Translation Results for Modal Logics of Reactive Systems

F. Laroussinie, S. Pinchinat and Ph. Schnoebelen
LIFIA-IMAG, Grenoble, France and University of Sussex, Brighton, UK

Extended version for AMAST'93, Enschede, NL, June 21-25, 1993.
Introduction

Modal logics are an important tool in the analysis, specification and verification of reactive systems [Sti91]. Among many other applications, logics like HML have been used as a benchmark for semantic equivalences [HM85], as the specification language used in model checking tools [CPS93], and as a language in which to explain why two systems are not semantically equivalent [Hil87]. Regarding modal characterizations of semantic equivalences, the classical result is the adequacy theorem of Hennessy and Milner who showed that two states in a (finitely branching) transition system are bisimilar, written $p \leftrightarrow q$, iff they satisfy the same HML formulas, written $p \equiv_{HML} q$, where
$$ p \equiv_L q \;\stackrel{def}{\Leftrightarrow}\; \forall f \in L\ (p \models f \Leftrightarrow q \models f) $$

Here we are mostly interested in modal logics with past-time (backward) operators. A few exist. They have been used (among other applications) to capture non-continuous properties of generalized transition systems (JT in [HS85]), to capture history-preserving bisimulation in causality-based models (LP in [DNF90]) and to capture branching bisimulation by mimicking back-and-forth bisimulation (LBF in [DNV90b]).

In this paper we give three non-trivial translation theorems of the generic form $L \preceq L'$, showing, given any formula $f$ from some modal logic $L$, how to build an equivalent $f' \in L'$. This kind of problem has not received much attention in modal logics of reactive systems, and the existing results in temporal logics with past mostly deal with linear-time logics. Our translations are defined by rewrite rules (to apply with a given strategy) over formulas. A consequence is that the translations are easy to implement. Our motivations are not only theoretical. For example, by showing how to translate $HML_{bf}$ (HML with past-time connectives) into its future-time fragment HML, we show how to easily expand the input language of any software tool (e.g. a verifier) handling HML properties. All the logics we consider are variants of HML:

- $HML_{bf}$: a back-and-forth version of HML, in a framework with only visible labels,
- LU: a version of HML with an "Until" modality, in a framework with invisible labels ($\tau$'s),
- LBF: a version of $HML_{bf}$ incorporating $\tau$'s.

Section 1 presents a translation from $HML_{bf}$ into HML. Section 2 presents a translation from LU into LBF. Section 3 presents a translation from LBF into LU.

Affiliations: LIFIA-IMAG, 46 Av. Felix Viallet, F-38000 Grenoble, FRANCE. Email: {fl,phs}@lifia.imag.fr. School of Computing & Cognitive Sciences, University of Sussex, Falmer, Brighton, BN1 9QH, UK. Email: [email protected]. S. Pinchinat is supported by an INRIA grant.
1 Backward modalities

We consider a fixed set $A = \{a, b, \ldots\}$ of labels. A labeled transition system (LTS) is an edge-labeled graph $\langle Q, \rightarrow\rangle$ where $Q = \{p, q, \ldots\}$ is a set of states and $\rightarrow \subseteq Q \times A \times Q$ is the transition relation. We assume a fixed LTS $S$.

1.1 Syntax of $HML_{bf}$

$HML_{bf}$ (read "HML back-and-forth") is HML with past-tense modalities (footnote 1) and has the following grammar:

$$ HML_{bf} \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid \langle a\rangle f \mid \langle\bar a\rangle f $$

where $a$ is any action from $A$. HML is the fragment of $HML_{bf}$ where the $\langle\bar a\rangle$ operators are not allowed. We use $f, g, \varphi, \psi, \chi, \ldots$ to denote HML formulas and we use the standard abbreviations: $f \vee g$, $\bot$, $[a]f$ (for $\neg\langle a\rangle\neg f$) and $[\bar a]f$ (for $\neg\langle\bar a\rangle\neg f$).
1.2 Semantics of $HML_{bf}$

A modal logic with backward modalities states properties of a run $\rho = [q_0 \xrightarrow{a_1} q_1 \cdots \xrightarrow{a_n} q_n]$ of $S$. A run like $\rho$ is a partial computation of $S$ starting from state $q_0$ and currently in state $q_n$. This partial computation can be extended (if $q_n$ is not a final state) and we write $\rho \xrightarrow{a} \rho'$ when run $\rho'$ is $\rho$ with a transition $q_n \xrightarrow{a} q_{n+1}$ added. If $n > 0$ the run has a past (a history) and the backward modalities in $HML_{bf}$ can be used to state properties of this past. Formally, for a run $\rho$ and an $HML_{bf}$ formula $f$, we define $\rho \models f$ by induction on the structure of $f$:

$$ \begin{array}{lcl}
\rho \models \top & & \text{always,} \\
\rho \models \neg f & \text{iff} & \rho \not\models f, \\
\rho \models f \wedge g & \text{iff} & \rho \models f \text{ and } \rho \models g, \\
\rho \models \langle a\rangle f & \text{iff} & \text{there is a } \rho \xrightarrow{a} \rho' \text{ s.t. } \rho' \models f, \\
\rho \models \langle\bar a\rangle f & \text{iff} & \text{there is a } \rho' \xrightarrow{a} \rho \text{ s.t. } \rho' \models f.
\end{array} $$

Footnote 1: It was introduced in [DNV90b] for systems with $\tau$'s (but note that $HML_{bf}$ is a subset of JT defined in [HS85]).
In this framework, there is some asymmetry between past and future because (1) past is finite, while future needs not be, and (2) past is "deterministic", or fixed by the history, while future is branching. In practice, we use $HML_{bf}$ to express properties of states (mainly the initial state of the system) and not runs. For a state $q \in Q$, the derived notion $q \models f$ is given by

$$ q \models f \;\stackrel{def}{\Leftrightarrow}\; [q] \models f $$

where $[q]$ is just state $q$ seen as a run, with no past. [DNV90b] mention that $p \equiv_{HML_{bf}} q$ iff $p \leftrightarrow q$ because (strong) bisimulation coincides with (strong) back-and-forth bisimulation [DNMV90]. This entails

$$ p \equiv_{HML} q \;\text{ iff }\; p \equiv_{HML_{bf}} q \qquad (1) $$
We are looking for a more detailed comparison of the expressive power of HML and $HML_{bf}$. We consider whether formulas of $HML_{bf}$ can be translated into HML. Of course, a formula like $\langle\bar a\rangle\top$, which says that the last step was an $a$-step, cannot be written in HML where only properties about the possible futures can be expressed. But when we are expressing properties of states (without a past), we know that we never have $q \models \langle\bar a\rangle\top$. That is, $\langle\bar a\rangle\top$ can be translated into $\bot$. This requires some definitions:

Definition 1 Two formulas are globally equivalent, written $f \equiv_g f'$, iff $\rho \models f \Leftrightarrow \rho \models f'$ for all runs $\rho$ in all LTS's. They are initially equivalent, written $f \equiv_i f'$, iff $q \models f \Leftrightarrow q \models f'$ for all states $q$ in all LTS's.

For example, we have $\langle\bar a\rangle\top \equiv_i \bot$ but $\langle\bar a\rangle\top \not\equiv_g \bot$. Clearly, $f \equiv_g f'$ implies $f \equiv_i f'$ but the converse is not true, as we just saw. $\equiv_g$ is a congruence: when $f \equiv_g f'$ with $f$ a subformula of $g$ then $g \equiv_g g[f'/f]$. This does not hold for $\equiv_i$, which is only a congruence w.r.t. boolean contexts. Now we can define what a translation between two logics is.

Definition 2 A logic $L$ can be translated (resp. initially translated) into $L'$, written $L \preceq_g L'$ (resp. $L \preceq_i L'$), iff for any $f \in L$ there is an $f' \in L'$ with $f \equiv_g f'$ (resp. $f \equiv_i f'$). Clearly, $L \preceq_g L'$ implies $L \preceq_i L'$. Also $L \preceq_i L'$ implies $\equiv_{L'} \subseteq \equiv_L$ (the target logic distinguishes at least as many states). In both cases, the reverse implication is not true in general.

$HML_{bf}$ can be translated into HML:

Theorem 1 $HML_{bf} \preceq_i HML$.

The proof is in two steps.
Say a formula is pure-past (resp. pure-future) if it does not contain forward (resp. backward) modalities. Say it is separated if no backward modality occurs in the scope of a forward modality (footnote 2), and write $HML^{sep}_{bf}$ for the fragment of $HML_{bf}$ that contains only separated formulas.
Lemma 1 Any $f \in HML_{bf}$ is equivalent to a separated formula.

Proof By structural induction on $f$. The cases when $f$ has the form $\top$, $g_1 \wedge g_2$, or $\neg g$ are obvious.

$f = \langle\bar a\rangle g$: $g$ can be separated (by ind. hyp.) into some $g'$. Then $f \equiv_g f' \stackrel{def}{=} \langle\bar a\rangle g'$ is separated.

$f = \langle a\rangle g$: $g$ can be separated (by ind. hyp.) into some $g'$. There are two subcases:

- Assume $g'$ has the form $\langle\bar b_1\rangle\varphi_1 \wedge \cdots \wedge \langle\bar b_n\rangle\varphi_n \wedge \neg\langle\bar c_1\rangle\varphi'_1 \wedge \cdots \wedge \neg\langle\bar c_m\rangle\varphi'_m \wedge \psi^+$ where $\psi^+$ is pure-future. Write $c_{i_1}, \ldots, c_{i_k}$ for the $c_i$'s that are equal to $a$. Then

$$ \langle a\rangle g' \equiv_g g'' \stackrel{def}{=} \begin{cases} \varphi_1 \wedge \cdots \wedge \varphi_n \wedge \neg\varphi'_{i_1} \wedge \cdots \wedge \neg\varphi'_{i_k} \wedge \langle a\rangle\psi^+ & \text{if } b_i = a \text{ for } i = 1, \ldots, n, \\ \bot & \text{otherwise.} \end{cases} $$

  (Right after an $a$-step the history is the run we started from, so $\langle\bar a\rangle\varphi$ holds there exactly when $\varphi$ holds before the step, $\neg\langle\bar c\rangle\varphi'$ with $c \neq a$ always holds, and no $\langle\bar b\rangle\varphi$ with $b \neq a$ can hold.) Then $f \equiv_g g''$ and $g''$ is separated.

- In the general case, $g'$ can be put in disjunctive normal form $\bigvee_i \bigwedge_j g_{i,j}$ where every $g_{i,j}$ has the form $\langle b\rangle\varphi$, $\neg\langle b\rangle\varphi$, $\langle\bar b\rangle\varphi$ or $\neg\langle\bar b\rangle\varphi$. The $g_{i,j}$'s are separated. $f \equiv_g \langle a\rangle g' \equiv_g \bigvee_i \langle a\rangle\bigwedge_j g_{i,j}$ and each $\langle a\rangle\bigwedge_j g_{i,j}$ falls in the previous subcase and can be separated.

Proposition 1 (Separation Lemma for $HML_{bf}$)

$$ HML_{bf} \preceq_g HML^{sep}_{bf} \qquad (2) $$

is the immediate corollary.
Remark 1 (2) does not hold for Gabbay's definition of separated formulas: $\langle\bar a\rangle\langle b\rangle\top$ has no equivalent as a boolean combination of pure-past and pure-future formulas.
Now we conclude the proof of Theorem 1 with

Proposition 2 $HML^{sep}_{bf} \preceq_i HML$.

Proof Use $\langle\bar a\rangle f \equiv_i \bot$ to eliminate (modulo $\equiv_i$) any past-time modality which is not in the scope of a future-time modality.

Footnote 2: Note that, in a linear-time framework, [Gab87, GPSS80] use a different, less general, definition of separated formulas: a formula is separated (in Gabbay's sense) if it is a boolean combination of pure-past and pure-future formulas. Our definition is required in branching-time frameworks.
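The two steps of Theorem 1 as executable rewrite rules, added here as an example (this is not code from the paper): `separate` implements the case analysis of Lemma 1, putting the body of a forward modality into disjunctive normal form and moving every backward literal out of the modality, and `initial` applies Proposition 2 by replacing the backward modalities left at the boolean level with $\bot$. The tuple encoding of formulas and all function names are the example's own.

```python
"""Theorem 1 as a rewriter (added example, not the paper's code):
separate an HML_bf formula (Lemma 1), then drop the backward modalities
left at the boolean level (Proposition 2).  Formulas are nested tuples:
  ('T',) | ('not', f) | ('and', f, g) | ('or', f, g)
  ('fwd', a, f) for <a>f      ('back', a, f) for <a-bar>f
"""
T = ('T',)
FALSE = ('not', T)


def big_and(fs):
    out = fs[0] if fs else T
    for g in fs[1:]:
        out = ('and', out, g)
    return out


def big_or(fs):
    out = fs[0] if fs else FALSE
    for g in fs[1:]:
        out = ('or', out, g)
    return out


def nnf(f, neg=False):
    """Push negations down to the modal atoms (T, <a>phi, <a-bar>phi)."""
    op = f[0]
    if op == 'not':
        return nnf(f[1], not neg)
    if op in ('and', 'or'):
        dual = {'and': 'or', 'or': 'and'}[op]
        return (dual if neg else op, nnf(f[1], neg), nnf(f[2], neg))
    return ('not', f) if neg else f


def dnf(f):
    """Disjunctive normal form: a list of conjunctions (lists of literals)."""
    if f[0] == 'or':
        return dnf(f[1]) + dnf(f[2])
    if f[0] == 'and':
        return [c1 + c2 for c1 in dnf(f[1]) for c2 in dnf(f[2])]
    return [[f]]


def push_forward(a, lits):
    """<a>(l_1 ∧ ... ∧ l_n) with every backward literal moved out of <a>.
    Right after an a-step the past is the run we came from, so <a-bar>phi
    holds iff phi holds now, and <b-bar>phi (b != a) cannot hold at all."""
    now, future = [], []
    for lit in lits:
        atom = lit[1] if lit[0] == 'not' else lit
        if atom[0] != 'back':
            future.append(lit)
        elif lit[0] == 'not':
            if atom[1] == a:
                now.append(('not', atom[2]))   # ¬<a-bar>phi  ->  ¬phi
            # ¬<b-bar>phi with b != a is always true after an a-step: drop it
        elif atom[1] != a:
            return FALSE                        # <b-bar>phi, b != a: impossible
        else:
            now.append(atom[2])                 # <a-bar>phi  ->  phi
    return big_and(now + [('fwd', a, big_and(future))])


def separate(f):
    """Lemma 1: an equivalent formula with no backward modality under a forward one."""
    op = f[0]
    if op == 'T':
        return f
    if op == 'not':
        return ('not', separate(f[1]))
    if op in ('and', 'or'):
        return (op, separate(f[1]), separate(f[2]))
    if op == 'back':
        return ('back', f[1], separate(f[2]))
    g = separate(f[2])                          # op == 'fwd'
    return big_or([push_forward(f[1], c) for c in dnf(nnf(g))])


def initial(f):
    """Proposition 2: at a state with no past, a top-level <a-bar>phi is false.
    Expects a separated formula (see translate)."""
    op = f[0]
    if op == 'back':
        return FALSE
    if op == 'not':
        return ('not', initial(f[1]))
    if op in ('and', 'or'):
        return (op, initial(f[1]), initial(f[2]))
    return f                                    # T, or <a>phi with phi pure-future


def translate(f):
    """HML_bf formula -> initially equivalent HML formula (Theorem 1)."""
    return initial(separate(f))


def is_hml(f):
    """True iff f contains no backward modality."""
    return f[0] != 'back' and all(is_hml(x) for x in f[1:] if isinstance(x, tuple))
```

For instance `translate(('fwd', 'a', ('back', 'a', ('fwd', 'b', T))))` rewrites $\langle a\rangle\langle\bar a\rangle\langle b\rangle\top$ into $\langle b\rangle\top \wedge \langle a\rangle\top$, and the top-level $\langle\bar a\rangle\top$ alone becomes $\bot$. The output is not simplified (a conjunct $\top$ or a disjunct $\bot$ may remain), which keeps each rule a literal instance of the proof.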
2 $\tau$-moves, from LU to LBF

For transition systems labeled over $A_\tau \stackrel{def}{=} A \cup \{\tau\}$, [DNV90b] introduces LU and LBF, two modal logics characterizing branching bisimulation.

2.1 Syntax of LBF

LBF is a version of $HML_{bf}$ adapted to systems with silent moves. Its grammar is

$$ LBF \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid \langle\langle k\rangle\rangle f \mid \langle\langle\bar k\rangle\rangle f $$

where $k$ is any label from $A_\tau$. We use $[[k]]f$ and $[[\bar k]]f$ as standard abbreviations (for $\neg\langle\langle k\rangle\rangle\neg f$ and $\neg\langle\langle\bar k\rangle\rangle\neg f$).
2.2 Semantics of LBF

The semantics of the new modalities is given by:

$$ \begin{array}{lcl}
\rho \models \langle\langle a\rangle\rangle f & \text{iff} & \text{there is a } \rho \Rightarrow \xrightarrow{a} \Rightarrow \rho' \text{ s.t. } \rho' \models f, \\
\rho \models \langle\langle\tau\rangle\rangle f & \text{iff} & \text{there is a } \rho \Rightarrow \rho' \text{ s.t. } \rho' \models f, \\
\rho \models \langle\langle\bar a\rangle\rangle f & \text{iff} & \text{there is a } \rho' \Rightarrow \xrightarrow{a} \Rightarrow \rho \text{ s.t. } \rho' \models f, \\
\rho \models \langle\langle\bar\tau\rangle\rangle f & \text{iff} & \text{there is a } \rho' \Rightarrow \rho \text{ s.t. } \rho' \models f,
\end{array} $$

where $\Rightarrow$ is the reflexive and transitive closure of $\xrightarrow{\tau}$.
2.3 Syntax of LU

LU has no backward modalities but it has a so-called "until" operator which is more powerful than the simple future-time operator of LBF. The grammar of LU is

$$ LU \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid f\langle k\rangle g $$

with $k \in A_\tau$.

2.4 Semantics of LU

The semantics is given by

$$ \begin{array}{lcl}
\rho \models f\langle a\rangle g & \text{iff} & \exists n > 0,\ \rho = \rho_0 \xrightarrow{\tau} \rho_1 \xrightarrow{\tau} \cdots \rho_{n-1} \xrightarrow{a} \rho_n \text{ s.t. } \rho_n \models g \text{ and } \rho_i \models f \text{ for } i < n; \\
\rho \models f\langle\tau\rangle g & \text{iff} & \exists n \geq 0,\ \rho = \rho_0 \xrightarrow{\tau} \rho_1 \xrightarrow{\tau} \cdots \rho_{n-1} \xrightarrow{\tau} \rho_n \text{ s.t. } \rho_n \models g \text{ and } \rho_i \models f \text{ for } i < n.
\end{array} $$

For technical reasons, we introduce LBU [Vaa92], a logic built by combining all modalities of LU and of LBF, so that both LBF and LU are fragments of a common superset:

$$ LBU \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid \langle\langle k\rangle\rangle f \mid \langle\langle\bar k\rangle\rangle f \mid f\langle k\rangle g $$

with $k \in A_\tau$. In LBU, the $\langle\langle k\rangle\rangle$ is not really needed because

$$ \langle\langle k\rangle\rangle f \equiv_g \top\langle k\rangle(\top\langle\tau\rangle f) \qquad (3) $$
Considering that $\equiv_{LU}$ and $\equiv_{LBF}$ coincide because they both coincide with branching bisimulation [DNV90b], a natural question is whether LU or LBF can be translated into the other. At first, the authors of [DNV90b] tried to simply embed LU into LBF (see Theorem 2.19 in [DNV90a]) but later found a mistake in their proof. A translation exists but it is not trivial:

Theorem 2 $LU \preceq_g LBF$.

The proof is in two steps. Say an LBU formula is an FB-formula (FB is for "forward-backward") if (1) no until modality is in the scope of a backward modality, and (2) every backward modality is immediately (but disregarding boolean combinators) under a forward LBF modality (i.e. a $\langle\langle k\rangle\rangle$, not an until). For example, $\langle\langle a\rangle\rangle\langle\langle a\rangle\rangle\langle\langle\bar a\rangle\rangle(f\langle a\rangle g)$, $f\langle a\rangle(\langle\langle\bar a\rangle\rangle g)$ and $\langle\langle a\rangle\rangle\langle\langle\bar a\rangle\rangle\langle\langle\bar a\rangle\rangle f$ are not FB-formulas.
Lemma 2 Any FB-formula $f$ in LBU is equivalent to an FB-formula in LBF.

Proof We proceed by induction on $f$. The only interesting case is when $f$ is an until-formula. Assume $f$ is $f_1\langle k\rangle f_2$. Then $f_1$ and $f_2$ are FB and by ind. hyp., we can find equivalent FB-formulas $f'_1, f'_2 \in LBF$. Write $\psi$ instead of $f'_2$ and put $f'_1$ in disjunctive normal form (its literals are forward modalities, by condition (2) of FB-formulas). We get the general form:

$$ f \equiv_g f'_1\langle k\rangle\psi \equiv_g \Big(\bigvee_{i=1\ldots n}\Big(\bigwedge_{j \in J_i} [[k_{ij}]]\varphi_{ij} \wedge \bigwedge_{j \in J'_i} \langle\langle k'_{ij}\rangle\rangle\varphi'_{ij}\Big)\Big)\langle k\rangle\psi \qquad (4) $$

for which we introduce the following simplifying abbreviations:

$$ [\psi_i] \stackrel{def}{=} \bigwedge_{j \in J_i} [[k_{ij}]]\varphi_{ij} \qquad\qquad \langle\psi'_i\rangle \stackrel{def}{=} \bigwedge_{j \in J'_i} \langle\langle k'_{ij}\rangle\rangle\varphi'_{ij} $$

We show by induction over $n$ how to rewrite (4) into an FB-formula in LBF. (The rewriting relies on two facts: a box $[[k]]\varphi$ true at a run stays true after $\tau$-steps, and a diamond $\langle\langle k\rangle\rangle\varphi$ true at a run was already true at all its $\tau$-predecessors.)

First, consider the simpler case where $n = 1$ in $f$. Then if $k = a \in A$ we have

$$ f \equiv_g [\psi_1] \wedge \langle\langle a\rangle\rangle\big([[\bar\tau]]\psi \wedge [[\bar a]]\langle\psi'_1\rangle\big) $$

while if $k = \tau$ we have

$$ f \equiv_g \psi \vee \Big([\psi_1] \wedge \langle\langle\tau\rangle\rangle\big(\psi \wedge [[\bar\tau]](\psi \vee \langle\psi'_1\rangle)\big)\Big) $$
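A satisfaction checker for runs with a fixed past, added here as an example (this is not code from the paper). It implements the strong $\langle a\rangle$, $\langle\bar a\rangle$ of Section 1.2, the weak $\langle\langle k\rangle\rangle$, $\langle\langle\bar k\rangle\rangle$ of Section 2.2 and the until $f\langle k\rangle g$ of Section 2.4, so that identities such as (3) and the $n = 1$ rewrite of Lemma 2 can be checked on a constructed LTS. Class and function names, the tuple encoding of formulas, the sample LTS and its state names are the example's own; it assumes the LTS has no $\tau$-cycles (so that the $\tau$-closure of a run is finite) and, for the exhaustive check over runs, that it is acyclic.

```python
# Added example (not the paper's code): runs with a fixed past and a
# satisfaction checker for LBU (strong <a>, <a-bar>; weak <<k>>, <<k-bar>>;
# until f<k>g).  Assumes no tau-cycles; all_runs assumes an acyclic LTS.
# Formulas are nested tuples, k may be TAU, a is a visible label:
#   ('T',) ('not', f) ('and', f, g) ('or', f, g)
#   ('fwd', a, f) <a>f      ('back', a, f) <a-bar>f
#   ('wfwd', k, f) <<k>>f   ('wback', k, f) <<k-bar>>f
#   ('box', k, f) [[k]]f    ('bbox', k, f) [[k-bar]]f   ('until', f, k, g) f<k>g
TAU = 'tau'
T = ('T',)

class LTS:
    """A run is a tuple (q0, a1, q1, ..., an, qn): its past is finite and fixed."""
    def __init__(self, transitions):
        self.succ = {}
        for p, a, q in transitions:
            self.succ.setdefault(p, []).append((a, q))

    def steps(self, run):
        """Runs run' with run ->a run' (one transition appended)."""
        for a, q in self.succ.get(run[-1], []):
            yield a, run + (a, q)

    def tau_closure(self, run):
        """All run' with run => run' (zero or more tau-steps appended)."""
        out, todo = [run], [run]
        while todo:
            for a, r2 in self.steps(todo.pop()):
                if a == TAU:
                    out.append(r2)
                    todo.append(r2)
        return out

    def weak_steps(self, run, k):
        """Runs run' with run => ->k => run' (just run => run' when k is tau)."""
        if k == TAU:
            return self.tau_closure(run)
        return [r3 for r1 in self.tau_closure(run) for a, r2 in self.steps(r1)
                if a == k for r3 in self.tau_closure(r2)]

    def all_runs(self, q0):
        out, todo = [], [(q0,)]
        while todo:
            r = todo.pop()
            out.append(r)
            todo.extend(r2 for _, r2 in self.steps(r))
        return out

def back_step(run):
    """(label, run') with run' ->label run, or None when run has no past."""
    return None if len(run) == 1 else (run[-2], run[:-2])

def back_tau_closure(run):
    """All run' with run' => run: the past is fixed, so strip trailing taus."""
    out = [run]
    while len(run) > 1 and run[-2] == TAU:
        run = run[:-2]
        out.append(run)
    return out

def weak_back_steps(run, k):
    """Runs run' with run' => ->k => run (just run' => run when k is tau)."""
    if k == TAU:
        return back_tau_closure(run)
    out = []
    for r2 in back_tau_closure(run):
        b = back_step(r2)
        if b is not None and b[0] == k:
            out.extend(back_tau_closure(b[1]))
    return out

def sat(lts, run, f):
    op = f[0]
    if op == 'T':   return True
    if op == 'not': return not sat(lts, run, f[1])
    if op == 'and': return sat(lts, run, f[1]) and sat(lts, run, f[2])
    if op == 'or':  return sat(lts, run, f[1]) or sat(lts, run, f[2])
    if op == 'fwd':
        return any(a == f[1] and sat(lts, r2, f[2]) for a, r2 in lts.steps(run))
    if op == 'back':
        b = back_step(run)
        return b is not None and b[0] == f[1] and sat(lts, b[1], f[2])
    if op == 'wfwd':  return any(sat(lts, r, f[2]) for r in lts.weak_steps(run, f[1]))
    if op == 'wback': return any(sat(lts, r, f[2]) for r in weak_back_steps(run, f[1]))
    if op == 'box':   return not sat(lts, run, ('wfwd', f[1], ('not', f[2])))
    if op == 'bbox':  return not sat(lts, run, ('wback', f[1], ('not', f[2])))
    # until: run = rho_0 ->tau ... ->tau rho_{n-1} ->k rho_n with g at every
    # rho_i (i < n) and h at rho_n; n = 0 is allowed only when k is tau.
    g, k, h = f[1], f[2], f[3]
    if k == TAU and sat(lts, run, h):
        return True
    return sat(lts, run, g) and any((a == k and sat(lts, r2, h)) or (a == TAU and sat(lts, r2, f))
                                    for a, r2 in lts.steps(run))

def sat_state(lts, q, f):
    """q |= f iff [q] |= f: the state seen as a run with no past."""
    return sat(lts, (q,), f)

def agree_on_all_runs(lts, q0, f, g):
    """f and g agree on every run from q0 of a finite acyclic LTS: a check of an
    equivalence on one LTS, not a proof of global equivalence."""
    return all(sat(lts, r, f) == sat(lts, r, g) for r in lts.all_runs(q0))

def lemma2_n1(box, dia, k, psi):
    """The until ([box] ∧ <dia>)<k>psi and its rewrite for n = 1 (Lemma 2), with
    box a conjunction of [[.]]-literals and dia a conjunction of <<.>>-literals."""
    lhs = ('until', ('and', box, dia), k, psi)
    if k == TAU:
        rhs = ('or', psi, ('and', box, ('wfwd', TAU, ('and', psi, ('bbox', TAU, ('or', psi, dia))))))
    else:
        rhs = ('and', box, ('wfwd', k, ('and', ('bbox', TAU, psi), ('bbox', k, dia))))
    return lhs, rhs

# Constructed sample LTS (not from the paper):
#   p -a-> p1 -b-> p2      p -tau-> p3 -a-> p4 -tau-> p5 -c-> p6
SAMPLE = LTS([('p', 'a', 'p1'), ('p1', 'b', 'p2'), ('p', TAU, 'p3'),
              ('p3', 'a', 'p4'), ('p4', TAU, 'p5'), ('p5', 'c', 'p6')])
```

On the sample, `sat_state(SAMPLE, 'p', ('back', 'a', T))` is false because $[p]$ has no past, `('wfwd', 'a', ('fwd', 'c', T))` holds at $p$ through the $\tau\,a\,\tau$ path although the strong `('fwd', 'a', ('fwd', 'c', T))` does not, and `agree_on_all_runs` confirms (3) and the $n = 1$ rewrite on every run of the sample. Because the checker enumerates runs rather than states, it terminates only on $\tau$-acyclic systems; a state-based checker would need the backward modalities to be eliminated first, which is exactly what the translations of this paper provide.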
Now in the general case with $n > 1$, we show how to rewrite (4) into a formula where the until is eliminated by introducing new until-formulas having $(n-1)$-ary disjunctions in their left-hand sides. If $k = a \in A$ we have

$$ f \equiv_g \bigvee_{i=1\ldots n}\Big([\psi_i] \wedge \Big(\langle\langle a\rangle\rangle\big([[\bar\tau]]\psi \wedge [[\bar a]]\langle\psi'_i\rangle\big) \vee \langle\langle\tau\rangle\rangle\big(\chi_i \wedge [[\bar\tau]](\chi_i \vee \langle\psi'_i\rangle)\big)\Big)\Big) $$

where

$$ \chi_i \stackrel{def}{=} \Big(\bigvee_{k=1\ldots n,\ k \neq i}\big([\psi_k] \wedge \langle\psi'_k\rangle\big)\Big)\langle a\rangle\psi \qquad (\text{for } i = 1\ldots n) $$

are the new until-formulas containing only $n-1$ members in the disjunction. Similarly, if $k = \tau$, we have

$$ f \equiv_g \psi \vee \bigvee_{i=1\ldots n}\Big([\psi_i] \wedge \langle\langle\tau\rangle\rangle\big(\chi_i \wedge [[\bar\tau]](\chi_i \vee \langle\psi'_i\rangle)\big)\Big) $$

with $\langle\tau\rangle\psi$ in place of $\langle a\rangle\psi$ in the $\chi_i$'s. Observe that all the formulas we introduce are FB. They are all in LBF except for the $\chi_i$'s. But by our second induction hypothesis, every $\chi_i$ can be rewritten into an FB-formula $\chi'_i \in LBF$. With this we are done.

Corollary 1 $L^{FB}_{BU} \preceq_g LBF$, where $L^{FB}_{BU}$ is the set of all FB-formulas in LBU.

It only remains to see that LU is a subset of $L^{FB}_{BU}$ to conclude the proof of Theorem 2.
Remark 2 In fact we have $LBU \preceq_g LBF$. But this needs new arguments. See Theorem 4 below.
3 From LBF to LU

Theorem 3 $LBF \preceq_i LU$.

This problem was considered in [Vaa92] where a partial solution is proposed. Our approach was developed independently and uses our separation techniques. Write $L^{sep}_{BU}$ for the set of separated LBU formulas, i.e. of formulas with no backward modality under the scope of a forward (or until) modality. We show how to rewrite any LBU formula into an equivalent separated formula. The most difficult part here is to find a strategy which ensures termination. For this we use an approach inspired from [Gab87]. In this section, we will use (3) and consider that "until" is the only forward combinator in LBU. We will also need to introduce variables $x_1, \ldots, x_n$ in our formulas. Classically, $f[x_1]$ denotes a formula $f$ where $x_1$ occurs (possibly several times). Then $f[\varphi]$ is $f$ where $x_1$ has been replaced by $\varphi$. We write $f[x_1, \ldots, x_n] \equiv_g g[x_1, \ldots, x_n]$ when $f[\varphi_1, \ldots, \varphi_n] \equiv_g g[\varphi_1, \ldots, \varphi_n]$ for all $\varphi_1, \ldots \in LBU$.

Lemma 3 If $f[x]$ is a pure-future LBU formula, then $f[\langle\langle\bar\tau\rangle\rangle x]$ is equivalent to some separated $f'[x, \langle\langle\bar\tau\rangle\rangle x]$ with $f'[x, y]$ pure-future.
Proof By induction on $f[x]$. The only interesting case is when $f[x]$ is an until-formula. First apply Lemma 3 to the arguments of the until. Now assume $\langle\langle\bar\tau\rangle\rangle x$ occurs in the right-hand side of the until. First of all, we need not consider disjunctions in the right-hand side because

$$ \varphi\langle k\rangle(\psi_1 \vee \psi_2) \equiv_g \varphi\langle k\rangle\psi_1 \vee \varphi\langle k\rangle\psi_2 $$

Then conjunctions in the right-hand side can be dealt with using

$$ \begin{array}{rcl}
\varphi\langle a\rangle(\langle\langle\bar\tau\rangle\rangle x \wedge \psi) & \equiv_g & \varphi\langle a\rangle(x \wedge \psi) \\
\varphi\langle a\rangle(\neg\langle\langle\bar\tau\rangle\rangle x \wedge \psi) & \equiv_g & \varphi\langle a\rangle(\neg x \wedge \psi) \\
\varphi\langle\tau\rangle(\langle\langle\bar\tau\rangle\rangle x \wedge \psi) & \equiv_g & (\langle\langle\bar\tau\rangle\rangle x \wedge \varphi\langle\tau\rangle\psi) \vee \varphi\langle\tau\rangle(x \wedge \varphi\langle\tau\rangle\psi) \\
\varphi\langle\tau\rangle(\neg\langle\langle\bar\tau\rangle\rangle x \wedge \psi) & \equiv_g & \neg\langle\langle\bar\tau\rangle\rangle x \wedge (\varphi \wedge \neg x)\langle\tau\rangle(\psi \wedge \neg x)
\end{array} \qquad (5) $$

(The first two hold because a run reached by a visible $a$-step has no $\tau$-predecessor other than itself.) Now if $\langle\langle\bar\tau\rangle\rangle x$ occurs in the left-hand side of the until, we only consider the general form:

$$ \big((\langle\langle\bar\tau\rangle\rangle x \wedge \varphi) \vee (\neg\langle\langle\bar\tau\rangle\rangle x \wedge \varphi') \vee \psi\big)\langle k\rangle\chi \qquad (6) $$

which can always be obtained by boolean manipulations. We use

$$ \begin{array}{rl}
& \big((\langle\langle\bar\tau\rangle\rangle x \wedge \varphi) \vee (\neg\langle\langle\bar\tau\rangle\rangle x \wedge \varphi') \vee \psi\big)\langle k\rangle\chi \\
\equiv_g & \langle\langle\bar\tau\rangle\rangle x \wedge (\varphi \vee \psi)\langle k\rangle\chi \\
\vee & \neg\langle\langle\bar\tau\rangle\rangle x \wedge (\neg x \wedge (\varphi' \vee \psi))\langle k\rangle\chi \\
\vee & \neg\langle\langle\bar\tau\rangle\rangle x \wedge (\neg x \wedge (\varphi' \vee \psi))\langle\tau\rangle\big(x \wedge (\varphi \vee \psi)\langle k\rangle\chi\big)
\end{array} $$

We have no room here to show the rules for the general cases where $\langle\langle\bar\tau\rangle\rangle x$ occurs in both sides of the until (4 distinct combinations of (5) and (6)). In almost all cases, separation is achieved by a combination of the previous transformations. In some cases we need new transformations in the same spirit. Now we can generalize Lemma 3 into:
Lemma 4 If $f[x]$ is a pure-future LBU formula, then $f[\langle\langle\bar k\rangle\rangle x]$ is equivalent to some separated $f'[x, \langle\langle\bar k\rangle\rangle x, \langle\langle\bar\tau\rangle\rangle x]$ with $f'[x, y, z]$ pure-future.

Proof We have already proved the result when $k = \tau$. If $k = b \neq \tau$, we follow the lines we used in the proof of Lemma 3 except that we may introduce some $\langle\langle\bar\tau\rangle\rangle x$ subformulas in the scope of until modalities. Let's consider the induction step assuming that $f[x]$ is an until-formula. If $\langle\langle\bar b\rangle\rangle x$ only appears in the right-hand side of the until, we use

$$ \varphi\langle a\rangle(\langle\langle\bar b\rangle\rangle x \wedge \psi) \equiv_g \begin{cases} \bot & \text{if } a \neq b, \\ \varphi\langle\tau\rangle(x \wedge \varphi\langle a\rangle\psi) \vee (\langle\langle\bar\tau\rangle\rangle x \wedge \varphi\langle a\rangle\psi) & \text{if } a = b. \end{cases} $$

$$ \varphi\langle a\rangle(\neg\langle\langle\bar b\rangle\rangle x \wedge \psi) \equiv_g \begin{cases} \varphi\langle a\rangle\psi & \text{if } a \neq b, \\ \neg\langle\langle\bar\tau\rangle\rangle x \wedge (\varphi \wedge \neg x)\langle a\rangle\psi & \text{if } a = b. \end{cases} $$

$$ \varphi\langle\tau\rangle(\langle\langle\bar b\rangle\rangle x \wedge \psi) \equiv_g \langle\langle\bar b\rangle\rangle x \wedge \varphi\langle\tau\rangle\psi \qquad\qquad \varphi\langle\tau\rangle(\neg\langle\langle\bar b\rangle\rangle x \wedge \psi) \equiv_g \neg\langle\langle\bar b\rangle\rangle x \wedge \varphi\langle\tau\rangle\psi $$

Now if $\langle\langle\bar b\rangle\rangle x$ occurs in the left-hand side of the until, we use

$$ \big((\langle\langle\bar b\rangle\rangle x \wedge \varphi) \vee (\neg\langle\langle\bar b\rangle\rangle x \wedge \varphi') \vee \psi\big)\langle k\rangle\chi \equiv_g \big(\langle\langle\bar b\rangle\rangle x \wedge (\varphi \vee \psi)\langle k\rangle\chi\big) \vee \big(\neg\langle\langle\bar b\rangle\rangle x \wedge (\varphi' \vee \psi)\langle k\rangle\chi\big) $$

since the truth of $\langle\langle\bar b\rangle\rangle x$ does not change along the $\tau$-steps of the until. Again, we omit the rules for the general cases where $\langle\langle\bar b\rangle\rangle x$ occurs in both sides of the until. Once we are finished, we get some $f'[x, \langle\langle\bar k\rangle\rangle x, \langle\langle\bar\tau\rangle\rangle x]$ where $f'[x, y, z]$ is pure-future. Here $y$ is not in the scope of until modalities but $z$ may be. We use Lemma 3 to rewrite $f'[x, \langle\langle\bar k\rangle\rangle x, \langle\langle\bar\tau\rangle\rangle x]$ into some separated $f''[x, \langle\langle\bar k\rangle\rangle x, \langle\langle\bar\tau\rangle\rangle x]$. We can build on this basic step:
Lemma 5 If $f[x_1, \ldots, x_n]$ is a pure-future LBU formula, then $f[\langle\langle\bar k_1\rangle\rangle x_1, \ldots, \langle\langle\bar k_n\rangle\rangle x_n]$ is equivalent to some separated $f'[x_1, \langle\langle\bar k_1\rangle\rangle x_1, \langle\langle\bar\tau\rangle\rangle x_1, \ldots, x_n, \langle\langle\bar k_n\rangle\rangle x_n, \langle\langle\bar\tau\rangle\rangle x_n]$ where $f'[x_1, y_1, z_1, \ldots, x_n, y_n, z_n]$ is pure-future.

Proof By induction on $n$ and using Lemma 4.

Lemma 6 If $f[x_1, \ldots, x_n]$ is a pure-future LBU formula and if $\psi_1, \ldots, \psi_n$ are pure-past LBU formulas, then $f[\psi_1, \ldots, \psi_n]$ is equivalent to a separated formula.

Proof By induction on the maximum number of nested backward modalities in the $\psi_i$'s, and using Lemma 5.

Lemma 7 If $f[x_1, \ldots, x_n]$ is a pure-future LBU formula and if $\psi_1, \ldots, \psi_n$ are separated LBU formulas, then $f[\psi_1, \ldots, \psi_n]$ is equivalent to a separated formula.

Proof The $\psi_i$'s may contain forward modalities in the scope of (nested) backward modalities. So $f$ is some $f[\psi_1[f_{1,1}, \ldots, f_{1,k_1}], \ldots, \psi_n[f_{n,1}, \ldots, f_{n,k_n}]]$ where the $f_{i,j}$'s are pure-future and where the $\psi_i[z_{i,1}, \ldots, z_{i,k_i}]$'s are pure-past. We apply Lemma 6 to $f[\psi_1[z_{1,1}, \ldots, z_{1,k_1}], \ldots, \psi_n[z_{n,1}, \ldots, z_{n,k_n}]]$ and get a separated $f'[z_{1,1}, \ldots, z_{n,k_n}]$. Then $f \equiv_g f'[f_{1,1}, \ldots, f_{n,k_n}]$ which is separated.

Lemma 8 Any $f$ in LBU is equivalent to a separated formula.

Proof By induction on $f$. The difficult step has been dealt with in the previous lemma.

Proposition 3 (Separation Lemma for LBU) $LBU \preceq_g L^{sep}_{BU}$ is the immediate corollary.
Proposition 4 $L^{sep}_{BU} \preceq_i LU$.

Proof Use $\langle\langle\bar a\rangle\rangle\varphi \equiv_i \bot$ and $\langle\langle\bar\tau\rangle\rangle\varphi \equiv_i \varphi$.

These two propositions combine with the fact that LBF is a fragment of LBU to complete the proof of Theorem 3. Incidentally, we can now generalize Theorem 2 with

Theorem 4 $LBU \preceq_g LBF$.

Proof Consider $f \in LBU$. Then $f$ is equivalent to some $f' \in L^{sep}_{BU}$ (Proposition 3). $f'$ is separated and thus has the form $\psi[\varphi_1, \ldots, \varphi_n]$ where $\psi[x_1, \ldots, x_n]$ is pure-past (and then in LBF) and the $\varphi_i$'s are pure-future (and then in LU). Theorem 2 implies that the $\varphi_i$'s are equivalent to some $\varphi'_i$'s in LBF. Finally, $f \equiv_g \psi[\varphi'_1, \ldots, \varphi'_n] \in LBF$.
Conclusion

Translations between modal logics have not been investigated in the literature. Our three theorems clearly show that many interesting results can be found when modal logics with backward modalities are considered. We intend to pursue this line of research by investigating complexity issues (not dealt with in this introductory paper), by relaxing our rewriting strategies and simplifying our proofs, and especially by considering other richer logics: HML with recursion, logics for "truly parallel" models, ... This last point seems promising. For example, F. Cherief, F. Laroussinie and S. Pinchinat proved that the logic LP from [DNF90] can be translated into a variant of $HML_{bf}$ with modalities indexed by pomsets. Regarding HML with recursion, we do not expect to develop translation algorithms based on rewrite rules. As an indication, let us mention that the linear-time $\mu$-calculus with backward modalities can be translated (modulo $\equiv_i$) into the pure-future fragment [Var88], but the proof uses automata-theoretic techniques and it is not clear how to develop a translation operating on logic formulas.
References

[CPS93] R. Cleaveland, J. Parrow, and B. Steffen. The concurrency workbench: A semantics-based tool for the verification of concurrent systems. ACM Transactions on Programming Languages and Systems, 15(1):36-72, January 1993.
[DNF90] R. De Nicola and G. L. Ferrari. Observational logics and concurrency models. In Proc. 10th Conf. Found. of Software Technology and Theor. Comp. Sci., Bangalore, India, LNCS 472, pages 301-315. Springer-Verlag, December 1990.
[DNMV90] R. De Nicola, U. Montanari, and F. Vaandrager. Back and forth bisimulations. In Proc. CONCUR'90, Amsterdam, LNCS 458, pages 152-165. Springer-Verlag, August 1990.
[DNV90a] R. De Nicola and F. Vaandrager. Three logics for branching bisimulation. Research Report CS-R9012, CWI, 1990.
[DNV90b] R. De Nicola and F. Vaandrager. Three logics for branching bisimulation (extended abstract). In Proc. 5th IEEE Symp. Logic in Computer Science, Philadelphia, PA, pages 118-129, June 1990.
[Gab87] D. Gabbay. The declarative past and imperative future: Executable temporal logic for interactive systems. In Proc. Temporal Logic in Specification, Altrincham, UK, LNCS 398, pages 409-448. Springer-Verlag, April 1987.
[GPSS80] D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis of fairness. In Proc. 7th ACM Symp. Principles of Programming Languages, Las Vegas, Nevada, pages 163-173, January 1980.
[Hil87] M. Hillerstrom. Verification of CCS processes. M.Sc. Thesis, Aalborg University, 1987.
[HM85] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the ACM, 32(1):137-161, January 1985.
[HS85] M. Hennessy and C. Stirling. The power of the future perfect in program logics. Information and Control, 67:23-52, 1985.
[Sti91] C. Stirling. Modal and temporal logics. Research Report ECS-LFCS-91-157, Lab. for Foundations of Computer Science, Edinburgh, May 1991. To appear in S. Abramsky, D. Gabbay and T. S. E. Maibaum (eds), "Handbook of Logic in Computer Science", Oxford University Press.
[Vaa92] F. Vaandrager. Translating back and forth logic to HML with until operator. Unpublished note, 1992.
[Var88] M. Vardi. A temporal fixpoint calculus. In Proc. 15th ACM Symp. Principles of Programming Languages, San Diego, CA, pages 250-259, January 1988.