Checking Properties within Fairness and Behavior Abstractions
Authors: U. Ultes-Nitsche and P. Wolper
Abstract
ing from Figure 3. What distinguishes the two abstractions is the nature of the homomorphism. In the case of Figure 2 the homomorphism preserves properties satisfied within fairness, whereas it does not do so in the case of Figure 3. In Section 8 we will elaborate on this and show that one can conclude that properties satisfied within fairness by the abstract system also hold on the concrete system precisely when the homomorphism is weakly continuation-closed.

3. PRELIMINARIES

For defining our concepts, we need several notions from language theory [Berstel 1979; Eilenberg 1974; Harrison 1978; Thomas 1990]. Let $L \subseteq \Sigma^*$ be a language and let $L_\omega \subseteq \Sigma^\omega$ be an $\omega$-language.

Definition 3.1. The left quotient of $L$ by a word $w \in \Sigma^*$ is defined by $\mathrm{cont}(w, L) = \{ v \in \Sigma^* \mid wv \in L \}$. The left quotient of $L_\omega$ by $w \in \Sigma^*$ is similarly defined by $\mathrm{cont}(w, L_\omega) = \{ x \in \Sigma^\omega \mid wx \in L_\omega \}$.

The left quotient describes the possible continuations of a word in a language. When considering system behaviors, it describes "what can happen after $w$ has happened". Therefore we denote the left quotient of $L$ by $w$ by $\mathrm{cont}(w, L)$, "the set of continuations of $w$ in $L$", instead of the notation $w^{-1}L$ common in language theory.

The notation $\mathrm{pre}(L)$ designates the set of prefixes of words in $L$. A language $L$ is called prefix-closed if and only if $L = \mathrm{pre}(L)$. For an $\omega$-word $x$, $\mathrm{pre}(x)$ designates the set of all finite prefixes of $x$ and, for an $\omega$-language $L_\omega$, $\mathrm{pre}(L_\omega)$ designates the set of all finite prefixes of $\omega$-words in $L_\omega$. The Eilenberg-limit [Eilenberg 1974] of a language $L$ is the set $\lim(L) = \{ x \in \Sigma^\omega \mid \exists^\infty w \in \mathrm{pre}(x) : w \in L \}$. Here, "$\exists^\infty \ldots$" abbreviates "there exist infinitely many different ...". For a word $w$ and an $\omega$-word $x$, we denote their $n$th letter by $w_n$ and $x_n$ respectively. Finally, the notation $x(n\ldots)$, $n \in \mathbb{N}$, represents the suffix $x_n x_{n+1} x_{n+2} \ldots$ of an $\omega$-word $x \in \Sigma^\omega$ starting with the $n$th letter of $x$.

To describe properties, we use propositional linear-time temporal logic (PLTL) [Emerson 1990; Pnueli 1977].
PLTL-formulas are defined with respect to a set $AP$ of atomic propositions. All atomic propositions and the proposition $\mathit{true}$ are PLTL-formulas. If $\xi$ and $\zeta$ are PLTL-formulas, then so are $\neg(\xi)$, $(\xi) \wedge (\zeta)$, $\bigcirc(\xi)$ and $(\xi)\,U\,(\zeta)$. There exist additional operators that are abbreviations of particular operator combinations:
$$(\xi) \vee (\zeta) \equiv \neg((\neg(\xi)) \wedge (\neg(\zeta))), \quad (\xi) \Rightarrow (\zeta) \equiv (\neg(\xi)) \vee (\zeta), \quad (\xi) \Leftrightarrow (\zeta) \equiv ((\xi) \Rightarrow (\zeta)) \wedge ((\zeta) \Rightarrow (\xi)),$$
$$\Diamond(\xi) \equiv (\mathit{true})\,U\,(\xi), \quad \Box(\xi) \equiv \neg(\Diamond(\neg(\xi))), \quad (\xi)\,B\,(\zeta) \equiv \neg((\neg(\xi))\,U\,(\zeta)).$$
PLTL-formulas are interpreted over infinite sequences of truth values for the atomic propositions, i.e. over functions of the type $\mathbb{N} \to 2^{AP}$ or, equivalently, over $\omega$-words defined on the alphabet $2^{AP}$. For convenience, we will also interpret PLTL formulas over infinite words defined on an arbitrary alphabet $\Sigma$ with the help of a labeling function $\lambda : \Sigma \to 2^{AP}$.

ACM Transactions in Computational Logic, Vol. TBD, No. TBD, TBD TBD. 6 · U. Ultes-Nitsche and P. Wolper

The semantics of a PLTL formula with respect to an infinite word $x \in \Sigma^\omega$ and a labeling function $\lambda : \Sigma \to 2^{AP}$ is then the following. (Read "$\models$" as "satisfies".)
$x, \lambda \models \mathit{true}$.
If $\eta$ is an atomic proposition, then $x, \lambda \models \eta$ if and only if $\eta \in \lambda(x_1)$.
If $\eta = \neg(\xi)$, then $x, \lambda \models \eta$ if and only if it is not the case that $x, \lambda \models \xi$.
If $\eta = (\xi) \wedge (\zeta)$, then $x, \lambda \models \eta$ if and only if $x, \lambda \models \xi$ and $x, \lambda \models \zeta$.
If $\eta = \bigcirc(\xi)$, then $x, \lambda \models \eta$ if and only if $x(2\ldots), \lambda \models \xi$.
If $\eta = (\xi)\,U\,(\zeta)$, then $x, \lambda \models \eta$ if and only if there exists $i \in \mathbb{N}$ such that $x(i\ldots), \lambda \models \zeta$ and, for all $j < i$, $x(j\ldots), \lambda \models \xi$.
The meaning of the other operators can be derived from their definition. We will write $L_\omega, \lambda \models \eta$ if and only if $x, \lambda \models \eta$ for all $x \in L_\omega$.

Definition 3.2. A property $P$ over an alphabet $\Sigma$ is a subset of $\Sigma^\omega$. An $\omega$-language $L_\omega \subseteq \Sigma^\omega$ satisfies $P$ if and only if $L_\omega \subseteq P$. For an alphabet $\Sigma$ and a labeling function $\lambda : \Sigma \to 2^{AP}$, the property represented by a PLTL-formula $\eta$ over $AP$ is the set $L_\eta = \{ x \in \Sigma^\omega \mid x, \lambda \models \eta \}$.
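The semantics above can be executed directly on ultimately periodic $\omega$-words, the only infinite words a finite program can represent. The following Python code is an added example, not part of the paper: it evaluates PLTL formulas built from the base operators and the abbreviations of this section over lasso words $u v^\omega$ under the canonical labeling $\lambda(a) = \{a\}$. Positions are 0-based in the code, so the paper's $x(1\ldots)$ is the suffix at position 0. The words and formulas in `section5_example` are constructed inputs chosen to match the example of Section 5, $\Diamond(a \wedge \bigcirc a)$ over $\{a, b\}^\omega$: $(ab)^\omega$ uses both letters infinitely often yet never contains two consecutive $a$'s.

```python
"""PLTL over lasso-shaped omega-words x = u . v^omega.

Added example (not from the paper). Formulas are nested tuples built by the
constructors below; the base operators are those of Section 3 (true, atomic
proposition, negation, conjunction, next, until) and the rest are the
abbreviations given there. Positions are 0-based: the paper's x(1...) is
suffix 0 and x(2...) is suffix 1.
"""

TRUE = ("true",)


def ap(p):         return ("ap", p)
def neg(f):        return ("not", f)
def conj(f, g):    return ("and", f, g)
def nxt(f):        return ("next", f)
def until(f, g):   return ("until", f, g)


# Abbreviations exactly as defined in Section 3.
def disj(f, g):    return neg(conj(neg(f), neg(g)))
def implies(f, g): return disj(neg(f), g)
def eventually(f): return until(TRUE, f)
def always(f):     return neg(eventually(neg(f)))
def before(f, g):  return neg(until(neg(f), g))   # (f) B (g)


def canonical_labeling(letter):
    """lambda_Sigma(a) = {a}: every letter is its own atomic proposition."""
    return {letter}


class LassoWord:
    """x = u v^omega with |v| >= 1. Only |u| + |v| distinct suffixes exist,
    so every quantifier over positions can be bounded."""

    def __init__(self, u, v, labeling=canonical_labeling):
        if len(v) == 0:
            raise ValueError("the loop v must be non-empty")
        self.u, self.v, self.labeling = tuple(u), tuple(v), labeling
        self.n = len(self.u) + len(self.v)   # number of distinct suffixes
        self._memo = {}

    def norm(self, i):
        """Canonical position (< n) whose suffix equals the suffix at i."""
        if i < len(self.u):
            return i
        return len(self.u) + (i - len(self.u)) % len(self.v)

    def letter(self, i):
        i = self.norm(i)
        return self.u[i] if i < len(self.u) else self.v[i - len(self.u)]

    def satisfies(self, formula, pos=0):
        """x(pos...), lambda |= formula."""
        return self._sat(formula, self.norm(pos))

    def _sat(self, f, pos):
        key = (f, pos)
        if key in self._memo:
            return self._memo[key]
        op = f[0]
        if op == "true":
            r = True
        elif op == "ap":
            r = f[1] in self.labeling(self.letter(pos))
        elif op == "not":
            r = not self._sat(f[1], pos)
        elif op == "and":
            r = self._sat(f[1], pos) and self._sat(f[2], pos)
        elif op == "next":
            r = self._sat(f[1], self.norm(pos + 1))
        elif op == "until":
            # exists i >= pos with g at i and f at every j in [pos, i);
            # the walk pos, pos+1, ... revisits a canonical position within
            # n steps, so n + 1 candidates cover every distinct suffix.
            r = False
            for i in range(pos, pos + self.n + 1):
                if self._sat(f[2], self.norm(i)):
                    r = True
                    break
                if not self._sat(f[1], self.norm(i)):
                    break
        else:
            raise ValueError(f"unknown operator {op!r}")
        self._memo[key] = r
        return r


def section5_example():
    """Constructed inputs: Sigma = {a, b} and the property Diamond(a and Next a)
    of Section 5. (ab)^omega uses both letters infinitely often yet never
    contains "aa"; b b a (ab)^omega does."""
    phi = eventually(conj(ap("a"), nxt(ap("a"))))
    alternating = LassoWord(u="", v="ab")
    with_aa = LassoWord(u="bba", v="ab")
    return alternating.satisfies(phi), with_aa.satisfies(phi)


if __name__ == "__main__":
    print(section5_example())   # (False, True)
```

The `until` case is the only place where the infinite word matters: because the suffix at position $i$ equals the suffix at $i + |v|$ once $i \ge |u|$, scanning $|u| + |v| + 1$ candidate positions from `pos` visits every distinct suffix, so the existential quantifier of the semantics is decided exactly rather than approximated.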
4. RELATIVE LIVENESS AND SAFETY

In this section, we review the definition of relative liveness properties of an $\omega$-language, as well as their counterpart, relative safety properties. Based on the notion of a relative liveness property, we will define the satisfaction of properties within fairness. Let $L_\omega \subseteq \Sigma^\omega$ be an $\omega$-language representing the behavior of a system and let $P \subseteq \Sigma^\omega$ be a property.

Definition 4.1. A property $P$ is a relative liveness property of $L_\omega$ (we write this already as a satisfaction relation: $L_\omega \models_{RL} P$) if and only if $\forall w \in \mathrm{pre}(L_\omega) : \exists x \in \mathrm{cont}(w, L_\omega) : wx \in P$.

Definition 4.2. A property $P$ is a relative safety property of $L_\omega$ if and only if, for all $x \in L_\omega$, $x \notin P$ implies $\exists w \in \mathrm{pre}(x) : \forall z \in \mathrm{cont}(w, L_\omega) : wz \notin P$.

Remark 4.3. If $L_\omega = \Sigma^\omega$, then the definitions of relative liveness and relative safety become exactly the definitions of liveness and safety given in [Alpern and Schneider 1985].

To prove the decidability of relative liveness and safety for regular $\omega$-languages, we use the following characterizations of these properties.

Lemma 4.4. $P$ is a relative liveness property of $L_\omega$ if and only if $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$.

Proof. By definition, $L_\omega \models_{RL} P$ if and only if, for all $w \in \mathrm{pre}(L_\omega)$, there exists $x \in \mathrm{cont}(w, L_\omega)$ such that $wx \in P$. Hence we have $w \in \mathrm{pre}(L_\omega \cap P)$ for all $w \in \mathrm{pre}(L_\omega)$, that is, $\mathrm{pre}(L_\omega) \subseteq \mathrm{pre}(L_\omega \cap P)$. On the other hand, $\mathrm{pre}(L_\omega \cap P) \subseteq \mathrm{pre}(L_\omega)$ trivially, and thus $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$. Conversely, if $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$, then $w \in \mathrm{pre}(L_\omega \cap P)$ for all $w \in \mathrm{pre}(L_\omega)$. Therefore, for all $w \in \mathrm{pre}(L_\omega)$, there exists an $x \in \mathrm{cont}(w, L_\omega)$ such that $wx \in P$, and hence $P$ is a relative liveness property of $L_\omega$.

Lemma 4.5. $P$ is a relative safety property of $L_\omega$ if and only if $L_\omega \cap \lim(\mathrm{pre}(L_\omega \cap P)) \subseteq P$.

Proof. By definition, $P$ is a relative safety property of $L_\omega$ if and only if
$$\forall x \in L_\omega : \big( x \notin P \Rightarrow ( \exists w \in \mathrm{pre}(x) : \forall z \in \mathrm{cont}(w, L_\omega) : wz \notin P ) \big).$$
By taking the contrapositive of the implication, this is equivalent to
$$\forall x \in L_\omega : \big( ( \forall w \in \mathrm{pre}(x) : \exists z \in \mathrm{cont}(w, L_\omega) : wz \in P ) \Rightarrow x \in P \big).$$
The part $( \forall w \in \mathrm{pre}(x) : \exists z \in \mathrm{cont}(w, L_\omega) : wz \in P )$ is equivalent to the condition $\mathrm{pre}(x) \subseteq \mathrm{pre}(L_\omega \cap P)$. Thus, $P$ is a relative safety property of $L_\omega$ if and only if
$$\forall x \in L_\omega : \big( \mathrm{pre}(x) \subseteq \mathrm{pre}(L_\omega \cap P) \Rightarrow x \in P \big).$$
The set of $\omega$-words $x$ in $L_\omega$ such that $\mathrm{pre}(x) \subseteq \mathrm{pre}(L_\omega \cap P)$ is exactly $L_\omega \cap \lim(\mathrm{pre}(L_\omega \cap P))$. Thus, $P$ is a relative safety property of $L_\omega$ if and only if $L_\omega \cap \lim(\mathrm{pre}(L_\omega \cap P)) \subseteq P$.

Theorem 4.6. Given an $\omega$-regular language $L_\omega$ and an $\omega$-regular property $P$, both given by nondeterministic Büchi automata or by PLTL formulas, determining whether $P$ is a relative liveness or a relative safety property of $L_\omega$ is decidable and PSPACE-complete.

Proof. The characterizations given by Lemma 4.4 and Lemma 4.5 reduce the problem to questions decidable in PSPACE [Thomas 1990; Garey and Johnson 1979] (notice that for PLTL formulas one can build in PSPACE an automaton for the formula and for its complement [Vardi and Wolper 1994]). Hardness can be established by a reduction from regular language inclusion [Garey and Johnson 1979].

Note that Lemma 4.4 provides the link between relative liveness and machine closure. Indeed, recall the following definition [Abadi and Lamport 1988; Abadi and Lamport 1990; Alur and Henzinger 1995].

Definition 4.7. Let $\Lambda \subseteq L_\omega \subseteq \Sigma^\omega$, for an alphabet $\Sigma$. $(L_\omega, \Lambda)$ is called a machine closed live structure if and only if $\mathrm{pre}(L_\omega) \subseteq \mathrm{pre}(\Lambda)$.

We thus have that $P \subseteq \Sigma^\omega$ is a relative liveness property of $L_\omega$ if and only if $(L_\omega, P \cap L_\omega)$ is a machine closed live structure (see Lemma 4.4).

General properties can always be represented as the intersection of a liveness and a safety property [Alpern and Schneider 1985]. As stated precisely below, the relativized version of this result is that a property holds for an $\omega$-language if and only if it is both a relative liveness and a relative safety property of the language.

Theorem 4.8.
An $\omega$-language $L_\omega$ satisfies a property $P$ ($L_\omega \subseteq P$) if and only if $P$ is a relative safety and a relative liveness property of $L_\omega$.

Proof. If $L_\omega \subseteq P$, then, trivially, $P$ is a relative safety and a relative liveness property of $L_\omega$. If $P$ is a relative safety property of $L_\omega$, then $L_\omega \cap \lim(\mathrm{pre}(L_\omega \cap P)) \subseteq P$ (Lemma 4.5). If, additionally, $P$ is a relative liveness property of $L_\omega$, then, by Lemma 4.4, $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$. Therefore, we can replace $\mathrm{pre}(L_\omega \cap P)$ by $\mathrm{pre}(L_\omega)$ in the safety condition and obtain $L_\omega \cap \lim(\mathrm{pre}(L_\omega)) \subseteq P$. Because $L_\omega \cap \lim(\mathrm{pre}(L_\omega)) = L_\omega$, we finally obtain $L_\omega \subseteq P$.

As shown in [Henzinger 1992], relative liveness and safety properties also have an elegant definition within the Cantor topology, i.e. the topological space over $\Sigma^\omega$ compatible with the following metric [Eilenberg 1974]. (For topological notions see [Kelley 1955].)

Definition 4.9. Let $\mathrm{common}(x, y)$ designate the longest common prefix of two $\omega$-words $x$ and $y$ in $\Sigma^\omega$. We define the metric $d(x, y)$ by
$$\forall x, y \in \Sigma^\omega,\ x \neq y : \quad d(x, y) = \frac{1}{|\mathrm{common}(x, y)| + 1}, \qquad \forall x \in \Sigma^\omega : \quad d(x, x) = 0.$$

Lemma 4.10. A property $P$ is a relative liveness property of an $\omega$-language $L_\omega$ if and only if $L_\omega \cap P$ is a dense set in $L_\omega$.

Proof. Let $L_\omega \models_{RL} P$, and let $x \in L_\omega$. Then $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$. Thus $\mathrm{pre}(x) \subseteq \mathrm{pre}(L_\omega \cap P)$, and we have $\forall w \in \mathrm{pre}(x) : \exists y \in L_\omega \cap P : w \in \mathrm{pre}(y)$. We get, for all $x \in L_\omega$ and all $\varepsilon > 0$ ($\varepsilon$ corresponds to $\frac{1}{|w|+1}$), that there is a $y \in L_\omega \cap P$ such that $d(x, y) < \varepsilon$. So $L_\omega \cap P$ is a dense set in $L_\omega$. Conversely, let $L_\omega \cap P$ be a dense set in $L_\omega$. Then, for all $x \in L_\omega$ and all $\varepsilon > 0$, there exists $y \in L_\omega \cap P$ such that $d(x, y) < \varepsilon$. Let $x$ be in $L_\omega$, let $w$ be in $\mathrm{pre}(x)$ and let $\varepsilon = \frac{1}{|w|+1}$. Because $L_\omega \cap P$ is dense in $L_\omega$, there exists $y \in L_\omega \cap P$ with $d(x, y) < \varepsilon$, i.e. with $|\mathrm{common}(x, y)| > |w|$, and hence $w \in \mathrm{pre}(y)$. Thus $\mathrm{pre}(L_\omega) \subseteq \mathrm{pre}(L_\omega \cap P)$. Because $\mathrm{pre}(L_\omega \cap P) \subseteq \mathrm{pre}(L_\omega)$, we have $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$. By Lemma 4.4, $P$ is a relative liveness property of $L_\omega$.

Lemma 4.11.
A property $P$ is a relative safety property of an $\omega$-language $L_\omega$ if and only if $L_\omega \cap P$ is a closed set in $L_\omega$.

Proof. $P$ is a relative safety property of $L_\omega$ if and only if
$$\forall x \in L_\omega : \big( x \notin P \Rightarrow ( \exists w \in \mathrm{pre}(x) : \forall z \in \mathrm{cont}(w, L_\omega) : wz \notin P ) \big).$$
Let $\bar P$ be the complement of $P$ with respect to $L_\omega$, i.e. $\bar P = L_\omega \cap (\Sigma^\omega \setminus P)$, which is the same as $\bar P = L_\omega \setminus (L_\omega \cap P)$. Then $P$ is a relative safety property of $L_\omega$ if and only if
$$\forall x \in L_\omega : \big( x \in \bar P \Rightarrow ( \exists w \in \mathrm{pre}(x) : \forall z \in \mathrm{cont}(w, L_\omega) : wz \in \bar P ) \big).$$
Stated topologically, $P$ is a relative safety property of $L_\omega$ if and only if
$$\forall x \in \bar P : \exists \varepsilon > 0 : \forall y \in L_\omega : d(x, y) < \varepsilon \Rightarrow y \in \bar P.$$
Thus, $P$ is a relative safety property of $L_\omega$ if and only if $\bar P$ is an open set in $L_\omega$. Because $\bar P = L_\omega \setminus (L_\omega \cap P)$ is the complement of $L_\omega \cap P$ with respect to $L_\omega$, we finally obtain that $P$ is a relative safety property of $L_\omega$ if and only if $L_\omega \cap P$ is a closed set in $L_\omega$.

Relative safety having been introduced to complete the picture around relative liveness, we will now use relative liveness as a satisfaction relation, calling it satisfaction within fairness.

Definition 4.12. We say that $L_\omega$ satisfies $P$ within fairness if and only if $L_\omega \models_{RL} P$.

We have chosen the phrase "within fairness" to stress the fact that, for a property satisfied "within fairness" to be fully satisfied, the only missing element is a form of fairness condition on the set of behaviors being considered. Note that since a safety property never requires a fairness condition, a safety property satisfied within fairness by a set of behaviors is also fully satisfied by that set of behaviors. To prove this, recall the definition of a safety property ([Alpern and Schneider 1985], adapted to our notation):

Definition 4.13. A property $P \subseteq \Sigma^\omega$ is called a safety property if and only if, for all $x \in \Sigma^\omega$, $x \notin P$ implies $\exists w \in \mathrm{pre}(x) : \forall y \in \Sigma^\omega : wy \notin P$.

We then have the following.
Lemma 4.14. If $P$ is a safety property, then $L_\omega \models_{RL} P$ if and only if $L_\omega \models P$.

Proof. Let $L_\omega \models_{RL} P$, i.e. $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$, and assume $L_\omega \not\models P$. Let $x \in L_\omega$ with $x \notin P$. Because $P$ is a safety property, there exists $w \in \mathrm{pre}(x)$ such that $\forall y \in \Sigma^\omega : wy \notin P$. So $w$ is not a prefix of any $\omega$-word in $P$ and thus not in $\mathrm{pre}(L_\omega \cap P)$. Since $w$ is in $\mathrm{pre}(L_\omega)$, we have $\mathrm{pre}(L_\omega) \neq \mathrm{pre}(L_\omega \cap P)$, which contradicts $L_\omega \models_{RL} P$. So $L_\omega \models P$ must hold. Conversely, if $L_\omega \models P$, then $L_\omega \models_{RL} P$ follows immediately.

5. IMPLEMENTING SYSTEMS THAT SATISFY PROPERTIES WITHIN FAIRNESS

If a property is satisfied by a set of behaviors within fairness, our expectation is that a fair implementation of this set of behaviors will satisfy the property in the classical sense. Unfortunately, this is not true for every implementation, even if one assumes strong fairness. As an example, consider the set of behaviors $\{a, b\}^\omega$. It is not sufficient to impose strong fairness on the minimal automaton representing $\{a, b\}^\omega$ in order to satisfy all properties that are satisfied within fairness by $\{a, b\}^\omega$. For instance, $\Diamond(a \wedge \bigcirc a)$ would not be satisfied (the computation $(ab)^\omega$ of the one-state automaton takes both of its transitions infinitely often, hence is strongly fair, yet never contains two consecutive $a$'s), even though it is satisfied within fairness by $\{a, b\}^\omega$. The reason for this is that, even if fairness is used, more state information needs to be kept in order to be able to satisfy the property $\Diamond(a \wedge \bigcirc a)$. However, it is always possible to add sufficient state information to a system in order to turn properties that are satisfied within fairness into properties that are satisfied in the classical sense under fairness. The following theorem makes this precise.

Theorem 5.1. Let $L_\omega$ be a limit-closed finite-state set of behaviors (one accepted by a finite-state automaton without acceptance conditions, i.e. by a finite-state labeled transition system) and let $P$ be an $\omega$-regular property.
Then, if $P$ is satisfied within fairness by $L_\omega$, there exists a finite-state labeled transition system $A$ such that the $\omega$-language accepted by $A$ is $L_\omega$ and all strongly fair computations of $A$ satisfy $P$.

Proof. Since $P$ is satisfied by $L_\omega$ within fairness, by Lemma 4.4 we have that $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$. Furthermore, since $L_\omega$ is limit-closed we have that $L_\omega = \lim(\mathrm{pre}(L_\omega))$ and hence
$$L_\omega = \lim(\mathrm{pre}(L_\omega \cap P)). \qquad (1)$$
Consider thus a reduced Büchi automaton $A'$ accepting $L_\omega \cap P$ (by reduced we mean that states from which no $\omega$-word can be accepted have been eliminated). The finite-state labeled transition system $A$ we are trying to construct is $A'$ with its acceptance condition removed. Indeed, by equation (1), $A$ accepts $L_\omega$. Furthermore, all strongly fair infinite computations of $A$ will go infinitely often through a former accepting state of $A'$ and thus will satisfy $P$.

The theorem we have just proved gives an interesting insight into properties satisfied within fairness. They are the properties that fairness makes true of the system, but possibly at the cost of adding state information to the system implementation in a noninterfering way, i.e. without altering the set of limit-closed behaviors of the system.

6. BEHAVIOR ABSTRACTIONS

We now turn to the problem of verifying a system using abstraction. We consider finite-state labeled transition systems (i.e. without acceptance conditions). Hence the finite-word languages accepted by the systems we consider are the prefix-closed regular languages, and the $\omega$-languages they accept are the Eilenberg-limits of prefix-closed regular languages. We consider abstractions that hide or rename the actions of our systems. Precisely, we consider abstraction homomorphisms that are extensions of alphabetic language homomorphisms to mappings on finite and infinite words, as defined below.
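Lemma 4.4 and the construction in the proof of Theorem 5.1 can both be checked mechanically for finite-state systems. The Python code below is an added example and not the paper's own algorithm: it takes a deterministic finite labeled transition system (whose behaviors are the limit of its prefix-closed language) and a nondeterministic Büchi automaton for $P$, computes the reduced product, and decides $\mathrm{pre}(L_\omega) = \mathrm{pre}(L_\omega \cap P)$ by tracking, for every system prefix $w$, the set of product states from which acceptance is still possible; a prefix whose set is empty witnesses $w \in \mathrm{pre}(L_\omega) \setminus \mathrm{pre}(L_\omega \cap P)$. `fair_implementation` returns the transition system $A$ of Theorem 5.1, i.e. the reduced product with its acceptance condition dropped. The automata `ALL_AB`, `EVENTUALLY_AA` (a hand-built Büchi automaton for $\Diamond(a \wedge \bigcirc a)$) and `ALWAYS_B` (for $\Box b$) are constructed inputs matching the example of Section 5; letters are one-character strings.

```python
"""Checking satisfaction within fairness on finite-state systems.

Added example (not the paper's own algorithm). A system is a deterministic
finite labeled transition system (LTS) whose behaviours are lim(pre(L)); a
property P is given by a nondeterministic Buechi automaton. By Lemma 4.4,
P is satisfied within fairness iff pre(L_omega) = pre(L_omega & P).
Letters are one-character strings; all automata below are constructed inputs.
"""
from collections import deque


class LTS:
    """Deterministic LTS: delta[state][letter] = successor state."""
    def __init__(self, init, delta):
        self.init, self.delta = init, delta


class Buechi:
    """Nondeterministic Buechi automaton: delta[(state, letter)] = successors."""
    def __init__(self, init, delta, accepting):
        self.init, self.delta, self.accepting = init, delta, set(accepting)


def product_edges(lts, ba):
    """Synchronous product of lts and ba: {(q, s): [(letter, (q', s')), ...]}."""
    edges, todo = {}, deque([(lts.init, ba.init)])
    while todo:
        q, s = todo.popleft()
        if (q, s) in edges:
            continue
        edges[(q, s)] = []
        for a, q2 in lts.delta.get(q, {}).items():
            for s2 in ba.delta.get((s, a), ()):
                edges[(q, s)].append((a, (q2, s2)))
                todo.append((q2, s2))
    return edges


def reachable(edges, start):
    """Product states reachable from start by at least one transition."""
    seen, todo = set(), deque(t for _, t in edges[start])
    while todo:
        x = todo.popleft()
        if x not in seen:
            seen.add(x)
            todo.extend(t for _, t in edges[x])
    return seen


def good_states(edges, ba):
    """States from which some omega-word is still accepted: an accepting state
    lying on a cycle is reachable. Keeping only these states gives the
    'reduced' automaton of the proof of Theorem 5.1."""
    acc_on_cycle = {x for x in edges
                    if x[1] in ba.accepting and x in reachable(edges, x)}
    return {x for x in edges
            if x in acc_on_cycle or reachable(edges, x) & acc_on_cycle}


def relative_liveness(lts, ba):
    """Decide pre(L_omega) = pre(L_omega & P) (Lemma 4.4).

    For each system prefix w, S is the set of Buechi states s such that
    (q, s) is good after reading w; S is empty exactly when w is in
    pre(L_omega) but not in pre(L_omega & P). Returns (True, None) or
    (False, w) with such a counterexample prefix w."""
    edges = product_edges(lts, ba)
    good = good_states(edges, ba)
    s0 = frozenset({ba.init}) if (lts.init, ba.init) in good else frozenset()
    seen, todo = {(lts.init, s0)}, deque([(lts.init, s0, "")])
    while todo:
        q, S, w = todo.popleft()
        if not S:
            return False, w
        for a, q2 in lts.delta.get(q, {}).items():
            S2 = frozenset(s2 for s in S for s2 in ba.delta.get((s, a), ())
                           if (q2, s2) in good)
            if (q2, S2) not in seen:
                seen.add((q2, S2))
                todo.append((q2, S2, w + a))
    return True, None


def fair_implementation(lts, ba):
    """The LTS A of Theorem 5.1: the reduced product with its acceptance
    condition dropped. Returns (delta, former_accepting), where
    delta[(q, s)][letter] is the set of successor states."""
    edges = product_edges(lts, ba)
    good = good_states(edges, ba)
    delta = {x: {} for x in good}
    for x in good:
        for a, y in edges[x]:
            if y in good:
                delta[x].setdefault(a, set()).add(y)
    return delta, {x for x in good if x[1] in ba.accepting}


# Constructed inputs matching the example of Section 5: behaviours {a, b}^omega.
ALL_AB = LTS("q", {"q": {"a": "q", "b": "q"}})
# Buechi automaton for Diamond(a and Next a): s0 waits, s1 has just read an a,
# s2 has seen "aa" and accepts everything from then on.
EVENTUALLY_AA = Buechi("s0", {("s0", "a"): {"s0", "s1"}, ("s0", "b"): {"s0"},
                              ("s1", "a"): {"s2"},
                              ("s2", "a"): {"s2"}, ("s2", "b"): {"s2"}},
                       accepting={"s2"})
# Buechi automaton for Box b: not satisfied by {a, b}^omega, hence (Lemma 4.14,
# it being a safety property) not satisfied within fairness either.
ALWAYS_B = Buechi("t0", {("t0", "b"): {"t0"}}, accepting={"t0"})

if __name__ == "__main__":
    print(relative_liveness(ALL_AB, EVENTUALLY_AA))   # (True, None)
    print(relative_liveness(ALL_AB, ALWAYS_B))        # (False, 'a')
```

For `EVENTUALLY_AA` the constructed system `fair_implementation` returns has three states, the former accepting one being the state that has already seen $aa$; a strongly fair run of that system cannot stay forever in the two other states, which is exactly the argument of the proof. The prefix tracking is a subset construction over product states and is exponential in the worst case, in line with the PSPACE bound of Theorem 4.6.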
Definition 6.1. Let $h : \Sigma \to (\Sigma' \cup \{\varepsilon\})$ be a total function ($\varepsilon$ designates the empty word) and let $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. Then the abstraction homomorphism generated by $h$ is the extension of $h$ to a mapping $h : \Sigma^\infty \to \Sigma'^\infty$ defined as follows. For all words $w = w_1 w_2 w_3 \ldots w_n \in \Sigma^*$, $n \in \mathbb{N}$, we define $h(w) = h(w_1) h(w_2) h(w_3) \ldots h(w_n)$. For all $\omega$-words $x = x_1 x_2 x_3 \ldots \in \Sigma^\omega$, we define $h(x) = h(x_1) h(x_2) h(x_3) \ldots$ if $\lim(h(\mathrm{pre}(x))) \neq \emptyset$ (i.e. if infinitely many letters of $x$ are not erased by $h$, so that $h(x)$ is again an $\omega$-word). Otherwise, if $\lim(h(\mathrm{pre}(x))) = \emptyset$, then $h(x)$ is undefined.

This leads naturally to the following definition of the abstract behavior of a system under an abstraction homomorphism.

Definition 6.2. Let $S$ be a system whose behaviors are the limit $\lim(L)$ of a prefix-closed regular language $L$. Then, the abstract behavior of $S$ with respect to the abstraction homomorphism $h$ is $\lim(h(L))$.

Our goal is to prove properties of the behaviors $\lim(L)$ of a system $S$ by only considering the abstract behaviors $\lim(h(L))$ for some abstraction homomorphism $h$. More specifically, we are interested in the preservation of properties satisfied within fairness under the abstraction homomorphism. Essential information about the properties that are satisfied within fairness by $\lim(L)$ is contained in the sets $\mathrm{cont}(w, L)$, for $w \in L$. At the abstract level, we obviously have access to $\mathrm{cont}(h(w), h(L))$, but we really need $h(\mathrm{cont}(w, L))$ in order to ensure that properties satisfied within fairness by the abstraction will also be satisfied within fairness by the concrete system in a corresponding way. Thus, we need to investigate the relation between the sets $h(\mathrm{cont}(w, L))$ and $\mathrm{cont}(h(w), h(L))$ and find conditions under which $\mathrm{cont}(h(w), h(L))$ can be used instead of $h(\mathrm{cont}(w, L))$. In general, $h(\mathrm{cont}(w, L))$ is only a subset of $\mathrm{cont}(h(w), h(L))$, and the inclusion can be proper. In order to obtain sufficient information about $h(\mathrm{cont}(w, L))$ from $\mathrm{cont}(h(w), h(L))$, one would be tempted to require equality of the two sets.
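A small constructed example of the two continuation sets (added here; it is not from the paper, and it anticipates the weaker condition of Definition 6.3 below). Let $\Sigma = \{a, b, c, d\}$, $\Sigma' = \{x, c, d\}$ and $L = \mathrm{pre}((ac)^* \cup (bd)^*)$, a prefix-closed regular language whose behaviors are $\lim(L) = \{(ac)^\omega, (bd)^\omega\}$. Let $h(a) = h(b) = x$, $h(c) = c$ and $h(d) = d$, so that the abstraction identifies the two branches on their first action and $h(L) = \mathrm{pre}((xc)^*) \cup \mathrm{pre}((xd)^*)$. For $w = a$,
$$h(\mathrm{cont}(a, L)) = \mathrm{pre}(c(xc)^*), \qquad \mathrm{cont}(h(a), h(L)) = \mathrm{cont}(x, h(L)) = \mathrm{pre}(c(xc)^*) \cup \mathrm{pre}(d(xd)^*),$$
so the inclusion $h(\mathrm{cont}(w, L)) \subseteq \mathrm{cont}(h(w), h(L))$ is proper: the abstract continuation $d$ of $x$ has no concrete counterpart after $a$, and equality of the two sets fails. What does hold is that every abstract continuation of $x$ that has started with $c$ is a concrete one. With $u = c \in \mathrm{cont}(x, h(L))$,
$$\mathrm{cont}(c, \mathrm{cont}(x, h(L))) = \mathrm{cont}(xc, h(L)) = \mathrm{pre}((xc)^*) = \mathrm{cont}(c, h(\mathrm{cont}(a, L))).$$
Symmetrically, $u = d$ works for $w = b$, and for every other $w \in L$ (the empty word, and every word of length at least two, which has already committed to one branch) the two sets coincide and $u = \varepsilon$ works. So $h$ meets the condition of Definition 6.3 for every word of $L$ without satisfying equality of the two sets for $L$.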
Homomorphisms for which the two sets are equal are called continuation-closed, since computing the continuation first and then the abstraction, or the abstraction first and then the continuation, gives the same result. However, this is stronger than needed. Indeed, since we are dealing with satisfaction within fairness, we will show that it is sufficient that the behaviors in $\mathrm{cont}(h(w), h(L))$ "eventually" become behaviors in $h(\mathrm{cont}(w, L))$. This condition is the one called simplicity of an abstraction homomorphism in [Ochsenschläger 1994]. We will use a name that is more intuitive with respect to the definition and call such homomorphisms weakly continuation-closed. Their exact definition is the following.

Definition 6.3. An abstraction homomorphism $h : \Sigma^\infty \to \Sigma'^\infty$ is weakly continuation-closed for a language $L \subseteq \Sigma^*$ and a word $w \in L$ if and only if there exists $u \in \mathrm{cont}(h(w), h(L))$ such that
$$\mathrm{cont}(u, \mathrm{cont}(h(w), h(L))) = \mathrm{cont}(u, h(\mathrm{cont}(w, L))).$$
The homomorphism $h$ is weakly continuation-closed for $L$ if and only if it is weakly continuation-closed for $L$ and every word $w \in L$.

Theorem 8.4 will show that this definition indeed meets all the requirements we have informally described above. More details about weakly continuation-closed homomorphisms can be found in [Ochsenschläger 1994].

7. PRESERVATION OF LINEAR PROPERTIES

Before turning to the preservation of properties satisfied within fairness by weakly continuation-closed homomorphisms, we need some general results about abstraction homomorphisms and properties. The problem we address is that the properties true of the abstracted system and of the concrete system can rarely be identical. Indeed, one needs to take into account the fact that the abstraction can rename or hide symbols. Our goal here is to define a transformation on properties that mirrors this. We consider properties defined by PLTL formulas (see Section 3).
In order to make the definition of property transformations easier and to make the interpretation of formulas over words more direct (remember that we are dealing with systems represented by sets of infinite words), we define some normal forms for PLTL formulas. A first restriction is to consider only positive normal form formulas.

Definition 7.1. A PLTL-formula $\eta$ is in positive normal form if and only if the scope of every negation is a single atomic proposition.

Now we turn to the problem of interpreting formulas over words. Our generic way of doing this (see Section 3) is to use a mapping $\lambda : \Sigma \to 2^{AP}$ from the alphabet $\Sigma$ of the word to the subsets of the atomic propositions $AP$ of the formula. However, in this context, it is quite natural to consider the elements of $\Sigma$ directly as atomic propositions, which implies that one is using a mapping $\lambda_\Sigma$ such that $\forall a \in \Sigma : \lambda_\Sigma(a) = \{a\}$. We define a normal form that corresponds to this.

Definition 7.2. Let $\Sigma$ be an alphabet. We say that a PLTL formula $\eta$ is in $\Sigma$-normal form if and only if $\eta$ is in positive normal form and all its atomic propositions are in $\Sigma$ (i.e. $AP \subseteq \Sigma$). For an alphabet $\Sigma$, the canonical $\Sigma$-labeling function $\lambda_\Sigma : \Sigma \to 2^\Sigma$ is the one such that $\forall a \in \Sigma : \lambda_\Sigma(a) = \{a\}$.

Note that using $\Sigma$-normal form formulas is not really restrictive. Indeed, for any PLTL-formula $\eta$ over a set $AP$ of atomic propositions and any labeling function $\lambda : \Sigma \to 2^{AP}$, there exists a PLTL-formula $\eta'$ in $\Sigma$-normal form such that, for all $x \in \Sigma^\omega$, $x, \lambda \models \eta$ if and only if $x, \lambda_\Sigma \models \eta'$.

We now turn to the interaction between properties and abstraction homomorphisms. Consider an abstraction homomorphism $h : \Sigma^\infty \to \Sigma'^\infty$ and assume we have established a ($\Sigma'$-normal form) property $\eta$ of the abstract version $L'_\omega \subseteq \Sigma'^\omega$ of a system, obtained under this homomorphism. Of what system can we say that the property is true on the concrete level? One would expect $h^{-1}(L'_\omega)$.
However, this is a language on $\Sigma$, on which we cannot directly interpret $\eta$. One could modify $\eta$ to take this into account, but it is simpler to modify the labeling function.

Definition 7.3.  For alphabets $\Sigma$ and $\Sigma'$, and for an abstraction homomorphism $h : \Sigma^\infty \to \Sigma'^\infty$, the canonical $h_{\Sigma\Sigma'}$-labeling function $\lambda^h_{\Sigma\Sigma'} : \Sigma \to 2^{\Sigma' \cup \{\varepsilon\}}$ is the one such that $\forall a \in \Sigma : \lambda^h_{\Sigma\Sigma'}(a) = \{h(a)\}$.

Notice that this labeling function maps some letters to the proposition $\varepsilon$, which stands for the empty word. So, we cannot expect a formula $\eta$ true of the abstract system $L'_\omega$ to be true of $h^{-1}(L'_\omega)$, even using the mapping $\lambda^h_{\Sigma\Sigma'}$. Indeed, this mapping takes care of the fact that letters are renamed, but does not take care of the fact that $\varepsilon$ is the empty word. What is needed is to ignore the empty word in the evaluation of the formula. This is handled by transforming the formula $\eta$ from $\Sigma'$-normal form to $\Sigma' \cup \{\varepsilon\}$-normal form as follows.

Definition 7.4. Let $\eta$ be a PLTL-formula in $\Sigma'$-normal form. We define recursively a mapping $T(\eta)$ that yields a formula in $\Sigma' \cup \{\varepsilon\}$-normal form (see Figure 5; $\hat b$ designates a binary boolean operator, $\hat b \in \{\wedge, \vee, \Rightarrow, \Leftrightarrow\}$).
Journal: CoRR
Volume: cs.LO/0101017
Pages: -
Publication date: 2001