Rules for trace consistent reasoning

R. Ramanujam
The Institute of Mathematical Sciences, C.I.T. campus, Madras 600 113, India
[email protected]

ABSTRACT

Formulas of temporal logic which cannot distinguish between different interleavings of the same run are said to be trace consistent. So-called partial-order methods can be applied for verification of such formulas, since checking such a property over an equivalence class of runs reduces to checking it for one representative. In this paper, we present inference rules that typify this kind of reasoning. The rules lead us to a complete axiomatization of a linear time temporal logic, all formulas of which are trace consistent. The axiomatization is presented in a layered manner so that we can attempt to isolate the global reasoning required.

0 Introduction

In this paper, we study some aspects of local reasoning in the context of the Propositional Temporal Logic of Linear Time (PTL). Models for PTL are given by infinite runs (computations) of finite-state transition systems. For instance, the formula $\Box(p \supset \Diamond q)$ specifies the set of runs to be those such that every state along the run that satisfies the property $p$ is eventually followed by a state that satisfies $q$. This has crucial implications for model checking, where we wish to check that every run of a given system satisfies a given formula: for a formula as above, we need to check every path issuing out of a node satisfying $p$ and see if a node satisfying $q$ is reachable. The use of next-time operators in the formula can force this check along specific paths. Such a view of PTL presents the models of formulas merely as finitely generated infinite sequences. This hides the fact that the transition systems which generate these computations themselves often possess some structure, which could perhaps considerably cut down the paths to be checked. PTL is mainly used to reason about behaviours of distributed systems, and transition systems modelling distributed programs have the following structure:

- States of the system are given as tuples of local states. If there are $n$ processes in the system, a global state is an $n$-tuple of local states.
- A typical transition of the system is of the form $(q_1,\ldots,q_n) \xrightarrow{a} (r_1,\ldots,r_n)$, where $a$ is an action of the system. Suppose $\theta(a) \subseteq \{1,2,\ldots,n\}$ is the set of processes (components) in the system that participate in the action $a$. It is then the case that for all $j \notin \theta(a)$, $q_j = r_j$.

In addition, if the processes communicate only via synchronization rather than message passing, the following additional property holds as well:

- If $(q_1,\ldots,q_n) \xrightarrow{a} (r_1,\ldots,r_n) \xrightarrow{b} (s_1,\ldots,s_n)$, and $\theta(a) \cap \theta(b) = \emptyset$, then there exists a global state $(t_1,\ldots,t_n)$ such that $(q_1,\ldots,q_n) \xrightarrow{b} (t_1,\ldots,t_n) \xrightarrow{a} (s_1,\ldots,s_n)$.

We can now use this structure to reason as follows: whenever we are checking a property local to a specific process $i$, we can `skip' over transitions along any run in which $i$ is not taking part. For instance, in the formula $\Box(p \supset \Diamond q)$, suppose that the propositions $p$ and $q$ refer only to the local variables of process 1. Now consider the parallel program (intuitively) given by the expression $(ac)^\omega \parallel (bc)^\omega$, whose behaviour is given as a pair of transition systems, $s_0 \xrightarrow{a} s_1 \xrightarrow{c} s_0$ and $t_0 \xrightarrow{b} t_1 \xrightarrow{c} t_0$. Assume that $a$ is a local action of process 1, $b$ that of process 2, and $c$ a synchronization between them (perhaps the update of a shared variable). Clearly, there are infinitely many runs of the system starting at $(s_0, t_0)$. Examples are runs on the words $(abc)^\omega$, $(bac)^\omega$, $(abcbac)^\omega$, $(abc)^{100}(bac)^{50}(abc)^\omega$ etc. However, the formula being considered cannot distinguish between all these runs, which are all different interleavings of the run on the word $(abc)^\omega$. Any one of these runs satisfies this formula iff every one of them satisfies it. Thus checking the property on all runs reduces to checking it on any one of these runs. Based on this observation, many partial order methods have been developed for speeding up verification of PTL formulas ([V90], [KP92], [GW94]). In this approach, we define an equivalence relation on the set of runs so that to verify a property for an equivalence class of runs, it suffices to verify it for one run. However, this works only for those properties that are insensitive to interleavings, and it is only too easy to specify formulas in PTL which hold for some interleavings and not for others.

For instance, in the system above, consider the formula $\Box(c \supset \bigcirc a)$, where the proposition $x$ denotes that the next transition of the run at that state is on action $x$. This singles out two runs, on the words $(abc)(abc)^\omega$ and $(bac)(abc)^\omega$, among the equivalence class of runs referred to. For such formulas, the methods suggested above for pruning the state space do not apply. PTL formulas which cannot distinguish between different interleavings of the same run are called equivalence robust [P93], or trace consistent [T95]. Checking whether a given formula is trace consistent or not is decidable ([DGP95], [PWW96]), though of high complexity. In [R96c], we studied the alternative of considering stronger notions of satisfiability (and associated notions of validity) for PTL, where one asks whether there is an equivalence class of runs satisfying a formula, rather than a single such run. In this context, it is important to study trace consistent subsets of PTL, in which every formula, by choice, is trace consistent. When they can be identified syntactically, as done with increasingly larger subsets in [T95], [T94] and [R96a], the structure of temporal connectives reflects the trace consistent reasoning involved. [TW97] presents an expressively complete logic where every formula is trace consistent.

While the papers mentioned above study trace consistency principally from the viewpoint of PTL satisfiability and model checking, in this paper we take up the study from an axiomatic viewpoint. We believe that the insights gathered from deductive methods and model checking are both complementary and valuable. It has been argued that the major hopes for verification theory lie in combining deductive methods with model checking ([Ru96]). There is another motivation for the study of inference rules that involve trace consistent reasoning: they help us to isolate structurally those properties which we can reason about locally, componentwise in a distributed system, and those which must be analyzed globally. In this sense, this paper is a (modest) contribution to the theory of compositional reasoning about distributed systems.

For the study, we have chosen a simple model of distributed systems and a structurally straightforward subset of PTL, presented earlier in [R96a]. This choice of logical language and models has been made so that we can focus on the issues peculiar to local reasoning, which are already quite nontrivial. The global next-time modality is the major culprit in violation of trace consistency, and hence is replaced by a weaker, less global, next-time modality that preserves trace consistency. Otherwise, the logic is basically PTL for each agent and globally defined to be boolean combinations of located formulas: for instance $\alpha@i \wedge \beta@j$ (read $\alpha@i$ as: $\alpha$ holds at $i$).
The model is a distributed network consisting of a fixed finite number of sequential components that synchronize by performing common actions together. Each component is a finite state automaton, and when a common (``handshake'') action is performed, it is a `lock-step' transition involving several automata at once. This is a simple set-up, but axiomatizing the valid formulas is already quite non-trivial. The reason for this is that we cannot simply have an axiom system for each agent, namely that for PTL, and globally use the propositional calculus. When $a$ is a synchronization between 1 and 2, the formulas `the next action of agent 1 is $a$', and `$a$ is henceforth never enabled for agent 2' are by themselves satisfiable, but their conjunction is not. Such synchronization can in fact be seen as a local liveness property: if agent 1 needs to synchronize with 2, eventually both do so. This requires an induction principle for the logic, quite distinct from that required for eventuality. (Note that this is a kind of fairness property we reason about in the logic, as opposed to those which we assume externally.)

Consider the standard induction rule of linear time temporal logic, which asserts that the eventuality modality steps through the successor modality. This rule is crucial for obtaining a complete axiomatization.

(Ind) $\dfrac{\vdash \alpha \supset \bigcirc\alpha}{\vdash \alpha \supset \Box\alpha}$

To verify that a property holds at $s$ henceforth, it suffices to show that it is an invariant (preserved by every transition) at any state reachable from $s$. Now, this is the sort of reasoning we need to do on the global transition system of the distributed program, and we may expect that a rule of the above form, where instead of $\alpha$ we have a global invariant (maintained by global transitions) of the form $\bigwedge_k \alpha_k$, will do the job. However, the global $\bigcirc$ is crucially used in the premise above, and it is not as such available in trace consistent logics. This forms the central technical issue addressed in obtaining a complete axiomatization in this paper. On the other hand, a `local' version of the above rule, as given below, is sound, but too weak. The rule uses local premises, each saying that $\alpha_k$ is a local invariant, to conclude globally that their conjunction holds henceforth.

(Ind) $\dfrac{\vdash_k \alpha_k \supset \bigcirc\alpha_k \quad \text{(for each } k)}{\vdash (\bigwedge_k \alpha_k@k) \supset (\bigwedge_k (\Box\alpha_k)@k)}$

Suppose we are at a global state $(s_1,\ldots,s_n)$ of a distributed program, and wish to assert that a property, say $\alpha@i$, holds henceforth in $\Gamma$, the set of all global states of the program reachable from this state. The formula $\bigwedge_k \alpha_k@k$ might well be an invariant in $\Gamma$, but applying the rule requires that $\alpha_k@k$ be a local invariant for each $k$. But this is too strong a requirement, since there may be local states satisfying $\alpha_k@k$ from which a transition to a local state satisfying $\neg\alpha_k@k$ may well be possible, except that they never form part of global states in $\Gamma$. Therefore, we go for a weaker premise, which involves a next-time modality less expressive than the global $\bigcirc$, but defines next-instants for groups of agents that synchronize.

(Ind) $\dfrac{\vdash (\bigwedge_k \alpha_k@k) \supset \bigwedge_{a\in\Sigma} [a](\bigwedge_{i\in\theta(a)} \alpha_i@i)}{\vdash (\bigwedge_k \alpha_k@k) \supset (\bigwedge_k (\Box\alpha_k)@k)}$

In fact, we will work with a logic where even such a restricted modality is not available globally, but we will get the same effect by an appropriately strengthened local next-state modality. In [R96a], we have studied trace consistent logics with greater expressiveness than the one presented here, with present and past tense modalities. While we certainly need to study reasoning in these enriched logics, the basic difficulties in axiomatization are already present in the simpler logic studied here, so we content ourselves with it for this short presentation.

1 Preliminaries

We begin with the notion of a distributed alphabet. Fix a finite set of locations or agents $Loc = \{1,\ldots,n\}$, $n > 0$. A distributed alphabet is a tuple $\tilde\Sigma = (\Sigma_1,\ldots,\Sigma_n)$, where each $\Sigma_i$ is a finite nonempty set of actions of agent $i$. When an action $a$ is in $\Sigma_i \cap \Sigma_j$, $i \neq j$, we think of it as a synchronization between $i$ and $j$. Given a distributed alphabet $\tilde\Sigma$, we often speak of the set $\Sigma \stackrel{def}{=} \Sigma_1 \cup \ldots \cup \Sigma_n$ as the alphabet of the system. We also make implicit use of the associated function $\theta: \Sigma \to 2^{\{1,\ldots,n\}}$ defined by $\theta(a) \stackrel{def}{=} \{i \mid a \in \Sigma_i\}$. We will keep a fixed $n$ and a fixed distributed alphabet for the discussion from now on.

The frames for our logics are networks of $n$ transition systems over $\tilde\Sigma$. As usual, a transition system over a finite nonempty alphabet $\Sigma$ is a pair $T = (Q, \to)$, where $Q$ is a finite set of states and $\to \subseteq Q \times \Sigma \times Q$ is the transition relation. We write $q \xrightarrow{a} q'$ to mean that $(q, a, q') \in \to$. A (finite or infinite) run from $q_0 \in Q$ is a sequence of transitions of the system: $q_0 \xrightarrow{a_0} q_1 \xrightarrow{a_1} \cdots$. Let $R_T$ denote the set of runs of $T$.

Let $\tilde\Sigma = (\Sigma_1,\ldots,\Sigma_n)$ be a distributed alphabet. A system over $\tilde\Sigma$ is a tuple $T = (T_1,\ldots,T_n)$, where $T_i = (Q_i, \to_i)$ is a transition system over $\Sigma_i$, for $i \in Loc$. The product transition relation of the system $\to \subseteq (Q_1 \times \cdots \times Q_n) \times \Sigma \times (Q_1 \times \cdots \times Q_n)$ is defined as usual: $(q_1,\ldots,q_n) \xrightarrow{a} (q'_1,\ldots,q'_n)$ iff $\forall i \in \theta(a): q_i \xrightarrow{a}_i q'_i$, and $\forall j \notin \theta(a): q_j = q'_j$. We can use the product transitions to define the global runs of $T$, and the set of all global runs is denoted $R_T$. Given $\rho \in R_T$, we can speak of the $i$-projection of $\rho$, given by projecting $\rho$ down to the $i$th components of states and actions in $\Sigma_i$. (Essentially, erase all states not in $Q_i$, and all actions not in $\Sigma_i$.) It is easy to check that this gives us an element of $R_{T_i}$, and we will denote this by $\rho\lceil i$. Note that $\rho\lceil i$ can be finite even if $\rho$ is itself infinite. We can now define an equivalence relation $\sim$ on runs of $T$: $\rho \sim \rho'$ iff $\forall i$, $\rho\lceil i = \rho'\lceil i$. This equates different interleavings of the same run. We will denote the equivalence class of $\rho$ by $[\rho]$.

Below let $\rho$ be of the form $x_0 \xrightarrow{a_0} x_1 \xrightarrow{a_1} \cdots$ (finite or infinite). Similarly let $\rho' = y_0 \xrightarrow{b_0} y_1 \xrightarrow{b_1} \cdots$. By $\rho(0\ldots m)$, we denote the initial segment $x_0 \xrightarrow{a_0} x_1 \xrightarrow{a_1} \cdots x_m$. We use the notation $x_m[j]$ to denote the $j$th component (local state) of the $n$-tuple $x_m$ in the $m$th instant.

We now define some special functions describing the views of agents at different points of global time and relating different agents' views. The local clock functions $clock_{\rho,i}: \{0,1,\ldots\} \to \{0,1,\ldots\}$ are defined by: $clock_{\rho,i}(0) \stackrel{def}{=} 0$; $clock_{\rho,i}(k+1) \stackrel{def}{=} clock_{\rho,i}(k) + 1$ if $a_k \in \Sigma_i$, and $clock_{\rho,i}(k+1) \stackrel{def}{=} clock_{\rho,i}(k)$ otherwise. We will speak of global instants and $i$-local instants with the implicit assumption of their relationship as given by these functions.

Proposition 1.1 Suppose $\rho \sim \rho'$. If $clock_{\rho,i}(k) = clock_{\rho',i}(l)$, then we have $\rho(0\ldots k)\lceil i = \rho'(0\ldots l)\lceil i$.

Thus, at any local instant $m$ for agent $i$, the set $\{\rho'(0\ldots k) \mid \rho' \in [\rho],\ clock_{\rho',i}(k) = m\}$ represents the global $i$-view of the system.

While we have presented the programs here as obtained by products of transition systems, the framework applies equally well to the class of $n$-variable programs introduced in [R96c]. We can think of each agent as managing a group of program variables, and a synchronization as an update of a shared variable. Further, we can weaken the product assumption to consider systems which are defined by global transitions that respect the forward diamond condition referred to in the previous section. However, we keep the more restricted presentation for the sake of uniformity with [R96a], where the logic was originally introduced.
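As an added example (not code from the paper), the definitions of this section worked out on the two-agent system $(ac)^\omega \parallel (bc)^\omega$ of the introduction: product transitions, global runs on words, $i$-projections, the equivalence $\sim$, the clock functions, and a check of Proposition 1.1 on finite run prefixes. The state names and the run prefixes are constructed for the illustration.

```python
"""Section 1 worked out on the (ac)^w || (bc)^w system of the introduction:
product transitions, global runs on words, i-projections, the equivalence ~
on runs, the local clock functions and a check of Proposition 1.1.
Added example, not code from the paper; the run prefixes are constructed."""
from itertools import product

# Distributed alphabet: agent 1 owns a and c, agent 2 owns b and c, so c is a
# synchronization between them (theta(c) = {1, 2}).
SIGMA = {1: {"a", "c"}, 2: {"b", "c"}}
ALPHABET = sorted(set().union(*SIGMA.values()))      # Sigma = Sigma_1 u Sigma_2

# Local transition systems T_i = (Q_i, ->_i): s0 -a-> s1 -c-> s0 and t0 -b-> t1 -c-> t0
LOCAL = {1: {("s0", "a"): "s1", ("s1", "c"): "s0"},
         2: {("t0", "b"): "t1", ("t1", "c"): "t0"}}
START = ("s0", "t0")

def theta(a):
    """theta(a) = {i | a in Sigma_i}: the agents taking part in action a."""
    return frozenset(i for i in SIGMA if a in SIGMA[i])

def step(state, a):
    """Product transition: every agent in theta(a) moves on a, the others keep
    their local state. Returns the successor, or None if a is not enabled."""
    nxt = list(state)
    for i in theta(a):
        nq = LOCAL[i].get((state[i - 1], a))
        if nq is None:
            return None
        nxt[i - 1] = nq
    return tuple(nxt)

def run_on_word(start, word):
    """Global run x_0 -a_0-> x_1 ... -> x_m on a word; returns (states, actions)
    with one more state than actions, or raises if the word is not enabled."""
    states, actions = [start], []
    for a in word:
        nstate = step(states[-1], a)
        if nstate is None:
            raise ValueError(f"{a} is not enabled at {states[-1]}")
        states.append(nstate)
        actions.append(a)
    return states, actions

def prefix(run, k):
    """rho(0..k): the initial segment up to the k-th global state."""
    states, actions = run
    return states[:k + 1], actions[:k]

def projection(run, i):
    """rho|i: keep the i-th state component and only the actions in Sigma_i.
    The result is a run of T_i; it can be shorter than rho."""
    states, actions = run
    lstates, lactions = [states[0][i - 1]], []
    for k, a in enumerate(actions):
        if a in SIGMA[i]:
            lactions.append(a)
            lstates.append(states[k + 1][i - 1])
    return lstates, lactions

def equivalent(run1, run2):
    """rho ~ rho' iff rho|i = rho'|i for every agent i."""
    return all(projection(run1, i) == projection(run2, i) for i in SIGMA)

def clock(run, i):
    """[clock_{rho,i}(0), ..., clock_{rho,i}(m)]: the clock advances by one
    exactly at the instants k where a_k is in Sigma_i."""
    clocks = [0]
    for a in run[1]:
        clocks.append(clocks[-1] + (a in SIGMA[i]))
    return clocks

def proposition_1_1_holds(run1, run2, i):
    """For ~-equivalent runs: whenever clock_{rho,i}(k) == clock_{rho',i}(l),
    the i-projections of rho(0..k) and rho'(0..l) coincide."""
    c1, c2 = clock(run1, i), clock(run2, i)
    return all(projection(prefix(run1, k), i) == projection(prefix(run2, l), i)
               for k in range(len(c1)) for l in range(len(c2)) if c1[k] == c2[l])

def equivalence_classes(start, length):
    """Group all words of the given length that the product system can perform
    from start into ~-classes (lists of words)."""
    classes = []
    for w in product(ALPHABET, repeat=length):
        try:
            run = run_on_word(start, w)
        except ValueError:
            continue
        for cls in classes:
            if equivalent(run, run_on_word(start, cls[0])):
                cls.append("".join(w))
                break
        else:
            classes.append(["".join(w)])
    return classes

if __name__ == "__main__":
    for w in ("abcabc", "bacabc", "abcbac"):
        print(w, projection(run_on_word(START, w), 1), clock(run_on_word(START, w), 1))
    print(equivalence_classes(START, 6))   # one class: the 4 interleavings of (abc)(abc)
```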

2 The logics

2.1 The basic logic $L_0$

Let $P = (P_1,\ldots,P_n)$ be a tuple of countable sets of atomic propositions. We will speak of $p \in P_i$ as a proposition of agent $i$. We do not assume disjointness of $P_i$ and $P_j$ for distinct agents $i$ and $j$, as there can be common meaningful propositions. (``Has terminated'' is one such.) The $i$-formulas are defined as follows:

$\Phi_i ::= p \in P_i \mid \neg\alpha \mid \alpha \vee \beta \mid \langle a\rangle\alpha,\ a \in \Sigma_i \mid \alpha U \beta$

The global formulas are defined from these using boolean combinations. (We use the convention that $\alpha, \beta$ etc. denote local formulas, whereas $\phi, \phi'$ etc. are used for global formulas.)

$L_0 ::= \alpha@i,\ \alpha \in \Phi_i,\ i \in Loc \mid \neg\phi \mid \phi_1 \vee \phi_2$

Note that there are no modalities at the global level, and that formulas in $\Phi_i$ cannot refer to any other agent $j$ in the system. Further note that $L_0$ is parametrized by the distributed alphabet.

Typically linear time logics have an $\bigcirc$ modality rather than the action-indexed successor modality, as the successor state at any instant is unique in linear time models. Here, the main purpose of using $\langle a\rangle$ is to describe synchronizations. When we encounter a formula of the form $(\langle a\rangle\alpha)@1 \wedge (\langle a\rangle\beta)@2$, where $\{1, 2\} \subseteq \theta(a)$, we understand that there will be a future instant when $\alpha@1 \wedge \beta@2$ will hold.

A frame for the logic is a pair $F = (T, \rho)$, where $T = (T_1,\ldots,T_n)$ is a system over $\tilde\Sigma$ and $\rho \in R_T$ is an infinite run of system $T$. A model is a pair $M = (F, V)$, where $F$ is a frame, and $V = (V_1,\ldots,V_n)$, $V_i: Q_i \to 2^{P_i}$, give the local valuations. Given a model $M$, we define its $i$th projection to be the tuple $M_i = ((T_i, \rho\lceil i), V_i)$. We first define satisfaction of local formulas: $M_i, k \models_i \alpha$ denotes that the $i$-formula $\alpha$ is satisfied at (local) instant $k$ for agent $i$. Below let $\rho\lceil i = q_0 \xrightarrow{a_0} q_1 \xrightarrow{a_1} \cdots$.

- $M_i, k \models_i p$ iff $p \in V_i(q_k)$.
- $M_i, k \models_i \neg\alpha$ iff $M_i, k \not\models_i \alpha$.
- $M_i, k \models_i \alpha \vee \beta$ iff $M_i, k \models_i \alpha$ or $M_i, k \models_i \beta$.
- $M_i, k \models_i \langle a\rangle\alpha$ iff $q_{k+1}$ exists, $a_k = a$ and $M_i, k+1 \models_i \alpha$.
- $M_i, k \models_i \alpha U \beta$ iff $\exists m$ such that $k \le m$, $M_i, m \models_i \beta$ and for every $l$ with $k \le l < m$: $M_i, l \models_i \alpha$.

We now define the semantics of $L_0$ formulas. Since there are no global modalities, the formulas are not defined at every instant, but only at the initial state of the run.

- $M, 0 \models \alpha@i$ iff $M_i, 0 \models_i \alpha$.
- $M, 0 \models \neg\phi$ iff $M, 0 \not\models \phi$.
- $M, 0 \models \phi_1 \vee \phi_2$ iff $M, 0 \models \phi_1$ or $M, 0 \models \phi_2$.

As usual, we say that a formula $\phi$ is satisfiable if there exists a model $M$ such that $M, 0 \models \phi$. A formula is valid if and only if its negation is not satisfiable.

2.2 The logic $L_1$

$L_0$ is a very simple logic, but expressively weak. Specifically, the fact that agents in the system learn about others' states on synchronization is not reflected in $L_0$-formulas. Indeed, the whole purpose of synchronizing is to exchange information, and hence we should be able to utilize this in reasoning. Below we propose an extension, where agents can ``see'' the local states of their partners in synchronization at the time they synchronize. Of course, this also means that they can see the other's future at that instant, and hence this gives a good deal of expressive power. Formally, the logic $L_1$ is defined as follows:

$\Phi_i ::= p \in P_i \mid \neg\alpha \mid \alpha \vee \beta \mid \langle a\rangle\phi,\ a \in \Sigma_i,\ AV(\phi) \subseteq \theta(a) \mid \alpha U \beta$

$L_1 ::= \alpha@i,\ \alpha \in \Phi_i,\ i \in Loc \mid \neg\phi \mid \phi_1 \vee \phi_2$

$AV(\phi)$, the agent vocabulary of $\phi$, is the set of agents mentioned in $\phi$, and is inductively defined in the obvious manner: $AV(\alpha@i) \stackrel{def}{=} \{i\}$; $AV(\neg\phi) \stackrel{def}{=} AV(\phi)$; $AV(\phi_1 \vee \phi_2) \stackrel{def}{=} AV(\phi_1) \cup AV(\phi_2)$.

The semantics needs to be suitably changed. Below we give only those parts of the definition that require change. Fix a model $M = (F, V)$, where $F = (T, \rho)$ and $\rho = x_0 \xrightarrow{a_0} x_1 \cdots$.

- $M_i, k \models_i \langle a\rangle\phi$ iff $\exists l$: $clock_i(l) = k$, $clock_i(l+1) = k+1$, $a_l = a$ and $M, l+1 \models \phi$.

Note that the expression $\exists l$ in the definition can be replaced by `$\exists$ a unique $l$'; this means that the formula $\langle a\rangle\phi$ implies its dual formula $[a]\phi$, as we would expect in linear time temporal logics.

- $M, k \models \alpha@i$ iff $M_i, clock_i(k) \models_i \alpha$.
- $M, k \models \neg\phi$ iff $M, k \not\models \phi$.
- $M, k \models \phi_1 \vee \phi_2$ iff $M, k \models \phi_1$ or $M, k \models \phi_2$.

In $L_1$, we not only have both local and global formulas in the syntax, but local formulas can refer to global formulas as well. Therefore, to avoid confusion, the reader is requested to note the following Notational Conventions: We will use $\alpha, \beta$ etc. to refer to local formulas and $\phi, \phi'$ etc. to denote global formulas. Let $a \in \Sigma_i$, and $\phi$ be a global formula. Then $\langle a\rangle\phi$ is an $i$-formula, and $(\langle a\rangle\phi)@i$ is a global formula, which we often abbreviate as $\langle a\rangle_i\phi$. We use $\bigcirc\phi$ to denote the $i$-formula $\bigvee_{a\in\Sigma_i}\langle a\rangle\phi$.

The $i$-formula $True_i$ is defined to be $p_0 \vee \neg p_0$, where $p_0$ is a fixed propositional letter in $P_i$. Now $True_i@i$ is a global formula. Let $a \in \Sigma$. The abbreviation $en_i(a)$ is used to denote the $i$-formula $\langle a\rangle(True_i@i)$. We further use the abbreviation $en_G(a)$ to denote the global formula $\bigwedge_{j\in\theta(a)}(en_j(a)@j)$. Note that $True_i@i$ is a valid formula, and that $en_i(a)$ asserts that the action $a$ is enabled locally. The stronger assertion $en_G(a)$ says that $a$ is enabled at the global state where it is asserted. We also define $dis_G(a) \stackrel{def}{=} \neg en_G(a)$, and $dis_i(a) \stackrel{def}{=} \neg en_i(a)$, to refer to disabled actions globally and locally. Derived connectives and dual modalities ($\wedge$, $\supset$, $[a]$, $\Diamond$, $\Box$) are standard.

Note that global dependencies can be expressed nicely in this logic. For instance, suppose the distributed alphabet $\tilde\Sigma$ is such that $a \in \Sigma_1 \cap \Sigma_2$, $b \in \Sigma_2 \cap \Sigma_3$, $c \in \Sigma_3 \cap \Sigma_4$ and $p \in P_4$. Then a formula like $\langle a\rangle_1\langle b\rangle_2\langle c\rangle_3\, p@4$ describes a sequence of dependent communications. In this manner one can `walk down' the global run as in TrPTL [T94]. The following propositions will be useful later on. The latter asserts that every formula of the logic $L_1$ is trace consistent.

Proposition 2.1 Let $k \ge 0$ and $i \in \theta(a)$ such that $M, k \models (\langle a\rangle\phi)@i$. Let $m$ be the least instant such that $m \ge k$ and $a_m = a$. Then $M, m+1 \models \phi$.

Proposition 2.2 Consider models $M = (T, \rho, V)$ and $M' = (T, \rho', V)$, where $\rho \sim \rho' \in R_T$. For any formula $\phi$ of $L_1$, $M, 0 \models \phi$ iff $M', 0 \models \phi$.
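The $L_1$ semantics above, as an added example that is not code from the paper: an evaluator for $L_1$ formulas over ultimately periodic runs of the introduction's system, used to check Proposition 2.2 on the interleavings $(abc)^\omega$ and $(bac)^\omega$. The tuple encoding of formulas, the two runs and the valuations are assumptions made for the illustration.

```python
"""Semantics of L1 (Section 2.2) on ultimately periodic runs of the (ac)^w || (bc)^w
system of the introduction, illustrating Proposition 2.2: ~-equivalent interleavings
satisfy the same L1 formulas.  Added example, not code from the paper; runs and
valuations are constructed.  Formulas are nested tuples:
  local:  ("p", name) | ("not", A) | ("or", A, B) | ("next", a, PHI) | ("until", A, B)
  global: ("at", A, i) | ("not", PHI) | ("or", PHI, PSI)
where ("next", a, PHI) is <a>PHI with PHI a global formula."""
from collections import namedtuple

SIGMA = {1: {"a", "c"}, 2: {"b", "c"}}      # theta(c) = {1, 2}
Model = namedtuple("Model", "run V")        # V[i][local state] = set of propositions

class Run:
    """x_0 -a_0-> x_1 ... as a prefix plus a loop: instant k >= n is read at
    loop + (k - loop) mod (n - loop)."""
    def __init__(self, states, actions, loop):
        assert len(states) == len(actions) > loop >= 0
        self.states, self.actions, self.loop, self.n = states, actions, loop, len(actions)
    def _idx(self, k):
        return k if k < self.n else self.loop + (k - self.loop) % (self.n - self.loop)
    def state(self, k):
        return self.states[self._idx(k)]
    def action(self, k):
        return self.actions[self._idx(k)]
    def clock(self, i, k):
        """clock_{rho,i}(k): number of Sigma_i actions among a_0 .. a_{k-1}."""
        return sum(self.action(l) in SIGMA[i] for l in range(k))
    def global_instant(self, i, k):
        """Least global l with clock_i(l) == k, i.e. where agent i's k-th local
        state begins; None when rho|i is finite and has no k-th state."""
        moves_again = any(a in SIGMA[i] for a in self.actions[self.loop:])
        l, c = 0, 0
        while c < k:
            if l >= self.n and not moves_again:
                return None
            c += self.action(l) in SIGMA[i]
            l += 1
        return l

def lsat(M, i, k, alpha):
    """M_i, k |=_i alpha, for an existing local instant k of agent i."""
    r, tag = M.run, alpha[0]
    if tag == "p":
        return alpha[1] in M.V[i][r.state(r.global_instant(i, k))[i - 1]]
    if tag == "not":
        return not lsat(M, i, k, alpha[1])
    if tag == "or":
        return lsat(M, i, k, alpha[1]) or lsat(M, i, k, alpha[2])
    if tag == "next":   # the unique l with clock_i(l)=k, clock_i(l+1)=k+1 is nxt-1
        nxt = r.global_instant(i, k + 1)
        return nxt is not None and r.action(nxt - 1) == alpha[1] and gsat(M, nxt, alpha[2])
    if tag == "until":  # periodicity: a least witness m lies within one prefix+loop window
        start, m = r.global_instant(i, k), k
        while True:
            g = r.global_instant(i, m)
            if g is None or g >= start + r.n + (r.n - r.loop):
                return False
            if lsat(M, i, m, alpha[2]):
                return True
            if not lsat(M, i, m, alpha[1]):
                return False
            m += 1
    raise ValueError(f"bad local formula {alpha!r}")

def gsat(M, k, phi):
    """M, k |= phi: alpha@i is read at agent i's local instant clock_i(k)."""
    tag = phi[0]
    if tag == "at":
        return lsat(M, phi[2], M.run.clock(phi[2], k), phi[1])
    if tag == "not":
        return not gsat(M, k, phi[1])
    if tag == "or":
        return gsat(M, k, phi[1]) or gsat(M, k, phi[2])
    raise ValueError(f"bad global formula {phi!r}")

# Abbreviations of the paper: True_i, en_i(a) = <a>(True_i@i), en_G(a) = /\_j en_j(a)@j.
TRUE = ("or", ("p", "p"), ("not", ("p", "p")))
def conj(phi, psi):
    return ("not", ("or", ("not", phi), ("not", psi)))
def en(i, a):
    return ("next", a, ("at", TRUE, i))
def en_G(a):
    parts = [("at", en(j, a), j) for j in SIGMA if a in SIGMA[j]]
    phi = parts[0]
    for part in parts[1:]:
        phi = conj(phi, part)
    return phi

# Constructed runs (abc)^w and (bac)^w of the product system, with valuations.
V = {1: {"s0": {"p"}, "s1": {"q"}}, 2: {"t0": {"r"}, "t1": set()}}
M_ABC = Model(Run([("s0", "t0"), ("s1", "t0"), ("s1", "t1")], ["a", "b", "c"], 0), V)
M_BAC = Model(Run([("s0", "t0"), ("s0", "t1"), ("s1", "t1")], ["b", "a", "c"], 0), V)
# (p U <c>(r@2))@1: agent 1 sees p until its next action is c, after which agent 2 has r.
PHI = ("at", ("until", ("p", "p"), ("next", "c", ("at", ("p", "r"), 2))), 1)

def agree_on(phi):
    """Proposition 2.2 on the two interleavings: the same truth value at instant 0."""
    return gsat(M_ABC, 0, phi) == gsat(M_BAC, 0, phi)
```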

3 Axiom system for $L_1$

We present the axiomatization only for the more expressive logic. The system is presented in a layered manner. We have one axiom system $Ax_i$ for each agent $i$ in the system, and in addition a global system $Ax_g$ to reason about synchronization. We use the notation $\vdash_i \alpha$ to mean that the formula $\alpha \in \Phi_i$ is a theorem of system $Ax_i$. Similarly, $\vdash \phi$ means that $\phi$ is a theorem of the global system $Ax_g$. Both the systems use the theorems of each other recursively, and we refer to the combined system as $AX$.

$Ax_i$, the axiom schemes for agent $i$:

(A0$_i$) All the substitutional instances of the tautologies of PC
(A1$_i$) $[a](\phi_1 \supset \phi_2) \supset ([a]\phi_1 \supset [a]\phi_2)$
(A2$_i$) $en_i(a) \supset dis_i(b)$ $(a \neq b)$
(A3$_i$) $\langle a\rangle\phi \supset [a]\phi$
(A4$_i$) $\alpha U \beta \equiv \beta \vee (\alpha \wedge \bigcirc((\alpha U \beta)@i))$

Inference rules:

(MP$_i$) $\dfrac{\alpha,\ \alpha \supset \beta}{\beta}$ (NG$_i$) $\dfrac{\vdash \phi,\ AV(\phi) \subseteq \theta(a),\ a \in \Sigma_i}{\vdash_i [a]\phi}$

Before we proceed to present the global axiom system, some remarks are in order. As mentioned in Section 0, for eventuality, we need induction rules that step through the more expressive next-time modality in L1 . Moreover, when we are at a global state where agent i is waiting for a synchronization with agent j , eventually such a synchronization must occur, and this again necessitates a form of induction. Such rules add to the complexity of reasoning in the logic.

$Ax_g$, global axiom schemes:

(B0) $(\neg\alpha)@i \equiv \neg\alpha@i$
(B1) $(\alpha \vee \beta)@i \equiv (\alpha@i \vee \beta@i)$
(B2) $\bigvee_{a\in\Sigma} en_G(a)$
(B3) $en_G(a) \supset (([a]\phi)@i \equiv \bigwedge_{j\in\theta(a)} ([a]\phi)@j)$, $a \in \Sigma_i$

Inference rules:

(MP) $\dfrac{\phi,\ \phi \supset \psi}{\psi}$ (GG) $\dfrac{\vdash_i \alpha}{\vdash \alpha@i}$

(GM) [the statement of this rule is not legible in this copy of the paper; its content is described below]

Below let $\psi$ be of the form $\bigwedge_k \alpha_k@k$; let $\psi_b$ denote $\bigwedge_{j\in\theta(b)} \alpha_j@j$.

(Sy) $\dfrac{\psi \supset dis_G(a),\ a \in \Sigma_i \qquad \psi \wedge en_G(b) \supset ([b]\psi_b)@k,\ b \in \Sigma_k \setminus \Sigma_i}{\psi \supset dis_i(a)@i}$

(Ev) $\dfrac{\psi \supset \alpha@i \qquad \psi \wedge en_G(b) \supset ([b]\psi_b)@k,\ b \in \Sigma_k}{\psi \supset (\Box\alpha)@i}$

Note that we do not have an analog of (A0) in $Ax_g$ to derive tautologies, but ``@-versions'' of tautologies can be got as follows: for instance consider $p \supset \neg\neg p$, $p \in P_i$. This is a theorem of $Ax_i$, and hence by rule (GG), $(p \supset \neg\neg p)@i$ is derived. Now we use (B0) and (B1) to derive $(p@i \supset (\neg\neg p)@i)$. (B2) asserts that models are infinite runs of the system. (B3) says that at any global state when $a$ is enabled (all the synchronizing agents being ready to perform $a$ together), they must all agree on the global state resulting after the synchronization. The soundness of this axiom directly follows from Proposition 2.1.

The rule (GM) describes joint moves in the system. In particular, when an $a$-move is made, this leaves the states of agents outside $\theta(a)$ unchanged, and this is stated in (GM). This rule typifies the pattern of reasoning in a ``true concurrency'' based logic. Note that the validity of the premise $\psi \supset dis_G(a)$ in rule (Sy) cannot by itself give the conclusion $\psi \supset dis_i(a)@i$, despite such an appearance. The premise merely states that in all $\psi$-states, some one of the agents in $\theta(a)$ is unwilling to do an $a$, whereas the latter is an assertion that at $\psi$-states, the specific agent $i \in \theta(a)$ cannot decide on doing $a$, and hence implies that at $\psi$-states, no agent in $\theta(a)$ may commit to $a$ as its next action. This does require the extra premise leading to an induction argument.

Theorem 3.1 The combined system $AX$ provides a sound and complete axiomatization of the valid formulas of $L_1$.

The axioms are easily seen to be sound. Among the rules, checking that (Sy) preserves validity is worth remarking on. (Soundness of (Ev) follows similarly.) Assume $\psi$ such that the premises of (Sy) are valid, but not the conclusion. Then there exists a model $M$ based on a run $\rho = x_0 \xrightarrow{a_0} x_1 \xrightarrow{a_1} \cdots$ such that $M, 0 \models \psi \wedge en_i(a)@i$. By the semantics of the $\langle a\rangle$ modality, there exists $k$ such that $clock_i(k) = clock_i(0)$, $a_k = a$, and for all $l$ such that $0 \le l < k$, $a_l \notin \Sigma_i$. Thus $M, k \models en_G(a)$. Note that $M, 0 \models \psi$ and $\psi$ is of the form $\bigwedge_j \alpha_j@j$. By the semantics of @-formulas, for every $j \notin \theta(a_0)$, $M, 1 \models \alpha_j@j$ as well. Now consider $j \in \theta(a_0)$. $M, 0 \models en_G(a_0)$ and by the validity of the premise, $M, 0 \models ([a_0]\psi_{a_0})@j$. But then, by Proposition 2.1, $M, 1 \models \psi_{a_0}$ and hence $M, 1 \models \alpha_j@j$. Thus, we have shown that $M, 1 \models \psi$. Proceeding this way, we get $M, k \models \psi$, and by validity of the premise, $M, k \models dis_G(a)$, contradicting the fact that $M, k \models en_G(a)$.

The crucial use of the enriched $L_1$ modality in the rules (Sy) and (Ev) should be noted. The formula $[b]\psi_b$ above is much stronger than the $L_0$ formula $\bigwedge_{j\in\theta(b)} ([b]\alpha_j)@j$. The latter form would also give a sound rule, but proves too weak to give completeness. With an infinitary version of the (Sy)-scheme, not in the sense of having infinitely many premises, but in parametrizing the rule by a number $m$ (thus yielding one scheme for each $m$), we can obtain an axiomatization of $L_0$-valid formulas. Details can be found in [R96b].

4 Completeness

For technical convenience, assume that $\Phi_i$ is enriched with $\bigcirc\alpha$, $\alpha \in \Phi_i$, where $\bigcirc\alpha$ is semantically equivalent to $\bigvee_{a\in\Sigma_i}\langle a\rangle\alpha@i$. Further assume that we have $en_i(a) \in \Phi_i$ for $a \in \Sigma_i$, and $en_G(a) \in L_1$, for $a \in \Sigma$, with $Voc(en_G(a)) = \theta(a)$. We can define, for any $L_1$-formula $\phi$ and any $\alpha \in \Phi_i$, the sets of their subformulas $CL(\phi)$ and $CL_i(\alpha)$ by simultaneous induction in such a way that:

- $\phi \in CL(\phi)$ and $\alpha \in CL_i(\alpha)$.
- if $\alpha@i \in CL(\phi)$ then $\{\beta@i \mid \beta \in CL_i(\alpha)\} \subseteq CL(\phi)$.
- if $(\langle a\rangle\phi')@i \in CL(\phi)$ then $CL(\phi') \subseteq CL(\phi)$ and $\forall j \in \theta(a)$, $en_j(a)@j \in CL(\phi)$.
- if $\langle a\rangle\phi' \in CL_i(\alpha)$ then $\{\langle a\rangle\beta@i \mid \beta@i \in CL(\phi')\} \subseteq CL_i(\alpha)$.
- if $\phi' \in CL(\phi)$ then $\neg\phi' \in CL(\phi)$; a similar condition holds for $CL_i(\alpha)$, and here $\neg\neg$ is treated as identity.
- if $\phi_1 \vee \phi_2 \in CL(\phi)$ then $\phi_1, \phi_2 \in CL(\phi)$.
- if $\beta_1 \vee \beta_2 \in CL_i(\alpha)$ then $\beta_1, \beta_2 \in CL_i(\alpha)$.
- if $\beta_1 U \beta_2 \in CL_i(\alpha)$ then $\beta_1, \beta_2, \bigcirc(\beta_1 U \beta_2) \in CL_i(\alpha)$.

It can be checked that $CL(\phi)$ is linear in the size of $\phi$. Fix a formula $\phi_0 \in L_1$. We will refer to $CL(\phi_0)$ simply as $CL$. By $CL_i$, we refer to the union of sets $CL_i(\alpha)$, where $\alpha@i \in CL$. Let $X \subseteq CL$. By $X\lceil i$, we refer to the subset $\{\alpha \mid \alpha@i \in X\}$ of $CL_i$.

Call $A \subseteq CL_i$ an $i$-atom iff it is propositionally consistent, and satisfies the conditions:

- if both $en_i(a)$ and $en_i(b)$ are in $A$, then $a = b$.
- $\alpha U \beta \in A$ iff ($\beta \in A$ or both $\alpha$ and $\bigcirc(\alpha U \beta)$ are in $A$).

Call $X \subseteq CL$ an atom if and only if it is propositionally consistent, and:

- $en_G(a) \in X$ iff for every $i \in \theta(a)$, $en_i(a)@i \in X$.
- for every $i$, $X\lceil i$ is an $i$-atom.

Let $AT$ denote the set of all atoms and $AT_i$ denote the set of $i$-atoms. For $X, Y \in AT$, define $X \stackrel{a}{\Rightarrow}_0 Y$ iff for every $i \in \theta(a)$, the following conditions hold: for every $\langle a\rangle\phi$ in $CL_i$, $(\langle a\rangle\phi)@i \in X$ iff $\phi \in Y$, and for every $\bigcirc\alpha$ in $CL_i$, $(\bigcirc\alpha)@i \in X$ iff $\alpha@i \in Y$, and for every $j \notin \theta(a)$, $X\lceil j = Y\lceil j$. This induces a relation on $i$-atoms: $A \stackrel{a}{\to}_i B$ iff there exist atoms $X$ and $Y$ such that $X \stackrel{a}{\Rightarrow}_0 Y$, $X\lceil i = A$ and $Y\lceil i = B$. We also say $a \in \Sigma$ is enabled at $X$ if $en_G(a) \in X$.

Let $G \subseteq AT$ and $\Rightarrow \subseteq \Rightarrow_0$. Call the graph $(G, \Rightarrow)$ a pseudo-model for $\phi_0$, if the following conditions hold:

1. There exists $X \in G$ such that $\phi_0 \in X$.
2. Every $X \in G$ has a successor in $G$.
3. Consider $X \in G$ and $a \in \Sigma$ such that $en_G(a) \in X$. Then there exists $Y \in G$ such that $X \stackrel{a}{\Rightarrow} Y$.
4. Consider $X \in G$ and $a \in \Sigma$ such that for some $i \in \theta(a)$, $en_i(a) \in X\lceil i$. Then there exists a sequence $X = X_0 \stackrel{b_0}{\Rightarrow} X_1 \cdots \stackrel{b_{k-1}}{\Rightarrow} X_k \stackrel{a}{\Rightarrow} Y$, $k \ge 0$.
5. Consider $X \in G$ such that for some $i$, $(\alpha U \beta)@i \in X$. Then there exists a sequence $X = X_0 \stackrel{b_0}{\Rightarrow} X_1 \cdots \stackrel{b_{k-1}}{\Rightarrow} X_k$, $k \ge 0$, such that $\beta@i \in X_k$.

Lemma 4.1 If $\phi_0$ is $AX$-consistent, then there exists a pseudo-model for $\phi_0$ in $(AT, \Rightarrow_0)$.

Suppose the lemma holds. Then we can use the pseudo-model $(G, \Rightarrow)$ to construct an infinite atom-run $X_0 \stackrel{a_0}{\Rightarrow} X_1 \stackrel{a_1}{\Rightarrow} \cdots$ which has the following properties: $\phi_0 \in X_0$; whenever there exists $en_i(a) \in X_k\lceil i$ there exists an $l \ge k$ such that $l$ is the next index after $k$ with $a = a_l$; whenever there exists $(\alpha U \beta)@i \in X_k$ there exists an $l \ge k$ such that $\beta@i \in X_l$ and for all $k \le j < l$, $\alpha@i \in X_j$. Now consider $Q_i = \{X\lceil i \mid X$ occurs in the constructed infinite run$\}$. $Q_i \subseteq AT_i$. Consider the system defined by $T \stackrel{def}{=} (T_1,\ldots,T_n)$, where $T_i = (Q_i, \to_i \cap (Q_i \times \Sigma_i \times Q_i))$. Clearly, $R_T$ contains a run $\rho = Y_0 \xrightarrow{a_0} Y_1 \xrightarrow{a_1} \cdots$, where $Y_j = (X_j\lceil 1, \ldots, X_j\lceil n)$. Consider the model $M \stackrel{def}{=} ((T, \rho), V)$, where for $A \in Q_i$, $V_i(A) = A \cap P_i$. We can then show by (double) induction that for every $k$ and for every $\phi \in CL$, $M, k \models \phi$ if and only if $\phi \in X_k$. But then, since $\phi_0 \in X_0$, we get $M, 0 \models \phi_0$, and we have a model for the consistent formula $\phi_0$ and completeness of $AX$ is proved.

We now run through the proof of the lemma. Fix $\phi_0$, a consistent formula. Consider $G \stackrel{def}{=} \{X \in AT \mid X$ is a maximal $AX$-consistent subset of $CL\}$. For any finite set of formulas $Z$, $\hat Z$ denotes the conjunction of all formulas in $Z$. For $X \in G$, let $\hat X^i$ denote the conjunction of formulas in the $i$-atom $X\lceil i$. Clearly, because of rule (GG), $X\lceil i$ is a maximal $Ax_i$-consistent subset of $CL_i$. Further, for $X \in G$, let $\hat X$ denote the conjunction $\bigwedge_k \hat X^k@k$, and for $a \in \Sigma$, $X \in G$, let $\hat X^a$ denote $\bigwedge_{i\in\theta(a)} \hat X^i@i$. We see, thanks to axioms (B0) and (B1), that $\vdash \hat X \supset \hat X^a$. For $X, Y \in G$ define $X \stackrel{a}{\Rightarrow} Y$ iff $\hat X \wedge \bigwedge_{i\in\theta(a)} (\langle a\rangle\hat Y^a)@i$ is consistent and for every $j \notin \theta(a)$, $X\lceil j = Y\lceil j$. It is easy to check that every $X \in G$ is indeed an atom and that $\Rightarrow \subseteq \Rightarrow_0$. The claim is that $H = (G, \Rightarrow)$ is a pseudo-model for $\phi_0$.

The first two conditions for $H$ being a pseudo-model for $\phi_0$ are easily seen to be satisfied. $\phi_0$ being a consistent formula and in $CL$, there exists a maximal consistent subset of $CL$ containing $\phi_0$. If we prove the third condition, the second one follows from global axiom (B2). Suppose there exists $X \in G$ and $a \in \Sigma$ such that $a$ is enabled in $X$. Working within $Ax_i$, we can derive $i$-theorems of the form $\hat X^i \supset \langle a\rangle\hat\Gamma_i$, where $\Gamma_i$ is a non-empty subset of $G$, and $\hat\Gamma_i$ denotes the disjunction of $\hat Y^a$, $Y \in \Gamma_i$. We can then show that $\bigwedge_{i\in\theta(a)} (\langle a\rangle\hat\Gamma_i)@i \wedge \bigwedge_{j\notin\theta(a)} \hat X^j@j$ is consistent. By rule (GM), we can show that there exists $Y$ such that $\bigwedge_{i\in\theta(a)} \hat Y^i@i \wedge \bigwedge_{j\notin\theta(a)} \hat X^j@j$ is consistent. Now the union of $i$-formulas from $Y$, $i \in \theta(a)$, and $j$-formulas from $X$, $j \notin \theta(a)$, has been shown to be consistent and is a subset of $CL$. Hence there exists $Z \in G$ containing this subset, and by definition $X \stackrel{a}{\Rightarrow} Z$, as required.

To prove condition 4 above, suppose $X \in G$ and $en_i(a) \in X\lceil i$ for some $i$. Form the least subset $\Gamma$ of $G$ such that $X \in \Gamma$, and if $X_1 \in \Gamma$ and there exists a path in $(G, \Rightarrow)$ from $X_1$ to some $X_2$ which involves no action in $\Sigma_i$, then $X_2 \in \Gamma$. If there exists $Z \in \Gamma$ such that $a$ is enabled in $Z$, we are done. We claim that this is indeed the case, by showing a contradiction otherwise.

Define $\psi \stackrel{def}{=} \bigwedge_k \hat Y_k@k$, where $\hat Y_k = \bigvee_{Z\in\Gamma} \hat Z^k$. By assumption and condition (3) for pseudo-models, for every $Z \in \Gamma$, we have $\vdash \hat Z \supset dis_G(a)$, and hence $\vdash \psi \supset dis_G(a)$. Suppose we can show that for each $k$ and $b \in \Sigma_k \setminus \Sigma_i$, the following formula is a theorem: $\vdash \psi \wedge en_G(b) \supset ([b]\psi_b)@k$. Then we get from rule (Sy) and the fact that $X \in \Gamma$ that $\hat X \supset dis_i(a)@i$, which contradicts the assumption that $en_i(a) \in X\lceil i$. Now, suppose that the above formula is not a theorem for some $k$ and $b \in \Sigma_k \setminus \Sigma_i$. Then $\psi \wedge en_G(b) \wedge (\langle b\rangle\neg\psi_b)@k$ is consistent. If $\hat\Gamma$ denotes the disjunction of all atoms in $\Gamma$, we have $\vdash \hat\Gamma \equiv \psi$, and hence we find that for some $Z \in \Gamma$, $\hat Z \wedge en_G(b) \wedge (\langle b\rangle\neg\psi_b)@k$ is consistent. From this we can conclude that $b$ is enabled in $Z$, and (using rule GM) that there is a $b$-successor of $Z$ which is consistent with $\bigvee_{j\in\theta(b)} \neg\hat Y_j@j$. But then this $b$-successor of $Z$ must be an atom outside $\Gamma$. We thus have an atom $Z'$ such that $Z \stackrel{b}{\Rightarrow} Z'$ where $Z' \notin \Gamma$. But then $Z \in \Gamma$, there is a (one-step) path from $Z$ to $Z'$ using $b \notin \Sigma_i$, and $Z' \notin \Gamma$, clearly contradicting the closure condition on $\Gamma$. The proof that condition (5) holds is similar. This completes the proof of the lemma and establishes the completeness theorem for $AX$.

5 System Validity

The axiom system presented here is meant for establishing pure logical validities, in the sense that theorems are formulas valid in all runs of all systems. This is of theoretical interest, whereas in practice we are more interested in system validity, where we are concerned with formulas satisfied by all runs of a given system. We now show that the presented system $AX$ is sound for system validity as well.

Let $\widetilde{\Sigma} = (\Sigma_1, \ldots, \Sigma_n)$ be a distributed alphabet. By abuse of notation, we say a system over $\widetilde{\Sigma}$ is a pair $S = (T, V)$, where $T = (T_1, \ldots, T_n)$, $T_i = (Q_i, \rightarrow_i)$ is a transition system over $\Sigma_i$, and $V = (V_1, \ldots, V_n)$, $V_i : Q_i \rightarrow 2^P$, gives the local valuations. Let $R_T$ denote the set of all infinite runs of $T$. For an $L_1$ formula $\alpha$, we say $S \models \alpha$ iff for every $\rho \in R_T$, $M, 0 \models \alpha$, where $M = (T, \rho, V)$ is the associated model. Such a formula is said to be $S$-valid. For an $i$-formula, we write $S \models_i$ for it iff $S \models$ holds of the $L_1$ formula obtained by tagging it with $@i$. Such an $i$-formula is said to be $S_i$-valid.
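The objects just defined (a system as a product of local transition systems over a distributed alphabet, its runs, and the agent-local views on which $i$-formulas are interpreted), together with the step of commuting an enabled action to the front of a run that the proof of Theorem 5.1 relies on for rule GM, are illustrated by the following added example in Python. It is not code from the paper: the two-agent distributed alphabet, the local transition systems and the action names are constructed here for illustration, and `LOC`, `enabled`, `step`, `projection` and `local_view` are this example's own names for the paper's $\mathrm{loc}(a)$, $\mathit{en}_G(a)$, the product transition relation, and the projections on which equivalence of runs and $i$-formulas depend.

```python
# Added example (not from the paper): a product of local transition systems over a
# distributed alphabet, its runs, agent-local views, and the step of commuting an
# enabled action to the front of a run. All names and data below are constructed.

# Constructed distributed alphabet: agents 1 and 2. 'a' is local to agent 1,
# 'c' is local to agent 2, 's' is a synchronisation action shared by both.
AGENTS = (1, 2)
LOC = {"a": {1}, "c": {2}, "s": {1, 2}}   # loc(x): the agents taking part in x

# Constructed local transition systems T_i = (Q_i, ->_i), as (state, action) -> state.
LOCAL_TRANS = {
    1: {("p0", "a"): "p1", ("p1", "s"): "p0"},
    2: {("q0", "c"): "q1", ("q1", "s"): "q0"},
}


def independent(x, y):
    """Two actions are independent iff no agent takes part in both of them."""
    return LOC[x].isdisjoint(LOC[y])


def enabled(state, x):
    """x is globally enabled iff every agent in loc(x) can perform it locally."""
    return all((state[i], x) in LOCAL_TRANS[i] for i in LOC[x])


def step(state, x):
    """Fire x in the product: agents in loc(x) move, all other agents keep their state."""
    if not enabled(state, x):
        raise ValueError(f"{x} is not enabled in {state}")
    return {i: LOCAL_TRANS[i][(state[i], x)] if i in LOC[x] else state[i]
            for i in AGENTS}


def run_states(init, word):
    """Global states x_0, x_1, ... reached by firing word from init (fails if word is not a run)."""
    states = [dict(init)]
    for x in word:
        states.append(step(states[-1], x))
    return states


def projection(word, i):
    """Agent i's view of the action sequence: only the actions it takes part in."""
    return tuple(x for x in word if i in LOC[x])


def trace_equivalent(w1, w2):
    """Two finite runs are equivalent (same Mazurkiewicz trace) iff all their projections agree."""
    return all(projection(w1, i) == projection(w2, i) for i in AGENTS)


def local_view(init, word, i):
    """Agent i's own state sequence along the run: all that an i-formula can observe."""
    states = run_states(init, word)
    view = [states[0][i]]
    for x, s in zip(word, states[1:]):
        if i in LOC[x]:
            view.append(s[i])
    return tuple(view)


def commute_to_front(word, x):
    """Move the earliest occurrence of x to position 0, provided every earlier action is
    independent of x; the result is trace-equivalent to word. Returns None otherwise."""
    k = word.index(x)
    if any(not independent(word[j], x) for j in range(k)):
        return None
    return (x,) + word[:k] + word[k + 1:]


if __name__ == "__main__":
    init = {1: "p0", 2: "q0"}
    rho = ("c", "a", "s", "c", "a", "s")     # a constructed finite run of the product
    rho2 = commute_to_front(rho, "a")        # 'a' is enabled at x_0, so it can go first
    print(rho2, trace_equivalent(rho, rho2))
    print(local_view(init, rho, 1) == local_view(init, rho2, 1))
```

Running the block moves the first `a` of the constructed run past the independent `c` and checks that every agent's projection, and hence every agent's local view, is unchanged; this is the property that lets the proof below evaluate the same local formulas on the commuted run $\rho'$ as on $\rho$.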

Theorem 5.1 Let $S$ be a given system. Every theorem of $Ax_i$ is $S_i$-valid, and every theorem of $Ax_g$ is $S$-valid.

Fix a system $S$. It is easy to see that every axiom of $Ax_i$ is $S_i$-valid, and every axiom of $Ax_g$ is $S$-valid. To see that the inference rules of $Ax_i$ preserve $S_i$-validity, first observe the following: let $\rho = x_0 \stackrel{a_0}{\rightarrow} x_1 \stackrel{a_1}{\rightarrow} \cdots$ be a run of $S$ and $M$ the associated model. Now, for any $L_1$ formula $\alpha$ and any $k \geq 0$, $M, k \models \alpha$ iff $M', 0 \models \alpha$, where $M'$ is the model based on $\rho' = x_k \stackrel{a_k}{\rightarrow} x_{k+1} \stackrel{a_{k+1}}{\rightarrow} \cdots$. Now consider rule NG and assume that $\alpha$ is $S$-valid, but that $[a]\alpha$ is not $S_i$-valid. Let $M$ be a model based on a run $\rho$ of $S$ such that $M_i, 0 \models_i \langle a\rangle\neg\alpha$. Let $k$ be the first instant in $\rho$ such that $a_k = a$. Then $M, k+1 \models \neg\alpha$. But then, by the observation above, we can construct a run $\rho' = x_{k+1} \stackrel{a_{k+1}}{\rightarrow} \cdots$ such that the induced model satisfies $M', 0 \not\models \alpha$, contradicting the $S$-validity of $\alpha$, and we are done.

We now show that the rule GM preserves $S$-validity. For this, first observe that if $M$ is any model based on a run $\rho = x_0 \stackrel{a_0}{\rightarrow} x_1 \cdots$ and $a \in \Sigma$ is such that $M, 0 \models \mathit{en}_G(a)$, then there exists a run $\rho' = x_0 \stackrel{a}{\rightarrow} y_0 \stackrel{b}{\rightarrow} y_1 \cdots$ such that $\rho'$ is equivalent to $\rho$. This follows from the fact that we are considering product systems: if $k$ is the earliest instant in $\rho$ such that $a_k = a$, then all the actions $a_j$, $j < k$, are `independent' of $a$ and hence can be `commuted'. Now consider rule GM and suppose the premise is $S$-valid but the conclusion is not. Then there is a model $M$ based on a run $\rho$ such that

$$M, 0 \models \bigwedge_{i \in \mathrm{loc}(a)} (\langle a\rangle\alpha_i)@i \;\wedge\; \bigwedge_{j \notin \mathrm{loc}(a)} \neg\alpha_j@j .$$

Note that $M, 0 \models \mathit{en}_G(a)$, and by the observation above we can consider the model $M'$ based on the equivalent run $\rho'$. By Proposition 2.2 (trace consistency) the formula above is satisfied at instant 0 in $M'$. But then

$$M', 1 \models \bigwedge_{i \in \mathrm{loc}(a)} \alpha_i@i \;\wedge\; \bigwedge_{j \notin \mathrm{loc}(a)} \neg\alpha_j@j .$$

We now consider the model $M''$ based on the run $\rho'$ but starting at 1, and this violates the $S$-validity of the premise, and we are done. The other rules are proved to preserve $S$-validity in a similar fashion. Thus the presented system is sound for $S$-validity. It is clear that as yet it is not complete for $S$-validity (since we need to add system-dependent axioms capturing the given transition structure). Obtaining such a complete system poses an interesting question for future study.

Acknowledgement: I thank the anonymous referees for most helpful comments. Section 5 was added thanks to a referee's suggestion.

References

[DGP95] Diekert, V., Gastin, P. and Petit, A., "Rational and recognizable complex trace languages", Information and Computation, vol. 116, no. 1, 1995, 134-153.
[GW94] Godefroid, P. and Wolper, P., "A partial approach to model checking", Information and Computation, vol. 110, 1994, 305-326.
[KP92] Katz, S. and Peled, D., "Interleaving set temporal logic", TCS, vol. 73, no. 3, 1992, 21-43.
[P93] Peled, D., "All from one and one from all: on model checking using representatives", Proc. CAV, LNCS 697, 1993, 409-423.
[PWW96] Peled, D., Wilke, T. and Wolper, P., "An algorithmic approach to proving closure properties of $\omega$-regular languages", Proc. CONCUR, LNCS 1119, 1996.
[R96a] Ramanujam, R., "Locally linear time temporal logic", Proc. IEEE LICS, 1996, 118-127.
[R96b] Ramanujam, R., "Axiomatization of a partial order based temporal logic", Bericht Nr. 9605, Christian-Albrechts-Universität Kiel, June 1996.
[R96c] Ramanujam, R., "Trace consistency and inevitability", Proc. FST and TCS, LNCS 1180, 1996, 250-261.
[Ru96] Rushby, J., "Mechanized formal methods: progress and prospects", Proc. FST and TCS, LNCS 1180, 1996, 43-51.
[T94] Thiagarajan, P.S., "A trace based extension of propositional linear time temporal logic", Proc. IEEE LICS, 1994, 438-447.
[T95] Thiagarajan, P.S., "A trace consistent subset of PTL", Proc. CONCUR, LNCS 962, 1995, 438-452.
[TW97] Thiagarajan, P.S. and Walukiewicz, I., "An expressively complete linear time temporal logic for Mazurkiewicz traces", Proc. IEEE LICS, 1997.
[V90] Valmari, A., "A stubborn attack on state explosion", Proc. CAV, LNCS 531, 1990, 156-165.