An Equivalence Based Method for Compositional Verification of the Linear Temporal Logic of Constraint Automata
Mohammad Izadi (1, 2)
Department of Computer Engineering, Sharif University of Technology and IPM School of Computer Science, Tehran, IRAN
Ali Movaghar Rahimabadi (3)
Department of Computer Engineering, Sharif University of Technology and IPM School of Computer Science, Tehran, IRAN
Abstract
Constraint automaton is a formalism to capture the operational semantics of the channel based coordination language Reo. In general constraint automaton can be used as a formalism for modeling coordination of some components. In this paper we introduce a standard linear temporal logic and two fragments of it for expressing the properties of the systems modeled by constraint automata and show that the equivalence relation defined by Valmari et al. is the minimal compositional equivalence preserving that fragment of linear time temporal logic which has no next-time operator and has an extra operator distinguishing deadlocks, and that a slight modification of this equivalence is the minimal equivalence preserving linear time temporal logic without the next-time operator. We present a compositional model checking method based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata, and a simplification of it for model checking the coordinating subsystems modeled by constraint automata.
Keywords: formal verification, compositional verification, constraint automata, component based systems.
(1) This work was supported by IPM under Grant No. CS-1383-2-01
(2) Email: izadi@ipm.ir
(3) Email: movaghar@sharif.ir
Electronic Notes in Theoretical Computer Science 159 (2006) 171–186
1571-0661/$ – see front matter © 2006 Elsevier B.V. All rights reserved.
doi:10.1016/j.entcs.2005.12.068
www.elsevier.com/locate/entcs
1 Introduction
Constraint automaton is a formalism to capture the operational semantics of Reo [2]. Reo is a channel based coordination language in which complex coordinators are compositionally built out of simpler ones [1]. In a more fundamental view, constraint automaton by itself can be used as a formalism for modeling coordination of some components. Like any other modeling formalism, it needs ways for expressing desired properties of the actual modeled system and then verifying them. If the correctness requirements of a formally modeled computing system are given in a mathematical notation, such as linear temporal logic [10], branching time temporal logic [17] or automata on infinite objects [14], an algorithmic model theoretic process called model checking [4] can be used to check whether the system respects its correctness requirements. Model checking has been shown to be an efficient and easy to use technique in computer systems verification. However, there is a major drawback in using exhaustive model checking: the model of the system tends to be extremely large. In the literature this problem is often referred to as the state explosion problem. The main goal of this paper is to show how theories of behavioral equivalences with compositional state space generation help us to analyze large constraint automata models in the context of model checking temporal properties by alleviating the state space explosion.
Compositional verification is one of the main proposed methods for dealing with the problem of state explosion [4,5]. In the compositional verification of a system, one seeks to deduce properties of the system from properties of its constituent modules. An obvious strategy is to check local properties of each component of a compositional system and then present a way for deducing that a desired property is satisfied by the complete system. Because compositionality is in their nature, component-based systems [13] and their formal specification formalisms, such as Reo or constraint automata, are very natural for applying the methods of compositional verification. A special case of compositional verification is the method of equivalence based compositional reduction [15,16,12]. In this method components of a system are reduced with respect to an equivalence relation before building the complete system from them. If the modeling formalism preserves the property of compositionality at all levels of the hierarchical construction of a large scale system, this method can be applied at all levels and modules of the system. Fortunately Reo and its operational semantics, i.e. constraint automata, completely preserve this compositionality in all steps of the process of modeling coordinating systems.
A component-based system has two main parts: a set of components and a coordinating subsystem. By Reo specifications or constraint automata one can specify or model the coordinating subsystem in a compositional and hierarchical way. In other words, if a component based system is modeled by Reo or constraint automata, both the whole system and its coordinating part are compositional and hierarchical. Thus the method of compositional reasoning or verification can be applied both to desired properties of the complete component system and to desired properties of the coordinating subsystem.
M. Izadi, A. Movaghar Rahimabadi / Electronic Notes in Theoretical Computer Science 159 (2006) 171–186
In this paper we first introduce a standard linear temporal logic and two fragments of it for expressing the properties of the systems modeled by constraint automata and show that the equivalence relation defined by initial stability, traces and stable failures in [15,16] is the minimal compositional equivalence preserving that fragment of linear time temporal logic which has no next-time operator and has an extra operator distinguishing deadlocks. In addition, a slight modification of this equivalence [8] is the minimal equivalence preserving linear time temporal logic without the next-time operator. There are reduction algorithms for reducing a constraint automaton to an equivalent one which is smaller in size and preserves the temporal properties of the modeled system with respect to the above mentioned equivalence relations. Thus in the last part of this work we use these equivalences and the corresponding reduction algorithms in the context of compositional model checking of large scale component-based systems and their coordinating subsystems. We present a compositional model checking algorithm based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata, and a simplification of it for model checking the coordinating subsystems modeled by constraint automata.
The paper proceeds as follows: in section 2 we briefly define constraint automata and introduce a way of modifying the definition such that the labels of transitions are propositional formulas. In section 3 we recall some basic concepts of process algebras and give the definitions of two kinds of equivalences based on the set of all traces or behaviors of labeled transition systems. In section 4 we introduce a standard linear temporal logic and two fragments of it for expressing the properties of the systems modeled by constraint automata. This section contains a way of interpreting temporal operators over labeled transitions instead of labeled states (labeled transition systems versus Kripke structures). In section 5 we show that the above mentioned equivalences preserve properties specified in the two fragments of linear temporal logic. It can be shown that these equivalences are the weakest possible equivalence relations which preserve these temporal properties, and there are reduction algorithms for reducing constraint automata to equivalent ones with respect to these equivalence relations. In section 6 we present a compositional model checking algorithm based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata, and a simplification of it for model checking the coordinating subsystems modeled by constraint automata.
2 Constraint Automata
Constraint automata were introduced by Arbab et al. in [2] as a formalism
to capture the operational semantics of Reo. Timed data streams, which
constitute the foundation of the coalgebraic semantics of Reo, are also the
referents in the language of constraint automata. In this section we introduce
the notion of constraint automata.
Let V be any set. We define the sets $V^*$ and $V^\omega$ as the sets of all finite and infinite sequences over V respectively. We denote individual streams as $a = (a_0, a_1, a_2, \ldots)$. We call $a_0$ the initial value of a. The (stream) derivative $a'$ of a stream a is defined as $a' = (a_1, a_2, \ldots)$. We recall the definition of timed data streams from [4]:
$$TDS = \{\langle \alpha, a \rangle \in Data^\omega \times \mathbb{R}_+^\omega \mid \forall n \geq 0 : a_n < a_{n+1} \text{ and } \lim_{n \to \infty} a_n = \infty\}$$
A timed data stream $A = \langle \alpha, a \rangle$ represents the occurrence of events at a port A and consists of a data stream $\alpha \in Data^\omega$ and a time stream $a \in \mathbb{R}_+^\omega$ consisting of increasing positive real numbers. The time stream a indicates for each data item $\alpha_n$ the moment $a_n$ at which it occurs at port A.
Constraint automata can be viewed as acceptors for tuples of timed data streams that are observed at certain ports $A_1, \ldots, A_n$. The rough idea is that such an automaton observes the data occurring at $A_1, \ldots, A_n$ and either changes its state according to the observed data or rejects the data if there is no corresponding transition in the automaton. Further, constraint automata are augmented with the names of their ports $A_1, \ldots, A_n$, where $A_i$ stands for the i-th TDS. Each transition in a constraint automaton is labeled with a pair $\langle n, g \rangle$ such that n is a non-empty subset of $N = \{A_1, \ldots, A_n\}$ and g is a guard that constrains the data in the TDS of the ports referenced in n. Data constraints are defined by the following grammar:
$$g ::= false \mid true \mid data(A) = d \mid g_1 \vee g_2 \mid g_1 \wedge g_2$$
We use DC as the set of all data constraints defined by the above grammar. We recall the definition of a constraint automaton from [2] as a quadruple $C = (Q, N, T, q_0)$ where
- Q is a finite set of states,
- N is a finite set of names,
- $T \subseteq Q \times 2^N \times DC \times Q$ is a finite set of transitions of C,
- $q_0$ is the initial state.
We write $p \xrightarrow{n,g} q$ instead of $(p, n, g, q) \in T$ and call n the name set and g the guard of the transition.
The intuitive operational behavior of a constraint automaton is as follows. It starts in its initial state $q_0$. If the current state is q, then C waits until data items occur at some of its ports $A_1, \ldots, A_n$. Suppose data item $d_1$ occurs at $A_1$ and data item $d_2$ at $A_2$ while (at this moment) no data is observed at the other ports $A_3, \ldots, A_n$. This triggers the automaton to check the data constraints of the outgoing transitions of state q with name set $\{A_1, A_2\}$ and to choose a transition t whose guard is satisfied by $d_1$ and $d_2$, resulting in state p. If there is no $\{A_1, A_2\}$-transition from q whose data constraint is fulfilled, then C rejects.
For simplicity of our discussion in the rest of this paper we present constraint automata in a new way. Our purpose is to present constraint automata such that the transitions are labeled with (atomic or compound) propositions. For this purpose we define the transition relation as $T \subseteq Q \times PS \times Q$, in which PS is the set of all propositions of the form $\psi \wedge g$. In other words, each $\varphi \in PS$ is of the form $\varphi \equiv \psi \wedge g$, in which g is a data constraint as defined above and $\psi$ is of the form $\psi \equiv ((\pm p_1) \wedge (\pm p_2) \wedge \ldots \wedge (\pm p_n))$. Each proposition $p_i$ states that the port $A_i$ belongs to the set n, which is a subset of N. For example, suppose that $N = \{A_1, A_2, A_3\}$; the transition $(p, \{A_1, A_2\}, g, q)$ of a constraint automaton can be presented as $(p, (p_1 \wedge p_2 \wedge (\neg p_3) \wedge g), q)$. In the case of nondeterminism, $\psi$ is not a full conjunctive formula and contains only the positive clauses. We call PS the set of Port-Constraint Propositions.
3 The Equivalence Theory from Process Algebra
In this section we recall some basic concepts of process algebras and give the definitions of CFFD- and NDFD-equivalences. For a more detailed discussion of these equivalences and the intuitions behind them please see [15,16,8]. Note that a constraint automaton with the simplification of the last paragraph of the previous section is a particular case of the notion of lts which we define below.
Definition 3.1 A transition alphabet is a countably infinite set $\Sigma$ not containing the empty transition label $\varepsilon$. We write $\Sigma_\varepsilon$ for $\Sigma \cup \{\varepsilon\}$, and $\Sigma^*$ ($\Sigma^\omega$) for the set of all finite (infinite) strings consisting of elements of $\Sigma$. The symbol $\varepsilon$ is also used to denote the empty string. If $\sigma \in (\Sigma^* \cup \Sigma^\omega)$ and $n \geq 1$ we write $\sigma_n$ for the n-th element of $\sigma$ and $\sigma^{(n)}$ for the string obtained by leaving the first n elements out of $\sigma$. If $\sigma, \pi \in (\Sigma^* \cup \Sigma^\omega)$, $\sigma.\pi$ is used to denote the concatenation of $\sigma$ and $\pi$, $\sigma \prec \pi$ denotes that $\sigma$ is a prefix of $\pi$, and $|\sigma|$ denotes the length of $\sigma$. If $\sigma \in (\Sigma_\varepsilon^* \cup \Sigma_\varepsilon^\omega)$, $vis(\sigma)$ is used to denote the string obtained by removing all $\varepsilon$-symbols from $\sigma$, and $\Sigma(\sigma)$ denotes the set of elements of $\sigma$.
Definition 3.2 A labeled transition system (lts) is a triple $L = (S, s, \Delta)$, where S is the set of states, $s \in S$ is the initial state and $\Delta \subseteq S \times \Sigma_\varepsilon \times S$ is the transition relation. The alphabet of L, $\Sigma(L)$, is the set
$$\Sigma(L) = \{l \in \Sigma \mid \exists s, s' : (s, l, s') \in \Delta\}$$
The alphabet of any lts is required to be finite.
If $\rho \in \Sigma_\varepsilon^*$, we write $s_0 \xrightarrow{\rho} s_n$ iff there are $s_1, \ldots, s_{n-1}$ such that for all $0 < i \leq n$, $(s_{i-1}, \rho_i, s_i) \in \Delta$. If there is an $s_n$ such that $s_0 \xrightarrow{\rho} s_n$, we write $s_0 \xrightarrow{\rho}$. If $\rho \in \Sigma_\varepsilon^\omega$, we write $s_0 \xrightarrow{\rho}$ iff $\exists s_1, s_2, \ldots$ such that for all $i > 0$, $(s_{i-1}, \rho_i, s_i) \in \Delta$. If $\sigma \in (\Sigma^* \cup \Sigma^\omega)$, we write $s_0 \stackrel{\sigma}{\Longrightarrow} s_n$ ($s_0 \stackrel{\sigma}{\Longrightarrow}$) iff there is a $\rho \in (\Sigma_\varepsilon^* \cup \Sigma_\varepsilon^\omega)$ such that $s_0 \xrightarrow{\rho} s_n$ ($s_0 \xrightarrow{\rho}$) and $\sigma = vis(\rho)$.
Definition 3.3 Let $L = (S, s, \Delta)$ be a labeled transition system.
- $\sigma \in \Sigma^*$ is a trace of L iff $s \stackrel{\sigma}{\Longrightarrow}$. tr(L) is the set of all traces of L.
- $\sigma \in \Sigma^\omega$ is an infinite trace of L iff $s \stackrel{\sigma}{\Longrightarrow}$. inftr(L) is the set of all infinite traces of L.
- $\sigma \in \Sigma^*$ is a divergence trace of L iff there is a $\rho \in \Sigma_\varepsilon^\omega$ such that $s \xrightarrow{\rho}$ and $\sigma = vis(\rho)$. divtr(L) is the set of all divergence traces of L.
- $s' \in S$ is stable if not $s' \xrightarrow{\varepsilon}$. Lts L is stable if the initial state s is stable. We write stable(L) if L is stable, and ¬stable(L) if it is not.
- $(\sigma, A) \in \Sigma^* \times P(\Sigma)$, where $P(\Sigma)$ denotes the power set of $\Sigma$, is a failure of L iff there is an $s' \in S$ such that $s \stackrel{\sigma}{\Longrightarrow} s'$ and $s' \stackrel{a}{\Longrightarrow}$ for no $a \in A$.
- $(\sigma, A) \in \Sigma^* \times P(\Sigma)$ is a stable failure of L iff there is a stable $s' \in S$ such that $s \stackrel{\sigma}{\Longrightarrow} s'$ and $s' \stackrel{a}{\Longrightarrow}$ for no $a \in A$. sfail(L) is the set of all stable failures of L.
- $(\sigma, A) \in \Sigma^* \times P(\Sigma)$ is a nondivergent failure of L iff $(\sigma, A)$ is a failure and $\sigma$ is not a divergence trace. ndfail(L) is the set of all nondivergent failures of L.
- $\sigma \in \Sigma^*$ is a deadlock trace of L iff $(\sigma, \Sigma)$ is a stable failure of L. dtr(L) is the set of deadlock traces of L.
- $\sigma \in \Sigma^*$ is a nondivergent deadlock trace of L iff $(\sigma, \Sigma)$ is a nondivergent failure of L. nddtr(L) is the set of nondivergent deadlock traces of L. Note that $nddtr(L) = dtr(L) - divtr(L)$.
In addition to the preceding concepts we need some notation which does not ignore the $\varepsilon$ transition labels.
Definition 3.4 Let $L = (S, s, \Delta)$ be a labeled transition system.
- $\rho \in \Sigma_\varepsilon^*$ is a path of L iff $s \xrightarrow{\rho}$.
- $\rho \in \Sigma_\varepsilon^\omega$ is an infinite path of L iff $s \xrightarrow{\rho}$. infpath(L) is the set of all infinite paths of L.
- $\rho \in \Sigma_\varepsilon^*$ is a deadlock path of L iff there is an $s' \in S$ such that $s \xrightarrow{\rho} s'$ and $s' \xrightarrow{\rho'}$ holds for no $\rho' \in \Sigma_\varepsilon$, i.e. $s'$ has no outgoing transition. dpath(L) is the set of all deadlock paths of L.
The following proposition lists some consequences of the definitions for later use.
Proposition 3.5 Let L be an lts.
a) $tr(L) = divtr(L) \cup \{\sigma \mid (\sigma, \emptyset) \in sfail(L)\} = divtr(L) \cup \{\sigma \mid (\sigma, \emptyset) \in ndfail(L)\}$.
b) If $\rho \in dpath(L)$ then $vis(\rho) \in dtr(L)$.
c) If $\rho \in infpath(L)$ and $vis(\rho) \in \Sigma^\omega$ then $vis(\rho) \in inftr(L)$.
d) If $\rho \in infpath(L)$ and $vis(\rho) \in \Sigma^*$ then $vis(\rho) \in divtr(L)$.
e) If $\rho \in dpath(L) \cup infpath(L)$ then $vis(\rho) \in nddtr(L) \cup divtr(L) \cup inftr(L)$.
f) If $\sigma \in dtr(L)$ there is a $\rho \in dpath(L)$ such that $vis(\rho) = \sigma$.
g) If $\sigma \in divtr(L)$ there is a $\rho \in infpath(L)$ such that $vis(\rho) = \sigma$.
h) If $\sigma \in inftr(L)$ there is a $\rho \in infpath(L)$ such that $vis(\rho) = \sigma$.
i) If $\sigma \in nddtr(L) \cup divtr(L) \cup inftr(L)$ there is a $\rho \in dpath(L) \cup infpath(L)$ such that $vis(\rho) = \sigma$.
On the basis of the definitions, the equivalence concepts can be easily defined.
Definition 3.6 Let L and $L'$ be ltss. We say that L and $L'$ are CFFD (NDFD) equivalent and write $L \stackrel{cffd}{\approx} L'$ ($L \stackrel{ndfd}{\approx} L'$) iff $stable(L) \Leftrightarrow stable(L')$, $divtr(L) = divtr(L')$, $inftr(L) = inftr(L')$, and $sfail(L) = sfail(L')$ ($ndfail(L) = ndfail(L')$).
If the labeled transition systems examined are finite, the component inftr in the definition of CFFD-equivalence is superfluous. This corresponds to the original definition of CFFD-equivalence in [15], where only finite ltss were considered.
Proposition 3.7 Let L and $L'$ be finite ltss. Then $L \stackrel{cffd}{\approx} L'$ ($L \stackrel{ndfd}{\approx} L'$) iff $stable(L) \Leftrightarrow stable(L')$, $divtr(L) = divtr(L')$, and $sfail(L) = sfail(L')$ ($ndfail(L) = ndfail(L')$).
The following proposition is an immediate consequence of Definitions 3.3 and 3.6 and is essential for the preservation of linear temporal logic.
Proposition 3.8 If $L \stackrel{cffd}{\approx} L'$ ($L \stackrel{ndfd}{\approx} L'$), then $inftr(L) = inftr(L')$, $divtr(L) = divtr(L')$, and $dtr(L) = dtr(L')$ ($nddtr(L) = nddtr(L')$).
Next we introduce some operators that can be used to combine labeled transition systems and state that CFFD- and NDFD-equivalences are congruences with respect to these operators. The operators used are parallel composition |[...]|, nondeterministic choice [ ], hiding and renaming.
Definition 3.9 Let $L_1 = (S_1, s_1, \Delta_1)$ and $L_2 = (S_2, s_2, \Delta_2)$ be ltss, $G = \{g_1, \ldots, g_n\} \subset \Sigma$ and $H = \{h_1, \ldots, h_n\} \subset \Sigma$. Then:
$L_1 |[g_1, \ldots, g_n]| L_2$ (parallel composition) is the lts $(S_1 \times S_2, (s_1, s_2), \Delta)$, where
- $((t,u), g_i, (t',u')) \in \Delta$, where $g_i \in G$, iff $(t, g_i, t') \in \Delta_1$ and $(u, g_i, u') \in \Delta_2$, and
- $((t,u), l, (t',u')) \in \Delta$, where l is not in G, iff either $(t, l, t') \in \Delta_1$ and $u = u'$, or $(u, l, u') \in \Delta_2$ and $t = t'$.
$L_1 [\,] L_2$ (nondeterministic choice) is the lts $(\{s\} \times \{0\} \cup S_1 \times \{1\} \cup S_2 \times \{2\}, (s,0), \Delta)$, where
- $((t,i), l, (t',i)) \in \Delta$, where $i \in \{1,2\}$, iff $(t, l, t') \in \Delta_i$, and
- $((s,0), l, (t,i)) \in \Delta$, where $i \in \{1,2\}$, iff $(s_i, l, t) \in \Delta_i$.
Hide $g_1, \ldots, g_n$ in $L_1$ is the lts $(S_1, s_1, \Delta)$ where
- $(t, l, t') \in \Delta$ iff either l is not in G and $(t, l, t') \in \Delta_1$, or $l = \varepsilon$ and there is a $g_i \in G$ such that $(t, g_i, t') \in \Delta_1$.
$L_1[h_1/g_1, \ldots, h_n/g_n]$ (renaming) is the lts $(S_1, s_1, \Delta)$ where
- $(t, l, t') \in \Delta$ iff either l is not in G and $(t, l, t') \in \Delta_1$, or $l = h_i$ and $(t, g_i, t') \in \Delta_1$.
Definition 3.10 An equivalence $\approx$ between ltss is a congruence with respect to a syntactic operator f iff for every $L_1, \ldots, L_n$ and $L'_1, \ldots, L'_n$ such that $L_i \approx L'_i$ the following holds: $f(L_1, \ldots, L_n) \approx f(L'_1, \ldots, L'_n)$.
Proposition 3.11 CFFD- and NDFD-equivalences are congruences with respect to all the operators defined in 3.9.
Proof. For the finite case of CFFD see [15], for the general case [16,8]. □
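As an added example (not code from the paper), the following Python implements finite ltss with ε-transitions (Definitions 3.2 to 3.4), the hiding operator of Definition 3.9, and a decision procedure for the finite-lts characterisation of CFFD- and NDFD-equivalence in Proposition 3.7. The ltss A to F and the convention ε = "" are constructed for the illustration; the check walks pairs of ε-closed state sets reached by the same trace and compares, at each pair, the divergence flag and the ⊆-minimal enabled-sets of the states that may refuse, which together determine divtr and sfail (resp. ndfail).

```python
"""Finite ltss (Def. 3.2-3.4), hiding (Def. 3.9) and a decision procedure for
CFFD/NDFD-equivalence of finite ltss (Prop. 3.7).  Added example with
constructed ltss; not code from the paper."""

EPS = ""  # constructed convention: the empty string is the invisible label ε


class LTS:
    """L = (S, s, Δ) with Δ ⊆ S × Σ_ε × S; states may be any hashable values."""

    def __init__(self, init, delta):
        self.init, self.delta = init, frozenset(delta)

    def alphabet(self):                       # Σ(L): the visible labels
        return {l for _, l, _ in self.delta if l != EPS}

    def succ(self, p, l):
        return {q for p2, l2, q in self.delta if p2 == p and l2 == l}

    def eps_closure(self, ps):                # states reachable by ε-steps only
        seen, work = set(ps), list(ps)
        while work:
            for q in self.succ(work.pop(), EPS):
                if q not in seen:
                    seen.add(q)
                    work.append(q)
        return frozenset(seen)

    def step(self, closed, a):                # closed ==a==> (ε-closed result)
        return self.eps_closure(set().union(*(self.succ(p, a) for p in closed)))

    def stable(self, p):                      # no outgoing ε-transition
        return not self.succ(p, EPS)

    def diverges(self, p):                    # an infinite ε-path starts at p
        return any(q in self.eps_closure(self.succ(q, EPS))
                   for q in self.eps_closure({p}))

    def enabled(self, p):                     # {a ∈ Σ | p ==a==>}
        return frozenset(a for a in self.alphabet()
                         if self.step(self.eps_closure({p}), a))


def hide(L, G):
    """Hide g1,...,gn in L (Def. 3.9): every label in G becomes ε."""
    return LTS(L.init, {(p, EPS if l in G else l, q) for p, l, q in L.delta})


def minimal(sets):
    """⊆-minimal members; a refusal family is determined by them, because
    (σ, A) is refused iff A is disjoint from some enabled-set after σ."""
    return frozenset(e for e in sets if not any(f < e for f in sets))


def annotate(L, closed, mode):
    """What the equivalence observes after one trace σ: (divergent?, minimal
    enabled-sets of the states that may refuse).  closed = states after σ."""
    div = any(L.diverges(p) for p in closed)
    if mode == "cffd":                        # stable failures: stable states only
        cands = [L.enabled(p) for p in closed if L.stable(p)]
    else:                                     # nondivergent failures: all states,
        cands = [] if div else [L.enabled(p) for p in closed]   # none if σ diverges
    return div, minimal(cands)


def equivalent(L1, L2, mode="cffd"):
    """CFFD- (mode='cffd') or NDFD- (mode='ndfd') equivalence of finite ltss.
    Walks pairs of ε-closed state sets reached by the same trace (a subset
    construction on both sides) and compares their annotations; for finite
    ltss inftr is superfluous (Prop. 3.7), so this is complete."""
    if L1.stable(L1.init) != L2.stable(L2.init):      # stable(L) ⇔ stable(L')
        return False
    sigma = L1.alphabet() | L2.alphabet()             # common alphabet Σ
    start = (L1.eps_closure({L1.init}), L2.eps_closure({L2.init}))
    seen, work = {start}, [start]
    while work:
        c1, c2 = work.pop()
        if annotate(L1, c1, mode) != annotate(L2, c2, mode):
            return False
        for a in sigma:
            nxt = (L1.step(c1, a), L2.step(c2, a))
            if any(nxt) and nxt not in seen:         # σ.a is a trace of one side
                seen.add(nxt)
                work.append(nxt)
    return True


# Constructed ltss.  A and B have the same traces {ε, a, ab, ac}, but only B
# can reach a stable state after a that refuses b: (a, {b}) ∈ sfail(B).
A = LTS(0, {(0, "a", 1), (1, "b", 2), (1, "c", 3)})
B = LTS(0, {(0, "a", 1), (1, "b", 2), (0, "a", 4), (4, "c", 3)})
# C and D both diverge after a (ε-loop); D also has a stable state after a, so
# CFFD separates them while NDFD, which drops failures at divergent traces,
# identifies them.
C = LTS(0, {(0, "a", 1), (1, EPS, 1), (1, "b", 2)})
D = LTS(0, {(0, "a", 1), (1, EPS, 1), (1, "b", 2), (0, "a", 4), (4, "b", 2)})
# Hiding the b-loop of E turns it into a divergence, which F lacks.
E = hide(LTS(0, {(0, "a", 1), (1, "b", 1)}), {"b"})
F = LTS(0, {(0, "a", 1)})

if __name__ == "__main__":
    print(equivalent(A, B), equivalent(C, D), equivalent(C, D, "ndfd"),
          equivalent(E, F))  # False False True False
```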
4 The Linear Temporal Logic of Constraint Automata
In this section we recall the definitions of linear models and linear temporal logic, and discuss some aspects of the relation between process algebras and temporal logic. In this section we work on constraint automata as a restricted form of the general notion of labeled transition system. Thus the general results will be about labeled transition systems, but some particular results will be about constraint automata.
Definition 4.1 A Linear Model is a finite or infinite sequence $\sigma = (\sigma_1, \sigma_2, \ldots)$ of sets of atomic propositions. Let the set of all atomic propositions be AP. We call any $\sigma_i \subseteq AP$ a state of (in) the linear model $\sigma$.
Definition 4.2 The set of all well-formed formulas (wffs) of linear temporal logic (LTL) is defined by the rules below:
1- If $\varphi \in AP$ then $\varphi$ is a wff.
2- If $\varphi_1$ and $\varphi_2$ are wffs, then $(\neg\varphi_1)$, $(\varphi_1 \vee \varphi_2)$ and $(\varphi_1 U \varphi_2)$ are wffs.
3- If $\varphi$ is a wff then $O\varphi$ is a wff.
4- There are no other wffs.
We use the abbreviations $\top \equiv_{df} (p \vee (\neg p))$ for some fixed proposition p, $(\varphi_1 \wedge \varphi_2) \equiv_{df} (\neg((\neg\varphi_1) \vee (\neg\varphi_2)))$, $(F\varphi) \equiv_{df} (\top U \varphi)$ and $(G\varphi) \equiv_{df} (\neg(F(\neg\varphi)))$.
Definition 4.3 The set of all well-formed formulas (wffs) of Nexttime-less linear temporal logic ($LTL_{-X}$) is defined by the above mentioned rules 1, 2 and 4.
Definition 4.4 The set of all well-formed formulas (wffs) of Restricted linear temporal logic ($LTL_\omega$) is defined by the above mentioned rules 1, 2, 4 and the rule below:
3'- If $\varphi$ is a wff then $\overset{\omega}{F}\varphi$ is a wff.
Definition 4.5 A temporal formula $\varphi$ of the above defined syntactic structures is true in a linear model $\sigma = (\sigma_1, \sigma_2, \ldots)$ (namely $\sigma \models \varphi$) according to the following rules:
1- If $\varphi \in AP$, then $\sigma \models \varphi$ iff $\varphi \in \sigma_1$.
2- $\sigma \models \neg\varphi$ iff not $\sigma \models \varphi$.
3- $\sigma \models (\varphi_1 \vee \varphi_2)$ iff $\sigma \models \varphi_1$ or $\sigma \models \varphi_2$.
4- $\sigma \models (\varphi_1 U \varphi_2)$ iff $\exists i : 0 \leq i < |\sigma|$, $\sigma^{(i)} \models \varphi_2$ and $\forall j : 0 \leq j < i$, $\sigma^{(j)} \models \varphi_1$.
5- $\sigma \models O\varphi$ iff $\sigma^{(2)} \neq \emptyset$ and $\sigma^{(2)} \models \varphi$.
6- $\sigma \models \overset{\omega}{F}\varphi$ iff there are infinitely many $i \geq 0$ such that $\sigma^{(i)} \models \varphi$.
In LTL we have $\overset{\omega}{F}\varphi \equiv GOF\varphi$. Thus $LTL_\omega$ is a restricted version of LTL. In terms of expressive power, it can be shown that $LTL_{-X} \subset LTL_\omega \subset LTL$. In all infinite linear models $\overset{\omega}{F}\varphi \equiv GF\varphi$. Therefore, the temporal operator $\overset{\omega}{F}$ is an operator for distinguishing a finite linear model from an infinite one, i.e. distinguishing a deadlock from a divergence. The same expressive power could be obtained by the less general operator $\overset{\omega}{F}\top$, "the future is infinite", as well.
Definition 4.6 Let $\sigma = (\sigma_1, \sigma_2, \ldots)$ be a linear model. The finitely reduced form of $\sigma$ ($fred(\sigma)$) is constructed by collapsing all finite continuous sequences $\sigma_i, \sigma_{i+1}, \ldots, \sigma_j$ of identical elements $\sigma_i = \sigma_{i+1} = \ldots = \sigma_j$ to one element $\sigma_i$. The reduced form of $\sigma$ ($red(\sigma)$) is constructed by collapsing all finite and infinite continuous sequences $\sigma_i, \sigma_{i+1}, \ldots$ of identical elements $\sigma_i = \sigma_{i+1} = \ldots$ to one element $\sigma_i$. If $\sigma_1$ and $\sigma_2$ are two linear models, we say that $\sigma_1$ and $\sigma_2$ are equivalent under stuttering iff $red(\sigma_1) = red(\sigma_2)$.
Proposition 4.7 Let $\sigma = (\sigma_1, \sigma_2, \ldots)$ be a linear model. If $\varphi$ is an $LTL_\omega$-formula, then $\sigma \models \varphi$ iff $fred(\sigma) \models \varphi$. If $\varphi$ is an $LTL_{-X}$-formula, then $\sigma \models \varphi$ iff $red(\sigma) \models \varphi$.
Proof. It is a straightforward consequence of the stuttering-freeness result of [9], by induction on the structure of the formula. □
4.1 From states to transitions
Traditionally temporal logics are logical systems for the specification and verification of properties that are based on the truth values of propositions in the states of a transition system. (Such transition systems are called Kripke structures. The linear models defined in the previous section are simplifications of Kripke structures.) On the other hand, constraint automata are transition systems with labels on their transitions. Also, process algebraic equivalences and composition operators usually work purely on information that is based on transition labels. In this section we present a way of interpreting the transition labels as functional state transformers: an initial state description and a sequence of transformations induce a sequence of state descriptions on which temporal logic formulas may be interpreted.
Definition 4.8 A state modifier sm is a mapping $sm : 2^{AP} \to 2^{AP}$. The set of all state modifiers is denoted by TS. The identity state modifier I is the identity function. A state modifier sequence is a finite or infinite sequence of state modifiers.
Definition 4.9 A temporal semantics for an lts L is a mapping $f : \Sigma(L) \cup \{\varepsilon\} \to TS$ such that $f(\varepsilon) = I$. If $\rho = a_1 a_2 \ldots$ is a path of L, we write $f(\rho)$ for the sequence $(f(a_1), f(a_2), \ldots)$. In particular, a temporal semantics for a constraint automaton L with Port-Constraint Propositions set PS ($\Sigma = PS$) is a mapping $f : PS \cup \{\varepsilon\} \to TS$ such that $f(\varepsilon) = I$. (In the case of determinism there are no $\varepsilon$-transitions, thus a temporal semantics will be of the form $f : PS \to TS$.) A temporal semantics for a path $\rho$ is a mapping $f : \Sigma(\rho) \cup \{\varepsilon\} \to TS$ such that $f(\varepsilon) = I$.
Definition 4.10 The linear model induced by a state $\nu \subseteq AP$ and a state modifier sequence sms, denoted $Model(\nu, sms)$, is a sequence of states such that:
1- $Model(\nu, sms)_1 = \nu$
2- $Model(\nu, sms)_{i+1} = sms_i(Model(\nu, sms)_i)$.
If sms is finite then $|Model(\nu, sms)| = |sms| + 1$.
Definition 4.11 Let $\sigma \in (\Sigma_\varepsilon^* \cup \Sigma_\varepsilon^\omega)$ be a path of lts L, f a temporal semantics for $\sigma$, $\nu_0$ a state and $\varphi$ an LTL formula. We say $\varphi$ is true of $\sigma$ with respect to temporal semantics f and initial state $\nu_0$, and write $\sigma, f, \nu_0 \models \varphi$, iff $Model(\nu_0, f(\sigma)) \models \varphi$. (If L is a deterministic constraint automaton, $\sigma \in (PS^* \cup PS^\omega)$ is a path of it.)
Usually linear temporal logic formulas are interpreted over the complete paths generated by a transition system. These correspond to the infinite and deadlocking paths of an lts.
Definition 4.12 Let L be an lts (in particular a constraint automaton), f a temporal semantics for L, $\nu_0$ a state and $\varphi$ an LTL formula. We say $\varphi$ is true of L with respect to temporal semantics f and initial state $\nu_0$, and write $L, f, \nu_0 \models \varphi$, iff $\sigma, f, \nu_0 \models \varphi$ for all $\sigma \in dpath(L) \cup infpath(L)$.
Now a module of a coordinating system can be modeled by a constraint automaton and a temporal interpretation expressing the changes in the state information of that module caused by its transitions. These modules can then be combined into larger units of the coordination system by syntactic operators such as parallel composition, hiding and renaming.
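The following Python, added here as an illustration and not the paper's code, implements Definitions 4.8 to 4.12 and Proposition 4.7 on finite linear models, i.e. the models induced by deadlock paths: a constructed one-place-buffer automaton given as a successor table, a temporal semantics f with f(ε) = I, Model(ν, sms), the satisfaction rules of Definition 4.5 and the reduced form red(σ). The automaton, the semantics and the formulas are constructed for the example; it also shows that a next-time formula can change its truth value under red while the LTL−X formulas do not.

```python
"""Temporal semantics for an lts (Def. 4.8-4.12) and the stuttering result of
Prop. 4.7 on finite linear models, i.e. those induced by deadlock paths.
Added example with a constructed automaton; not code from the paper."""
from itertools import groupby

EPS = ""  # constructed convention: the empty string is the label ε


# Formula constructors: wffs are nested tuples (Def. 4.2 / 4.4).
def AP(p): return ("ap", p)
def NOT(a): return ("not", a)
def OR(a, b): return ("or", a, b)
def U(a, b): return ("U", a, b)
def NEXT(a): return ("O", a)
def INF_OFTEN(a): return ("wF", a)            # the ωF operator of LTL_ω
TOP = OR(AP("full"), NOT(AP("full")))         # ⊤ ≡ p ∨ ¬p for a fixed p
def F(a): return U(TOP, a)
def G(a): return NOT(F(NOT(a)))
def IMPLIES(a, b): return OR(NOT(a), b)


def holds(phi, sigma):
    """σ ⊨ φ of Def. 4.5 for a finite, non-empty model σ (list of frozensets);
    sigma[i:] is the suffix σ^(i).  ωF can never hold on a finite model."""
    op = phi[0]
    if op == "ap":
        return phi[1] in sigma[0]
    if op == "not":
        return not holds(phi[1], sigma)
    if op == "or":
        return holds(phi[1], sigma) or holds(phi[2], sigma)
    if op == "U":
        return any(holds(phi[2], sigma[i:])
                   and all(holds(phi[1], sigma[j:]) for j in range(i))
                   for i in range(len(sigma)))
    if op == "O":                              # the next state, if there is one
        return len(sigma) > 1 and holds(phi[1], sigma[1:])
    if op == "wF":
        return False
    raise ValueError(f"unknown operator {op!r}")


def model(nu, sms):
    """Model(ν, sms) of Def. 4.10: Model_1 = ν, Model_{i+1} = sms_i(Model_i)."""
    states = [frozenset(nu)]
    for sm in sms:
        states.append(frozenset(sm(states[-1])))
    return states


def red(sigma):
    """red(σ) of Def. 4.6: collapse runs of identical states (for finite σ,
    red and fred coincide)."""
    return [s for s, _ in groupby(sigma)]


def deadlock_paths(delta, state, prefix=()):
    """dpath(L) of Def. 3.4 for an acyclic lts given as a successor table."""
    if not delta[state]:
        return [prefix]
    return [p for l, q in delta[state]
            for p in deadlock_paths(delta, q, prefix + (l,))]


def satisfies(delta, init, f, nu0, phi):
    """L, f, ν0 ⊨ φ of Def. 4.12 over all complete paths; an acyclic L has no
    infinite paths, so only its deadlock paths remain."""
    return all(holds(phi, model(nu0, [f[l] for l in rho]))
               for rho in deadlock_paths(delta, init))


def stuttering_invariant(phi, sigma):
    """Prop. 4.7 on one model: does σ ⊨ φ agree with red(σ) ⊨ φ?"""
    return holds(phi, sigma) == holds(phi, red(sigma))


# Constructed automaton: port A fills a one-place buffer, port B empties it,
# and a hidden ε step (as left behind by hiding a port) changes nothing.
DELTA = {0: [("A", 1)], 1: [(EPS, 2), ("B", 5)], 2: [("B", 3)],
         3: [("A", 4)], 4: [], 5: []}
# Temporal semantics f : Σ(L) ∪ {ε} → TS with f(ε) = I (Def. 4.9).
SEM = {"A": lambda nu: nu | {"full"},
       "B": lambda nu: nu - {"full"},
       EPS: lambda nu: nu}
FULL = AP("full")
EVENTUALLY_FULL = F(FULL)                              # LTL_-X
ALWAYS_EMPTIED = G(IMPLIES(FULL, F(NOT(FULL))))        # LTL_-X
THIRD_STATE_EMPTY = NEXT(NEXT(NEXT(NOT(FULL))))        # uses next-time
M1 = model(set(), [SEM[l] for l in deadlock_paths(DELTA, 0)[0]])

if __name__ == "__main__":
    print(satisfies(DELTA, 0, SEM, set(), EVENTUALLY_FULL))   # True
    print(satisfies(DELTA, 0, SEM, set(), ALWAYS_EMPTIED))    # False
    print(stuttering_invariant(ALWAYS_EMPTIED, M1),           # True
          stuttering_invariant(THIRD_STATE_EMPTY, M1))        # False
```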
5 Property Preservation, Minimality and Reduction
In this section we show that CFFD- and NDFD-equivalences preserve properties specified in $LTL_\omega$ and $LTL_{-X}$ respectively. In [15] it was shown that CFFD is the minimal equivalence relation in which some temporal logic properties are preserved. With a straightforward and highly similar proof it can be shown that NDFD is the minimal preserving equivalence relation for $LTL_{-X}$ temporal logic. Also in [15,16] a reduction algorithm for CFFD-equivalence was presented. By such a reduction algorithm we can reduce the size of an lts, or in particular of a constraint automaton, such that those properties of the modeled system which can be expressed by $LTL_\omega$ temporal logic formulas are preserved. Thus the process of verification or model checking can be simplified. A modification of the above mentioned reduction algorithm can be applied for the NDFD-equivalence relation (see [8]).
Definition 5.1 Let $L_1$ and $L_2$ be ltss and $\varphi$ an LTL-formula. We say that $L_1$ and $L_2$ agree on $\varphi$ iff for every temporal semantics f and for every initial state $\nu_0$ it is the case that $L_1, f, \nu_0 \models \varphi$ iff $L_2, f, \nu_0 \models \varphi$.
Definition 5.2 An equivalence $\approx$ between ltss is LTL-preserving iff for any $L_1, L_2$ such that $L_1 \approx L_2$, $L_1$ and $L_2$ agree on every LTL formula. Similarly, an equivalence $\approx$ between ltss is $LTL_{-X}$-preserving ($LTL_\omega$-preserving) iff for any $L_1, L_2$ such that $L_1 \approx L_2$, $L_1$ and $L_2$ agree on every $LTL_{-X}$ ($LTL_\omega$) formula.
Now we are in a position to prove that CFFD- and NDFD-equivalences are $LTL_\omega$-preserving and $LTL_{-X}$-preserving respectively.
Proposition 5.3 Let L and $L'$ be ltss with $inftr(L) = inftr(L')$, $divtr(L) = divtr(L')$ and $dtr(L) = dtr(L')$. Then L and $L'$ agree on every $LTL_\omega$-formula.
Proof. Let φ be an LTLω-formula and f, ν0 arbitrary temporal semantics
and initial set respectively. Now,
L,f,ν0? φ iff ρ,f,ν0? φ for all ρ ∈ dpath(L) ∪ infpath(L)
iff vis(ρ),f,ν0? φ for all ρ ∈ dpath(L) and for all infpath(L) such that
vis(ρ) ∈ Σωand vis(ρ).εω,f,ν0? φ for all ρ ∈ infpsth(L) such that
vis(ρ) ∈ Σ∗
iff σ,f,ν0? φ for all σ ∈ dtr(L) and for all σ ∈ inftr(L) and
σ.εω,f,ν0? φ for all σ ∈ divtr(L) (see 3.5)
iff σ,f,ν0? φ for all σ ∈ dtr(L?) and for all σ ∈ inftr(L?) and
σ.εω,f,ν0? φ for all σ ∈ divtr(L?) (by assumption) iff σ,f,ν0? φ.
2
Proposition 5.4 CFFD-equivalence is LTLω-preserving.
Proof. This proposition is a direct consequence of 3.8 and 5.3.
2
Proposition 5.5 Let L and L′ be ltss with inftr(L) = inftr(L′), divtr(L) =
divtr(L′) and nddtr(L) = nddtr(L′). Then L and L′ agree on every LTL−X-
formula.
Proof. The proof is highly similar to that of Proposition 5.3 (see [16,8]). □
Proposition 5.6 NDFD-equivalence is LTL−X-preserving.
Proof. This proposition is a direct consequence of 3.8 and 5.5. □
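As an added illustration, not from the paper, of the sets compared in the hypotheses of Propositions 5.3 and 5.5, the following Python computes for a finite lts its visible traces, deadlock traces dtr and divergence traces divtr up to a length bound, and checks whether two ltss have the same sets. The invisible action is written tau, infinite traces inftr are not computed, and the three ltss L1, L2, L3 are constructed here; none of this comes from the paper.

```python
from collections import deque
TAU = "tau"  # the internal, invisible action (τ in the paper)

class LTS:
    # finite lts given by an initial state and (source, action, target) triples
    def __init__(self, init, transitions):
        self.init, self.succ = init, {}
        for s, a, t in transitions:
            self.succ.setdefault(s, []).append((a, t))
            self.succ.setdefault(t, [])

    def tau_closure(self, states):  # states reachable by zero or more τ-steps
        seen, todo = set(states), list(states)
        while todo:
            for a, t in self.succ[todo.pop()]:
                if a == TAU and t not in seen:
                    seen.add(t); todo.append(t)
        return frozenset(seen)

    def divergent(self, s):  # an infinite τ-path from s exists iff a τ-reachable state lies on a τ-cycle
        return any(t in self.tau_closure({u for a, u in self.succ[t] if a == TAU})
                   for t in self.tau_closure({s}))

def semantic_sets(lts, bound):
    """Visible traces (tr), deadlock traces (dtr) and divergence traces (divtr) of length <= bound."""
    tr, dtr, divtr = set(), set(), set()
    queue = deque([((), lts.tau_closure({lts.init}))])  # (trace sigma, τ-closed set of states after sigma)
    while queue:
        sigma, cur = queue.popleft()
        tr.add(sigma)
        if any(not lts.succ[s] for s in cur):   # some path with trace sigma ends in a deadlock state
            dtr.add(sigma)
        if any(lts.divergent(s) for s in cur):  # some path with trace sigma continues as sigma.τ^ω
            divtr.add(sigma)
        if len(sigma) < bound:
            nxt = {}
            for s in cur:
                for a, t in lts.succ[s]:
                    if a != TAU: nxt.setdefault(a, set()).add(t)
            for a, targets in nxt.items():
                queue.append((sigma + (a,), lts.tau_closure(targets)))
    return frozenset(tr), frozenset(dtr), frozenset(divtr)

def same_sets(l1, l2, bound=6):
    """Bounded check of the hypothesis of Propositions 5.3/5.5 (inftr is not compared here)."""
    return semantic_sets(l1, bound) == semantic_sets(l2, bound)

# Constructed ltss (not from the paper). L1: after a, an internal loop (divergence) and a b leading
# to a deadlock. L2: smaller, with the same tr, dtr and divtr. L3: no internal loop, so divtr differs.
L1 = LTS("s0", [("s0", "a", "s1"), ("s1", TAU, "s2"), ("s2", TAU, "s1"), ("s2", "b", "s3")])
L2 = LTS("t0", [("t0", "a", "t1"), ("t1", TAU, "t1"), ("t1", "b", "t2")])
L3 = LTS("u0", [("u0", "a", "u1"), ("u1", "b", "u2")])
```

same_sets(L1, L2) holds while same_sets(L1, L3) does not, so a reduction from L1 to L2 keeps the sets Proposition 5.3 relies on, whereas L3 is distinguished by its divergence traces alone.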
6 Compositional Verification of Component-Based Systems
With the rapid growth of the power of computing systems, from both hardware
and software points of view, the demand for large and complex computing
systems has increased dramatically. The concept of component-based systems,
especially component-based software, is a new philosophy or way of thinking
to deal with the complexity of designing large scale computing systems. One
of the main goals of this approach is to compose reusable components by some
glue code. The model or the way in which these components are composed
is called the coordination model. Thus coordination is a way of composing
components and building large scale computing systems. Reo is a channel based
coordination language in which complex coordinators are compositionally built
out of simpler ones [1]. Constraint automata are a formalism to capture the
operational semantics of Reo [2]. Thus in general constraint automata are a
fundamental modeling formalism for coordination. In this section we present
a method for compositional model checking of a component-based system and
its coordinating subsystem, using the above mentioned equivalences for
minimizing formal models.
A component-based system has two main parts: a set of components and a
coordinating subsystem. By Reo specifications or constraint automata one can
specify or model the coordinating subsystem in a compositional and hierarchical
way. In other words, if the coordinating subsystem of a component-based
system is modeled by Reo or constraint automata, both the whole system
and its coordinating part are compositional and hierarchical. Thus the
methods of compositional reasoning can be applied both to desired properties
of the complete component-based system and to desired properties of the
coordinating subsystem. Fortunately, the process algebraic discussion above
enables us to use the equivalence based compositional reduction method in both
cases:
Verification of Coordinating Subsystem
In this case we want to verify desired properties of the coordinating subsystem
of a component-based system. If we consider the coordinating subsystem
(for example a Reo circuit or a compositional constraint automaton) as a
complete system, the set of components of the component-based system is
its environment. The externally visible actions of this coordinating subsystem
are the read (input or get) and write (output or put) operations it uses
to communicate with the environment. (In Reo these operations work on its
boundary nodes.) The rest of the actions within the coordinating subsystem, and
its internal states, are not interesting if only the correct functionality of the
coordinating subsystem, that is correct coordination, is of concern. The main
steps of model checking desired properties of the coordinating subsystem are:
1- Expressing the desired property by an LTL−X or LTLω formula.
2- Modeling the coordination subsystem by a compositional constraint
automaton.
3- According to the type of the property which we want to verify, using an
equivalence relation for minimizing the size of the constraint automaton.
4- Using one of the ordinary LTL model checking algorithms on the minimized
model.
Note that because of the minimizations, the efficiency of our method is
better than applying LTL model checking algorithms directly. However,
according to step 4 above, any improvement in the ordinary algorithms of
LTL model checking improves the efficiency of our method.
Verification of the Complete Component-Based System
In this case we want to verify desired properties of the whole component-based
system. Fortunately, we can simply model any component by a labeled
transition system (lts) as defined in section 3 and the coordinating
subsystem by a compositional constraint automaton. The equivalence relations
defined in section 3 work both for ltss in general and for constraint automata.
Thus the main steps of model checking desired properties of a complete
component-based system are:
1- Expressing the desired property by an LTL−X or LTLω formula.
2- Modeling every component by a labeled transition system.
3- According to the type of the desired property formula, using an equivalence
relation for minimizing the size of all lts models.
4- Modeling the coordination subsystem by a constraint automaton.
5- According to the property which we want to verify, using an equivalence
relation for minimizing the size of the constraint automaton model of the
coordinating subsystem.
6- Combining the minimized ltss and the constraint automaton by using the
composition operator and minimizing the result.
7- Using a standard LTL model checking algorithm on the minimized model.
Note that there are other compositional reasoning methods, such as the
assumption-guarantee method [12], in which the reasoning is done separately
on the components of the model by decomposing the desired property formula.
We can consider using such techniques of compositional reasoning combined with
our minimization method. If such techniques are used, steps 6 and 7 above
should be replaced by proper steps based on the selected verification algorithm.
7 Conclusions
In this paper we introduced a standard linear temporal logic and two fragments
of it for expressing the properties of systems modeled by constraint
automata, and showed that the equivalence relation defined by initial stability,
traces and stable failures in [15,16] is the minimal compositional equivalence
preserving that fragment of linear time temporal logic which has no next-time
operator and has an extra operator distinguishing deadlocks. In addition, a
slight modification of this equivalence is the minimal equivalence preserving
linear time temporal logic without the next-time operator. There are reduction
algorithms for reducing a constraint automaton to an equivalent one which is
smaller in size and preserves the temporal properties of the modeled system
with respect to the above mentioned equivalence relations. Thus we used these
equivalences and the respective reduction algorithms in the context of
compositional verification and model checking of large scale component based
systems and their coordinating subsystems. We presented a compositional model
checking algorithm based on these equivalences for component based systems
modeled by labeled transition systems and constraint automata, and a
simplification of it for coordinating subsystems modeled by constraint automata.
In comparison with other techniques for dealing with the state explosion
problem, such as partial order reduction by representatives [11], preorder
reduction [7], abstraction [3] and symmetry [6], the main advantages of our
method are:
1- Its ability to be combined with the other techniques named above for dealing
with the state explosion problem.
2- Because of the minimizations, the efficiency of our method is better than
applying LTL model checking algorithms directly. However, any improvement
in the ordinary algorithms of LTL model checking, or any improvement
in the other techniques for dealing with the state explosion problem combined
with our method, improves the efficiency of our method.
References
[1] Arbab F., Reo: A Channel-based Coordination Model for Component Composition, Math. Struc.
in Computer Science, 14(3), (2004), 329-366.
[2] Arbab F., Baier C., Rutten J., Sirjani M., Modelling Component Connectors in Reo by
Constraint Automata, CWI Report SEN-R0304, (2003).
[3] Clarke E., Grumberg O., Long D., Model Checking and Abstraction, ACM Transactions on
Programming Languages and Systems, 16(5), (1994), 1512-1542.
[4] Clarke E., Grumberg O., Peled D., "Model Checking," The MIT Press, 1999.