Bisimilarity and Hennessy-Milner Logic: Luca Aceto ICE-TCS, School of Computer Science, Reykjavik University

Introduction to Model Checking
Hennessy-Milner Logic
Hennessy-Milner Logic with One Recursive Definition
Selection of Temporal Properties
Bisimilarity and Hennessy-Milner Logic
Luca Aceto
ICE-TCS, School of Computer Science, Reykjavik University
Luca Aceto Bisimilarity and HML

Tentative Plan
1 An introduction to Hennessy-Milner logic (HML)

2 Syntax and semantics of HML
3 Correspondence with bisimilarity
4 Hennessy-Milner logic and temporal properties
5 Hennessy-Milner logic with recursion
6 ...?

Hennessy-Milner Logic Equivalence Checking vs. Model Checking
Hennessy-Milner Logic with One Recursive Definition Modal and Temporal Properties
Verifying Correctness of Reactive Systems

Let Impl be an implementation of a system.
Equivalence Checking Approach
Impl ≡ Spec
≡ is a behavioural equivalence, e.g. ∼ or ≈
Spec is expressed in the same language as Impl
Spec provides the full specification of the intended behaviour
Model Checking Approach

Impl |= Property
|= is the satisfaction relation
Property is a particular feature, often expressed via a logic
Property is a partial specification of the intended behaviour
Verifying Correctness of Reactive Systems

Let Impl be an implementation of a system.
Equivalence Checking Approach
Impl ≡ Spec
≡ is a behavioural equivalence, e.g. ∼ or ≈
Spec is expressed in the same language as Impl
Spec provides the full specification of the intended behaviour
Model Checking Approach

Impl |= Property
|= is the satisfaction relation
Property is a particular feature, often expressed via a logic
Property is a partial specification of the intended behaviour
Model Checking of Reactive Systems
Our Aim
Develop a logic in which we can express interesting properties of
reactive systems.

Logical Properties of Reactive Systems
Modal Properties – what can happen now (possibility, necessity)

drink a coffee (can drink a coffee now)
does not drink tea
drinks both tea and coffee
drinks tea after coffee
Temporal Properties – behaviour in time

never drinks any alcohol
(safety property: nothing bad can happen)
eventually will have a glass of wine
(liveness property: something good will happen)
Can these properties be expressed using equivalence checking?


does not drink tea



does not drink tea


Syntax
Semantics
Denotational Semantics
Correspondence between HM Logic and Strong Bisimilarity
Temporal Properties – Invariance and Possibility
Hennessy-Milner Logic – Syntax

Syntax of the Formulae (a ∈ Act)
F , G ::= tt | ff | F ∧ G | F ∨ G | haiF | [a]F
Intuition:
tt all processes satisfy this property
ff no process satisfies this property
∧, ∨ usual logical AND and OR
haiF there is at least one a-successor that satisfies F
[a]F all a-successors have to satisfy F
Remark
Temporal properties like always/never in the future or eventually
are not included.
Syntax
Semantics

Intuition:
Remark
are not included.
Syntax
Semantics

Intuition:
Remark
are not included.
Syntax
Semantics
Hennessy-Milner Logic – Semantics

a
Let (Proc, Act, {−→| a ∈ Act}) be an LTS.
Validity of the logical triple p |= F (p ∈ Proc, F a HM formula)

p |= tt for each p ∈ Proc
p |= ff for no p (we also write p 6|= ff )
p |= F ∧ G iff p |= F and p |= G
p |= F ∨ G iff p |= F or p |= G
a
p |= haiF iff p −→ p 0 for some p 0 ∈ Proc such that p 0 |= F
a
p |= [a]F iff p 0 |= F , for all p 0 ∈ Proc such that p −→ p 0
We write p 6|= F whenever p does not satisfy F .

Syntax
Semantics
What about Negation?

For every formula F we define the formula F c as follows:
tt c = ff
ff c = tt
(F ∧ G )c = F c ∨ G c
(F ∨ G )c = F c ∧ G c
(haiF )c = [a]F c
([a]F )c = haiF c
Theorem (F c is equivalent to the negation of F )

For any p ∈ Proc and any HM formula F
1 p |= F =⇒ p 6|= F c
2 p 6|= F =⇒ p |= F c
Syntax
Semantics
What about Negation?

For every formula F we define the formula F c as follows:
tt c = ff
ff c = tt
(F ∧ G )c = F c ∨ G c
(F ∨ G )c = F c ∧ G c
(haiF )c = [a]F c
([a]F )c = haiF c
Theorem (F c is equivalent to the negation of F )

For any p ∈ Proc and any HM formula F
1 p |= F =⇒ p 6|= F c
2 p 6|= F =⇒ p |= F c
Syntax
Semantics
Hennessy-Milner Logic – Denotational Semantics

For a formula F let [[F ]] ⊆ Proc contain all states that satisfy F .
Denotational Semantics: [[ ]] : Formulae → 2Proc

[[tt]] = Proc and [[ff ]] = ∅
[[F ∨ G ]] = [[F ]] ∪ [[G ]]
[[F ∧ G ]] = [[F ]] ∩ [[G ]]
[[haiF ]] = h·a·i[[F ]]
[[[a]F ]] = [·a·][[F ]]
where h·a·i, [·a·] : 2(Proc) → 2(Proc) are defined by

a
h·a·iS = {p ∈ Proc | ∃p 0 . p −→ p 0 and p 0 ∈ S}
a
[·a·]S = {p ∈ Proc | ∀p 0 . p −→ p 0 =⇒ p 0 ∈ S}.
Syntax
Semantics
The Correspondence Theorem
Theorem
a
Let (Proc, Act, {−→| a ∈ Act}) be an LTS, p ∈ Proc and F a
formula of Hennessy-Milner logic. Then
p |= F if and only if p ∈ [[F ]].
Proof: By induction on the structure of the formula F . How?

Syntax
Semantics
The Correspondence Theorem
Theorem
a
Let (Proc, Act, {−→| a ∈ Act}) be an LTS, p ∈ Proc and F a
formula of Hennessy-Milner logic. Then
p |= F if and only if p ∈ [[F ]].
Proof: By induction on the structure of the formula F . How?

Syntax
Semantics
Image-Finite Labelled Transition System
Image-Finite System
a
Let (Proc, Act, {−→| a ∈ Act}) be an LTS. We call it image-finite
iff for every p ∈ Proc and every a ∈ Act the set
a
{p 0 ∈ Proc | p −→ p 0 }
is finite.
Question: Are there any connections between image finiteness and
finite branching?

Syntax
Semantics
Relationship between HM Logic and Strong Bisimilarity
Theorem (Hennessy-Milner)
a
Let (Proc, Act, {−→| a ∈ Act}) be an image-finite LTS and
p, q ∈ St. Then
p∼q
if and only if
for every HM formula F : (p |= F ⇐⇒ q |= F ).
Proof?

Syntax
Semantics
CWB Session
[luca@vel5638 CWB]$
./xccscwb.x86-linux
> input "hm.cwb";

hm.cwb > print;
agent S = a.S1; > help logic;
agent S1 = b.0 + c.0; > checkprop(S,<a>(<b>T & <c>T));
true
agent T = a.T1 + a.T2;
> checkprop(T,<a>(<b>T & <c>T));
agent T1 = b.0;
false
agent T2 = c.0;
> help dfstrong;
> dfstrong(S,T);
[a]<b>T
> exit;
Syntax
Semantics
Is Hennessy-Milner Logic Powerful Enough?

Modal depth (nesting degree) for Hennessy-Milner formulae:
md(tt) = md(ff ) = 0
md(F ∧ G ) = md(F ∨ G ) = max{md(F ), md(G )}
md([a]F ) = md(haiF ) = md(F ) + 1
Idea: a formula F can “see” only up to depth md(F ).

Theorem (let F be a HM formula and k = md(F ))
If the defender has a defending strategy in the strong bisimulation
game from s and t up to k rounds then s |= F if and only if t |= F .
Conclusion
There is no Hennessy-Milner formula F that can detect a deadlock
in an arbitrary LTS.
Syntax
Semantics

md([a]F ) = md(haiF ) = md(F ) + 1

Conclusion
Syntax
Semantics

md([a]F ) = md(haiF ) = md(F ) + 1

Conclusion
Syntax
Semantics
Temporal Properties not Expressible in HM Logic

s |= Inv (F ) iff all states reachable from s satisfy F
s |= Pos(F ) iff there is a reachable state which satisfies F
Fact
Properties Inv (F ) and Pos(F ) are not expressible in HM logic.
Let Act = {a1 , a2 , . . . , an } be a finite set of actions. We define

def
hActiF = ha1 iF ∨ ha2 iF ∨ . . . ∨ han iF
def
[Act]F = [a1 ]F ∧ [a2 ]F ∧ . . . ∧ [an ]F
Inv (F ) ≡ F ∧ [Act]F ∧ [Act][Act]F ∧ [Act][Act][Act]F ∧ . . .

Pos(F ) ≡ F ∨ hActiF ∨ hActihActiF ∨ hActihActihActiF ∨ . . .
Syntax
Semantics

Fact

def
def
[Act]F = [a1 ]F ∧ [a2 ]F ∧ . . . ∧ [an ]F

Syntax
Semantics

Fact

def
def
[Act]F = [a1 ]F ∧ [a2 ]F ∧ . . . ∧ [an ]F

Syntax
Semantics
Infinite Conjunctions and Disjunctions vs. Recursion
Problems
infinite formulae are not allowed in HM logic
infinite formulae are difficult to handle
Why don’t we use recursion?

def
Inv (F ) expressed by X = F ∧ [Act]X
def
Pos(F ) expressed by X = F ∨ hActiX
Question: How to define the semantics of such equations?

Syntax
Semantics
Problems

def
def

Syntax
Semantics
Problems

def
def

Syntax
Semantics
Solving Equations is Tricky

Equations over Natural Numbers (n ∈ N)
n =2∗n one solution n = 0
n =n+1 no solution
n =1∗n many solutions (every n ∈ Nat is a solution)
Equations over Sets of Integers (M ∈ 2N )

M = ({7} ∩ M) ∪ {7} one solution M = {7}
M =NrM no solution
M = {3} ∪ M each M ⊇ {3} is a solution
What about Equations over Processes?

def
X = [a]ff ∨ haiX ⇒ find S ⊆ 2Proc s.t. S = [·a·]∅ ∪ h·a·iS
Syntax
Semantics

n =n+1 no solution

M = ({7} ∩ M) ∪ {7} one solution M = {7}
M =NrM no solution

def
Syntax
Semantics

n =n+1 no solution

M = ({7} ∩ M) ∪ {7} one solution M = {7}
M =NrM no solution

def
Syntax
Semantics
Monotonic Functions
Monotonic Function and Fixed Points

A function f : 2Proc → 2Proc is called monotonic iff
X ⊆Y ⇒ f (X ) ⊆ f (Y )
for all X , Y ∈ 2Proc .
A set X ∈ 2Proc is called a fixed point of f iff X = f (X ).
Questions
Is the function f (X ) = X ∪ {s, t} monotonic? What about
g (X ) = Proc \ X ? Do these functions have fixed points?

Syntax
Semantics
Tarski’s Fixed Point Theorem
Theorem (Tarski)
Let f : 2Proc → 2Proc be a monotonic function.
Then f has a unique largest fixed point zmax and a unique least
fixed point zmin given by:
def
[
zmax = {X ∈ 2Proc | X ⊆ f (X )}
def
\
zmin = {X ∈ 2Proc | f (X ) ⊆ X }

Syntax
Semantics
Computing Min and Max Fixed Points on Finite Sets

Let f : 2Proc → 2Proc be monotonic.
def def
Let f 1 (X ) = f (X ) and f n (X ) = f (f n−1 (X )) for n > 1, i.e.,
f n (X ) = f (f (. . . f (X ) . . .)).
| {z }
n times
Theorem
If 2Proc is a finite set then there exist integers M, m > 0 such that
zmax = f M (Proc)
zmin = f m (∅)
Idea (for zmin ): The following sequence stabilizes for any finite
2Proc
∅ ⊆ f (∅) ⊆ f (f (∅)) ⊆ f (f (f (∅))) ⊆ · · ·
Syntax
Semantics
Computing Min and Max Fixed Points on Finite Sets

Let f : 2Proc → 2Proc be monotonic.
def def
Let f 1 (X ) = f (X ) and f n (X ) = f (f n−1 (X )) for n > 1, i.e.,
f n (X ) = f (f (. . . f (X ) . . .)).
| {z }
n times
Theorem
If 2Proc is a finite set then there exist integers M, m > 0 such that
zmax = f M (Proc)
zmin = f m (∅)
Idea (for zmin ): The following sequence stabilizes for any finite
2Proc
∅ ⊆ f (∅) ⊆ f (f (∅)) ⊆ f (f (f (∅))) ⊆ · · ·
Hennessy-Milner Logic Syntax
Hennessy-Milner Logic with One Recursive Definition Semantics
HML with One Recursively Defined Variable

Syntax of Formulae
Formulae are given by the following abstract syntax
F ::= X | tt | ff | F1 ∧ F2 | F1 ∨ F2 | haiF | [a]F
where a ∈ Act and X is a distinguished variable with a definition

min max
X = FX , or X = FX
such that FX is a formula of the logic (can contain X ).
Semantics?
For every formula F we define a function OF : 2Proc → 2Proc s.t.
if S is the set of processes that satisfy X then
OF (S) is the set of processes that satisfy F .
HML with One Recursively Defined Variable

Syntax of Formulae
Formulae are given by the following abstract syntax
F ::= X | tt | ff | F1 ∧ F2 | F1 ∨ F2 | haiF | [a]F
where a ∈ Act and X is a distinguished variable with a definition

min max
X = FX , or X = FX
such that FX is a formula of the logic (can contain X ).
Semantics?
For every formula F we define a function OF : 2Proc → 2Proc s.t.
if S is the set of processes that satisfy X then
OF (S) is the set of processes that satisfy F .
Definition of OF : 2Proc → 2Proc (let S ⊆ 2Proc )
OX (S) = S
Ott (S) = Proc
Off (S) = ∅
OF1 ∧F2 (S) = OF1 (S) ∩ OF2 (S)
OF1 ∨F2 (S) = OF1 (S) ∪ OF2 (S)
OhaiF (S) = h·a·iOF (S)
O[a]F (S) = [·a·]OF (S)
OF is monotonic for every formula F
S1 ⊆ S2 ⇒ OF (S1 ) ⊆ OF (S2 )
Proof: By structural induction on F .

Definition of OF : 2Proc → 2Proc (let S ⊆ 2Proc )
OX (S) = S
Ott (S) = Proc
Off (S) = ∅
OF1 ∧F2 (S) = OF1 (S) ∩ OF2 (S)
OF1 ∨F2 (S) = OF1 (S) ∪ OF2 (S)
OhaiF (S) = h·a·iOF (S)
O[a]F (S) = [·a·]OF (S)
OF is monotonic for every formula F
S1 ⊆ S2 ⇒ OF (S1 ) ⊆ OF (S2 )
Proof: By structural induction on F .

Semantics
Observation
We know OF is monotonic, so OF has a unique greatest and least
fixed point.
Semantics of the Variable X

max
If X = FX then
[
[[X ]] = {S ⊆ Proc | S ⊆ OFX (S)}.
min
If X = FX then
\
[[X ]] = {S ⊆ Proc | OFX (S) ⊆ S}.


max
Inv (F ): X = F ∧ [Act]X
min
Pos(F ): X = F ∨ hActiX
max
Safe(F ): X = F ∧ ([Act]ff ∨ hActiX )
min
Even(F ): X = F ∨ (hActitt ∧ [Act]X )
max
F Uw G: X = G ∨ (F ∧ [Act]X )
min
F Us G: X = G ∨ (F ∧ hActitt ∧ [Act]X )
Using until we can express e.g. Inv (F ) and Even(F ):

Inv (F ) ≡ F U w ff Even(F ) ≡ tt U s F


max
min
max
min
max
F Uw G: X = G ∨ (F ∧ [Act]X )
min



max
min
max
min
max
F Uw G: X = G ∨ (F ∧ [Act]X )
min



max
min
max
min
max
F Uw G: X = G ∨ (F ∧ [Act]X )
min


Bisimilarity and Hennessy-Milner Logic: Luca Aceto ICE-TCS, School of Computer Science, Reykjavik University

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bisimilarity and Hennessy-Milner Logic: Luca Aceto ICE-TCS, School of Computer Science, Reykjavik University

Uploaded by

Copyright:

Available Formats

Introduction to Model Checking

Bisimilarity and Hennessy-Milner Logic

Luca Aceto Bisimilarity and HML

1 An introduction to Hennessy-Milner logic (HML)

Luca Aceto Bisimilarity and HML

Verifying Correctness of Reactive Systems

Model Checking Approach

Verifying Correctness of Reactive Systems

Model Checking Approach

Model Checking of Reactive Systems

Luca Aceto Bisimilarity and HML

Logical Properties of Reactive Systems

Modal Properties – what can happen now (possibility, necessity)

Temporal Properties – behaviour in time

Can these properties be expressed using equivalence checking?

Logical Properties of Reactive Systems

Modal Properties – what can happen now (possibility, necessity)

Temporal Properties – behaviour in time

Can these properties be expressed using equivalence checking?

Logical Properties of Reactive Systems

Modal Properties – what can happen now (possibility, necessity)

Temporal Properties – behaviour in time

Can these properties be expressed using equivalence checking?

Hennessy-Milner Logic – Syntax

F , G ::= tt | ff | F ∧ G | F ∨ G | haiF | [a]F

Hennessy-Milner Logic – Syntax

F , G ::= tt | ff | F ∧ G | F ∨ G | haiF | [a]F

Hennessy-Milner Logic – Syntax

F , G ::= tt | ff | F ∧ G | F ∨ G | haiF | [a]F

Hennessy-Milner Logic – Semantics

Validity of the logical triple p |= F (p ∈ Proc, F a HM formula)

We write p 6|= F whenever p does not satisfy F .

Luca Aceto Bisimilarity and HML

What about Negation?

Theorem (F c is equivalent to the negation of F )

What about Negation?

Theorem (F c is equivalent to the negation of F )

Hennessy-Milner Logic – Denotational Semantics

Denotational Semantics: [[ ]] : Formulae → 2Proc

where h·a·i, [·a·] : 2(Proc) → 2(Proc) are defined by

The Correspondence Theorem

p |= F if and only if p ∈ [[F ]].

Proof: By induction on the structure of the formula F . How?

Luca Aceto Bisimilarity and HML

The Correspondence Theorem

p |= F if and only if p ∈ [[F ]].

Proof: By induction on the structure of the formula F . How?

Luca Aceto Bisimilarity and HML

Image-Finite Labelled Transition System

Luca Aceto Bisimilarity and HML

Relationship between HM Logic and Strong Bisimilarity

Luca Aceto Bisimilarity and HML

> input "hm.cwb";

Is Hennessy-Milner Logic Powerful Enough?

Idea: a formula F can “see” only up to depth md(F ).

Is Hennessy-Milner Logic Powerful Enough?

Idea: a formula F can “see” only up to depth md(F ).

Is Hennessy-Milner Logic Powerful Enough?

Idea: a formula F can “see” only up to depth md(F ).

Temporal Properties not Expressible in HM Logic

Let Act = {a1 , a2 , . . . , an } be a finite set of actions. We define

Inv (F ) ≡ F ∧ [Act]F ∧ [Act][Act]F ∧ [Act][Act][Act]F ∧ . . .

Temporal Properties not Expressible in HM Logic