Model Checking Properties on Reduced Trace Systems

Abstract

Temporal logic has become a well-established method for specifying the behavior of distributed systems. In this paper, we interpret a temporal logic over a partial order model that is a trace system. The satisfaction of the formulae is directly defined on traces on the basis of rewriting rules; so, the graph representation of the system can be completely avoided; moreover, a method is presented that keeps the trace system finite, also in the presence of infinite computations. To further reduce the complexity of model checking temporal logic formulae, an abstraction technique is applied to trace systems.

1. Introduction and Motivation

Linear time [1] and branching time [2] temporal logics are used for specifying and verifying concurrent and distributed systems: partial order models (trace systems are an example) are mostly used to give semantics to linear time logics, while interleaving models (such as transition systems) are widely used for branching time logics. To express properties inherent in concurrency, i.e., properties distinguishing concurrency from nondeterminism, a partial order interpretation for the logic fits better. This interpretation allows also a good definition of fairness properties as, for example, inevitability under the fairness assumption [3,4]: “in all computations the event a eventually occurs”.

Model checking is one of the main methods for the automated verification of concurrent systems [5]; it consists in checking whether a structure representing the system is a model for a logic formula. Model checking very large concurrent systems may cause the so-called “state explosion problem” and lead to a too big number of states of the structure. A variety of methods for reducing the state explosion problem have been developed [6,7,8,9,10]; in the context of branching time logics, in [11,12], the authors and others proposed a logic, called selective mu-calculus, equi-expressive to mu-calculus [13], but, such that each formula directly characterizes an abstraction of the system that maintains the truth value of the formula itself. Different action logics, such as [14], whose operators could be also used in a linear fashion to concisely express fairness properties, are not suitable to individuate system abstractions preserving the truth values of formulae. A further problem is the model checking of infinite representation of systems: for example, in trace systems, recursive behaviors are usually represented by means of an infinite set of finite traces (see [15], solutions for branching time logic are in [16]). Finally, it is known that, while a lot of interesting correctness properties, such as mutual exclusion and the absence of starvation, can be elegantly expressed by linear time formulae, the model checking of a linear time logic and that of a branching time logic [5,17,18] have different complexity. For example, given a transition system of size n and an alternation-free temporal logic formula of size m, model checking algorithms for the branching time logic (CTL)run in time $\mathcal{O}(nm)$, while those for the linear time logics (LTL) run in time $\mathcal{O}(n{2}^m)$. This result holds also in the case of generalized model checking [19].

In this work, we give a non-interleaving interpretation of selective mu-calculus formulae using the simplest and best known partial order model for computations, that is Mazurkiewicz’s trace system [3,15,20]. This model allows a compact representation of the system computations using only an element, called trace, to represent an equivalence class of sequences of events with respect to a dependence relation. A similar approach has been carried on with the logic CTL in [21]. More precisely, the author defines an extension of CTL by past modalities, called $CT{L}_P$, and interpreted over Mazurkiewicz’s trace systems. The author’s aim is to obtain the model checking of properties described in this logic with a linear complexity, as is that of CTL on transition systems: on the contrary, he proved that model checking for $CT{L}_P$ on traces is NP-hard, even if past modalities cannot be nested. Differently from [21], the aim of this article is to check the satisfaction of our formulae directly on traces, i.e., we suppose using a sequential memory representation for traces and no graph representation of the system, but only a representation of dependencies. Moreover, we employ a trace abstraction, induced by the selective formulae, and we simplify the traces by discarding, at each verification step, the events that are no more of interest for the successive verification. Furthermore, to avoid the management of infinite sets of traces, we use partial traces containing holes to give the semantics of recursive behaviors: the holes are expanded step-by-step, until the verification of the formula can be decided, and so, we have always to manage a finite set of traces. The checking method can be easily implemented by rewriting functions that transform each trace with a polynomial complexity in its dimension.

In Section 2, concurrent systems are defined by a simple event-based specification language, taken as an example and whose semantics is a trace system. In Section 3, the syntax of the selective mu-calculus is recalled, and the satisfaction of the formulae is defined on the corresponding trace system. In the successive section, this is shown as each trace can be abstracted with respect to a particular formula, but maintaining its truth value. The last section contains conclusions and comparisons of the presented approach with some related works.

2. Event Language

This section presents a very simple, event-based language that is not a real language, but an exercise one; nevertheless, it contains the basic features to represent behaviors of concurrent systems. The language is actually very similar to some of the most common process algebras. The semantics of the language is given in terms of trace systems.

2.1. Syntax of Expressions

Expressions are obtained composing a finite set $A=\{a,b,\dots \}$ of symbols, called the alphabet, by means of a set of operators. Each expression represents a possible behavior of the system, while the occurrence of a symbol in an expression represents the occurrence of an event of the system. The syntax to build up expressions is the following:

$$\begin{array}{ccc}e\hfill & ::=& nil\left|a\right|e.e|e+e|e\parallel e|rec(e)\hfill \end{array}$$

where a ranges over A. The language allows the definition of:

• the empty expression (the operator $nil$);
• the concatenation of two expressions (the operator “.”); for example, $e_1.e_2$, with $e_1=a$ and $e_2=b$, is the expression $a.b$;
• the choice between two expressions (the operator “+”); for example, $e_1+e_2$, with $e_1=a.c$ and $e_2=b$, is the expression $a.c+b$;
• the parallel composition of two expressions (operator “||”), where the events in each expression can occur independently, except the events with the same name that cause the synchronization of the two concurrent expressions; for example, $e_1\parallel e_2$, with $e_1=a.c$ and $e_2=b$, is the expression $a.c\parallel b$;
• the unbounded iteration of an expression (the operator “$rec$”).

We require that the following rules hold for the expressions:

$$\begin{array}{ccccc}1.e.nil=e\hfill & 2.nil\parallel e=e\hfill & 3.rec(nil)=nil\hfill & 4.e\parallel e=e\hfill & 5.e+e=e\hfill \end{array}$$

while $e+nil=e$ does not hold; the trace semantics of the language is given by the Definition 2 in the next section, and it guarantees the rules.

For each alphabet A, $A^{*}$ is the set of all finite sequences (strings) of symbols in A; for each string σ, $alph(\sigma )$ (the alphabet of σ) is the set of all symbols occurring in σ; this definition can be easily extended over expressions. We denote the set of all expressions by $\mathcal{E}$. In the following section, the semantics of the language is formally given.

2.2. Trace Semantics of Expressions

In this section, we define the trace semantics of expressions of the language.

The first step is the definition of the notion of dependence between events; the relation we use is taken from Mazurkiewicz’s trace theory [3,15].

Dependence.A dependence relation (dependence for short) over a finite alphabet A is any reflexive, symmetric relation $D\subseteq A\times A$. A dependence D over the alphabet A determines the symmetric and irreflexive relation $I_D\subseteq A\times A$, called the independence relation determined by D and defined as $I_D=A\times A-D$.

The ordered triple $(A^{*},.,ϵ)$, where ϵ is the empty string and . is the concatenation operation on strings, is the standard string monoid over A. Usually, the sign . for concatenation is omitted. Let A be an alphabet and $\sigma \in A^{*}$; then for any alphabet B we denote ${\Pi }_B(\sigma )$ the string projection of σ onto B, i.e., a string over $A\cap B$ obtained from σ deleting all symbols not belonging to B. If $A\cap B=\varnothing$, ${\Pi }_B(\sigma )=ϵ$, for any σ. A concurrent alphabet is any ordered pair $\Sigma =(A,D)$, where A is a finite set of symbols, called also the alphabet of Σ, and D is a dependence over A. Given $\Sigma =(A,D)$, the trace equivalence for Σ is the least congruence ${\equiv }_{\Sigma }$ in the string monoid over A, such that for all $a,b$:

$$(a,b)\in I_D\Rightarrow ab{\equiv }_{\Sigma }ba$$

In other words, it holds that $\sigma {\equiv }_{\Sigma }{\sigma }^{\prime }$ if there is a finite sequence of strings ${\sigma }_0,{\sigma }_1,\dots ,{\sigma }_n,n\ge 0$, such that ${\sigma }_0=\sigma ,{\sigma }_n={\sigma }^{\prime }$, and for each i, $1\le i\le n$, ${\sigma }_{i-1}={\delta }_{1}ab{\delta }_2$, ${\sigma }_i={\delta }_{1}ba{\delta }_2$, for some $(a,b)\in I_D$ and ${\delta }_1,{\delta }_2\in A^{*}$. Equivalence classes of ${\equiv }_{\Sigma }$ are called traces over Σ; given a string $\sigma \in A^{*}$, ${[\sigma ]}_{\Sigma }$ is the equivalence class of σ over Σ. When clear from the context, we omit Σ. The set $\Theta (\Sigma )={[A^{*}]}_{\Sigma }$ is the set of all traces over Σ. The concatenation of traces, denoted by $[{\sigma }_1][{\sigma }_2]$, is defined as $[{\sigma }_1{\sigma }_2]$. For any alphabet B, it holds that ${\Pi }_B([\sigma ])=[{\Pi }_B(\sigma )]$ and $alph([\sigma ])=alph(\sigma )$.

Dependence Closure.Given two dependencies, $D_1$ and $D_2$, defined on the alphabets $A_1$ and $A_2$, respectively, we call dependence closure the derived dependence on the alphabet $A_1\cup A_2$:

$$D_1{D}_2^{\circ }=D_1\cup D_2\cup \{(a_1,a_2),(a_2,a_1)|a_1\in A_1,a_2\in A_2\}$$

Trace System.A trace system $TS$ is any ordered pair $(\Sigma ,T)$, where $\Sigma =(A,D)$ is a concurrent alphabet and $T\subseteq \Theta (\Sigma )$ is a trace language over Σ.

To manage only finite sets of traces also in the presence of recursive behaviors, we extend the alphabet A by a set of special symbols (called holes): a hole represents the fact that the trace is incomplete and can be expanded; we also call this type of trace a partial trace. Each hole has the form ${\lfloor \rfloor }_x$, where x is the name of a trace language; in fact, any trace belonging to the language x can be used to fill the hole giving rise to another partial trace.

Some operations can be performed on trace systems.

• Given the trace system $TS=((A,D),T)$,

  –

  its unbounded iteration is the system:

  $$T{S}_1={(((A,D),T))}^{*}=((A\cup \{{\lfloor \rfloor }_T\},D\cup D^{\prime }),\{[ϵ],{\lfloor \rfloor }_T\})$$

  $$\mathrm{where}:$$

  $$D^{\prime }=\{({\lfloor \rfloor }_T,{\lfloor \rfloor }_T)\}\cup \{(a,{\lfloor \rfloor }_T),({\lfloor \rfloor }_T,a)|a\in A\}$$

The following example gives a first hint of the effect of the unbounded iteration of trace systems.

Example 1. Consider the trace system $T{S}_0=((A_0,D_0),T_0)$, with:

$A_0=\{a\}$, $D_0=\{(a,a)\}$ and $T_0=\{[a]\}$

$${(T{S}_0)}^{*}=((\{a\}\cup \{{\lfloor \rfloor }_{T_0}\},\{(a,a),({\lfloor \rfloor }_{T_0},{\lfloor \rfloor }_{T_0}),(a,{\lfloor \rfloor }_{T_0}),({\lfloor \rfloor }_{T_0},a)\}),\{[ϵ],{\lfloor \rfloor }_{T_0}\})$$

The actual traces of ${(T{S}_0)}^{*}$ are all of the partial traces that can be obtained by filling its hole by means of the traces of $T_0$: some examples are $[a{\lfloor \rfloor }_{T_0}],[aa{\lfloor \rfloor }_{T_0}],[aaa{\lfloor \rfloor }_{T_0}]$; Definition 1 will show the formal way in which more complete traces can be obtained. Other operations on trace systems are the following ones.

• Let $T{S}_1=({\Sigma }_1,T_1)$ and $T{S}_2=({\Sigma }_2,T_2)$, with ${\Sigma }_1=(A_1,D_1)$ and ${\Sigma }_2=(A_2,D_2)$, be two trace systems.

  –

  Their concatenation is the system:

  $$T{S}_1.T{S}_2=({\Sigma }^{\prime },T^{\prime })$$

  $$\mathrm{where}:{\Sigma }^{\prime }=(A_1\cup A_2,D_1{D}_2^{\circ }),\mathrm{and}{T}^{\prime }=\{{\tau }_1{\tau }_2|{\tau }_1\in T_1,{\tau }_2\in T_2\}$$

  –

  their nondeterministic composition is the system:

  $$T{S}_1+T{S}_2=({\Sigma }^{\prime },T^{\prime })$$

  $$\mathrm{where}{\Sigma }^{\prime }=(A_1\cup A_2,D_1\cup D_2),\mathrm{and}$$

  $$T^{\prime }=\{\tau |\tau \in T_1\vee \tau \in T_2\}$$

  –

  their parallel composition is the system:

  $$T{S}_1\parallel T{S}_2=({\Sigma }^{\prime },T^{\prime })$$

  $$\mathrm{where}{\Sigma }^{\prime }=(A_1\cup A_2,D_1\cup D_2),\mathrm{and}$$

  $$T^{\prime }=\{{\Pi }_{A_1}(\tau )\in T_1\wedge {\Pi }_{A_2}(\tau )\in T_2\}$$

Example 2. Consider the following trace systems :

• $T{S}_0=((A_0,D_0),T_0)$,
• $T{S}_1=((A_1,D_1),T_1)$, and
• $T{S}_2=((A_2,D_2),T_2)$, with
• $A_0=\{a\}$, $D_0=\{(a,a)\}$ and $T_0=\{[a]\}$;
• $A_1=\{a,b\}$, $D_1=\{(a,a),(b,b),(a,b),(b,a)\}$ and $T_1=\{[ab]\}$;
• $A_2=\{b,c\}$, $D_2=\{(b,b),(c,c),(b,c),(c,b)\}$ and $T_2=\{[bc]\}$.
• $T{S}_0.T{S}_2$ is the trace system $T{S}_3=((A_3,D_3),T_3)$ with
• $A_3=\{a,b,c\}$, $D_3=\{(a,a),(b,b),(c,c),(a,b),(b,a),(a,c),(c,a),(b,c),(c,b)\}$ and $T_3=\{[abc]\}$.
• $T{S}_0+T{S}_2$ is the trace system $T{S}_6=((A_6,D_6),T_6)$ with
• $A_6=\{a,b,c\}$, $D_6=\{(a,a),(b,b),(c,c),(b,c),(c,b)\}$ and $T_6=\{[a],[bc]\}$.
• $T{S}_1\parallel T{S}_2$ is the trace system $T{S}_4=((A_4,D_4),T_4)$ with
• $A_4=\{a,b,c\}$, $D_4=\{(a,a),(b,b),(c,c),(a,b),(b,a),(b,c),(c,b)\}$ and $T_4=\{[abc]\}$.
• $T{S}_0\parallel T{S}_2$ is the trace system $T{S}_5=((A_5,D_5),T_5)$ with
• $A_5=\{a,b,c\}$, $D_5=\{(a,a),(b,b),(c,c),(b,c),(c,b)\}$ and $T_5=\{[abc]\}$.

The expansion of the partial traces is obtained through the following definition: a completion step is performed by prefixing each hole ${\lfloor \rfloor }_T$ in the partial trace by means of an element of the trace language T; the same occurs for the holes possibly contained in T. Each expansion of the partial trace maintains the capability of a further expansion for each hole.

Definition 1 (one-unfolding)

Consider $TS=((A,D),T)$ and $\sigma \in A^{*}$, all the possible one-unfoldings of σ, denoted by $\widehat{\sigma }$, correspond to the set $\mathcal{U}(\sigma ,S)$, obtained as follows from an initial value of $S=\varnothing$:

$$\mathcal{U}(\sigma ,S)=\left\{\begin{array}{cc}\sigma \hfill & if \sigma contains no hole or\hfill \\ & \forall {\lfloor \rfloor }_x\in \sigma ,x\in S\hfill \\ \mathcal{U}(\sigma \left[{}^{{\sigma }_1{\lfloor \rfloor }_x}{/}_{{\lfloor \rfloor }_x}\right],S\cup \{x\})\hfill & \\ \cdots \hfill & if{\lfloor \rfloor }_x\in \sigma ,x\notin S,\forall i\in [1..n],{\sigma }_i\in x\hfill \\ \mathcal{U}(\sigma \left[{}^{{\sigma }_n{\lfloor \rfloor }_x}{/}_{{\lfloor \rfloor }_x}\right],S\cup \{x\})\hfill & \end{array}\right.$$

Following the previous definition, if $x=\{[dg],[df{\lfloor \rfloor }_y]\}$ and $y=\{[dc]\}$; for example, the trace $[abc{\lfloor \rfloor }_{x}d]$ may be transformed by filling the hole ${\lfloor \rfloor }_x$ with the first trace in the language x, so obtaining the partial trace $[abcdg{\lfloor \rfloor }_{x}d]$. When using the second partial trace in x, we obtain the partial trace $[abcdfdc{\lfloor \rfloor }_y{\lfloor \rfloor }_{x}d]$, since also the hole ${\lfloor \rfloor }_y$ must be filled one time. The one-unfolding procedure of a string always terminates after each hole in the initial trace (and each hole in the traces used to fill it) has been filled once.

The semantics of an expression is the trace system built on the basis of the syntactic structure of each expression.

Definition 2 (Semantics) Given the expression e, its semantics is the trace system $TS(e)=((A,D),T)$ built as follows:

$$\begin{array}{cccc}TS(nil)\hfill & =& ((\varnothing ,\varnothing ),\{[ϵ]\})\hfill & \\ TS(a)\hfill & =& ((\{a\},\{(a,a)\}),\{[a]\})\hfill & \\ TS(e_1.e_2)\hfill & =& TS(e_1).TS(e_2)\hfill & \\ TS(e_1+e_2)\hfill & =& TS(e_1)+TS(e_2)\hfill & \\ TS(e_1\parallel e_2)\hfill & =& TS(e_1)\parallel TS(e_2)\hfill & \\ TS(rec(e))\hfill & =& {(TS(e))}^{*}\hfill & \end{array}$$

We remark that the rule $e+nil=e$ does not hold; in fact, $TS(e+nil)$ always contains the empty trace, while $TS(e)$ may not.

The following example clarifies the semantics of the $rec$ operator.

Example 3. Consider the expression:

$$e=rec(a.rec(d))$$

$TS(rec(a.rec(d)))={(T{S}_0(a.rec(d)))}^{*}$

$T{S}_0(a.rec(d)))=T{S}_1(a).T{S}_2(rec(d))$

$T{S}_2(rec(d))={(T{S}_3(d))}^{*}$

If $TS=((A,D),T)$, we have: $\begin{array}{ccc}\hfill A& =& A_0\cup \{{\lfloor \rfloor }_{T_0}\}\hfill \\ \hfill D& =& D_0\cup \{({\lfloor \rfloor }_{T_0},{\lfloor \rfloor }_{T_0})\}\cup \{(a,{\lfloor \rfloor }_{T_0}),({\lfloor \rfloor }_{T_0},a)|\forall a\in A_0\}\hfill \\ \hfill T& =& \{[ϵ],{\lfloor \rfloor }_{T_0}\}\hfill \end{array}$

where, for each $0\le i\le 3$, $T{S}_i=((A_i,D_i),T_i)$ is defined as follows:

$\begin{array}{ccc}{A}_0\hfill & =& \{a,d,{\lfloor \rfloor }_{T_3}\}\hfill \\ A_1\hfill & =& \{a\}\hfill \\ A_2\hfill & =& A_3\cup \{{\lfloor \rfloor }_{T_3}\}\hfill \\ A_3\hfill & =& \{d\}\hfill \\ D_0\hfill & =& D_1{D}_2^{\circ }=\{(a,a),(d,d),({\lfloor \rfloor }_{T_0},{\lfloor \rfloor }_{T_0}),({\lfloor \rfloor }_{T_3},{\lfloor \rfloor }_{T_3}),(a,d),(d,a),\hfill \\ & & (a,{\lfloor \rfloor }_{T_3}),({\lfloor \rfloor }_{T_3},a),(a,{\lfloor \rfloor }_{T_0}),({\lfloor \rfloor }_{T_0},a),(d,{\lfloor \rfloor }_{T_0}),({\lfloor \rfloor }_{T_0},d),\hfill \\ & & ({\lfloor \rfloor }_{T_3},{\lfloor \rfloor }_{T_0}),({\lfloor \rfloor }_{T_0},{\lfloor \rfloor }_{T_3}),(d,{\lfloor \rfloor }_{T_3}),({\lfloor \rfloor }_{T_3},d)\}\hfill \\ D_1\hfill & =& \{(a,a)\}\hfill \\ D_2\hfill & =& D_3\cup \{({\lfloor \rfloor }_{T_3},{\lfloor \rfloor }_{T_3}),({\lfloor \rfloor }_{T_3},d),(d,{\lfloor \rfloor }_{T_3}),({\lfloor \rfloor }_{T_3},d))\}\hfill \\ D_3\hfill & =& \{(d,d)\}\hfill \\ T_0\hfill & =& \{[a],[a{\lfloor \rfloor }_{T_3}]\}\hfill \\ T_1\hfill & =& \{[a]\}\hfill \\ T_2\hfill & =& \{[ϵ],{\lfloor \rfloor }_{T_3}\}\hfill \\ T_3\hfill & =& \{[d]\}\hfill \end{array}$

The strings below are the one-unfoldings of ${\lfloor \rfloor }_{T_0}$:

$$a{\lfloor \rfloor }_{T_0},ad{\lfloor \rfloor }_{T_3}{\lfloor \rfloor }_{T_0}$$

3. Selective Mu-Calculus

The selective mu-calculus is a temporal logic proposed by the authors in [11,12] and interpreted on transition systems, as a branching time logic. That calculus has the characteristic that the actions relevant for checking a formula are the ones explicitly mentioned. We propose here a different interpretation that takes into account linear time; the following sub-section recalls the syntax of the calculus (called LTSC, for short) and the satisfaction of LTSC formulae on trace systems.

3.1. The Syntax of the Calculus

Here, slight simplifications are made on the syntax of the selective mu-calculus to avoid useless details. Consider the set A of events. The events $a,b$ range over A, and $S\subseteq A$ is a set of events with cardinality less than or equal to one. Moreover, Z belongs to a set of variable names. The calculus has the following syntax:

$$\begin{array}{ccc}\phi \hfill & ::=& \mathtt{tt}\left|\mathtt{ff}\right|Z|{\phi }_1\wedge {\phi }_2|{\phi }_1\vee {\phi }_2{|[a]}_S{\phi |\langle a\rangle }_S\phi |\nu Z.\phi |\mu Z.\phi \hfill \end{array}$$

A fixed point formula has the form $\mu Z.\phi$ ($\nu Z.\phi$), where the fixed point operator $\mu Z$ ($\nu Z$) binds free occurrences of Z in φ. An occurrence of Z is free if it is within the scope of no fixed point operator. A formula is closed if it contains no free variables. The formula $\mu Z.\phi$ is the least fixed point of the recursive equation $Z=\phi$, while $\nu Z.\phi$ is the greatest one. In the following, we consider only closed formulae and alternation-free mu-calculus formulae [22].

However, note that the syntax of the modal operators can be easily extended as follows (and so their meaning) to manage a set of events without affecting the remainder of the paper.

$$\begin{array}{c}{[\{{\alpha }_1,\dots ,{\alpha }_n\}]}_{\{{\beta }_1,\dots ,{\beta }_m\}}\phi =\hfill \\ ({[{\alpha }_1]}_{\{{\beta }_1\}}\phi \vee \cdots \vee {[{\alpha }_1]}_{\{{\beta }_m\}}\phi )\wedge \cdots \wedge ({[{\alpha }_n]}_{\{{\beta }_1\}}\phi \vee \cdots \vee {[{\alpha }_n]}_{\{{\beta }_m\}}\phi )\hfill \\ {\langle \{{\alpha }_1,\dots ,{\alpha }_n\}\rangle }_{\{{\beta }_1,\dots ,{\beta }_m\}}\phi =\hfill \\ ({\langle {\alpha }_1\rangle }_{\{{\beta }_1\}}\phi \wedge \cdots \wedge {\langle {\alpha }_1\rangle }_{\{{\beta }_m\}}\phi )\vee \cdots \vee ({\langle {\alpha }_n\rangle }_{\{{\beta }_1\}}\phi \wedge \cdots \wedge {\langle {\alpha }_n\rangle }_{\{{\beta }_m\}}\phi )\hfill \end{array}$$

Example 4. Some examples of formulae are shown in the following.

${\phi }_1=\nu Z.{\langle a\rangle }_{\varnothing }Z$: “there exists a run in which the event a, preceded by any event, can always occur”.

${\phi }_2={[c]}_{\{a\}}{\langle a\rangle }_{\varnothing }\mathtt{tt}$: “in any run where an event c, not preceded by the event a, occurs, the event a must always follow.

3.2. The Satisfaction of the Formulae on Trace Systems

To define the formula satisfaction on trace systems, we will build a particular trace presentation; the behavior of the operators that produce this presentation is based on a rewriting rule, which transforms a trace into an equivalent one.

Definition 3 (Rewriting rule). Consider $\Sigma =(A,D)$ and $\gamma ba{\gamma }^{\prime }\in A^{*}$.

$$\gamma ba{\gamma }^{\prime }\mapsto \gamma ab{\gamma }^{\prime }if(b,a)\in I_D$$

The rule transforms a string into an equivalent one, since:

$$(b,a)\in I_D\Rightarrow \gamma ba{\gamma }^{\prime }{\equiv }_{\Sigma }\gamma ab{\gamma }^{\prime }$$

The following function $\mathcal{D}$ uses the auxiliary function $\mathcal{M}$, shown in Table 1. The function $\mathcal{M}$, given a string β, marks all the events in β. If A is an alphabet, we write $A^{-}$ for the set $\{a|a\in A\wedge a\ne {\lfloor \rfloor }_x,\forall {\lfloor \rfloor }_x\in A\}$. Intuitively, $A^{-}$ is the set of all of the symbols of the alphabet A, except for the holes.

Table 1. Marking function.

Let A be an alphabet: consider $a\in A$ and $\beta \in A^{*}$. $$\begin{array}{lll}\mathcal{M}(a.\beta )& =& \overline{a}.\mathcal{M}(\beta )\\ \mathcal{M}(ϵ)& =& ϵ\end{array}$$

Table 1. Marking function.

Let A be an alphabet: consider $a\in A$ and $\beta \in A^{*}$. $$\begin{array}{lll}\mathcal{M}(a.\beta )& =& \overline{a}.\mathcal{M}(\beta )\\ \mathcal{M}(ϵ)& =& ϵ\end{array}$$

Definition 4. Consider $\Sigma =(A,D)$, $\sigma \in A^{*}$, $a\in A^{-}$, and $S\subseteq A^{-}$.

${\mathcal{D}}_{a,S}(\sigma )=$

$$\begin{gathered} \left\{\begin{array}{cc}[\mathcal{M}({\delta }_2).{\delta }_3]\hfill & (1)if\exists {\sigma }_{1}a{\sigma }_2{\equiv }_{\Sigma }\sigma ,{\Pi }_{\{a\}\cup S}({\sigma }_1)=ϵ;and\hfill \\ & (2)if\exists {\delta }_1{\delta }_{2}a{\delta }_3{\equiv }_{\Sigma }{\delta }_{1}a{\delta }_2{\delta }_3{\equiv }_{\Sigma }{\sigma }_{1}a{\sigma }_2,such that\hfill \\ & (a){\Pi }_{\{a\}\cup S}({\delta }_1{\delta }_2)=ϵ;and\hfill \\ & (\text{b})\mathit{no} \mathit{event} \mathit{in}{\delta }_1\mathit{can} \mathit{move} \mathit{forward}(\mathit{by} \mathit{means} \mathit{of} \mathit{the} \mathit{rewriting} \mathit{rule}), \\ to pass over a; and\hfill \\ & (c) no event in {\delta }_3 can move backward to pass over a\hfill \\ & (by means of the rewriting rule) apart the event in S.\hfill \\ null\hfill & \mathit{otherwise}\hfill \end{array}\right. \end{gathered}$$

${\mathcal{D}}_{a,S}(\sigma )$ manipulates traces exploiting a simple algorithm that moves events according to the rewriting rule. The result of ${\mathcal{D}}_{a,S}(\sigma )$ is a trace without the events occurring before a in any run (the events in ${\delta }_1$ do not matter for the successive verification), but that includes the events occurring in some run after a and in some run before a (they are the marked events in ${\delta }_2$, with the mark remembering that they do not necessarily occur where they are); it includes also (they are the events in ${\delta }_3$) the events that occur after a in any run and, if present, the event in S (such an event is required to occur after a in all runs of interest; this fact is guaranteed by the constraint expressed in Point a) of Definition 4). The complexity of the trace manipulations is polynomial in the number of elements of the trace itself in the worst case, when at each step, all of the events are moved up and down to verify if they can occur before and/or after a; linear in the better case, when only the reading of all of the events of the trace is required, since the rewriting rule cannot ever be applied. The following example shows, in more detail, the effect of $\mathcal{M}$.

Example 5. Consider the two concurrent alphabets:

${\Sigma }_1=(\{a,b,c\},\{(a,a),(b,b),(c,c),(a,b),(b,a)\})$ and:

${\Sigma }_2=(\{a,b,c\},\{(a,a),(b,b),(c,c),(b,c),(c,b)\}).$

• If $S=\varnothing$:
  ${\mathcal{D}}_{a,S}(cab)=[\overline{c}b]$, for ${\Sigma }_1$, and
  ${\mathcal{D}}_{a,S}(cab)=[\overline{c}\overline{b}]$, for ${\Sigma }_2$, while
  ${\mathcal{D}}_{b,S}(cab)=[\overline{c}]$, for ${\Sigma }_1$, and
  ${\mathcal{D}}_{b,S}(cab)=[\overline{a}]$, for ${\Sigma }_2$
• If $S=\{b\}$
  ${\mathcal{D}}_{a,S}(cab)=[\overline{c}b]$ for both ${\Sigma }_1$ and ${\Sigma }_2$, while
  ${\mathcal{D}}_{b,S}(cab)=[\overline{c}]$, for ${\Sigma }_1$, and
  ${\mathcal{D}}_{b,S}(cab)=[\overline{a}]$, for ${\Sigma }_2$

The formal satisfaction of a formula ψ by a trace $[\sigma ]$ is defined as follows. Note that we consider the event set $\tilde{X}=X\cup \overline{X}$, where $\overline{X}=\{\overline{x}|x\in X\}$ as the alphabet for strings, since it is possible to obtain strings containing marked events. In Table 2, auxiliary cleaning functions are shown that either eliminate the marks from the events of a string ($\mathcal{C}{l}^2$) before the next verification step is performed or eliminate the marked events at all ($\mathcal{C}{l}^1$), as shown in the following Example 6. In fact, the marked events must not be considered when checking for the satisfaction of a formula ${\langle a\rangle }_S\psi$.

Table 2. Cleaning functions.

Let A be an alphabet; consider $a,b\in A$ and $\beta \in A^{*}$. $$\begin{array}{lll}\mathcal{C}{l}^1(b,a.\beta )& =& a.\mathcal{C}{l}^1(b,\beta )\\ \mathcal{C}{l}^1(b,\overline{a}.\beta )& =& \mathrm{if} (a=b) \mathrm{then} \mathcal{C}{l}^1(b,\beta ) \mathrm{else} a.\mathcal{C}{l}^1(b,\beta )\\ \mathcal{C}{l}^1(b,ϵ)& =& ϵ\\ \mathcal{C}{l}^2(a.\beta )& =& a.\mathcal{C}{l}^2(\beta )\\ \mathcal{C}{l}^2(\overline{a}.\beta )& =& a.\mathcal{C}{l}^2(\beta )\\ \mathcal{C}{l}^2(ϵ)& =& ϵ\end{array}$$

Table 2. Cleaning functions.

Let A be an alphabet; consider $a,b\in A$ and $\beta \in A^{*}$. $$\begin{array}{lll}\mathcal{C}{l}^1(b,a.\beta )& =& a.\mathcal{C}{l}^1(b,\beta )\\ \mathcal{C}{l}^1(b,\overline{a}.\beta )& =& \mathrm{if} (a=b) \mathrm{then} \mathcal{C}{l}^1(b,\beta ) \mathrm{else} a.\mathcal{C}{l}^1(b,\beta )\\ \mathcal{C}{l}^1(b,ϵ)& =& ϵ\\ \mathcal{C}{l}^2(a.\beta )& =& a.\mathcal{C}{l}^2(\beta )\\ \mathcal{C}{l}^2(\overline{a}.\beta )& =& a.\mathcal{C}{l}^2(\beta )\\ \mathcal{C}{l}^2(ϵ)& =& ϵ\end{array}$$

Definition 5. Consider $\Sigma =(A,D)$, $a\in A^{-}$, $S\subseteq A^{-}$, $\sigma \in {\tilde{A}}^{*}$; moreover, $\widehat{\sigma }$ is any one-unfolding of σ.

$$\begin{array}{ccc}[\sigma ]\vDash \mathtt{tt}\hfill & & \\ [\sigma ]⊭\mathtt{ff}\hfill & & \\ [\sigma ]\vDash {\psi }_1\vee {\psi }_2\hfill & iff& [\sigma ]\vDash {\psi }_1 or [\sigma ]\vDash {\psi }_2\hfill \\ [\sigma ]\vDash {\psi }_1\wedge {\psi }_2\hfill & iff& [\sigma ]\vDash {\psi }_1 and [\sigma ]\vDash {\psi }_2\hfill \\ [\sigma ]\vDash {[a]}_S\psi \hfill & iff& \forall {\sigma }^{\prime }\in \widehat{\sigma },such that{\mathcal{D}}_{a,S}(\mathcal{C}{l}^2({\sigma }^{\prime }))\ne null,{\mathcal{D}}_{a,S}(\mathcal{C}{l}^2({\sigma }^{\prime }))\vDash \psi \hfill \\ [\sigma ]\vDash {\langle a\rangle }_S\psi \hfill & iff& \exists {\sigma }^{\prime }\in \widehat{\sigma },such that{\mathcal{D}}_{a,S}(\mathcal{C}{l}^1(a,{\sigma }^{\prime }))\ne nulland{\mathcal{D}}_{a,S}(\mathcal{C}{l}^1(a,{\sigma }^{\prime }))\vDash \psi \hfill \\ [\sigma ]\vDash \nu Z.\psi \hfill & iff& [\sigma ]\vDash \nu Z^n.\psi for all natural numbers n\hfill \\ [\sigma ]\vDash \mu Z.\psi \hfill & iff& [\sigma ]\vDash \mu Z^n.\psi for some natural number n\hfill \end{array}$$

where, for each n, $\nu Z^{\mathrm{n}}.\phi and \mu Z^{\mathrm{n}}.\phi$ are defined as:

$$\begin{array}{cc}\nu Z^0.\phi =\mathtt{tt}\hfill & \mu Z^0.\phi =\mathtt{ff}\hfill \\ \nu Z^{n+1}.\phi =\phi [\nu Z^n.\phi /Z]\hfill & \mu Z^{n+1}.\phi =\phi [\mu Z^n.\phi /Z]\hfill \end{array}$$

and the notation $\phi [\psi /Z]$ indicates the substitution of ψ for every free occurrence of the variable Z in φ.

Example 6. Reconsider the previous Example 5 and the formula:

$${\phi }_3={[a]}_{\varnothing }{[c]}_{\varnothing }{\langle b\rangle }_{\varnothing }\mathtt{tt}$$

to be checked on the trace $[cab]$. It holds that:

• ${\mathcal{D}}_{a,\varnothing }(cab)=[\overline{c}b]$, for the ${\Sigma }_1$, while ${\mathcal{D}}_{a,\varnothing }(cab)=[\overline{c}\overline{b}]$, for ${\Sigma }_2$.
• Then, after the cleaning,
• ${\mathcal{D}}_{c,\varnothing }(cb)=[\overline{b}]$, and
• ${\mathcal{D}}_{c,\varnothing }(cb)=[b]$.
• Finally, again after the cleaning,
• ${\mathcal{D}}_{b,\varnothing }(ϵ)=null$, and
• ${\mathcal{D}}_{b,\varnothing }(b)=ϵ$,
• thus $[cab]\vDash {\phi }_3$ for ${\Sigma }_2$, but $[cab]⊭{\phi }_3$ for ${\Sigma }_1$; in fact, the marked event $\overline{b}$ does not occur after c in
• any run.

The satisfaction of an LTSC formula by a trace system is defined as follows:

Definition 6. Let $TS=((A,D),T)$ be a trace system.

$$\begin{array}{ccc}TS\vDash \mathtt{tt}\hfill & & \\ TS⊭\mathtt{ff}\hfill & & \\ TS\vDash {\psi }_1\vee {\psi }_2\hfill & iff& TS\vDash {\psi }_1 or TS\vDash {\psi }_2\hfill \\ TS\vDash {\psi }_1\wedge {\psi }_2\hfill & iff& TS\vDash {\psi }_1 and TS\vDash {\psi }_2\hfill \\ TS\vDash {[a]}_S\psi \hfill & iff& \forall \tau \in T,\tau \vDash {[a]}_S\psi \hfill \\ TS\vDash {\langle a\rangle }_S\psi \hfill & iff& \exists \tau \in T,\tau \vDash {\langle a\rangle }_S\psi \hfill \\ TS\vDash \nu Z.\psi \hfill & iff& TS\vDash \nu Z^n.\psi for all natural numbers n\hfill \\ TS\vDash \mu Z.\psi \hfill & iff& TS\vDash \mu Z^n.\psi for some natural number n\hfill \end{array}$$

Example 7. Now reconsider the expression of Example 3:

$$e=rec(a.rec(d))$$

and suppose having to check on e the formula:

$${\phi }_4=\nu Z.{[d]}_{\varnothing }{\langle a\rangle }_{\varnothing }Z$$

Since $[ϵ]$ satisfies any formula, $e\vDash \nu Z^n.{[d]}_{\varnothing }{\langle a\rangle }_{\varnothing }Z,\forall n$, if $[a{\lfloor \rfloor }_{T_0}],[ad{\lfloor \rfloor }_{T_3}{\lfloor \rfloor }_{T_0}]$ satisfy $\nu Z^n.{[d]}_{\varnothing }{\langle a\rangle }_{\varnothing }Z$ ($a{\lfloor \rfloor }_{T_0} and ad {\lfloor \rfloor }_{T_3}{\lfloor \rfloor }_{T_0}$ are the one-unfoldings of ${\lfloor \rfloor }_{T_0}$).

Since ${\mathcal{D}}_{d,\varnothing }(\mathcal{C}{l}^2(a{\lfloor \rfloor }_{T_0}))=null$, we have to verify that:

$${\mathcal{D}}_{d,\varnothing }(\mathcal{C}{l}^2(ad{\lfloor \rfloor }_{T_3}{\lfloor \rfloor }_{T_0}))=[{\lfloor \rfloor }_{T_3}{\lfloor \rfloor }_{T_0}]\vDash {\langle a\rangle }_{\varnothing }[\nu Z^{n-1}.{[d]}_{\varnothing }{\langle a\rangle }_{\varnothing }Z]$$

Since ${\mathcal{D}}_{a,\varnothing }(\mathcal{C}{l}^1(a,d{\lfloor \rfloor }_{T_3}a{\lfloor \rfloor }_{T_0}))=[{\lfloor \rfloor }_{T_0}]$, and:

$$[{\lfloor \rfloor }_{T_0}]\vDash \nu Z^{n-1}.{[d]}_{\varnothing }{\langle a\rangle }_{\varnothing }Z$$

then:

$$[{\lfloor \rfloor }_{T_0}]\vDash \nu Z^n.{[d]}_{\varnothing }{\langle a\rangle }_{\varnothing }Z,\forall n$$

4. Transformation Rules to Obtain Abstract Trace Systems

In this section, we present a syntactic transformation algorithm, which, given a set ρ of events and an expression e, transforms e into $e^{\prime }$, where both e and $e^{\prime }$ satisfy the same set of LTSC formulae with events occurring in ρ. In general, the trace system corresponding to $e^{\prime }$ is smaller than the one corresponding to e. Our aim is two-fold: given a formula, to find a suitable set ρ and, given ρ, to eliminate from an expression a suitable superset of ρ. A suitable ρ depending on a formula is the following.

Occurring Events: $\mathcal{O}(\phi )$.Given an LTSC formula φ, $\mathcal{O}(\phi )$ is the union of all the events α and the sets S appearing in the modal operators (${[\alpha ]}_S\psi$, ${\langle \alpha \rangle }_S\psi$) occurring in φ.

Definition 7 (Transformation rule). Let $\Sigma =(A,D)$ be a concurrent alphabet and $\rho \subseteq A^{-}$ and e an expression over $A^{-}$. We define ${\mathcal{T}}_{\rho }(e)$ as:

$$\begin{array}{ccc}{\mathcal{T}}_{\rho }(\alpha )\hfill & =& \left\{\begin{array}{cc}nil\hfill & \alpha \notin \rho \hfill \\ \alpha \hfill & \alpha \in \rho \hfill \end{array}\right.\hfill \\ {\mathcal{T}}_{\rho }(e_1.e_2)\hfill & =& {\mathcal{T}}_{\rho }(e_1).{\mathcal{T}}_{\rho }(e_2)\hfill \\ {\mathcal{T}}_{\rho }(e_1+e_2)\hfill & =& {\mathcal{T}}_{\rho }(e_1)+{\mathcal{T}}_{\rho }(e_2)\hfill \\ {\mathcal{T}}_{\rho }(e_1\parallel e_2)\hfill & =& {\mathcal{T}}_{{\rho }^{\prime }}(e_1)\parallel {\mathcal{T}}_{{\rho }^{\prime }}(e_2)where{\rho }^{\prime }=\rho \cup (alph(e_1)\cap alph(e_2))\hfill \\ {\mathcal{T}}_{\rho }(rec(e))\hfill & =& rec({\mathcal{T}}_{\rho }(e))\hfill \end{array}$$

The previous rule maintains in the traces events belonging to a suitable superset of $\mathcal{O}(\phi )$: in fact, besides the occurring events of the formula, it maintains also the communication events .

The complexity of the transformation operator $\mathcal{T}$ is linear in the length of the specification. This result, together with Definition 6 of the satisfaction on traces, further reduces the complexity of the model checking of temporal logic formulae.

The following theorem deals with the abstraction of a trace system induced by the formula φ and obtained in two steps: the first step syntactically reduces the event expression; the second one reduces the trace system, which is the semantics of the expression.

Now, we extend the definition of projection to trace systems.

Definition 8. Let $TS=((A,D),T)$ be a trace system and $B\subseteq A$;

$${\Pi }_B(TS)=((B\cup \{{\lfloor \rfloor }_x|{\lfloor \rfloor }_x\in A\},{\Pi }_B(D)),{\Pi }_B(T))$$

where:

(1) 

${\Pi }_B(D)=\{(a,b)|(a,b)\in D and a,b\in B\}$;

(2) 

${\Pi }_B(T)=\{{\Pi }_B(w)|w\in T\}$, and $\forall {\lfloor \rfloor }_x\in A,x=\{{\Pi }_B(w)|w\in x\}$.

Theorem 1. Consider an expression e and an LTSC formula ψ.

$$TS(e)\vDash \psi ifandonlyif{\Pi }_{\mathcal{O}(\psi )}(TS({\mathcal{T}}_{\mathcal{O}(\psi )}(e)))\vDash \psi$$

Proof: see the Appendix.

Example 8. Consider the following expression:

$$e=rec(a.(b\parallel c^{\prime })\parallel c^{\prime }.a^{\prime }.(b^{\prime }\parallel c))$$

and try to prove the properties:

${\phi }_1=\nu Z.{\langle a\rangle }_{\varnothing }Z$: “there exists a run in which the event a, preceded by any event, can always occur”.

${\phi }_2={[a^{\prime }]}_{\{a\}}\mathtt{ff}$: “it is not possible to perform $a^{\prime }$ if a has not occurred before”.

By our methodology, we have to check:

• $TS(e)\vDash {\phi }_1$, and
• $TS(e)\vDash {\phi }_2$

through the checking of (see Theorem 1):

• ${\Pi }_{{\rho }_1}(T{S}_1({\mathcal{T}}_{{\rho }_1}(e)))\vDash {\phi }_1$, with ${\rho }_1=\mathcal{O}({\phi }_1)=\{a\}$
• ${\Pi }_{{\rho }_2}(T{S}_2({\mathcal{T}}_{{\rho }_2}(e)))\vDash {\phi }_2$, with ${\rho }_2=\mathcal{O}({\phi }_2)=\{a,a^{\prime }\}$

The transformation rules applied over e with ${\rho }_1$ obtain:

• ${\mathcal{T}}_{{\rho }_1}(e)$
• =    { applying Definition 7 and the rules set for the operators in Section 2.1}
• $rec(a.c^{\prime }\parallel c^{\prime })$

While, using ${\rho }_2$, similarly we obtain: ${\mathcal{T}}_{{\rho }_2}(e)=rec(a.c^{\prime }\parallel c^{\prime }.a^{\prime })$.

The trace language of $T{S}_1(rec(a.c^{\prime }\parallel c^{\prime }))$ is

$$\{[ϵ],{\lfloor \rfloor }_{T_3}\},where{T}_3=\{[a{c}^{\prime }]\}isthetracelanguageofT{S}_3(a.c^{\prime }\parallel c^{\prime }).$$

The trace language of $T{S}_2(rec(a.c^{\prime }\parallel c^{\prime }.a^{\prime }))$ is:

$$\{[ϵ],{\lfloor \rfloor }_{T_4}\},with{T}_4=\{[a{c}^{\prime }{a}^{\prime }]\}thatisthetracelanguageofT{S}_4(a.c^{\prime }\parallel c^{\prime }.a^{\prime }).$$

Finally, by applying Definition 6, we can prove that ${\Pi }_{{\rho }_1}(T{S}_1)\vDash {\phi }_1$ and ${\Pi }_{{\rho }_2}(T{S}_2)\vDash {\phi }_2$. In the first case, the trace $[{\lfloor \rfloor }_{T_3}]$ can be unfolded (the first one-unfolding is $[a{c}^{\prime }{\lfloor \rfloor }_{T_3}]$) step by step and simplified for the successive step (the next one-unfolding for the simplified trace produces the trace $[c^{\prime }a{c}^{\prime }{\lfloor \rfloor }_{T_3}]$). We can see that, at each step n, the formula is verified on:

$$\begin{array}{cc}\nu Z^0.\phi =\mathtt{tt}\hfill & \\ \nu Z^{n+1}.\phi =\phi [\nu Z^n.\phi /Z]\hfill \end{array}$$

Consequently, ${\phi }_1=\nu Z.{\langle a\rangle }_{\varnothing }Z$ holds on e. For ${\phi }_2={[a^{\prime }]}_{\{a\}}\mathtt{ff}$, both traces should verify the formula: it is easy to see that, for both $[ϵ]$ and $[a{c}^{\prime }{a}^{\prime }{\lfloor \rfloor }_{T_4}]$ (the one-unfolding of ${\lfloor \rfloor }_{T_4}$), ${\phi }_2$ holds.

5. Conclusions and Related Works

In this work, we define the notion of satisfaction for the formulae of a temporal logic calculus, when interpreted on a trace system, i.e., a partial order representation of the concurrent system. The calculus we use is a temporal logic, whose formulae directly characterize possible abstractions of the system preserving their truth values; more precisely, the events relevant for checking a formula are only the ones explicitly mentioned. Different action logics, such as [14], whose operators could be used in a linear fashion to concisely express fairness properties, are not suitable to individuate system abstractions preserving the truth values of formulae. We use a well-known partial order model for computations, that is Mazurkiewicz’s trace system [20]. Recently, Mazurkiewicz traces have been also extended with time in order to capture the concurrency and timing constraints among the services of systems [23].

It is known that model checking has a different complexity when using linear time or branching time logics [5,17,18]. For example, given a transition system of size n and an alternation-free temporal logic formula of size m, model checking algorithms for the branching time logic (CTL) run in time $\mathcal{O}(nm)$, while those ones for the linear time logics (LTL) run in time $\mathcal{O}(n{2}^m)$.

The works [24,25] relate branching and linear model checking. The authors study the problem of deciding whether a linear-time property, specified by either an automaton or an LTL formula, can be translated to a branching time logic formula and describe the translation when this exists. A disadvantage of this method is that a higher complexity of the formula is achieved, since its size must be increased by some prefix; moreover, also fairness requirements must be expressed by a new formula prefixed to the translation of the old one. Other works [26,27] check linear time formulae on a structure that is the unfolding of the Petri net representing the system, i.e., a partial order model. Nevertheless, this method requires the construction of a, possibly infinite, safe net to represent the behavior of the system. Solutions exist to this problem that exploit McMillan’s finite prefix [28]. The product automaton is obtained from the finite prefix and the Buchi automaton representing the formula. In [29,30], for example, the satisfaction of linear time mu-calculus formulae is checked using alternating Buchi automata. Some different approaches (for example, [20,31,32]) interpret the logic on the dependence graphs among events, instead of linearizations. Moreover, the state explosion problem is present also for this type of graph. A similar approach is the automata-theoretic one [25], which is based on the product between the finite state automaton representing the system and the one representing the formula. Furthermore, such an approach suffers from the state-explosion problem, due to the interleaving of concurrent events; several methods for the reduction of the state space have been suggested in this case [7,9,33,34].

A different approach could be that of using a partial order interpretation, where it is possible to distinguish concurrency from nondeterminism, trying to keep the advantage of not exploding the state space of the system due to the concurrency using trace systems. Our method exploits the compact notation of equivalence classes of behaviors; moreover, the satisfaction of a formula is decided by an algorithm that works directly on the traces (thus, a sequential memory representation) without constructing any type of graph; so saving space and time. The work pays further attention to the reduction of the state space of the system, since, as argued in [17,24], this is the greatest part of the complexity of the model checking procedure, provided that interesting properties are generally of a small size. For this purpose, we use selective mu-calculus to describe system properties, and trace systems are reduced by eliminating the events that do not alter the truth value of a given formula. Finally, it is worth noting that a lot of interesting properties, such as mutual exclusion and absence of starvation, can be elegantly expressed by linear time formulae that usually use a partial order interpretation; while the interleaving interpretation does not allow an easy expression of fairness properties; nevertheless, the use of the selective mu-calculus allows us to express properties, such as precedence and fairness, in a very compact way; for example, the fairness property “in all computation, eventually aoccurs” can be expressed through selective mu-calculus by the formula $\mu Z.({\langle -\rangle }_{\varnothing }\mathtt{tt}\wedge {[-a]}_{\varnothing }Z)$.

The works [9,10,34,35] also follow the partial order approach to model checking and consider only a representative among all interleavings of actions generated by a parallel composition. The properties that are well handled by these approaches do not concern precedence relations between actions, while they can be profitably used to prove, for example, deadlock freedom. In our approach, properties concerning precedence relations between actions are, in general, described by formulae that induce a consistent reduction of the trace system. On the contrary, the formula describing deadlock freedom induces no reduction, since it involves all events. Thus, the two approaches can be considered as complementary. Other approaches use symbolic model checking (for a survey on the use of this formal verification technique for linear temporal logic, see [36]), which is particularly suited to the verification of reactive systems or concurrent programs. In these approaches, the focus of the state explosion problem is shifted from the size of the state space to the size of the BDD representation, maintaining all problems of defining an automaton, recognizing the complement of the formula to be verified.

Abstraction is another successful technique for fighting the state explosion problem in model checking. In [37], the authors present a novel game-based approach to abstraction-refinement for the full μ-calculus, interpreted over three-valued semantics, successively improved in [38].

Pushdown systems are transition systems whose states include a stack of unbounded length; hence, they are strictly more expressive than finite state systems. One can argue that pushdown systems are a natural model for sequential programs with procedures where there is no restriction on the call hierarchy among the procedures. Arbitrary recursion is allowable, since the stack can keep track of active procedure calls. Differently form our approach, the main restriction of this kind of model is that it does not handle parallelism. In fact, in [39], the authors show applications of their model checking algorithm for pushdown systems only in the area of sequential program analysis. The model checking problem of pushdown systems against standard branching temporal logics has been intensively studied in the literature. It has been confirmed that, with pushdown systems, the model checking problem is much harder for branching-time temporal logics than for linear-time temporal logics. In particular, for the modal mu-calculus, the most powerful branching temporal logic used for verification, the problem is known to be EXPTIME-complete (even for a fixed formula) [40]. The problem remains EXPTIME-complete also for the logic, CTL. In [41], the author shows that the complexity of the pushdown model checking problem for CTL* is, in fact, 2EXPTIME-complete. A natural generalization of pushdown machines is pushdown machines with more than one stack [42]. This generalization, unfortunately, is not smooth in terms of the power of these machines: a pushdown automaton with two or more stacks is known to recognize all recursively enumerable languages. The model in its full generality is, thus, intractable. However, for certain model checking applications, pushdown automata with two or more stacks are useful. In [43], the model checking problem for specifications given by nondeterministic pushdown tree automata is studied. The author consider both finite-state (regular) and infinite-state (non-regular) systems. It is shown that for finite-state systems, the model checking problem is solvable in time exponential in both the system and the specification. On the other hand, the model checking problem for context-free systems is undecidable; already for a weak type of pushdown tree automata.

In [44], the authors consider the sabotage modal logic (SML) [45], which can arbitrarily delete edges of the model; thus, it has the ability to modify the model under evaluation. In [44], it was shown that the sabotage modality already strengthens modal logic in such a way that all nice model-theoretic properties and algorithmic complexities get lost. In fact, from the viewpoint of complexities, SML much more resembles first-order logic than modal logic (with the exception that the formula complexity remains in PTIME).

In [46], the authors examine the complexity of the module checking problem (i.e., model checking of open systems) for linear and branching temporal logics. They prove that the problem of module checking is EXPTIME-complete for specifications in CTL and 2EXPTIME-complete for specifications in CTL*. In [47], module checking has been extended to a setting where the environment has imperfect information about the state of the system, i.e., to the case where the environment has only a partial view of the system’s control states (see also [48] for related work regarding imperfect information). Recently, [49,50] extended model checking of pushdown systems by introducing open pushdown systems (with perfect information) that interact with their environment. It is shown in [49,50] that CTL pushdown module checking is 2EXPTIME-complete and, thus, much harder than pushdown model checking. In [51], the authors extend pushdown module checking to the imperfect information setting and pushdown store content. They study the complexity of this problem with respect to the branching-time temporal logics, CTL, CTL* and the propositional μ-calculus. They show that pushdown module checking becomes undecidable when the environment has imperfect information.

Improved model checking algorithms have been developed also for hierarchical systems [52,53,54]. Such systems are exponentially more succinct than standard state transition graphs, as repeated sub-systems are described only once.

In conclusion, our method consists of a variety of attacks to the complexity of the verification.

(1)

We work directly and only on traces to perform model checking, without representing either traces or systems by some sort of graph, so saving memory.

(2)

We obtain a finite trace system, also when using unbounded iteration. In such a way, we can perform model checking also in the presence of infinite computations.

(3)

We reduce the dimension of the trace system, in the number of traces and in the number of events in each trace. Beside the use of abstraction to reduce the number of events of the initial traces, we maintain in a trace at each verification step only the events useful for the following steps, so performing a kind of on-the-fly verification. In such way, we save space, but also verification time, since we decrease the number of times a formula has to be checked.

(4)

We manipulate traces to decide the satisfaction on a single trace with a polynomial complexity depending on the dimension of the formula and of the trace. The precise complexity of the method needs a deeper examination, since, in general, it depends on the level of concurrency of the systems and on the number of the $rec$ operators and of the possible one-unfoldings of each hole.