# An Equivalence Based Method for Compositional Verification of the Linear Temporal Logic of Constraint Automata.



Mohammad Izadi 1,2
Department of Computer Engineering, Sharif University of Technology and IPM School of Computer Science, Tehran, IRAN

Ali Movaghar Rahimabadi 3
Department of Computer Engineering, Sharif University of Technology and IPM School of Computer Science, Tehran, IRAN

Abstract

Constraint automaton is a formalism to capture the operational semantics of the channel based coordination language Reo. In general constraint automaton can be used as a formalism for modeling coordination of some components. In this paper we introduce a standard linear temporal logic and two fragments of it for expressing the properties of the systems modeled by constraint automata and show that the equivalence relation defined by Valmari et al. is the minimal compositional equivalence preserving that fragment of linear time temporal logic which has no next-time operator and has an extra operator distinguishing deadlocks and a slight modification of this equivalence is the minimal equivalence preserving linear time temporal logic without next-time operator. We present a compositional model checking method based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata and a simplification of it for model checking the coordinating subsystems modeled by constraint automata.

Keywords: formal verification, compositional verification, constraint automata, component based systems.

1 This work was supported by IPM under Grant No. CS-1383-2-01
2 Email: izadi@ipm.ir
3 Email: movaghar@sharif.ir

Electronic Notes in Theoretical Computer Science 159 (2006) 171–186

1571-0661/$ – see front matter © 2006 Elsevier B.V. All rights reserved.

doi:10.1016/j.entcs.2005.12.068

www.elsevier.com/locate/entcs

1 Introduction

Constraint automaton is a formalism to capture the operational semantics of Reo [2]. Reo is a channel based coordination language in which complex coordinators are compositionally built out of simpler ones [1]. In a more fundamental view, constraint automaton by itself can be used as a formalism for modeling coordination of some components. Like any other modeling formalism, it needs ways for expressing desired properties of the actual modeled system and then verifying them. If the correctness requirements of a formally modeled computing system are given in a mathematical notation, such as linear temporal logic [10], branching time temporal logic [17] or automata on infinite objects [14], an algorithmic model theoretic process called model checking [4] can be used to check if the system respects its correctness requirements. Model checking has been shown to be an efficient and easy to use technique in computer systems verification. However, there is a major drawback in using exhaustive model checking: the model of the system tends to be extremely large. In the literature this problem is often referred to as the state explosion problem. The main goal of this paper is to show how theories of behavioral equivalences with a compositional state space generation help us to analyze large constraint automata models in the context of model checking temporal properties by alleviating the state space explosion.

Compositional verification is one of the main proposed methods for dealing with the problem of state explosion [4,5]. In the compositional verification of a system, one seeks to deduce properties of the system from properties of its constituent modules. An obvious strategy is to check local properties of each component of a compositional system and then present a way for deducing that a desired property is satisfied by the complete system. Because of their inherently compositional nature, component-based systems [13] and their formal specification formalisms, such as Reo or constraint automata, are very natural for applying the methods of compositional verification. A special case of compositional verification is the method of equivalence based compositional reduction [15,16,12]. In this method components of a system are reduced with respect to an equivalence relation before building the complete system from them. If the modeling formalism preserves the property of compositionality at all levels of the hierarchical construction of a large scale system, this method can be applied at all levels and modules of the system. Fortunately Reo and its operational semantics, i.e. constraint automata, completely preserve this compositionality in all steps of the process of modeling coordinating systems.

A component-based system has two main parts: a set of components and a coordinating subsystem. By Reo specifications or constraint automata one can specify or model the coordinating subsystem in a compositional and hierarchical way. In other words, if a component based system is modeled by Reo or constraint automata, both the whole system and the coordinating part of it are compositional and hierarchical. Thus the method of compositional reasoning or verification can be applied both for desired properties of the complete component system and for desired properties of the coordinating subsystem.

In this paper we first introduce a standard linear temporal logic and two fragments of it for expressing the properties of the systems modeled by constraint automata and show that the equivalence relation defined by initial stability, traces and stable failures in [15,16] is the minimal compositional equivalence preserving that fragment of linear time temporal logic which has no next-time operator and has an extra operator distinguishing deadlocks. In addition, a slight modification of this equivalence [8] is the minimal equivalence preserving linear time temporal logic without the next-time operator. There are reduction algorithms for reducing a constraint automaton to an equivalent one which is smaller in size and preserves the temporal properties of the modeled system with respect to the above mentioned equivalence relations. Thus in the last part of this work we use these equivalences and their respective reduction algorithms in the context of compositional model checking of large scale component-based systems and their coordinating subsystems. We present a compositional model checking algorithm based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata and a simplification of it for model checking the coordinating subsystems modeled by constraint automata.

The paper proceeds as follows: in section 2 we briefly define constraint automata and introduce a way of modifying the definition such that the labels of transitions are propositional formulas. In section 3 we recall some basic concepts of process algebras and give the definitions of two kinds of equivalences based on the set of all traces or behaviors of labeled transition systems. In section 4 we introduce a standard linear temporal logic and two fragments of it for expressing the properties of the systems modeled by constraint automata. This section contains a way of interpreting temporal operators over labeled transitions instead of labeled states (labeled transition systems versus Kripke structures). In section 5 we show that the above mentioned equivalences preserve properties specified in the two fragments of linear temporal logic. It can be shown that these equivalences are the weakest equivalence relations possible which preserve these temporal properties, and there are reduction algorithms for reducing constraint automata to equivalent ones with respect to these equivalence relations. In section 6 we present a compositional model checking algorithm based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata and a simplification of it for model checking the coordinating subsystems modeled by constraint automata.

2 Constraint Automata

Constraint automata were introduced by Arbab et al. in [2] as a formalism to capture the operational semantics of Reo. Timed data streams, which constitute the foundation of the coalgebraic semantics of Reo, are also the referents in the language of constraint automata. In this section we introduce the notion of constraint automata.

Let $V$ be any set. We define the sets $V^*$ and $V^\omega$ as the sets of all finite and infinite sequences over $V$ respectively. We denote individual streams as $a = (a_0,a_1,a_2,\ldots)$. We call $a_0$ the initial value of $a$. The (stream) derivative $a'$ of a stream $a$ is defined as $a' = (a_1,a_2,\ldots)$. We recall the definition of timed data streams from [4]:

$$TDS = \{\langle \alpha,a \rangle \in Data^\omega \times \mathbb{R}_+^\omega \mid \forall n \geq 0 : a_n < a_{n+1} \text{ and } \lim_{n\to\infty} a_n = \infty\}$$

A timed data stream $A = \langle \alpha,a \rangle$ represents the occurrence of events at a port $A$ and consists of a data stream $\alpha \in Data^\omega$ and a time stream $a \in \mathbb{R}_+^\omega$ consisting of increasing positive real numbers. The time stream $a$ indicates for each data item $\alpha_n$ the moment $a_n$ at which it occurs at port $A$.

Constraint automata can be viewed as acceptors for tuples of timed data streams that are observed at certain ports $A_1,\ldots,A_n$. The rough idea is that such an automaton observes the data occurring at $A_1,\ldots,A_n$ and either changes its state according to the observed data or rejects the data if there is no corresponding transition in the automaton. Further, constraint automata are augmented with the names of their ports $A_1,\ldots,A_n$, where $A_i$ stands for the $i$th TDS. Each transition in a constraint automaton is labeled with a pair $(n,g)$ such that $n$ is a non-empty subset of $N = \{A_1,\ldots,A_n\}$ and $g$ is a guard that constrains the data in the TDS of the ports referenced in $n$. Data constraints are defined by the following grammar:

$$g ::= false \mid true \mid data(A) = d \mid g_1 \vee g_2 \mid g_1 \wedge g_2$$

We use $DC$ as the set of all data constraints defined by the above grammar. We recall the definition of a constraint automaton from [2] as a quadruple $C = (Q,N,T,q_0)$ where

- $Q$ is a finite set of states,
- $N$ is a finite set of names,
- $T \subseteq Q \times 2^N \times DC \times Q$ is a finite set of transitions of $C$,
- $q_0$ is the initial state.

We write $p \xrightarrow{n,g} q$ instead of $(p,n,g,q) \in T$ and call $n$ the name set and $g$ the guard of the transition.

The intuitive operational behavior of a constraint automaton is as follows. It starts in its initial state $q_0$. If the current state is $q$, then $C$ waits until data items occur at some of its ports $A_1,\ldots,A_n$. Suppose data item $d_1$ occurs at $A_1$ and data item $d_2$ at $A_2$ while (at this moment) no data is observed at the other ports $A_3,\ldots,A_n$. This triggers the automaton to check the data constraints of the outgoing transitions of state $q$ with name set $\{A_1,A_2\}$ to choose a transition $t$ such that its guard is satisfied by $d_1$ and $d_2$, resulting in state $p$. If there is no $\{A_1,A_2\}$-transition from $q$ whose data constraint is fulfilled then $C$ rejects.

For the simplicity of our discussion in the rest of this paper we present any constraint automaton in a new way. Our purpose is to present constraint automata such that the transitions are labeled with (atomic or compound) propositions. For this purpose we can define the transition relation as $T \subseteq Q \times PS \times Q$, in which $PS$ is the set of all propositions of the form $\psi \wedge g$. In other words, each $\varphi \in PS$ is of the form $\varphi \equiv \psi \wedge g$, in which $g$ is a data constraint as defined above and $\psi$ is of the form $\psi \equiv ((\pm p_1) \wedge (\pm p_2) \wedge \ldots \wedge (\pm p_n))$. Each proposition $p_i$ states that the port $A_i$ belongs to the set $n$, which is a subset of $N$. For example, suppose that $N = \{A_1,A_2,A_3\}$; the transition $(p,\{A_1,A_2\},g,q)$ of a constraint automaton can be presented as $(p,(p_1 \wedge p_2 \wedge (\neg p_3) \wedge g),q)$. In the case of nondeterminism, $\psi$ is not a full conjunctive formula and it contains only the positive literals. We call the elements of $PS$ Port-Constraint Propositions.
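As an added example (not code from the paper), the step-wise acceptance behavior just described and the port-constraint relabeling, applied to a constructed one-place buffer automaton with ports A and B over the data domain {0, 1}; the automaton, the guard predicates and the observation sequences are all assumptions made for this illustration:

```python
"""Constraint automaton acceptance and port-constraint proposition labels.

Added example, not code from the paper. A transition is (p, n, g_name, g, q):
n is the non-empty name set, g a Python predicate over the data observed at
the ports in n and g_name its printable form. The one-place buffer between
ports A and B, its data domain {0, 1} and all observations are constructed.
"""


class ConstraintAutomaton:
    def __init__(self, names, transitions, q0):
        self.names = list(names)  # N = {A_1, ..., A_n} in index order
        self.q0 = q0
        self.T = [(p, frozenset(n), gname, g, q) for (p, n, gname, g, q) in transitions]
        for (_, n, _, _, _) in self.T:
            assert n and n <= set(self.names), "name set must be a non-empty subset of N"

    def step(self, q, observed):
        """Data items observed at the same moment, as {port: value}. Returns the
        successors of the transitions from q whose name set is exactly the set of
        ports that fired and whose guard holds; an empty set means rejection."""
        fired = frozenset(observed)
        return {t for (p, n, _, g, t) in self.T if p == q and n == fired and g(observed)}

    def run(self, observations):
        """States reachable after a finite sequence of simultaneous observations;
        the empty set means the automaton rejected at some step."""
        current = {self.q0}
        for obs in observations:
            current = {t for q in current for t in self.step(q, obs)}
            if not current:
                break
        return current

    def port_constraint_proposition(self, n, gname, deterministic=True):
        """psi & g for a transition with name set n, where p_i states that A_i is
        in n. In the nondeterministic presentation only positive literals are kept."""
        lits = []
        for i, A in enumerate(self.names, start=1):
            if A in n:
                lits.append(f"p{i}")
            elif deterministic:
                lits.append(f"(~p{i})")
        return " & ".join(lits + [gname])

    def relabel(self, deterministic=True):
        """The automaton as triples (p, phi, q) with phi a Port-Constraint Proposition."""
        return [(p, self.port_constraint_proposition(n, gname, deterministic), q)
                for (p, n, gname, _, q) in self.T]


def one_place_buffer():
    """Constructed example: port A writes a datum d into the buffer, B reads it back."""
    def eq(port, d):
        return lambda obs: obs[port] == d
    T = []
    for d in (0, 1):
        T.append(("empty", {"A"}, f"data(A)={d}", eq("A", d), f"full{d}"))
        T.append((f"full{d}", {"B"}, f"data(B)={d}", eq("B", d), "empty"))
    return ConstraintAutomaton(["A", "B"], T, "empty")
```

Observations at both ports in the same step are rejected because no transition of the buffer has name set {A, B}, which is exactly the rejection rule described above.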

3 The Equivalence Theory from Process Algebra

In this section we recall some basic concepts of process algebras and give the definitions of CFFD and NDFD-equivalences. For a more detailed discussion of these equivalences and the intuitions behind them please see [15,16,8]. Note that a constraint automaton with our simplification in the last paragraph of the previous section is a particular case of the notion of lts, which we define below.

Definition 3.1 A transition alphabet is a countably infinite set $\Sigma$ not containing the empty transition label $\varepsilon$. We write $\Sigma_\varepsilon$ for $\Sigma \cup \{\varepsilon\}$, and $\Sigma^*$ ($\Sigma^\omega$) for the set of all finite (infinite) strings consisting of elements of $\Sigma$. The symbol $\varepsilon$ is also used to denote the empty string. If $\sigma \in (\Sigma^* \cup \Sigma^\omega)$ and $n \geq 1$ we write $\sigma_n$ for the $n$:th element of $\sigma$ and $\sigma^{(n)}$ for the string obtained by leaving the first $n$ elements out of $\sigma$. If $\sigma,\pi \in (\Sigma^* \cup \Sigma^\omega)$, $\sigma.\pi$ is used to denote the concatenation of $\sigma$ and $\pi$, $\sigma \prec \pi$ denotes that $\sigma$ is a prefix of $\pi$, and $|\sigma|$ denotes the length of $\sigma$. If $\sigma \in (\Sigma_\varepsilon^* \cup \Sigma_\varepsilon^\omega)$, $vis(\sigma)$ is used to denote the string obtained by removing all $\varepsilon$-symbols from $\sigma$ and $\Sigma(\sigma)$ denotes the set of elements of $\sigma$.

Definition 3.2 A labeled transition system (lts) is a triple $L = (S,s,\Delta)$, where $S$ is the set of states, $s \in S$ is the initial state and $\Delta \subseteq S \times \Sigma_\varepsilon \times S$ is the transition relation. The alphabet of $L$, $\Sigma(L)$, is the set

$$\Sigma(L) = \{l \in \Sigma \mid \exists s,s' : (s,l,s') \in \Delta\}$$

The alphabet of any lts is required to be finite.

If $\rho \in \Sigma_\varepsilon^*$, we write $s_0 \xrightarrow{\rho} s_n$ iff there are $s_1,\ldots,s_{n-1}$ such that for all $0 < i \leq n$, $(s_{i-1},\rho_i,s_i) \in \Delta$. If there is an $s_n$ such that $s_0 \xrightarrow{\rho} s_n$ we write $s_0 \xrightarrow{\rho}$. If $\rho \in \Sigma_\varepsilon^\omega$, we write $s_0 \xrightarrow{\rho}$ iff $\exists s_1,s_2,\ldots$ such that for all $i > 0$, $(s_{i-1},\rho_i,s_i) \in \Delta$. If $\sigma \in (\Sigma^* \cup \Sigma^\omega)$, we write $s_0 \stackrel{\sigma}{\Longrightarrow} s_n$ ($s_0 \stackrel{\sigma}{\Longrightarrow}$) iff there is a $\rho \in (\Sigma_\varepsilon^* \cup \Sigma_\varepsilon^\omega)$ such that $s_0 \xrightarrow{\rho} s_n$ ($s_0 \xrightarrow{\rho}$) and $\sigma = vis(\rho)$.

Definition 3.3 Let $L = (S,s,\Delta)$ be a labeled transition system.

- $\sigma \in \Sigma^*$ is a trace of $L$ iff $s \stackrel{\sigma}{\Longrightarrow}$. $tr(L)$ is the set of all traces of $L$.
- $\sigma \in \Sigma^\omega$ is an infinite trace of $L$ iff $s \stackrel{\sigma}{\Longrightarrow}$. $inftr(L)$ is the set of all infinite traces of $L$.
- $\sigma \in \Sigma^*$ is a divergence trace of $L$ iff there is a $\rho \in \Sigma_\varepsilon^\omega$ such that $s \xrightarrow{\rho}$ and $\sigma = vis(\rho)$. $divtr(L)$ is the set of all divergence traces of $L$.
- $s' \in S$ is stable if not $s' \xrightarrow{\varepsilon}$. Lts $L$ is stable if the initial state $s$ is stable. We write $stable(L)$ if $L$ is stable, and $\neg stable(L)$ if it is not.
- $(\sigma,A) \in \Sigma^* \times P(\Sigma)$, where $P(\Sigma)$ denotes the power set of $\Sigma$, is a failure of $L$ iff there is an $s' \in S$ such that $s \stackrel{\sigma}{\Longrightarrow} s'$ and $s' \stackrel{a}{\Longrightarrow}$ for no $a \in A$.
- $(\sigma,A) \in \Sigma^* \times P(\Sigma)$ is a stable failure of $L$ iff there is a stable $s' \in S$ such that $s \stackrel{\sigma}{\Longrightarrow} s'$ and $s' \stackrel{a}{\Longrightarrow}$ for no $a \in A$. $sfail(L)$ is the set of all stable failures of $L$.
- $(\sigma,A) \in \Sigma^* \times P(\Sigma)$ is a nondivergent failure of $L$ iff $(\sigma,A)$ is a failure and $\sigma$ is not a divergence trace. $ndfail(L)$ is the set of all nondivergent failures of $L$.
- $\sigma \in \Sigma^*$ is a deadlock trace of $L$ iff $(\sigma,A)$ is a stable failure of $L$. $dtr(L)$ is the set of deadlock traces of $L$.
- $\sigma \in \Sigma^*$ is a nondivergent deadlock trace of $L$ iff $(\sigma,A)$ is a nondivergent failure of $L$. $nddtr(L)$ is the set of nondivergent deadlock traces of $L$. Note that $nddtr(L) = dtr(L) - divtr(L)$.

In addition to the preceding concepts we need some notation which does not ignore the $\varepsilon$ transition labels.

Definition 3.4 Let $L = (S,s,\Delta)$ be a labeled transition system.

- $\rho \in \Sigma_\varepsilon^*$ is a path of $L$ iff $s \xrightarrow{\rho}$.
- $\rho \in \Sigma_\varepsilon^\omega$ is an infinite path of $L$ iff $s \xrightarrow{\rho}$. $infpath(L)$ is the set of all infinite paths of $L$.
- $\rho \in \Sigma_\varepsilon^*$ is a deadlock path of $L$ iff there is an $s' \in S$ such that $s \xrightarrow{\rho} s'$ and for no $\rho'$, $s' \xrightarrow{\rho'}$ holds. $dpath(L)$ is the set of all deadlock paths of $L$.

The following proposition lists some consequences of the definitions for later use.

Proposition 3.5 Let $L$ be an lts.

a) $tr(L) = divtr(L) \cup \{\sigma \mid (\sigma,\emptyset) \in sfail(L)\} = divtr(L) \cup \{\sigma \mid (\sigma,\emptyset) \in ndfail(L)\}$.
b) If $\rho \in dpath(L)$ then $vis(\rho) \in dtr(L)$.
c) If $\rho \in infpath(L)$ and $vis(\rho) \in \Sigma^\omega$ then $vis(\rho) \in inftr(L)$.
d) If $\rho \in infpath(L)$ and $vis(\rho) \in \Sigma^*$ then $vis(\rho) \in divtr(L)$.
e) If $\rho \in dpath(L) \cup infpath(L)$ then $vis(\rho) \in nddtr(L) \cup divtr(L) \cup inftr(L)$.
f) If $\sigma \in dtr(L)$ there is a $\rho \in dpath(L)$ such that $vis(\rho) = \sigma$.
g) If $\sigma \in divtr(L)$ there is a $\rho \in infpath(L)$ such that $vis(\rho) = \sigma$.
h) If $\sigma \in inftr(L)$ there is a $\rho \in infpath(L)$ such that $vis(\rho) = \sigma$.
i) If $\sigma \in nddtr(L) \cup divtr(L) \cup inftr(L)$ there is a $\rho \in dpath(L) \cup infpath(L)$ such that $vis(\rho) = \sigma$.

On the basis of the definitions, the equivalence concepts can be easily defined.

Definition 3.6 Let $L$ and $L'$ be ltss. We say that $L$ and $L'$ are CFFD (NDFD) equivalent and write $L \approx_{cffd} L'$ ($L \approx_{ndfd} L'$) iff $stable(L) \Leftrightarrow stable(L')$, $divtr(L) = divtr(L')$, $inftr(L) = inftr(L')$, and $sfail(L) = sfail(L')$ ($ndfail(L) = ndfail(L')$).

If the labeled transition systems examined are finite, the component $inftr$ in the definition of CFFD-equivalence is superfluous. This corresponds to the original definition of CFFD-equivalence in [15], where only finite ltss were considered.

Proposition 3.7 Let $L$ and $L'$ be finite ltss. Then $L \approx_{cffd} L'$ ($L \approx_{ndfd} L'$) iff $stable(L) \Leftrightarrow stable(L')$, $divtr(L) = divtr(L')$, and $sfail(L) = sfail(L')$ ($ndfail(L) = ndfail(L')$).

The following proposition is an immediate consequence of definitions 3.3 and 3.6 and is essential for the preservation of linear temporal logic.

Proposition 3.8 If $L \approx_{cffd} L'$ ($L \approx_{ndfd} L'$), then $inftr(L) = inftr(L')$, $divtr(L) = divtr(L')$, and $dtr(L) = dtr(L')$ ($nddtr(L) = nddtr(L')$).
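An added example, not code from the paper, that computes the trace, divergence, stable-failure and nondivergent-failure sets of Definition 3.3 for two small constructed ltss and checks the conditions of Proposition 3.7 for both equivalences; it assumes finite ltss, takes the whole alphabet as the refused set for deadlock traces, and bounds visible traces by a length k, which is an approximation of our own:

```python
"""Bounded CFFD / NDFD equivalence check for finite labelled transition systems.

Added example, not code from the paper. An lts is an initial state plus a set of
(s, label, s') triples as in Definition 3.2; EPS is the empty label. The sets of
Definition 3.3 are computed for visible traces up to length k, so the check is a
bounded approximation (our assumption); by Proposition 3.7 inftr is not needed.
"""
from itertools import combinations, product

EPS = ""  # the empty transition label epsilon


class Lts:
    def __init__(self, init, transitions):
        self.init, self.delta = init, set(transitions)
        self.alphabet = {l for _, l, _ in self.delta if l != EPS}

    def eps_closure(self, states):
        """All states reachable from `states` by eps-transitions only."""
        seen, todo = set(states), list(states)
        while todo:
            s = todo.pop()
            for (p, l, q) in self.delta:
                if p == s and l == EPS and q not in seen:
                    seen.add(q)
                    todo.append(q)
        return seen

    def after(self, sigma):
        """States s' with s =sigma=> s' (Definition 3.2); empty if sigma is no trace."""
        cur = self.eps_closure({self.init})
        for a in sigma:
            cur = self.eps_closure({q for (p, l, q) in self.delta if p in cur and l == a})
        return cur

    def stable(self, s):
        return not any(p == s and l == EPS for (p, l, _) in self.delta)

    def enabled(self, s):
        """Visible labels a with s =a=>."""
        cl = self.eps_closure({s})
        return {l for (p, l, _) in self.delta if p in cl and l != EPS}

    def diverges(self, s):
        """True iff an infinite eps-path starts at s (an eps-cycle is eps-reachable)."""
        for q in self.eps_closure({s}):
            succ = {t for (p, l, t) in self.delta if p == q and l == EPS}
            if q in self.eps_closure(succ):
                return True
        return False


def traces(L, k):
    return {sig for n in range(k + 1)
            for sig in product(sorted(L.alphabet), repeat=n) if L.after(sig)}

def divtr(L, k):
    return {sig for sig in traces(L, k) if any(L.diverges(q) for q in L.after(sig))}

def subsets(alpha):
    return [frozenset(c) for r in range(len(alpha) + 1) for c in combinations(sorted(alpha), r)]

def sfail(L, k, alpha):
    """Stable failures: some stable state after sigma refuses every label of A."""
    return {(sig, A) for sig in traces(L, k) for A in subsets(alpha)
            for q in L.after(sig) if L.stable(q) and not (A & L.enabled(q))}

def ndfail(L, k, alpha):
    """Non-divergent failures: any state after a non-divergence trace refuses A."""
    div = divtr(L, k)
    return {(sig, A) for sig in traces(L, k) if sig not in div
            for A in subsets(alpha) for q in L.after(sig) if not (A & L.enabled(q))}

def dtr(L, k, alpha):
    """Deadlock traces, taking A to be the whole alphabet: (sigma, alpha) in sfail."""
    return {sig for (sig, A) in sfail(L, k, alpha) if A == frozenset(alpha)}

def nddtr(L, k, alpha):
    return dtr(L, k, alpha) - divtr(L, k)

def cffd_equivalent(L1, L2, k):
    """Proposition 3.7 for finite ltss; refusal sets range over the union alphabet,
    which suffices because labels outside it are refused by both ltss everywhere."""
    alpha = L1.alphabet | L2.alphabet
    return (L1.stable(L1.init) == L2.stable(L2.init) and divtr(L1, k) == divtr(L2, k)
            and sfail(L1, k, alpha) == sfail(L2, k, alpha))

def ndfd_equivalent(L1, L2, k):
    alpha = L1.alphabet | L2.alphabet
    return (L1.stable(L1.init) == L2.stable(L2.init) and divtr(L1, k) == divtr(L2, k)
            and ndfail(L1, k, alpha) == ndfail(L2, k, alpha))


# Constructed ltss: after 'a' both diverge on an eps self-loop, but L2 may also slip
# into the deadlocked state u. NDFD discards failures after a divergence trace while
# CFFD keeps them, so the two relations give different verdicts on this pair.
L1 = Lts("s", {("s", "a", "t"), ("t", EPS, "t")})
L2 = Lts("s", {("s", "a", "t"), ("t", EPS, "t"), ("t", EPS, "u")})

def compare(k=3):
    return {"cffd": cffd_equivalent(L1, L2, k), "ndfd": ndfd_equivalent(L1, L2, k)}
```

The pair is NDFD-equivalent but not CFFD-equivalent: `a` is a deadlock trace of L2 only, which is exactly the distinction the deadlock-sensitive fragment of the logic can express.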

Next we introduce some operators that can be used to combine labeled transition systems and state that CFFD and NDFD-equivalences are congruences with respect to these operators. The operators used are parallel composition $|[\ldots]|$, nondeterministic choice $[\,]$, hiding and renaming.

Definition 3.9 Let $L_1 = (S_1,s_1,\Delta_1)$ and $L_2 = (S_2,s_2,\Delta_2)$ be ltss, $G = \{g_1,\ldots,g_n\} \subset \Sigma$ and $H = \{h_1,\ldots,h_n\} \subset \Sigma$; then:

$L_1 |[g_1,\ldots,g_n]| L_2$ (parallel composition) is the lts $(S_1 \times S_2,(s_1,s_2),\Delta)$, where

- $((t,u),g_i,(t',u')) \in \Delta$, where $g_i \in G$, iff $(t,g_i,t') \in \Delta_1$ and $(u,g_i,u') \in \Delta_2$, and
- $((t,u),l,(t',u')) \in \Delta$, where $l$ is not in $G$, iff either $(t,l,t') \in \Delta_1$ and $u = u'$ or $(u,l,u') \in \Delta_2$ and $t = t'$.

$L_1 [\,] L_2$ (nondeterministic choice) is the lts $(\{s\} \times \{0\} \cup S_1 \times \{1\} \cup S_2 \times \{2\},(s,0),\Delta)$, where

- $((t,i),l,(t',i)) \in \Delta$, where $i \in \{1,2\}$, iff $(t,l,t') \in \Delta_i$, and
- $((s,0),l,(t,i)) \in \Delta$, where $i \in \{1,2\}$, iff $(s_i,l,t) \in \Delta_i$.

Hide $g_1,\ldots,g_n$ in $L_1$ is the lts $(S_1,s_1,\Delta)$ where

- $(t,l,t') \in \Delta$ iff either $l$ is not in $G$ and $(t,l,t') \in \Delta_1$, or $l = \varepsilon$ and there is a $g_i \in G$ such that $(t,g_i,t') \in \Delta_1$.

$L_1[h_1/g_1,\ldots,h_n/g_n]$ (renaming) is the lts $(S_1,s_1,\Delta)$ where

- $(t,l,t') \in \Delta$ iff either $l$ is not in $G$ and $(t,l,t') \in \Delta_1$, or $l = h_i$ and $(t,g_i,t') \in \Delta_1$.

Definition 3.10 An equivalence $\approx$ between ltss is a congruence with respect to a syntactic operator $f$ iff for every $L_1,\ldots,L_n$ and $L'_1,\ldots,L'_n$ such that $L_i \approx L'_i$ the following holds: $f(L_1,\ldots,L_n) \approx f(L'_1,\ldots,L'_n)$.

Proposition 3.11 CFFD and NDFD equivalences are congruences with respect to all the operators defined in 3.9.

Proof. For the finite case of CFFD see [15], for the general case [16,8]. □

4 The Linear Temporal Logic of Constraint Automata

In this section we recall the definitions of linear models and linear temporal logic, and discuss some aspects of the relation between process algebras and temporal logic. In this section we work on constraint automata as a restricted form of the general notion of labeled transition system. Thus the general results will be about labeled transition systems but some particular results will be about constraint automata.

Definition 4.1 A Linear Model is a finite or infinite sequence $\sigma = (\sigma_1,\sigma_2,\ldots)$ of sets of atomic propositions. Let the set of all atomic propositions be $AP$. We call any $\sigma_i \subseteq AP$ a state of (in) the linear model $\sigma$.

Definition 4.2 The set of all well-formed formulas (wffs) of linear temporal logic (LTL) is defined by the rules below:

1- If $\varphi \in AP$ then $\varphi$ is a wff.
2- If $\varphi_1$ and $\varphi_2$ are wffs, then $(\neg\varphi_1)$, $(\varphi_1 \vee \varphi_2)$ and $(\varphi_1 U \varphi_2)$ are wffs.
3- If $\varphi$ is a wff then $O\varphi$ is a wff.
4- There are no other wffs.

We use the abbreviations $\top \equiv_{df} (p \vee (\neg p))$ for some fixed proposition $p$, $(\varphi_1 \wedge \varphi_2) \equiv_{df} (\neg((\neg\varphi_1) \vee (\neg\varphi_2)))$, $(F\varphi) \equiv_{df} (\top U \varphi)$ and $(G\varphi) \equiv_{df} (\neg(F(\neg\varphi)))$.

Definition 4.3 The set of all well-formed formulas (wffs) of Nexttime-less linear temporal logic ($LTL_{-X}$) is defined by the above mentioned rules 1, 2 and 4.

Definition 4.4 The set of all well-formed formulas (wffs) of Restricted linear temporal logic ($LTL_\omega$) is defined by the above mentioned rules 1, 2, 4 and the rule below:

3'- If $\varphi$ is a wff then $\overset{\omega}{F}\varphi$ is a wff.

Definition 4.5 A temporal formula $\varphi$ of the above defined syntactic structures is true in a linear model $\sigma = (\sigma_1,\sigma_2,\ldots)$ (namely $\sigma \models \varphi$) according to the following rules:

1- If $\varphi \in AP$, then $\sigma \models \varphi$ iff $\varphi \in \sigma_1$.
2- $\sigma \models \neg\varphi$ iff not $\sigma \models \varphi$.
3- $\sigma \models (\varphi_1 \vee \varphi_2)$ iff $\sigma \models \varphi_1$ or $\sigma \models \varphi_2$.
4- $\sigma \models (\varphi_1 U \varphi_2)$ iff $\exists i : 0 \leq i < |\sigma|$, $\sigma^{(i)} \models \varphi_2$ and $\forall j : 0 \leq j < i$, $\sigma^{(j)} \models \varphi_1$.
5- $\sigma \models O\varphi$ iff $\sigma^{(2)} \neq \emptyset$ and $\sigma^{(2)} \models \varphi$.
6- $\sigma \models \overset{\omega}{F}\varphi$ iff there are infinitely many $i \geq 0$ such that $\sigma^{(i)} \models \varphi$.

In LTL there is $\overset{\omega}{F}\varphi \equiv GOF\varphi$. Thus $LTL_\omega$ is a restricted version of LTL. From the expressiveness power, it can be shown that $LTL_{-X} \subset LTL_\omega \subset LTL$. In all infinite linear models $\overset{\omega}{F}\varphi \equiv GF\varphi$. Therefore, the temporal operator $\overset{\omega}{F}$ is an operator for distinguishing a finite linear model from an infinite one, i.e. distinguishing a deadlock from a divergence. The same expressive power could be obtained by the less general operator $\overset{\omega}{F}\top$, which states that the future is infinite, as well.

Definition 4.6 Let $\sigma = (\sigma_1,\sigma_2,\ldots)$ be a linear model. The finitely reduced form of $\sigma$ ($fred(\sigma)$) is constructed by collapsing all finite contiguous sequences $\sigma_i,\sigma_{i+1},\ldots,\sigma_j$ of identical elements $\sigma_i = \sigma_{i+1} = \ldots = \sigma_j$ to one element $\sigma_i$. The reduced form of $\sigma$ ($red(\sigma)$) is constructed by collapsing all finite and infinite contiguous sequences $\sigma_i,\sigma_{i+1},\ldots$ of identical elements $\sigma_i = \sigma_{i+1} = \ldots$ to one element $\sigma_i$. If $\sigma_1$ and $\sigma_2$ are two linear models, we say that $\sigma_1$ and $\sigma_2$ are equivalent under stuttering iff $red(\sigma_1) = red(\sigma_2)$.

Proposition 4.7 Let $\sigma = (\sigma_1,\sigma_2,\ldots)$ be a linear model. If $\varphi$ is an $LTL_\omega$-formula, then $\sigma \models \varphi$ iff $fred(\sigma) \models \varphi$. If $\varphi$ is an $LTL_{-X}$-formula, then $\sigma \models \varphi$ iff $red(\sigma) \models \varphi$.

Proof. It is a straightforward consequence of the stuttering-freeness result of [9], based on an induction on the structure of the formula. □

4.1 From states to transitions

Traditionally temporal logics are logical systems for the specification and verification of properties that are based on the truth values of propositions in the states of a transition system. (Such transition systems are called Kripke structures. Linear models defined in the previous section are simplifications of Kripke structures.) On the other hand constraint automata are transition systems with labels on their transitions. Also process algebraic equivalences and composition operators usually work purely on information that is based on transition labels. In this section we present a way of interpreting the transition labels as functional state transformers: an initial state description and a sequence of transformations induce a sequence of state descriptions on which temporal logic formulas may be interpreted.

Definition 4.8 A state modifier $sm$ is a mapping $sm : 2^{AP} \to 2^{AP}$. The set of all state modifiers is denoted by $TS$. The identity state modifier $I$ is the identity function. A state modifier sequence is a finite or infinite sequence of state modifiers.

Definition 4.9 A temporal semantics for an lts $L$ is a mapping $f : \Sigma(L) \cup \{\varepsilon\} \to TS$ such that $f(\varepsilon) = I$. If $\rho = a_1 a_2 \ldots$ is a path of $L$, we write $f(\rho)$ for the sequence $(f(a_1),f(a_2),\ldots)$. In particular, a temporal semantics for a constraint automaton $L$ with Port-Constraint Propositions set $PS$ ($\Sigma = PS$) is a mapping $f : PS \cup \{\varepsilon\} \to TS$ such that $f(\varepsilon) = I$. (In the case of determinism there are no $\varepsilon$-transitions. Thus a temporal semantics will be of the form $f : PS \to TS$.) A temporal semantics for a path $\rho$ is a mapping $f : \Sigma(\rho) \cup \{\varepsilon\} \to TS$ such that $f(\varepsilon) = I$.

Definition 4.10 The linear model induced by a state $\nu \subseteq AP$ and a state modifier sequence $sms$, denoted $Model(\nu,sms)$, is a sequence of states such that:

1- $Model(\nu,sms)_1 = \nu$
2- $Model(\nu,sms)_{i+1} = sms_i(Model(\nu,sms)_i)$.

If $sms$ is finite then $|Model(\nu,sms)| = |sms| + 1$.

Definition 4.11 Let $\sigma \in (\Sigma_\varepsilon^* \cup \Sigma_\varepsilon^\omega)$ be a path of lts $L$, $f$ a temporal semantics for $\sigma$, $\nu_0$ a state and $\varphi$ an LTL formula. We say $\varphi$ is true of $\sigma$ with respect to temporal semantics $f$ and initial state $\nu_0$ and write $\sigma,f,\nu_0 \models \varphi$ iff $Model(\nu_0,f(\sigma)) \models \varphi$. (If $L$ is a deterministic constraint automaton, $\sigma \in (PS^* \cup PS^\omega)$ is a path of it.)

Usually linear temporal logic formulas are interpreted over the complete paths generated by a transition system. These correspond to the infinite and deadlocking paths of an lts.

Definition 4.12 Let $L$ be an lts (in particular a constraint automaton), $f$ a temporal semantics for $L$, $\nu_0$ a state and $\varphi$ an LTL formula. We say $\varphi$ is true of $L$ with respect to temporal semantics $f$ and initial state $\nu_0$ and write $L,f,\nu_0 \models \varphi$ iff $\sigma,f,\nu_0 \models \varphi$ for all $\sigma \in dpath(L) \cup infpath(L)$.

Now a module of a coordinating system can be modeled by a constraint automaton and a temporal interpretation expressing the changes in the state information of that module caused by each transition. These modules can then be combined into larger units of the coordinating system by syntactic operators such as parallel composition, hiding and renaming.
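An added example, not code from the paper, that evaluates LTL, $LTL_{-X}$ and $LTL_\omega$ formulas by the rules of Definition 4.5 over the linear models of Definition 4.10, induced once by a deadlocking path and once by a divergent path with the same visible trace; the atomic proposition `busy`, the labels `a` and `b` and their state modifiers are constructed, and infinite models are assumed to be ultimately periodic (a prefix followed by a repeated loop):

```python
"""LTL, LTL-X and LTL_omega over linear models induced by state modifiers.

Added example, not code from the paper. Formulas are nested tuples: ('ap', p),
('not', f), ('or', f, g), ('U', f, g), ('O', f) and ('Fw', f) for the F-with-omega
operator of Definition 4.4. Infinite linear models are assumed ultimately
periodic (prefix plus a repeated loop), which is what an infinite path of a
finite lts yields under a temporal semantics with f(eps) = I; a model without a
loop is finite. The proposition 'busy' and the labels 'a', 'b' are constructed.
"""


class LinearModel:
    """sigma = prefix . loop^omega (Definition 4.1); loop=None gives a finite model."""

    def __init__(self, prefix, loop=None):
        self.states = [frozenset(s) for s in prefix] + [frozenset(s) for s in (loop or [])]
        self.loop_start = len(prefix) if loop else None

    def succ(self, i):
        """Position of the suffix after position i, or None when a finite model ends."""
        if i + 1 < len(self.states):
            return i + 1
        return self.loop_start

    def suffix_positions(self, i):
        """Positions of the pairwise distinct suffixes sigma^(i), sigma^(i+1), ..."""
        seen = []
        while i is not None and i not in seen:
            seen.append(i)
            i = self.succ(i)
        return seen

    def holds(self, phi, i=0):
        """sigma^(i) |= phi following Definition 4.5 (positions counted from 0)."""
        op = phi[0]
        if op == "ap":
            return phi[1] in self.states[i]
        if op == "not":
            return not self.holds(phi[1], i)
        if op == "or":
            return self.holds(phi[1], i) or self.holds(phi[2], i)
        if op == "O":  # next-time: the next suffix must exist
            j = self.succ(i)
            return j is not None and self.holds(phi[1], j)
        if op == "U":  # until: scanning each distinct suffix once is enough
            for j in self.suffix_positions(i):
                if self.holds(phi[2], j):
                    return True
                if not self.holds(phi[1], j):
                    return False
            return False
        if op == "Fw":  # infinitely often: only positions inside the loop recur
            return self.loop_start is not None and any(
                self.holds(phi[1], j) for j in range(self.loop_start, len(self.states)))
        raise ValueError(f"unknown operator {op}")


# Abbreviations of Definition 4.2: top, and, F and G.
TOP = ("or", ("ap", "p"), ("not", ("ap", "p")))

def And(f, g):
    return ("not", ("or", ("not", f), ("not", g)))

def F(f):
    return ("U", TOP, f)

def G(f):
    return ("not", F(("not", f)))


def induced_model(nu, modifiers, divergent=False):
    """Model(nu, sms) of Definition 4.10. With divergent=True the path continues
    with eps forever and f(eps) = I, so the last state stutters infinitely (the
    sigma.eps^omega used in the proof of Proposition 5.3)."""
    states = [frozenset(nu)]
    for sm in modifiers:
        states.append(frozenset(sm(states[-1])))
    if divergent:
        return LinearModel(states[:-1], loop=[states[-1]])
    return LinearModel(states)


# Constructed temporal semantics f: label 'a' sets busy, label 'b' clears it.
SEM = {"a": lambda st: st | {"busy"}, "b": lambda st: st - {"busy"}}

def compare(visible=("a", "b")):
    """Same visible trace as a deadlock path and as a divergent path: the LTL_omega
    formula Fw top separates them, the LTL-X formula F busy cannot."""
    mods = [SEM[l] for l in visible]
    deadlock = induced_model(set(), mods)
    divergence = induced_model(set(), mods, divergent=True)
    infinite_future, eventually_busy = ("Fw", TOP), F(("ap", "busy"))
    return {
        "deadlock Fw top": deadlock.holds(infinite_future),
        "divergence Fw top": divergence.holds(infinite_future),
        "deadlock F busy": deadlock.holds(eventually_busy),
        "divergence F busy": divergence.holds(eventually_busy),
    }
```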

5 Property Preservation, Minimality and Reduction

In this section we show that CFFD and NDFD-equivalences preserve properties specified in $LTL_\omega$ and $LTL_{-X}$ respectively. In [15] it was shown that CFFD is the minimal equivalence relation in which some temporal logic properties are preserved. With a straightforward and highly similar proof it can be shown that NDFD is the minimal preserving equivalence relation for $LTL_{-X}$ temporal logic. Also in [15,16] a reduction algorithm for CFFD-equivalence was presented. By such a reduction algorithm, we can reduce the size of an lts or in particular a constraint automaton such that those properties of the modeled system which can be expressed by $LTL_\omega$ temporal logic formulas are preserved. Thus the process of verification or model checking can be simplified. A modification of the above mentioned reduction algorithm can be applied for the NDFD-equivalence relation (see [8]).

Definition 5.1 Let L1and L2be ltss and φ an LTL-formula. We say that

L1and L2agree on φ iff for every temporal semantics f and for every initial

state ν0it is the case that L1,f,ν0? φ iff L2,f,ν0? φ.

M. Izadi, A. Movaghar Rahimabadi / Electronic Notes in Theoretical Computer Science 159 (2006) 171–186 181


Definition 5.2 An equivalence ≈ between ltss is LTL-preserving iff for any L1, L2 such that L1 ≈ L2, L1 and L2 agree on every LTL formula. Similarly, an equivalence ≈ between ltss is LTL−X-preserving (LTLω-preserving) iff for any L1, L2 such that L1 ≈ L2, L1 and L2 agree on every LTL−X (LTLω) formula.

Now we are in the situation in which we can prove that the CFFD and NDFD equivalences are LTLω-preserving and LTL−X-preserving respectively.

Proposition 5.3 Let L and L′ be ltss with inftr(L) = inftr(L′), divtr(L) = divtr(L′) and dtr(L) = dtr(L′). Then L and L′ agree on every LTLω-formula.

Proof. Let φ be an LTLω-formula and f, ν0 an arbitrary temporal semantics and initial state respectively. Now,

L,f,ν0 ⊨ φ
iff ρ,f,ν0 ⊨ φ for all ρ ∈ dpath(L) ∪ infpath(L)
iff vis(ρ),f,ν0 ⊨ φ for all ρ ∈ dpath(L) and for all ρ ∈ infpath(L) such that vis(ρ) ∈ Σ^ω, and vis(ρ).ε^ω,f,ν0 ⊨ φ for all ρ ∈ infpath(L) such that vis(ρ) ∈ Σ^*
iff σ,f,ν0 ⊨ φ for all σ ∈ dtr(L) and for all σ ∈ inftr(L), and σ.ε^ω,f,ν0 ⊨ φ for all σ ∈ divtr(L) (see 3.5)
iff σ,f,ν0 ⊨ φ for all σ ∈ dtr(L′) and for all σ ∈ inftr(L′), and σ.ε^ω,f,ν0 ⊨ φ for all σ ∈ divtr(L′) (by assumption)
iff L′,f,ν0 ⊨ φ. □

Proposition 5.4 CFFD-equivalence is LTLω-preserving.

Proof. This proposition is a direct consequence of 3.8 and 5.3. □

Proposition 5.5 Let L and L′ be ltss with inftr(L) = inftr(L′), divtr(L) = divtr(L′) and nddtr(L) = nddtr(L′). Then L and L′ agree on every LTL−X-formula.

Proof. The proof is highly similar to the proof of Proposition 5.3 (see [16,8]). □

Proposition 5.6 NDFD-equivalence is LTL−X-preserving.

Proof. This proposition is a direct consequence of 3.8 and 5.5. □

6 Compositional Verification of Component-Based Systems

With the rapid growth of the power of computing systems, from both the hardware and software points of view, the demand for large and complex computing systems has increased dramatically. The concept of component-based systems, especially component-based software, is a new philosophy or way of thinking for dealing with the complexity of designing large scale computing systems. One of the main goals of this approach is to compose reusable components by some glue code. The model, or the way in which these components are composed, is called the coordination model. Thus coordination is a way of composing components and building large scale computing systems. Reo is a channel based coordination language in which complex coordinators are compositionally built out of simpler ones [1]. Constraint automaton is a formalism to capture the operational semantics of Reo [2]. Thus in general constraint automaton is a fundamental modeling formalism for coordination. In this section we present a method for compositional model checking of a component-based system and of its coordinating subsystem, using the above mentioned equivalences for minimizing formal models.

A component-based system has two main parts: a set of components and a coordinating subsystem. By Reo specifications or constraint automata one can specify or model the coordinating subsystem in a compositional and hierarchical way. In other words, if the coordinating subsystem of a component-based system is modeled by Reo or a constraint automaton, both the whole system and its coordinating part are compositional and hierarchical. Thus the methods of compositional reasoning can be applied both to desired properties of the complete component-based system and to desired properties of the coordinating subsystem. Fortunately, the process algebraic discussion above enables us to use the equivalence based compositional reduction method in both cases:

Verification of the Coordinating Subsystem

In this case we want to verify desired properties of the coordinating subsystem of a component-based system. If we consider the coordinating subsystem (for example a Reo circuit or a compositional constraint automaton) as a complete system, the set of components of the component-based system is its environment. The externally visible actions of this coordinating subsystem are the read (input or get) and write (output or put) operations it uses to communicate with the environment. (In Reo these operations work on its boundary nodes.) The rest of the actions within the coordinating subsystem, and its internal states, are not of interest if only the correct functionality of the coordinating subsystem, that is correct coordination, is concerned. The main steps of model checking desired properties of the coordinating subsystem are:

1- Expressing the desired property by an LTL−X or LTLω formula.

2- Modeling the coordination subsystem by a compositional constraint automaton.

3- According to the type of the property which we want to verify, using an equivalence relation for minimizing the size of the constraint automaton.

4- Using one of the ordinary LTL model checking algorithms on the minimized model.

Note that because of the minimizations, the efficiency of our method is better than applying the algorithms of LTL model checking directly. Moreover, according to step 4 above, any improvement in the ordinary algorithms of LTL model checking improves the efficiency of our method.
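Step 3 relies on the reduced automaton still satisfying the hypothesis of Proposition 5.3, so a practitioner wants a way to check that a candidate reduction has not changed the deadlock, divergence or infinite traces. The following added example (not from the paper) does that check, in a bounded form, on constructed constraint-automaton-like ltss; the definitions of dtr and divtr, the "tau" label for invisible steps, the Reo FIFO1 models and the length bound are all assumptions of the example, and agreement up to the bound is necessary but not sufficient for equivalence.

```python
# Added example, not from the paper: bounded check of Proposition 5.3's
# hypothesis. An lts is a dict state -> [(label, next_state)]; "tau" is the
# invisible action and a label such as "{A}" is the set of ports that fire.
# Assumed Valmari-style definitions: dtr = visible traces of paths that end in
# a state with no outgoing transition; divtr = visible traces after which an
# infinite tau-only path exists. Traces are enumerated up to length `bound`.
TAU = "tau"

def tau_reach(lts, state):
    """States reachable from `state` by one or more tau steps."""
    reach, frontier = set(), [state]
    while frontier:
        for label, nxt in lts.get(frontier.pop(), []):
            if label == TAU and nxt not in reach:
                reach.add(nxt)
                frontier.append(nxt)
    return reach

def diverges(lts, state):
    # An infinite tau path exists iff `state` or a tau-reachable state lies on a tau-cycle.
    return any(r in tau_reach(lts, r) for r in tau_reach(lts, state) | {state})

def trace_sets(lts, init, bound):
    """Return (dtr, divtr, traces), restricted to visible traces of length <= bound."""
    dtr, divtr, traces, seen, frontier = set(), set(), set(), set(), [(init, ())]
    while frontier:
        state, tr = frontier.pop()
        if (state, tr) in seen:
            continue
        seen.add((state, tr))
        traces.add(tr)
        if not lts.get(state):      # no outgoing transition: tr is a deadlock trace
            dtr.add(tr)
        if diverges(lts, state):    # infinite tau path possible: tr is a divergence trace
            divtr.add(tr)
        for label, nxt in lts.get(state, []):
            ext = tr if label == TAU else tr + (label,)   # vis() drops tau steps
            if len(ext) <= bound:
                frontier.append((nxt, ext))
    return dtr, divtr, traces

def agree_up_to(l1, i1, l2, i2, bound=6):
    return trace_sets(l1, i1, bound) == trace_sets(l2, i2, bound)  # dtr, divtr, traces all equal

# Constructed models: a Reo FIFO1 buffer with input port A and output port B.
FIFO1 = {"empty": [("{A}", "full")], "full": [("{B}", "empty")]}
# Same observable behaviour, but with an internal tau step before becoming full.
FIFO1_TAU = {"empty": [("{A}", "mid")], "mid": [(TAU, "full")], "full": [("{B}", "empty")]}
# An internal tau loop in "mid" adds a divergence after {A}: not LTLω-equivalent to FIFO1.
FIFO1_DIV = {"empty": [("{A}", "mid")], "mid": [(TAU, "full"), (TAU, "mid")],
             "full": [("{B}", "empty")]}
```

A reduction that turns FIFO1_TAU into FIFO1 passes the check, while FIFO1_DIV is rejected because of its extra divergence trace, which an LTLω formula can distinguish.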

Verification of the Complete Component-Based System

In this case we want to verify desired properties of the whole component-based system. Fortunately, we can simply model any component by a labeled transition system (lts) as defined in Section 3, and the coordinating subsystem by a compositional constraint automaton. The equivalence relations defined in Section 3 work both for ltss in general and for constraint automata. Thus the main steps of model checking desired properties of a complete component-based system are:

1- Expressing the desired property by an LTL−X or LTLω formula.

2- Modeling every component by a labeled transition system.

3- According to the type of the desired property formula, using an equivalence relation for minimizing the size of all lts models.

4- Modeling the coordination subsystem by a constraint automaton.

5- According to the property which we want to verify, using an equivalence relation for minimizing the size of the constraint automaton model of the coordinating subsystem.

6- Combining the minimized ltss and the constraint automata by using the composition operator, and minimizing the result.

7- Using a standard LTL model checking algorithm on the minimized model.

Note that there are other compositional reasoning methods, such as the assume-guarantee method [12], in which the reasoning is done separately on the components of the model by decomposing the desired property formula. Such techniques of compositional reasoning can be used jointly with our minimization method. If such techniques are used, steps 6 and 7 above should be replaced by the proper steps of the selected verification algorithm.


7 Conclusions

In this paper we introduced a standard linear temporal logic and two fragments of it for expressing the properties of systems modeled by constraint automata, and showed that the equivalence relation defined by initial stability, traces and stable failures in [15,16] is the minimal compositional equivalence preserving that fragment of linear time temporal logic which has no next-time operator and has an extra operator distinguishing deadlocks. In addition, a slight modification of this equivalence is the minimal equivalence preserving linear time temporal logic without the next-time operator. There are reduction algorithms for reducing a constraint automaton to an equivalent one which is smaller in size and preserves the temporal properties of the modeled system with respect to the above mentioned equivalence relations. Thus we used these equivalences and their respective reduction algorithms in the context of compositional verification and model checking of large scale component-based systems and their coordinating subsystems. We presented a compositional model checking algorithm based on these equivalences for component-based systems modeled by labeled transition systems and constraint automata, and a simplification of it for the coordinating subsystems modeled by constraint automata.

In comparison with other techniques for dealing with the state explosion problem, such as partial order reduction by representatives [11], preorder reduction [7], abstraction [3] and symmetry [6], the main advantages of our method are:

1- Its ability to be combined with the other techniques mentioned above for dealing with the state explosion problem.

2- Because of the minimizations, the efficiency of our method is better than applying the algorithms of LTL model checking directly. Moreover, any improvement in the ordinary algorithms of LTL model checking, or any improvement in the other techniques for dealing with the state explosion problem combined with our method, improves the efficiency of our method.

References

[1] Arbab F., Reo: A Channel-based Coordination Model for Component Composition, Math. Struc. in Computer Science, 14(3), (2004), 329-366.

[2] Arbab F., Baier C., Rutten J., Sirjani M., Modelling Component Connectors in Reo by Constraint Automata, CWI Report SEN-R0304, (2003).

[3] Clarke E., Grumberg O., Long D., Model Checking and Abstraction, ACM Transactions on Programming Languages and Systems, 16(5), (1994), 1512-1542.

[4] Clarke E., Grumberg O., Peled D., "Model Checking," The MIT Press, 1999.
