nodes p and r, yielding lub(q3, q2).]
Construction 2 (typical graph transition system). For an interpretation $I : Q \to PMor(X)$, let $\mathcal{P}_I(Q)$ be the set of all subsets $Q' \subseteq Q$ which are closed under entailment, that is, for which $I(q) \triangleleft lub(I(Q'))$ implies $q \in Q'$ for all $q \in Q$. Then the typical graph transition system $GT_I = \langle S_I, \to_I, R_I \rangle$ has as states all partial morphisms $lub(I(Q'))$ for $Q' \in \mathcal{P}_I(Q)$, the transition relation $\to_I = S_I \times S_I$ is the full cartesian product, and $R_I$ is the set of all paths through $\to_I$.

Notice that the typical graph transition system has finitely many states whenever the set of constraints I(Q) used for interpreting the propositional variables is finite. The states of the typical transition system for the example of the previous section are shown below. The three graphs on the left in the upper row and the rightmost one in the lower row are the original constraints from the formula. The triangles among them indicate the "entailment" relation ◁. Constructing all least upper bounds we obtain the remaining four constraints, where the empty graph is obtained as the colimit over the empty family of morphisms.

[Figure: the eight states of the typical transition system for the example: the original constraints q1, q2, q4 (upper row, left) and q3 (lower row, right), the empty graph, and the remaining least upper bounds, each a graph over the variables p and r, with the entailment relation ◁ drawn as triangles.]

Due to the construction of the states of the typical transition system as least upper bounds, they satisfy exactly those constraints from which they are constructed, i.e., $I(q) \triangleleft lub(I(Q'))$ if and only if $q \in Q'$, for all $q \in Q$ and $Q' \in \mathcal{P}_I(Q)$.
The following theorem characterizes the typical graph transition system for I as a final object in $\mathbf{GM}^X_{Q,I}$.

Theorem 3 (fully abstract transition system). The typical graph transition system $GT_I$ for an interpretation I is final in $\mathbf{GM}^X_{Q,I}$, that is, for each graph transition system GT there exists a unique morphism $!_{GT} : GT \to GT_I$ in $\mathbf{GM}^X_{Q,I}$.

Proof. For each graph transition system $GT = \langle S, \to, R \rangle$ with $\langle GT, V_I \rangle$ in $|\mathbf{GM}^X_{Q,I}|$ we define a morphism $!_{GT} : GT \to GT_I$. For a state $a \in S$ let $Q(a) = \{ q \in Q \mid I(q) \triangleleft a \}$. Then Q(a) is closed under entailment, i.e., $Q(a) \in \mathcal{P}_I(Q)$: a is an upper bound of I(Q(a)), so $lub(I(Q(a))) \triangleleft a$, and by transitivity of ◁ every constraint embedded in the lub is embedded in a. We define $!_{GT}(a) = lub(I(Q(a)))$; since $R_I$ contains all paths through $\to_I$, the image of every run of GT is a run of $GT_I$. $!_{GT}$ is a model morphism from $\langle GT, V_I \rangle$ to $\langle GT_I, V_I \rangle$ since, by construction, $I(q) \triangleleft a$ iff $I(q) \triangleleft lub(I(Q(a)))$. Thus $!_{GT}$ is a morphism of graph transition systems. Its uniqueness follows from the fact that, for a set of propositional variables Q', lub(I(Q')) is the only state in $GT_I$ that satisfies exactly the constraints of this set. Since morphisms of graph transition systems have to preserve and reflect the satisfaction of propositional variables, the mapping $a \mapsto lub(I(Q(a)))$ is forced by this condition. ✷

The unique morphism $!_{GT}$ collapses a potentially infinite graph transition system GT to a finite one, given by the image of GT under $!_{GT}$. Finality is a categorical way of saying that $GT_I$ is both typical and fully abstract: the existence of the morphisms $!_{GT} : GT \to GT_I$ for all graph transition systems GT expresses the fact that $GT_I$ is typical; this is made precise in the corollary below. The uniqueness of these morphisms implies that $GT_I$ is fully abstract: if $GT_I$ contained two different states indistinguishable by the constraints, there would be two different candidates for the definition of $!_{GT}$, contradicting uniqueness.

Corollary 1 ($GT_I$ is typical for I). The graph transition system $GT_I$ is typical among the transition systems with interpretation I, in the sense that for all temporal formulas Φ, $\models_{GT_I, I} \Phi$ if and only if $\models_I \Phi$, that is, $\models_{GT, I} \Phi$ for all graph transition systems GT.

Proof. "⇐": Since $GT_I$ is in $\mathbf{GM}^X_{Q,I}$, the claim holds. "⇒": We show that a graph transition system $GT = \langle S, \to, R \rangle$ in $\mathbf{GM}^X_{Q,I}$ with $\not\models_{GT,I} \Phi$ implies $\not\models_{GT_I,I} \Phi$. If $\not\models_{GT,I} \Phi$, there is a run $\sigma \in R$ such that $\sigma \not\models_I \Phi$. Since Theorem 3 provides a graph transition system morphism $!_{GT} : GT \to GT_I$, and such morphisms preserve and reflect satisfaction of temporal formulas, $!_{GT}(\sigma) \not\models_I \Phi$, implying $\not\models_{GT_I,I} \Phi$. ✷
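The embedding relation of Definition 5, the least upper bound of Proposition 1, Construction 2 and the collapsing morphism $!_{GT}$ of Theorem 3, carried out in code. This is an added worked example and not the paper's own construction: the typed token-ring encoding (node types P and R; edge types req, tok, hold, next) and the constraint names req, tok, hold and tokreq are assumptions chosen here for illustration and do not correspond to the paper's q1..q4. Typed graph morphisms are found by brute-force search over node assignments, and the colimit of the proof of Proposition 1 is computed by union-find gluing of the target graphs along the shared variables.

```python
# Added example, not the paper's code. The token-ring encoding (node types P, R;
# edge types req, tok, hold, next) and the constraint names are assumptions.
from itertools import combinations, product


class Graph:
    """Typed graph: node id -> type, edge id -> (source, target, type)."""
    def __init__(self, nodes, edges):
        self.nodes, self.edges = dict(nodes), dict(edges)


class PMor:
    """Partial morphism X <- dom -> Y; dom is the key set of the node/edge maps."""
    def __init__(self, X, nmap, emap, Y):
        self.X, self.nmap, self.emap, self.Y = X, dict(nmap), dict(emap), Y


def homomorphisms(G, H, fixed):
    """Total typed graph morphisms G -> H (given on nodes) extending the node map `fixed`."""
    free = [n for n in G.nodes if n not in fixed]
    cands = [[h for h, t in H.nodes.items() if t == G.nodes[n]] for n in free]
    for choice in product(*cands):
        f = {**fixed, **dict(zip(free, choice))}
        if all(any(f[s] == s2 and f[t] == t2 and ty == ty2
                   for s2, t2, ty2 in H.edges.values())
               for s, t, ty in G.edges.values()):
            yield f


def embeds(a, b):
    """a <| b (Definition 5): dom(a) inside dom(b) and a total f: Y_a -> Y_b with f.a = b on dom(a)."""
    if not (set(a.nmap) <= set(b.nmap) and set(a.emap) <= set(b.emap)):
        return False
    fixed = {}
    for x in a.nmap:                       # f is forced on the image of a
        if fixed.setdefault(a.nmap[x], b.nmap[x]) != b.nmap[x]:
            return False
    return next(homomorphisms(a.Y, b.Y, fixed), None) is not None


def lub(X, family):
    """Least upper bound (Proposition 1): glue the targets Y_a along the shared variables."""
    parent = {}
    def find(u):
        parent.setdefault(u, u)
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u
    for i, a in enumerate(family):         # identify a(x) and b(x) for every shared x
        for x, y in a.nmap.items(): parent[find((i, 'n', y))] = find(('xn', x))
        for x, y in a.emap.items(): parent[find((i, 'e', y))] = find(('xe', x))
    nodes, edges, nmap, emap = {}, {}, {}, {}
    for i, a in enumerate(family):
        for n, t in a.Y.nodes.items():
            nodes[find((i, 'n', n))] = t
        for e, (s, t, ty) in a.Y.edges.items():
            edges[find((i, 'e', e))] = (find((i, 'n', s)), find((i, 'n', t)), ty)
        nmap.update({x: find(('xn', x)) for x in a.nmap})
        emap.update({x: find(('xe', x)) for x in a.emap})
    return PMor(X, nmap, emap, Graph(nodes, edges))


def typical_system(X, I):
    """States of GT_I (Construction 2): lub(I(Q')) for every entailment-closed Q'."""
    states = {}
    for r in range(len(I) + 1):
        for sub in combinations(sorted(I), r):
            s = lub(X, [I[q] for q in sub])
            if all(q in sub for q in I if embeds(I[q], s)):   # closed under entailment
                states[frozenset(sub)] = s
    return states


def collapse(I, a):
    """!_GT on a state a (Theorem 3): the set Q(a) = {q | I(q) <| a} naming its typical state."""
    return frozenset(q for q in I if embeds(I[q], a))


# Constructed example. X has a process variable p and a resource variable r.
X = Graph({'p': 'P', 'r': 'R'}, {})

def constraint(edges):
    """Total constraint over X: the nodes p, r plus the given edges between them."""
    return PMor(X, {'p': 'p', 'r': 'r'}, {}, Graph(X.nodes, edges))

I = {
    'req': constraint({'e1': ('p', 'r', 'req')}),      # p requests r
    'tok': constraint({'e1': ('p', 'r', 'tok')}),      # p holds the token of r
    'hold': constraint({'e1': ('r', 'p', 'hold')}),    # r is held by p
    'tokreq': constraint({'e1': ('p', 'r', 'req'), 'e2': ('p', 'r', 'tok')}),
}
TYPICAL = typical_system(X, I)

# A concrete system state: ring P1 -> P2 -> P1, P1 requests R1, token at P2.
RING = Graph({'P1': 'P', 'P2': 'P', 'R1': 'R'},
             {'n1': ('P1', 'P2', 'next'), 'n2': ('P2', 'P1', 'next'),
              'rq': ('P1', 'R1', 'req'), 'tk': ('P2', 'R1', 'tok')})
STATE = PMor(X, {'p': 'P1', 'r': 'R1'}, {}, RING)

if __name__ == '__main__':
    print(len(TYPICAL), "typical states")                    # 8
    print(sorted(collapse(I, STATE)))                        # ['req']
```

With four constraints there are sixteen subsets of Q, but only eight are closed under entailment, because tokreq entails both req and tok and the lub of req and tok in turn satisfies tokreq; each surviving state satisfies exactly the constraints it was built from, as the paragraph before Theorem 3 claims. `collapse` is $!_{GT}$ read off a concrete system state, and the finite `TYPICAL` is what one would hand to a model checker. The construction is exponential in |Q| in the worst case; that is the price of full abstraction with respect to the constraints alone.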
6 Conclusion
The paper contributes to the ongoing work on developing a visual design technique for software systems that additionally supports the designer with analysis techniques. Visual design techniques [6,14,16] have a growing influence on the design techniques for software systems. However, most of them do not provide concepts to model and verify dynamic system properties. This paper introduced a graphical interpretation for the propositional fragment of linear temporal logic, in order to express dynamic properties of graph transition systems. We showed that the semantics based on graph transition systems is compatible with the classical semantics based on (general) transition systems. This allows us to reuse the classical calculi and tools for examining the validity of uninterpreted propositional temporal formulas. In order to take into account the interpretation by graphical constraints, we construct for every interpretation I a typical model which is finite if the interpretation uses only finitely many constraints. Based on these two results, techniques developed in the theory of the classical semantics of temporal logic may be applied. In [5,13], for example, a model checker is applied to the (temporal model induced by the) typical graph transition system in order to check a temporal formula. A further abstraction of the typical transition system can be achieved by analyzing the bisimilarity of states w.r.t. temporal properties in the sense of [18]. Moreover, it has to be investigated how the concepts and results of this paper can be used to analyze properties of a particular graph grammar, e.g., how to check the validity of a formula in the generated graph transition system.
References

1. I. Claßen, M. Gogolla, and M. Löwe. Dynamics in information systems: Specification, construction, and correctness. Technical Report 96–01, Technische Universität Berlin, 1996.
2. A. Corradini, U. Montanari, F. Rossi, H. Ehrig, R. Heckel, and M. Löwe. Algebraic approaches to graph transformation, Part I: Basic concepts and double pushout approach. In Rozenberg [15], pages 163–245.
3. H. Ehrig, R. Heckel, M. Korff, M. Löwe, L. Ribeiro, A. Wagner, and A. Corradini. Algebraic approaches to graph transformation, Part II: Single pushout approach and comparison with double pushout approach. In Rozenberg [15], pages 247–312.
4. H. Ehrig, M. Pfender, and H. J. Schneider. Graph grammars: an algebraic approach. In 14th Annual IEEE Symposium on Switching and Automata Theory, pages 167–180. IEEE, 1973.
5. F. Gadducci, R. Heckel, and M. Koch. Model checking graph-interpreted temporal formulas. In Prelim. Proc. 6th Int. Workshop on Theory and Application of Graph Transformation (TAGT'98), Paderborn, 1998.
6. The Object Management Group. OMG UML Specification, V. 1.3, 1999.
7. R. Heckel. Compositional verification of reactive systems specified by graph transformation. In Fundamental Approaches to Software Engineering, volume 1382 of LNCS, pages 138–153. Springer Verlag, 1998.
8. R. Heckel. Open Graph Transformation Systems: A New Approach to the Compositional Modelling of Concurrent and Reactive Systems. PhD thesis, TU Berlin, 1998.
9. R. Heckel, A. Corradini, H. Ehrig, and M. Löwe. Horizontal and vertical structuring of typed graph transformation systems. Math. Struct. in Comp. Science, 6(6):613–648, 1996. Also Tech. Rep. 96-22, TU Berlin.
10. R. Heckel, H. Ehrig, U. Wolter, and A. Corradini. Integrating the specification techniques of graph transformation and temporal logic. In Proc. Mathematical Foundations of Computer Science (MFCS'97), Bratislava, volume 1295 of LNCS, pages 219–228. Springer Verlag, 1997.
11. R. Heckel and A. Wagner. Ensuring consistency of conditional graph grammars – a constructive approach. Proc. of SEGRAGRA'95 "Graph Rewriting and Computation", Electronic Notes of TCS, 2, 1995. http://www.elsevier.nl/locate/entcs/volume2.html
12. M. Koch. Modellierung und Nachweis der Konsistenz von verteilten Transaktionsmodellen für Datenbanksysteme mit algebraischen Graphgrammatiken. Technical Report 96-36, TU Berlin, 1996. Master's thesis.
13. M. Koch. Integration of Graph Transformation and Temporal Logic for the Specification of Distributed Systems. PhD thesis, TU Berlin, 1999.
14. G. Rasmussen, B. Henderson-Sellers, and G. C. Low. An object-oriented analysis and design notation for distributed systems. Object Currents, 1(10), 1996.
15. G. Rozenberg, editor. Handbook of Graph Grammars and Computing by Graph Transformation, Volume 1: Foundations. World Scientific, 1997.
16. J. Rumbaugh, M. Blaha, W. Premerlani, E. Eddy, and W. Lorenson. Object-Oriented Modeling and Design. Prentice Hall International, 1991.
17. C. Stirling. Modal and temporal logics. In Background: Computational Structures, volume 2 of Handbook of Logic in Computer Science, pages 477–563. Clarendon Press, Oxford, 1992.
18. J. van Benthem. Correspondence theory. In D. Gabbay and F. Günther, editors, Handbook of Philosophical Logic, Vol. II, pages 167–248. Reidel, 1984.
19. A. Wagner. A Formal Object Specification Technique Using Rule-Based Transformation of Partial Algebras. PhD thesis, TU Berlin, 1997.