Lecture Notes in Computer Science: Edited by G. Goos, J. Hartmanis and J. Van Leeuwen

Lecture Notes in Computer Science 1043
Edited by G. Goos, J. Hartmanis and J. van Leeuwen
Advisory Board: W. Brauer D. Gries J. Stoer

Faron Moiler Graham Birtwistle (Eds.)
Logics for Concurrency
Structure versus A u t o m a t a
~ Springer
Series Editors
Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornetl University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands
Volume Editors
Faron Moller
Department ofTeleinformatics, Kungl Tekniska H6gskolan
Electrum 204, S-164 40 Kista, Sweden
Graham Birtwistle
School of Computer Studies, University of Leeds
Woodhouse Road, Leeds LS2 9JT, United Kingdom
Cataloging-in-Publication data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Logics for concurrency : s t r u c t u r e versus a u t o m a t a / F a r o n

M o l l e r ; G r a h a m B i r t w i s t l e (ed.). - B e r l i n ; H e i d e l b e r g ; N e w
York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ;
Paris ; Santa C l a r a ; S i n g a p o r e ; T o k y o 9 S p r i n g e r , 1996
(Lecture notes in computer science ; Voi. 1043)
ISBN 3-540-60915-6
NE: Moiler, Faron [Hrsg.]; GT
CR Subject Classification (1991): F.3, F.4, E l , F.2
ISBN 3-540-60915-6 Springer-Verlag Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer -Verlag. Violations are
liable for prosecution under the German Copyright Law.
9 Springer-Verlag Berlin Heidelberg 1996
Printed in Germany
Typesetting: Camera-ready by author
SPIN 10512588 06/3142 - 5 4 3 2 1 0 Printed on acid-free paper
Preface
This volume is a result of the VIII TH BANFF HIGHER ORDER WORKSHOP held
from August 27th to September 3rd, 1994, at the Banff Centre in Banff, Canada.
The aim of this annual workshop (of which the VIII TH was the final) was to
gather together researchers studying a specific, well-focussed topic, to present
and contrast various approaches to the problems in their area. The workshop
has been locally organised and hosted in Banff by Graham Birtwistle, at that
time Professor of Computer Science at the University of Calgary, but currently
Professor of Formal Methods at the University of Leeds.
Originally the topics were chosen to reflect some aspect of higher-order rea-
soning, thus justifying the name of ~he workshop series, but the topics were
allowed to diversify more and more as the years passed, so that the higher-order
aspect became less and less adhered to. Thus for example, the previous three
workshops were subtitled Functional Programming Research (1991, chaired by
John Hughes, Glasgow); Advanced Tutorials on Process Algebra (1992, chaired
by Faron Moller, Edinburgh); and Advanced Tutorials on Asynchronous Hard-
ware Design (1993, chaired by A1 Davis, HP Labs, Palo Alto).
The final workshop, held in 1994, was subtitled Logics for Concurrency:
Structure versus Automata and was chaired by Faron Moller, Stockholm. The
basic motivation for the workshop was to explore the apparent dichotomy which
9 exists in the area of process logics, particularly in the study of various temporal
logics. On the one hand, the traditional approach has exploited automata-
theoretic techniques which have been studied for decades; this approach is dom-
inant in research carried out in North America. On the other hand, the "Eu-
rotheory" approach is based more on exploiting structural properties involving
aspects such as congruence and decomposability. The relaxed workshop format
of having a set of three lectures from each of five speakers spread over eight days
allowed this dichotomy to be revealed, dissected, and discussed in detail, provid-
ing for a great deal of friendly debate between proponents of each school. The
five series of lectures were presented by Samson Abramsky (London); E. Allen
Emerson (Austin); Voram Hirshfeld (Tel Aviv) and Faron Moller (Stockholm);
Colin Stirling (Edinburgh); and Moshe Vardi (Rice).
The proceedings of the workshop series have generally only been available
informally; indeed they have usually only been informal documents, sometimes
nothing more than photocopies of slides. However, as the final workshop so
successfully met its goal of creating an environment for contrasting approaches,
it was deemed a worthy exercise by all of the lecturers to provide post-workshop
tutorial-style lecture notes, which explored the individual presentations with the
benefit of hindsight, so as to provide a record of the presentations and discussions
carried out at the workshop.
vI
A c k n o w l e d g e m e n t s . The workshop from which this volume emerged was

made possible through an operating grant from the Natural Sciences and En-
gineering Research Council of Canada. The ever-obliging staff of the Banff
Centre made sure that everything ran smoothly and to plan. Professor Richard
Guy presented an entertaining evening lecture midway through the workshop
on Conway's "Game of Life," demonstrating how to construct a computer from
components of "Life" such as gliders, ponds, spaceships, and eaters. Profes-
sor Przemys!aw Prusinkiewicz ("Dr P") gave an equally delightful after-dinner
lecture following the final-evening banquet in which he presented a fascinating
range of fractally-generated plants, including fractal reproductions of the works
of Monet and Van Gogh.
The notes included in this volume were reviewed openly and extensively by
the editors and the various authors, as well as the following people, most of whom
were attendees of the workshop (more specific acknowledgements are included
with the various papers): Howard Barringer, Rick Blute, Robin Cockett, Oys-
tein Haugen, Carton Kirkwood, Orna Kupferman, Phil Scott, David Spooner,
Perdita Stevens, and David Walker. Finally, we would like to thank the lectur-
ers themselves for their efforts in producing the following carefully considered
lecture notes.
December 1995 Faron Moller, Stockholm

Graham Birtwistle, Leeds
Contributors
SAMSON ABRAMSKY is currently Professor of Computer Science at Imperial Col-

lege of Science, Technology and Medicine, London, but will be moving to the
University of Edinburgh in January 1996 to take up the newly-created Chair
of Theoretical Computer Science. He has a Diploma in Computer Science from
Cambridge University,and a P h D in Computer Science from London University.
His research includes: domain theory in logicalform, the lazy lambda calculus,
computational interpretationsof linear logic,strictnessanalysisfor higher-order
and polymorphic functions, proofs as processes, game semantics and full ab-
straction for PCF, and interaction categories. His research interests include:
programming language semantics and logics;concurrency; semantics-based pro-
gram analysis;linear logic; and the integration of functional and process-based
programming paradigms.
E. ALLEN EMERSON is a Bruton Centennial Professor in the Computer Sciences

Department at the University of Texas at Austin. His general research inter-
ests include formal methods, distributed computing, real-time systems, logics of
programs, and other applications of logic to computer science. Areas of spe-
cial interest include the complexity and expressiveness of logical formalisms and
automata on infinite objects. He has published a variety of papers in these ar-
eas. He received the BS degree in Mathematics from the University of Texas at
Austin, and the PhD degree in Applied Mathematics from Harvard University.
He serves on the editorial boards of several journals relating to formal methods
and applied logic.
SIMON GAY is a Lecturer in Computer Science at Royal Holloway, University

of London. He has an MA in Mathematics and a Diploma in Computer Sci-
ence from the University of Cambridge, and a PhD in Computer Science from
the University of London. His research interests include programming language
semantics, concurrency theory, type theory, and linear logic. His current work
focuses on the interaction categories approach to type systems for concurrency.
YORAM HIRSHFELD received an MSc in Mathematics (non-standard analysis)

from the Hebrew University, Jerusalem in 1969, and a PhD in Mathematical
Logic (models of arithmetic) from Yale in 1972. Since then he has been at Tel
Aviv University where his mathematical areas of research have been centred
on mathematical logic, model theory and non-standard analysis. Since 1987
his main interests have been with applications of logic to computer science,
particularly in concurrency theory.
viii
FAI:tON MOLLER is currently Vikariat Professor of Distributed Systems in the

Department of Teleinformatics at the Kungl Tekniska HSgskolan, Stockholm. He
finished his PhD thesis in Edinburgh under Robin Mitner's guidance in 1988. In
his thesis he studied the decomposability of concurrent systems and its theoreti-
cal applicability. His present interests include the study of infinite state systems,
particularly with a view of exploiting decomposability, as well as formalisms for
real-time systems and automated proof systems.
RAJAGOPAL NAGARAJAN is currently completing his PhD degree at Imperial

College of Science, Technology and Medicine, London under the supervision
of Professor Samson Abramsky. He received a Bachelor's degree in Chemical
Engineering from the Indian Institute of Technology, Madras, and a Master's
degree in Computer Science from the University of Delaware, Newark. He was
employed as a Computer Scientist at ORA Corporation, Ithaca, New York, and
as a Research Associate at the University of Calgary. His research interests
include logic, concurrency theory, programming language semantics, automated
reasoning, specification and verification of hardware and software, and semantic
techniques for complexity.
COLIN STIR.LING is Professor of Computer Science at the University of Edin-

burgh. He has researched for over 10 years in the theory of computation, partic-
ularly in concurrency theory and the application of modal and temporal logics
to this area. With David Walker he introduced the notion of local model check-
ing using semantic tableaux. He has also applied this technique to decidability
results for bisimulation equivalence.
MosIJ~. Y. VAaDI is a Noah Harding Professor and Chair of Computer Science

at Rice University. His research interests include database theory, finite-model
theory, knowledge theory, and program specification and verification. Before
joining Rice University in 1993, he was a department manager at the IBM Al-
maden Research Center. Vardi is the recipient of 3 IBM Outstanding Innovation
Awards. He was the program chair of the 6th ACM Symposium on the Princi-
ples of Database Systems (1987), the 2nd Conference on Theoretical Aspects of
Reasoning about Knowledge (1988), and the 8th IEEE Symposium on Logic in
Computer Science (1993). He is currently an editor of Information and Compu-
tation and the Journal of Computer and System Sciences.
Table of Contents
Introduction ............................................................. 1
Specification Structures and Propositions-as-Types for Concurrency

SAMSON ABRAMSKY, SIMON GAY AND RAJAGOPAL NAGARAJAN . . . . . . . . . . 5
1 Introduction ........................................................ 5
2 Specification S t r u c t u r e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1 E x a m p l e s of Specification S t r u c t u r e s ........................... 10
3 Interaction Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.1 T h e I n t e r a c t i o n C a t e g o r y S P r o c ............................... 12
3.2 T h e I n t e r a c t i o n C a t e g o r y . A S P r o c ............................. 22
3.3 A S P r o c as a C a t e g o r y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.4 . A S P r o c as a * - A u t o n o m o u s C a t e g o r y . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.5 T i m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4 Specification S t r u c t u r e s for D e a d l o c k - F r e e d o m . . . . . . . . . . . . . . . . . . . . . . 25
4.1 T h e S y n c h r o n o u s Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.2 T h e A s y n c h r o n o u s Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.3 C o n s t r u c t i n g Cyclic N e t w o r k s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5 The Dining Philosophers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
A u t o m a t e d Temporal Reasoning about Reactive Systems

E. ALLEN EMERSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
1 Introduction ....................................................... 41
2 Preliminaries ...................................................... 43
2.1 R e a c t i v e S y s t e m s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.2 T e m p o r a l Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.3 M a n u a l versus M e c h a n i c a l R e a s o n i n g . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.4 C T L * , C T L , a n d P L T L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : ....... 47
2.5 M u - c a l c u l u s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : ................... 51
3 Model Checking ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4 Decision P r o c e d u r e s I: T a b l e a u - t h e o r e t i c A p p r o a c h . . . . . . . . . : ....... 58
4.1 O v e r v i e w . . . . . . . . . : ........................................... : 58
4.2 T a b l e a u - b a s e d Decision P r o c e d u r e for C T L . . . . . . . . . . . . . . . . . . . . . 59
5 Decision P r o c e d u r e s II: A u t o m a t a - t h e o r e t i c A p p r o a c h .............. 63
5.1 Linear T i m e a n d A u t o m a t a on Infinite S t r i n g s . . . . . . . . . . . . . . . . . . 64
5.2 B r a n c h i n g T i m e and Tree A u t o m a t a ........................... 65
6 Expressiveness versus C o m p l e x i t y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.1 Tradeoffs . . . . . . . . . . . . . . . . . . . . . . . . . . ,. . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.2 Expressiveness Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.3 C o m p l e x i t y S u m m a r y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6.4 A u t o m a t o n Ineffable Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.5 M u - c a l c u l u s is E q u i v a l e n t to Tree A u t o m a t a . . . . . . . . . . . . . . . . . . . . 81
6.6 Restricted T e m p o r a l Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Decidability Results in Automata and P r o c e s s T h e o r y

YORAM HIRSHFELD AND FARON MOLLER ............................... 102
Preface ........................................................... 102
i G r a m m a r s and Processes ......................................... 103
1.1 Context-Free G r a m m a r s ...................................... 104
1.2 Processes ..................................................... 105
1.3 Context-Free Processes ....................................... 106
1.4 Concurrent Context-Free Processes ............................ 107
1.5 T h e Process Algebras B P A and B P P .......................... 109
2 Bisimulation Equivalence ......................................... 112
2.1 Composition and Decomposition .............................. 116
2.2 E q u i v a l e n c e - P r e s e r v i n g T r a n s f o r m a t i o n s . . . . . . . . . . . . . . . . . . . . . . . 118
3 D e c i d a b i l i t y Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
3.1 C o n t e x t - F r e e Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
3.2 C o n c u r r e n t C o n t e x t - F r e e Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4 A l g o r i t h m s for N o r m e d Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.1 C o n t e x t - F r e e Processes ....................................... 130
4.1.1 A l g o r i t h m i c concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.1.2 Simple context-free g r a m m a r s . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.2 C o n c u r r e n t C o n t e x t - F r e e Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Modal and Temporal Logics for Processes

COLIN STIRLING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
1 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
1.1 First examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
1.2 C o n c u r r e n t i n t e r a c t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
1.3 Observable t r a n s i t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
1.4 R e n a m i n g a n d l i n k i n g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
1.5 More c o m b i n a t i o n s of processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
2 Modalities a n d C a p a b i l i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
2.1 H e n n e s s y - M i l n e r logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
2.2 More m o d a l logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
xI
2.3 Process equivalences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

2.4 I n t e r a c t i v e g a m e s and b i s i m u l a t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
2.5 M o d a l p r o p e r t i e s and equivalences . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
2.6 O b s e r v a b l e b i s i m u l a t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
2.7 E q u i v a l e n c e checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
3 Temporal Properties .............................................. 184
3.1 M o d a l p r o p e r t i e s revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
3.2 Processes a n d their runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
3.3 M o d a l e q u a t i o n s and fixed p o i n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
3.4 M o d a l m u - c a l c u l u s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
3.5 A p p r o x i m a n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
3.6 E m b e d d e d a p p r o x i m a n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
3.7 P r e s e r v a t i o n of b i s i m u l a t i o n e q u i v a l e n c e . . . . . . . . . . . . . . . . . . . . . . . 200
3.8 E x p r e s s i n g p r o p e r t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
4 Verifying T e m p o r a l P r o p e r t i e s .................................... 206
4.1 G a m e s a n d c o n s ta n t s ......................................... 206
4.2 T a b l e a u x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
4.3 R e f i n e m e n t of g a m e s a n d t a b l e a u x ............................ 215
4.4 G a m e g r a p h s a n d a l g o r i t h m s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
4.5 G e n e r a l i z i n g t a b l e a u x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
4.6 Well f o u n d e d n e s s ............................................. 227
5 Concluding Comments ............................................ 232
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
A n A u t o m a t a - T h e o r e t i c A p p r o a c h t o Linear T e m p o r a l Logic
MOSHE Y. VARDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
1 Introduction ...................................................... 238
2 Automata Theory ................................................ 239
2.1 A u t o m a t a on F i n i t e W o r d s - C lo s u r e . . . . . . . . . . . . . . . . . . . . . . . . . . 239
2.2 A u t o m a t a on Infinite W o r d s - C l o s u r e . . . . . . . . . . . . . . . . . . . . . . . . 241
2.3 A u t o m a t a on F i n i t e W o r d s - A l g o r i t h m s . . . . . . . . . . . . . . . . . . . . . . 245
2.4 A u t o m a t a on Infinite W o r d s - A l g o r i t h m s . . . . . . . . . . . . . . . . . . . . . 247
2.5 A u t o m a t a on F i n i t e W o r d s - A l t e r n a t i o n . . . . . . . . . . . . . . . . . . . . . . 248
2.6 A u t o m a t a on Infinite W o r d s - A l t e r n a t i o n . . . . . . . . . . . . . . . . . . . . 251
3 Linear T e m p o r M Logic a n d A u t o m a t a on Infinite W o r d s . . . . . . . . . . . 253
4 Applications ...................................................... 256
4.1 S a t i s f i a b i l i t y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
4.2 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
4.3 S y n t h es i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Introduction
There has been a great deal of effort spent on developing methodologies for
specifying and reasoning about the logical properties of systems, be they hard-
ware or software. Of particular concern are issues involving the verification of
safety and liveness conditions, which may be of mammoth importance to the safe
functioning of a system. While there is a large body of techniques in existence
for sequential program verification, current technologies and programming lan-
guages permit for ever greater degrees of distributed computation, which make
for a substantial increase in both the conceptual complexity of systems, as well
as the complexity of the techniques for their analysis.
One fruitful line of research has involved the development of process logics.
Although I-Ioare-style proof systems have been successful for reasoning about
sequential systems, they have only been of minor impact when primitives for ex-
pressing concurrent computation are introduced. Of greater importance in this
instance are, for example, dynamic, modal, and temporal logics. Such logics
express capabilities available to a computation at various points of time during
its execution. Two major varieties of such logics exist: linear-time logics express
properties of complete runs, whilst branching-time logics permit a finer consid-
eration of when choices within computation paths are made. The study of such
logics is now quite broad and detailed.
There is, however, a perceived dichotomy which exists in the area of tem-
poral logic research; a divide which appears to be defined to a large extent by
geography (though, as with all things, this :division is far from clear-cut). On
the one hand, the North American approach has exploited automata-theoretic
techniques which have been studied for decades. The benefit of this is the abil-
ity to adapt theoretical techniques from traditional automata theory. Hence, for
example, to verify that a particular system satisfies a particular property, one
would construct an automaton which represents in essence the cartesian prod-
uct of the system in question with the negation of the property in question, and
thus reduce the problem to one of emptiness of the language generated by an
automaton. One obvious drawback to this approach is the overhead incurred
in constructing such an automaton: even if the system being analysed can be
represented by a finite-state automaton, this automaton will typically be of a
size which is exponential in its description (due to the so-called state space ex-
plosion problem), and hence this approach to the verification problem will be (at
least) exponential in the worst case. Of course this approach is inapplicable to
infinite-state systems unless you first introduce symbolic techniques for encoding
infinite sets of states efficiently.
On the other hand, the "Eurotheory" approach to the verification problem
is based more on exploiting structural properties. The essence of this approach
is to work as far as possible with the syntactic system and property descriptions
rather than their semantic interpretations as automata. Typically this involves
the development of tableau-based proof systems which exploit congruence and
decomposition properties. This allows more of a so-called "local" model checking
technique which feasibly could handle even infinite-state systems, as the overhead
of constructing the relevant semantic automata is avoided.
Whichever approach is considered, there are common goals which are stressed.
Firstly and of utmost importance, the methodology must be faithful to the sys-
tem descriptions being modelled, as well as to the intended properties being
defined. The methodology must be sound with respect to its intended pur-
pose. Of great importance as well is the ability to automate the techniques;
as economically- and safety-critical systems being developed become more and
more complex, the need for automated support for their verification becomes an
imperative of ever greater importance. Mechanical procedures for carrying out
the verification of such properties are required due to the sheer magnitude of the
systems to be verified. Beyond this, such algorithms must be tractable. There
will clearly be trade-offs between the expressivity of a formalism employed to
define system properties, and the complexity of the verification of these proper-
ties. The verification procedures, beyond being sound, must be effective, as well
as of an acceptable level of time- and space-complexity.
In this volume are to be found five tutorial-style presentations of various ap-

proaches to the verification problem, each of which addresses some or all of the
above concerns. Themes which arise repeatedly throughout the presentations
are:
- What are suitable formalisms for expressing system properties?

- How expressive are these formalisms?
- How difficult are they to employ, both conceptually and computationally?
- What are the advantages and drawbacks when comparing formalisms?
Three of the five presentations concentrate on linear- and branching-time tem-

poral logics (Emerson, Stirling, Vardi); one on process equivalence with an em-
phasis on infinite-state systems (I-Iirshfeld & Molier); and the fifth on a novel
category-theoretic approach to verification (Abramsky, Gay & Nagarajan). Each
contribution can be taken in isolation to form the basis of a short course of study,
the length of each being reflected in the length of the contribution. However,
the presentations generally contrast and complement each other in often delight-
ful ways, so the ideal approach to studying this volume would be to keep this
complementary nature of the presentations in mind.
We finish this introduction with a brief synopsis of each of the five contributions
appearing in this volume.
The paper by Samson Abramsky, Simon Gay, and Rajagopal Nagarajan,
Specification structures and propositions-as-types for concurrency, introduces the
reader via "Hoare triples" to specification structures, a framework for combin-
ing general notions of logical properties with general methods for verification.
These are then employed within the authors' earlier framework of interaction
categories for synchronous and asynchronous processes to provide a mechanism
for expressing properties. Interaction categories were introduced to unify trans-
formational and reactive programming paradigms, which respectively represent
general frameworks underlying functional programming and concurrent compu-
tation. The mechanism developed resembles the provision of a type system for
process algebras which can be used to support verification. As examples of
the application of the approach, the paper details how a specification structure
can be provided to permit the expression of deadlock-freedom. In the end, the
problem of the dining philosophers is used to great effect to demonstrate the
application of the techniques in practice.
The paper by E, Allen Emerson, Automated temporal reasoning about re-
active systems, presents a wide range of complexity and expressiveness results
for a number of linear- and branching-time temporal logics. The paper stresses
the trade-offs between the complexity of various algorithms for satisfiability and
model-checking, presenting essentially optimal automated algorithms for a num-
ber of such problems, and the expressibility of the different temporal logics. The
two varieties of algorithms, automata-theoretic and tableau-based, are explored
and interestingly contrasted. This in-depth overview is presented with an em-
phasis on underlying intuition, and includes an extensive bibliography for the
reader to follow up the topics discussed in far greater detail.
The paper by Yoram Hirshfeld and Faron Moller, Decidability results for au-
tomata and process theory, invites the reader to investigate the theory of context-
free grammars in a process-theoretic framework, where composition (juxtaposi-
tion of symbols)represents either sequential composition or parallel composition.
It is demonstrated how each of these interpretations leads to a familiar process
algebra. Many standard results are encountered, for example that regular gram-
mars give rise to finite-state automata. However, surprising and unexpected
results are also encountered, particularly regarding the decidability of process
equivalence between automata denoted by general context-free grammars; these
results contrast strikingly with the well-known undecidability results in language
theory for context-free languages. Beyond this, non-trivial sub-classes are iden-
tified where tractable algorithms are proven to exist for the process equivalence
problem.
The paper by Colin Stir!ing, Modal and temporal logics for processes, moti-
vates and presents the modal mu-calculus, a very expressive temporal logic, as
a simple modal logic (Hennessy-Milner logic) equipped with fixed points for ex-
pressing safety and liveness properties. The presentation opens with a discussion
of processes and transition graphs, the model of concurrent computation over
which temporal properties are defined. Modal properties are then introduced
in the guise of expressing capabilities, and fixed points are then motivated for
defining perpetual properties. A novel feature of the presentation is the use of
games as an intuitive framework for explaining satisfiability, as well as for intro-
ducing tableau-based algorithms for the model-checking problem. One benefit
of this "local" model checking approach is its applicability to the verification of
properties of infinite-state processes, a theme which is explored in detail in the
presentation.
Finally, the paper by Moshe Vardi, An automata-theoretic approach to lin-
ear temporal logicl presents the reader with an introduction to the theory of
automata on infinite words by way of the more familiar theory of automata on
finite words, and demonstrates its use for analysing linear-time temporal prop-
erties of infinite computations. Its application to each of program specification,
verification, and synthesis is carefully motivated and demonstrated.
Specification Structures and
Propositions-as-Types for Concurrency*
Samson A b r a m s k y Simon Gay Rajagopal Nagarajan
Department of Computing,
Imperial College of Science, Technology and Medicine, London, UK.
email: {sa, sjg3 ,rn4}@doc. ic. ac.uk.
Abstract. Many different notions of "property of interest" and methods

of verifying such properties arise naturally in programming. A general
framework of "Specification Structures" is presented for combining dif-
ferent notions and methods in a coherent fashion. This is then applied to
concurrency in the setting of Interaction Categories. As an example, we
present a type system for concurrent processes strong enough to guar-
antee deadlock-freedom, and expressive enough to allow the treatment
of some standard examples from the literature. This is illustrated using
the classic Dining Philosophers problem.
1 Introduction
Type Inference and Verification are two main paradigms for constraining
the behaviour of programs in such a way as to guarantee some desirable
properties. Although they are generally perceived as rather distinct, on
closer inspection it is hard to make any very definite demarcation be-
tween them; type inference rules shade into compositional proof rules for
a program logic. Indeed, type inference systems, even for the basic case
of functional programming languages, span a broad spectrum in terms of
expressive power. Thus, ML-style types [31] are relatively weak as regards
expressing behavioural constraints, but correspondingly tractable as re-
gards efficient algorithms for "type checking". System F types [21] are
considerably more expressive of polymorphic behaviour, and System F
typing guarantees Strong Normalization. However, System F cannot ex-
press the fact that a program of type list[nat] ~ list[nat] is actually a sort-
ing function. Martin-LSf type theory, with dependent types and equality
types, can express complete total correctness specifications. In the richer
theories, t y p e checking is undecidable [35].
* This research was supported by EPSRC project "Foundational Structures in Com-
puter Science", and EU projects "CONFER" (ESPRIT BRA 6454) and "COORDI-
NATION" (ESPRIT BRA 9102).
One might try to make a methodological distinction: post-hoc verifi-
cation vs. constructions with intrinsic properties. However, this is more
a distinction between ways in which Type Inference/Verification can be
deployed than between these two formal paradigms.
We suggest that it is the rule rather t h a n the exception that there are
many different notions o f "properties of interest" for a given computa-
tional setting. Some examples:
- Even in the most basic form of sequential programming, it has proved

fruitful to separate out the aspects of partial correctness and termi-
nation, and to use different methods for these two aspects [16].
- In the field of static analysis, and particularly in the systematic frame-

work of abstract interpretation [23], a basic ingredient of the meth-
odology is to use a range of non-standard interpretations to gain in-
formation about different properties of interest.
- In concurrency, it is standard to separate out classes of properties such

as safety, liveness, and fairness constraints, extending into a whole
temporal hierarchy, and to apply different methods for these classes
[27].
The upshot of this observation is that no one monolithic type system

will serve all our purposes. Moreover, we need a coherent framework for
moving around this space of different classes of properties.
The basic picture we offer to structure this space is the "tower of
categorieS":
Co ~"~Cl +-"~Cq +-~-"~"~Ck.
The idea behind the picture is that we have a semantic universe (category
with structure) Co, suitable for modelling some computational situation,
but possibly carrying only a very rudimentary notion of "type" or "be-
havioural specification". The tower arises by refining Co with richer kinds
of property, so that we obtain a progressively richer setting for performing
specification and verification 1.
We will now proceed to formalize this idea of enriching a s e m a n t i c
universe with a refined notion of property in terms of Specification Struc-
tures.
a Of course, non-linear patterns of refinement--trees or dags rather than sequences--
can also be considered, but the tower suffices to establish the m~n ideas.
2 Specification Structures
The notion of specification structure, at least in its most basic form, is

quite anodyne, and indeed no more than a variation on standard notions
from category theory. Nevertheless, it provides an alternative view of
these standard notions which is highly suggestive, particularly from a
Computer Science point of view. Similar notions have been studied, for a
variety of purposes, by Burstall and McKinna [28], O'Hearn and Tennent
[32], and Pitts [33].
D e f i n i t i o n 1. Let C be a category. A sl~ecification structure S over C is
defined by the following data:
- a set P A of "properties over A", for each object A of C.
- a relation RA,B C_ P A • C(A, B) x P B for each pair of objects A, B

of C.
We write ~ { f } r for RA,B(Cp, f , r ("Hoare triples"). This relation is re-
quired to satisfy the following axioms, for f : A ~ B, g : B --* C, ~ E P A ,
C E PB and0EPC:
~{idA)~ (sl)
~p{f}r162 '.- ~ { f ;g)8 (s2)
The axioms (sl) and (s2) are typed versions of the standard Hoare logic
axioms for "sequentiM composition" and "skip" [16].
Given C and S as above, we can define a new category Cs. The objects
are pairs (A,~) with n e 0b(C) and ~ e P A . A morphism f : ( d , ~ ) --*
(B, r is a morphism f : A --* B in C such that ~ { f } r
Composition and identities are inherited from C; the axioms (sl) and
(s2) ensure that Cs is a category. Moreover, there is an evident faithful
functor
C~Cs
given by
A ~ (A,~).
In fact, the notion of "specification structure on C" is coextensive with
that of "faithful functor into C'. Indeed, given such a functor F : D -+ C,
we can define a specification structure by:
P A = {~ e Oh(D)I F(~ ) = A}
(by faithfulness, a is unique if it exists). It is easily seen t h a t this passage
from faithful functors to specification structures is (up to equivalence)
inverse to t h a t from S to C ~-~ C s .
A more revealing connection with s t a n d a r d notions is yielded by the
observation t h a t specification structures on C correspond exactly to lax
functors from C t o T6~l, the category of sets and relations. Indeed, given
a specification structure S on C, the object part of the corresponding
functor R : C --+ T~el is given by P, while for the arrow part we define
R ( f ) = {(~, r ~{f}r
T h e n (sl) and (s2) become precisely the s t a t e m e n t t h a t R is a lax functor
with respect to the usual order-enrichment o f T & / b y inclusion of relations:
idR(A) C R(idA)
R(f) ; R(g) g R(f ;g).
Moreover, the functor (2 ~ C s is the lax fibration arising from the
Grothendieck construction applied to R.
The notion of specification structure acquires more substance when
there is additional structure on C which should be rifted to Cs. Suppose
for example t h a t C is a monoidal category, i.e. there is a bifunctor | :
Ca --+ C, an object I, and natural isomorphisms
assocA,B,C : (A | B) | C ~- A | (B | C)
unitlA : I | A- A
unitrA : A| I ~ A
satisfying the s t a n d a r d coherence equations [26]. A specification s t r u c t u r e

for C must then correspondingly be extended with an action
| : PA • PB ~ P(A | B)
and an element u E P I satisfying, for f : A --+ B, f ' : A' --+ B' and
properties ~o, ~#, r r 0 over suitable objects:
qo{f)r qo'{f')r ==~ ~o @ ~o'{f | f ' } r @ r

| r | O{a socA,B,c} | (r | O)
u| r
@ u{unitrA}~.
Such an action extends the corresponding lax functor R : C --+ T~el to a lax
monoidal functor to Rzl equipped with its s t a n d a r d monoidal structure
based on the cartesian product.
Now assume t h a t C is symmetric monoidai closed, with natural iso-
m o r p h i s m symmA, B : A @ B = B | A, and internal h o m --o given by the
adjunction
C(A @ B , C ) ~ - C ( A , B - o C).
Writing A ( f ) : A ~ B --o C for the m o r p h i s m corresponding to f :

A @ B --* C under the adjunction, we require an action
---OA,B: P A • P B ~ P ( A --o B )
and axioms
~P| r162 |
-o r | ,{ewlA,B}r
7~ | r ~ ~ { A ( f ) } r ---o ~o.
Going one step further, suppose t h a t C is a . - a u t o n o m o u s category, i.e.
a model for the multiplicative fragment of classical linear logic [11], with
linear negation ( - ) • where for simplicity we assume t h a t A •177= A.
T h e n we require an action
(--)A~: P A --* P A •
satisfying
7~•177_- ~p
--o r = | r177177
Under these circumstances all this structure on C lifts to Cs. For example,
we define
(A, 7~) | (B, r = (A | B, ~p| r

(A, 7~)• = ( A •
(A, ~2) --o (B, r = (A --o B, ~ ---OA,S r
All the constructions on morphisms in Cs work exactly as t h e y do in C,

the above axioms guaranteeing t h a t these constructions are well-defined
in Cs. For example, if f : (A, 7~) --* (B, r and g : (A', 7~') --+ (B', r
then
f| (A | A',7~ | 7~') --* ( B | B ' , r | r
Moreover, all this structure is preserved by the faithful functor C *-~ Cs.
The above example of structure on C is illustrative. Exactly similar
definitions can be given for a range of structures, including:
]0
- models of Classical (or I n t u i t i o n i s t i c ) L i n e a r Logic including the ad-

ditives and exponentials [10]
- cartesian closed categories [15]
- models of polymorphism [15].
2.1 Examples of Specification Structures

In each case we specify the category C, the assignment of properties P to
objects and the Hoare triple relation.
.
C = Set, P X = X , a { f } b =_ f ( a ) = b.
In this case, Cs is the category of pointed sets.
.
C = T~l, P X = P X , S { R } T = Vx E S.{y [ x R y } C_ T.
This i s essentially a typed version of dynamic logic [25], with the
"Hoare triple relation" specialized to its original setting. If we take
S|
sk=x\s
then Cs becomes a model of Classical Linear Logic.
.
C = "r~el, P X = { C c_ x 21 c = C ~ C n idx = ~ } ,
C { R } D ~ x C x t, x R y , x'Ry' ~ y D y ~.
C | D = {((x,x'),(y,y'))lxCy ^ x'Dy'}
C~. = X 2 \ ( C U i d x ) .
CS is the category of coherence spaces and linear maps [20].
.
c : s e t , p x = { ~ : ~ -~ x I W e x . 3 ~ e ~ . ~ ( ~ ) = ~},
s { f } t - 3• ~ w . / o s ~_ t o ~
where ~,~ is the n t h partial recursive function in some acceptable

numbering [34]. T h e n Cs is the category of modest sets, seen as a full
subcategory of w-Set [10].
1]
.
C = the category of SFP domains,
PD = gY2(D)(the compact-open subsets of D),
U { f } Y =_ U g f - l ( Y ) .
This yields (part of) Domain Theory in Logical Form [2], the other
part arising from the local lattice-theoretic structure of the sets PD
and its interaction with the global type structure.
6. C = games and partial strategies, as in [9], PA = all sets of infinite

plays, U{a}V iff a is winning with respect to U, V in the sense Of [7].
Then Cs is the category of games and winning strategies of [7].
These examples show the scope and versatility of these notions. Let us
return to our picture of the tower of categories:
Co ~ C 1 ~ C 2 ~ . - . ~Ck.
Such a tower arises by progressively refining Co by specification structures

S ] , . . . , Sk so that
c +1 = )s,+l.
Each such step adds propositional information to the underlying "raw"

computational entities (morphisms of Co). The aim of verification in this
framework is to "promote" a morphism from ~ to Ej, i < j. That is, to
promote a Co morphism f : A ~ B to a Ck morphism
f : (A, ~ 1 , - . . , ~k) ~ (B, •1,..., ~)k)

is precisely to establish the "verification conditions"
k
A
i=l
Once this has been done, by whatever means model checking, theo-
rem proving, manual verification, etc. the morphism is now available
in Ck to participate in typing judgements there. In this way, a coher-
ent framework for combining methods, including both compositional and
non-compositional approaches, begins to open up.
We now turn to the specific applications of this framework which i n
fact originally suggested it, in the setting of the first author's interaction
categories.
]2
3 Interaction Categories
Interaction Categories [1, 3, 4, 6] are a new paradigm for the semantics of

sequential and concurrent computation. This term encompasses certain
known categories (the category of concrete data structures and sequential
algorithms [12], categories of games [7], geometry of interaction categories
[8]) as well as several new categories for concurrency. The fundamental
examples of concurrent interaction categories are 8T'roc, the category of
synchronous processes, and AbV)roc, the category o f asynchronous pro-
cesses. These categories will be defined in this section; others will be
constructed later by means of specification structures over SProc and
.,4S'f)roc.
The general picture of these categories is that the objects are types,
which we also think of as specifications; the morphisms are concurrent;
processes which satisfy these specifications; and composition is interac-
tion, i.e. an ongoing sequence of communications. The dynamic nature of
composition in interaction categories is one of the key features, and is in
sharp contrast to the functional composition typically found in categories
of mathematical structures.
There is not yet a definitive axiomatisation of interaction categories,
although some possibilities have been considered [18]. The common fea-
tures of the existing examples are that they have .-autonomous structure,
which corresponds to the multiplicative fragment of classical linear logic
[20]; products and coproducts, corresponding to the additives of linear
logic, and additional temporal structure which enables the dynamics of
process evolution to be described. Furthermore, SProc has suitable struc-
ture to interpret the exponentials ! and ?, and is thus a model of full
classical linear logic.
3.1 T h e I n t e r a c t i o n C a t e g o r y ,S'Proc
In this section we briefly review the definition of SProc, the category of
synchronous processes. Because the present paper mainly concerns the use
of specification structures for deadlock-freedom, we omit the features of
SProc which will not be needed in later sections. More complete definitions
c a n be found elsewhere [1, 6, 18].
An object of SProc is a pair A = (~'A, SA) in which "~A is an alphabet
(sort) of actions (labels) and SA C_n~pr~/E~ is a safety specification, i.e. a
non-empty prefix-closed subset of Z~. If A is an object of 8Proc, a process
of type A is a process P with sort ~A such that traces(P) C SA. Our
notion of process is labelled transition system, with strong bisimulation
13
as the equivalence. We will usually define processes by means of labelled

transition rules.
If P is a labelled transition system, traces(P) is the set of sequences
labelling finite paths from the root. The set of sequences labelling finite
and infinite paths is alltraces(P) and the set of sequences labelling infinite
paths is inftraces(P). The following coinductive definition is equivalent to
this description.
alltraces(P) aef {e} U {aa I P ~' Q, a E alltraces(Q)}

traces(P) clef { a E alltraces(P) [ a is finite}
inftraces(P) de__f{a E alltraces(P)[ a is infinite}.
The fact that P is a process of type A is expressed by the notation P : A.

The most convenient way of defining the morphisms of SProc is first
to define a .-autonomous structure on objects, and then say that the
morphisms from A to B are processes of the internal hom type A --o B.
This style of definition is typical of interaction categories; definitions of
categories of games [7] follow the same pattern. Given objects A and B,
the object A | B has
EA| X ES
SA| d~f {a E Z ~ S I fst*(~) E SA,srld*(o') E ,5'B}.
The duality is trivial on objects: A • a cf A. This means that at the level

of types, ,ST)roc makes no distinction between input and output. Because
communication in SProc consists of Synchronisation rather than value-
passing, processes do not distinguish between input and output either.
The definition of | makes clear the extent to which processes in SProc
are synchronous. An action performed by a process of type A @ B consists
of a pair of actions, one from the alphabet of A and one from that of B.
Thinking of A and B as two ports of the process, synchrony means that
at every time step a process must perform an action in every one of its
ports.
For simplicity, we shall work with .-autonomous categories in which
A •177= A, and A --o B d_ef (A @ B• • A ~2 B ~ f (A • | B-L) • In SProc,
we have A = A J-, and hence A ~g B = A ---o B = A | B. Not all interaction
categories exhibit this degeneracy of structure: in particular the category
S7)rocD of deadlock-free pro cesses, which will b e defined in Section 4, gives
distinct interpretations to | and ~.
14
A morphism p : A --+ B of ,gl~oc is a process p of type A --r B (so p

has to satisfy a certain safety specification). Since A ---o B = A | B in
,b'Proc, this amounts to saying t h a t a morphism from A to B is a process
of type A | B. The reason for giving the definition in terms of --r is that
it sets the p a t t e r n for all interaction category definitions, including cases
in which there is less degeneracy.
I f p : A--* B and q : B ~ C t h e n the c o m p o s i t e p ; q : A--* C i s
defined by labelled transitions.
P (a,b! p, q (b,c) q,
P ; q (a,c! pl ; ql
At each step, the actions in the common type B have to match. The
processes being composed constrain each other's behaviour, selecting the
possibilities which agree in B. For example, if p and q are as shown:
then p ; q is this tree.

(a, C)
This ongoing communication is the "interaction" of interaction categories.

If the processes in the definition terminated after a single step, so that
each could be considered simply as a set of pairs, then the labelled tran-
sition rule would reduce to precisely the definition of relationM composi-
tion. This observation leads to the ~:~oc slogan: processes are relations
extended in time.
The identity morphisms are synchronous buffers or wires: whatever is
received by ida : A ~ .4 in the left copy of _4 is instantaneously trans-
m i t t e d to the right copy (and vice versa--there is no real directionality).
The following auxiliary definition helps to define the identity processes.
If P is a process with sort N and S C_'~pr~1 2;* then the process P[S, Mso
with sort •, is defined by the transition rule
p a,.Q aES
a Qr(S/a)
15
where S/a ~f {a I aa E S}. Note that the condition a E S in the

transition rule refers to the singleton sequence a r a t h e r t h a n the action
a. We make no notational distinction between these uses of a.
The identity morphism idA : A ~ A is defined by ida ~f id [SA---oA
where the process id with sort Z A is defined by the transition rule
aESA
id (a,a! id.
Proposition 2. SProc is a category.
Proof. The proof that composition is associative and that identities work
correctly uses a coinductive argument to show that suitable processes are
bisimilar. Full details can be found elsewhere [1, 6]. []
,5~voc a s a . - A u t o n o m o u s Category The definitions of @ and ( - ) •

can now be extended to morphisms, making t h e m into functors. If p :
A~Candq:B--+Dthenp|174177 :C • •
are defined b y transition rules.
P (a,c! p, q (b,d! q, P (a,c! p,

P | q ((a,b),(c,d)! ff | q, p• (c,~! p,•
The tensor unit I is defined by
z~I de--f{*) SI clef {,n In < W).
The following notation provides a useful way of defining the structural

morphisms needed to specify the rest of the , - a u t o n o m o u s structure. If
P is a process with sort Z , and f : Z --" Z ~ is a partial function, then
P[f] is the process with sort ~ defined by
P ~, Q a E dora(f)
p[f] .f(a! Q[f].

The canonical isomorphisms unitlA : I | A ~ A, unitrA : A | I ~ A,
assocA,B,C : A | (B | C) -~ (A | B) @ C and symmA, B : A @ B - B @ A
are defined as follows. Here we are using a pattern-matching notation
t o define the partial functions needed for the relabelling operations; for
16
example, (a, a) ~-* ((,, a), a) denotes the partial function which has the
indicated effect when its arguments are equal.
def
unitlA = ida[(a, ((,, a),a)]
unitrA def idA[(a,a) ((a, ,),a)]
def
assoCA,B,C ((a,(b,c)),((a,b),c))]
def
symmA,B ((a,b),(b,a))].
If f : A | B --+ C then A ( f ) : A ~ (B --o C) is defined b y
A ( f ) def f [ ( ( a , b ) , e ) ~ (a,(b,e))].
The evaluation morphism APA,B : (A --o B) | A --~ B is defined by

def
APA, B = idA--oB[((a,b),(a,b))~--~ (((a,b),a),b)].
All of the structural morphisms are essentially formed from identities, and
the only difference between f and A ( f ) is a reshuffling of ports. In each
of the above uses of relabelling, the partial function on sorts is defined
by means of a pattern-matching notation; the function is only defined for
arguments which fit the pattern.
If P is a process of type A then P[a ~ (.,a)] is a morphism I
A which can be identified with P. This agrees with the view of global
elements (morphisms from I, in a .-autonomous category) as inhabitants
of types.
P r o p o s i t i o n 3. SProc is a compact closed category.
Proof. Verifying the coherence conditions for | is straightforward, given

the nature of the canonical isomorphisms as relabelled identities. The
properties required of A and Ap are equally easy to check. Since ( - ) •
is trivial, it is automatically an involution. This gives the ,-autonomous
structure; compact closure follows from the coincidence of | and ~g. E]
C o m p a c t C l o s u r e a n d M u l t i - C u t As we have already seen the lin-

ear type structure of SProc is quite degenerate. Specification structures
can be used to enrich the specifications of SProc to stronger behavioural
properties. This will have the effect of "sharpening up" the linear type
structure so that the degeneracies disappear.
Our point here is that the looser type discipline of 6"Proc can actually
be useful in that it permits the flexible construction of a large class of pro-
cesses within a typed framework. In particular, compact closure validates
17
a very useful typing rule which we call the multi-cut. (This is actually
Gentzen's MIX rule [19] b u t we avoid the use of this term since Girard
has used it for quite a different rule in the context of Linear Logic.)
The usual Cut Rule
F F,A ~ A,A •
~-F,A
allows us to plug two modules together by an interface consisting of a
single "port" [5]:
A A•
This allows us to connect processes in a tree structure
o o o 9 . . . . . o o o
b u t not to construct cyclic interconnection networks

t8
~ 1 7 6 1 7 6
such as the Scheduler described in [30]. The problem with building a cycle
is at the last step where we have already connected
To connect
we must plug both a ancl fl simultaneously into the existing network.

This could be done if we had the following "binary" version of the cut
rule
r,A~,A~ ~ ~,A~,A~
~F,A
or more generally the "multi-cut":
F- F, A F- F', A •
f- F, F'
This rule is not admissible in Linear Logic and cannot in general be

interpreted in Linear Categories. However it can always be canonically in-
terpreted in a compact closed category (and hence in particular in SProc)
as the following construction shows.
Let
[' = A 1 , . . . A m , F' = B 1 , . . . B , ~ , A = C 1 , . . . C k .
We write
.4 = A1 | "" | A,~, [~ "~ B1 (~ "'" ~ B n , C -'- C1 ~ * .. ~ C k
C ~ = (c~ | 1 7 4 ~ ~- c,* | 1 7 4
]9
Suppose t h a t the proofs of F F, A and ~- F ~, A r are interpreted by mor-

phisms
1:I , A | C', g : I > /3' | C •
respectively. T h e n we can construct the required m o r p h i s m I ~ .4 @/~
as follows:
l" (unit)
I@I
f|
(4 | ~) | ([~ | ~L)
(canonical isos)
| | Cl~) | ...| (Ck | C t )) | JB
(evaluation)
A|174174174
1 (unit)
A|
(Note t h a t in a compact closed category I = _l_ so A • = A - o I.)
In the case where k = 1 this construction is the internalization of com-
position in the category (using the a u t o n o m o u s s t r u c t u r e ) s o it properly
generalizes the s t a n d a r d interpretation of Cut. For some related notions
which have arisen in work on coherence in compact closed categories, see
[13, 24].
20
,5"Proc as a L i n e a r C a t e g o r y ,57)roc also has structure corresponding

to the linear logic exponentials ! and ?. We will not need this structure
in the present paper; details can be found elsewhere [1, 6, 18].
Non-determinism We can define the non-deterministic s u m exactly as

in CCS. If p, q : A --+ B then p + q is defined by
P (~,b! p, q (a,b! q,
P + q (~,b! p, P + q (a,b! q,
For any objects A and B, there is a m o r p h i s m nil : A --* B which has no
transitions.
The non-deterministic sum and the nil morphisms exist for quite gen-
eral reasons: SProc has biproducts, and it is standard t h a t this yields a
commutative monoid structure on every homset [26]. In the present p a -
per, we have defined + directly as we will not make any other use of the
products, and coproducts.
T i m e So far, none of the constructions in SProc have m a d e use of the

fact t h a t morphisms are processes with dynamic behaviour. Everything
t h a t has been discussed applies equally well to the category of sets and
relations. T h e next step is to justify the claim t h a t 579roc looks like "re-
lations extended in time" by defining some structure which allows the
temporal aspects of the category to be manipulated.
The basic construction dealing with time is the unit delay functor O.
It is defined on objects by
%f {*} +
SOA {E} u I e SA}.

It is notationally convenient to write , instead of inl(.), assuming t h a t
* r ZA. Given f : A --* B, O f : OA ~ O B is defined by the single
transition O f ~ f.
It is straightforward to check t h a t O is indeed a functor. In fact it is
a strict monoidal functor.
P r o p o s i t i o n 4. There are isomorphisms
monA,S: (OA) | (OB) --* O(A | B)
(natural in A and B ) and monun[t : I --* 0 I .

21
Proof. monunit : I ~ O I is defined by
monunit ("*! id/

where ~'I = {o}. monA, B : (OA) | (OB) ~ O(A | B) is defined by
monA,B ((*'*)"2 idA|

In both cases the inverse is obtMned by considering the process as a
morphism in the opposite direction. It is easy to check that these are
isomorphisms and that mon is natural. []
The most important feature of O is that it has the u n i q u e f i x e d p o i n t
p r o p e r t y ( U F P P ) [6]: for any objects A and B, and any morphisms f :
A ~ 9 and g : OB --+ B there is a unique morphism h : A ~ B such
that
A f , 9
B 9 OB
g
commutes. We will not go into the applications of this property in the
present paper, except to mention that it supports guarded recursive def-
initions [1, 6, 18] and is an important part of a proposed axiomatisation
of interaction categories [18].
Apart from 9 there are two other delay functors: the initial delay
and the propagated delay A. These are the same as the operators used
by Milner [29, 30] to construct CCS from SCCS, and they can also b e
used to construct asynchronous processes in the synchronous framework
of S P r o c . However, when analysing asynchronous problems it is much
more convenient to work in a different category, AS7)roc, which we will
define shortly. For this reason, we will give only the basic definitions of
the delay functors here, and not dwell on their properties.
The functors ~ and A are defined on objects by
26Ade=fl + ~A
S,bA d=ef {.r~O. ] (?Z < 0)) A (or E SA))
2AA a_--ef1 + ZA
S,aa d__ef{e} O {al ,n, a2 ,n2 a3 . . . [ ( n i < w ) A ( a l a 2 a 3 . . . E SA)}
22
and on morphisms by transition rules.
f (o,b! f, f (a,b! f,
f (.,.! ~f ~ f (a,b! f, A f (a,b! ~ A f'
Both of these functors are monads. Full details can be found elsewhere
[1, 6, 18].
3.2 The Interaction C a t e g o r y .A~Vroc

The theory of interaction categories is not restricted to the synchronous
model of concurrency which underliew the category SProc. There is also
a category of asynchronous processes, ~ r o c , which we will now define.
In this context, asynchrony means the capacity to delay; in particular, an
asynchronous process can delay in some of its ports while performing ob-
servable actions in others. Because we do not wish to distinguish between
processes which differ only in the amount by which they delay at certain
points, we now consider processes to be labelled transition systems mod-
ulo observation equivalence (weak bisimulation) [30] rather than strong
bisimulation.
In CCS there is a single silent action, v, which is used by all processes
to represent delay. In the typed framework of interaction categories we
no longer have a global set of actions, so it is necessary to specify a
silent action rA in each type A. Thus an object of JtYProc contains an
extra piece of information compared to an object of SProc. This enables
observation equivalence classes of typed processes to be defined: when
considering processes of type A, the action 7"A is used as the silent action
in the standard definition o f observation equivalence.
The approach we will take to defining operations on asynchronous
processes is to define them by labelled transition rules, and then check
that they are well-defined on observation equivalence classes.
The definition of JtSProc in this section is slightly different from the
original definition [4], where an action was taken to be a set of labels and
the silent action was ~. The definition used here emphasises the essential
difference between r and SProc, namely the introduction of rA and
the use of observation equivalence.
3.3 .ASProc as a C a t e g o r y
An object of .A~qProc is a triple A = (,~A, TA, SA), in which ZA is a set

of actions, rA E ZA is the silent action, SA C_~pr~10bAct(A)* is a safety
23
specification, and 0bAct(A) acf SA -- {rA} is the set of observable actions

of A.
A process with sort Z and silent action r E Z is un observation
equivalence class of synchronisation trees with label set Z.
A process P of type A, written P : A, is a process P with sort ZA and
silent action rA such t h a t obtraces(P) C SA, where
allobtraces(P) dCf {~} U {aa I P:=~Q, a E allobtraces(Q)}

obtraces(P) de=f{o" E allobtraces(P) l a is finite}
infobtraces(P) de=f{a E allobtraces(P)I cr is infinite}
Just as in SProc the morphisms are defined via the object part of the
, - a u t o n o m o u s structure. Given objects A and B, the object A | B has
SAGB def z~A • ~E,B

def
TAGB = (TA, TB)
SAGS dr {a E 05Act(ZAGS)* l a[A E SA, arB E S s }
where, for a E 0bAct(ZAGB),
~[A def { ~ st((~) if

otherwise
fst((~) # vA
and for a E 0bAct(ZAGB)*, a[A is obtained by concatenating the indi-

vidual (~ [A. T h e projection a [B is defined similarly. Notice t h a t taking
rAGs = (TA, 7-B) means t h a t a process with several ports delays by simul-
taneously delaying in its individual ports.
The duality is trivial on objects: A • de=fA.
A m o r p h i s m p : A --* B of AS"Proc is a process p such t h a t p : A --o B.
I f p : A--* B and q : B--+ C, then the c o m p o s i t e p ; q : A ~ C i s
defined by labelled transitions.
P (~,~'.! p, q (~'B,c! q,
P ; q (~,~c! p,; q P ; q ('~A,c!P ; q,
P (~,b! p, q (b,c) q,
P ; q (~,c! pl ; ql
The first two rules allow either process to make a transition independently,
if no communication is required. The third rule allows the processes to
24
communicate by performing the same action in the port B. Any of the

actions a, b, c can be r; if b = r s in the third rule, then two simultaneous
independent transitions are made.
It is necessary to prove that composition is weU-defined on observation
equivalence classes, but we will not give the details here.
As in 5"Proc, it is straightforward to prove t h a t if f : A - . B and
g : B --~ C, then f ; g satisfies the safety specification necessary to be a
morphism A --+ C.
Although .AS'Proc is a category of asynchronous processes, the identity
morphisms are still synchronous buffers. As a candidate identity mor-
phism, a synchronous buffer seems likely to work, given the definition of
composition; of course, once it has been shown to be an identity, no other
choice is possible.
The identity morphism idA : A --, A is defined as in 3Proc: idA def
id ISA--oA where the process id with sort ZA is defined by
aEEA
id (a'a! id.
Just as in 5"~oc, if P is a process with sort ,U and S C n~pr~s ,U* then the
process P[S, also with sort Z , is defined by the transition rule
t%
P ,Q aES
PrS a Qr(S/a).
3.4 .AS"Proc as a , - A u t o n o m o u s Category

I f p : A --* C and q : B --+ D then p @ q : A | -~ C | andpX :
C • --* A • are defined by transition rules. The rules for | illustrate the
asynchronous n a t u r e of JISProc; the two processes can make transitions
either independently or simultaneously.
q (b,d! q,
P (~,c! p,
P | q ((~,~B),(c,~n)! p, | q ((~-A,b),(~'c,d)! P | q,
P|
P (a,c! p, q (b,d! q, P (~,c! p,

P @ q ((a,b),(c,d)! p, | q, pX (c,~! p,•
The tensor unit I is defined by

ae=f{ri} S1 aef
25
The morphisms expressing the symmetric monoidal closed structure are

defined as in SProc, by combining identities.
P r o p o s i t i o n 5..ASProc is a compact closed category.
N o n - d e t e r m i n i s m It turns out that dLVProc has only weak biproducts.

The construction of an addition on the homsets can still be carried out,
but it yields r.P + r.Q. This is not surprising, as the CCS operation + is
not well-defined on observation equivalence classes. In later sections we
will often construct processes by means of guarded sums such as a.P+b.Q,
which can be given direct definitions in terms of labelled transitions.
3.5 Time
In AVProc, t h e delay monads $ and A are less meaningful than in SProc,
since delay is built into all the definitions. But the unit delay functor 9
is still important. On objects it is defined by
def
7- 9 = rA
So A dJ V [ SA}.
If f : A --~ B then O f : OA -~ OB is defined by the transition O f (*'*! f .

P r o p o s i t i o n 6. O is a functor, and has the UFPP.
Proof. As in SProc. []
4 Specification Structures for Deadlock-Freedom
4.1 T h e S y n c h r o n o u s Case
We shall now describe a specification structure D for SProc such that
b-TProcD will be a category of deadlock-free processes, closed under all
the type constructions described above (and several more omitted in this
introductory account). This specification structure has a number of re-
markable features:
- The typing rule for composition in ~<TProcDwill be a compositional

proof rule for plugging together deadlock-free processes while pre-
serving deadlock-freedom. Rules of this kind are known to be difficult
to obtain [17].
26
- The concepts and techniques used in defining this specification struc-

ture and verifying t h a t it has the required properties represent a strik-
ing transfer of techniques from Proof T h e o r y (Tait-Girard proofs of
Strong Normalization [21]) to concurrency. This is m a d e possible by
our framework of interaction categories and specification structures.
We begin with some preliminary definitions. Firstly we define a binary
process combinator p n q by the transition rule
p , pl q a 9 ql
p~q a , p, ql.
N o t e that p I-1 q is the meet of p and q with respect to the simulation

pre-order [30].
Let STL be the set of processes labelled over/2. We define, for p f i STL:
p J, - Vs E Z;*,q E ST~.p s 9 q=v3aEs a 9 r.
We read p + as "p is deadlock-free", i.e. it can never evolve into the nil
process.
An important point is that we need to restrict attention to those ob-
jects of SProe whose safety specifications do not force processes to dead-
lock. The object A is progressive if
V8 E SA.3a E EA.sa C= Sa.
By considering just the progressive objects, we can be sure that there are
deadlock-free processes of every type.
Finally, the key definition:
p _L q = ( p F l q ) t .
We can think of p ,L q as expressing the fact t h a t "p passes the test q";
but note that _ _L _ is symmetric so the rSles of p and q, tester and testee,
can be interchanged freely.
Now we lift this symmetric relation to a self-adjoint Galois connection
on sets of processes in a standard fashion [14]:
p -L U = V q E U. p-L q
U l =- { P l P "L U}.
Since ( - ) • is a self-adjoint Galois connection, it satisfies
U•177177
_ U•
27
We are now ready to define the specification structure D on the subcat-

egory of SProc which consists of just the progressive objects.
P A = {U C_ STEAI Vp E U. ( p : A) A ( p ~ ) , U # O , U = U J-•
(Compare with the definition of candidats in [20], and with Linear Real-
izability Algebras [8]).
U@ v ~ f {p| {p E U,q E V ) •177

u v (u x | v• •
U --'oVd~e~-f(u|177 •
T h e Hoare triple relation is defined by means of a satisfaction relation

between processes and properties. If p : A and U E PA t h e n
p~U r pEU
and
v{y}v f v --o v.
P r o p o s i t i o n 7. These definitions yield a specification structure D on
5"Proc; all the type structure on 5"Proc described in Section 3 can be lifted
to ST:~rocD.
We illustrate the proof of this proposition by sketching the verification of
the key case for composition, i.e. the cut rule:
V{p}V Y{q)W p:(A,U)-*(B,V) q:(B,V)-+(C,W)
U{p; q}W p; q: (A,U) --* (C,W)
To verify U{p ; q}W we must show t h a t , for all r E U a n d s E W •
r | s s p ; q, i.e. t h a t ((r @ s) M (p ;q)) ~. By some elementary process
algebra,
((r | s) M ( p ; q)) = (r ;p) M (q; s)
where we regard r as a m o r p h i s m r : I -+ A and s as a m o r p h i s m
s : C -+ I. Thus it suffices to prove t h a t
(r;p) i ( q ; s )
which holds since r E U,p E U --o V implies r ; p E V and similarly
s E W ~ , q E V --o W implies t h a t q ;s E V •
It can be shown t h a t in general, U @ V is properly included in U ~3 V,
and hence in SProcD the operations of | and ~ are distinct. Thus the
specification structure leads to a category which, as a model of linear
logic, is less degenerate t h a n the original SProc.
28
4.2 The Asynchronous Case
The category ~PrOCD allows synchronous problems to be analysed for

deadlock-freedom, but there are also m a n y asynchronous systems which
we would like to verify. The obvious approach to reasoning about asyn-
chronous deadlock-freedom is tb use the delay operators of 8ProcD to
represent asynchrony, and then proceed as before. However, experience
has shown that when this is done the only deadlock-free behaviours which
the types can guarantee to exist are those in which all the processes in
the system delay. Hence we need a version of the specification structure
D over AST~roc. This section describes the construction, and illustrates it
with an application to the dining philosophers problem.
When we try to define a specification structure for deadlock-freedom
over ASProc, two complications arise which were not present in the syn-
chronous case. The first is to do with divergence, or livelock. Suppose
there are morphisms f : A ~ B and g : B ~ C, each of which runs
forever but only does actions in B. Then even if f and g do not deadlock
each other, the result of composing t h e m is a morphism which does no
observable actions at all--under observation equivalence this is the same
as the nil process, which is deadlocked. This shows that when dealing
with asynchronous processes, it is insufficient simply to guarantee that
processes can always communicate with each other when composed. The
second technical problem is t h a t because convergence of a process will
mean the ability to continue performing observable actions, there are no
convergent processes of type I in .ASProc, and hence no properties over
I. This means t h a t the asynchronous deadlock-free category will have no
tensor unit; in order to retain the ability to use the *-autonomous struc-
ture in calculations, a different object will have to be used instead. We
will not discuss this issue in the present paper.
To solve the first problem we can adapt Hoare's solution of a similar
problem [22]. He considers processes with one input and one output, which
can be connected together in sequence. This is actually quite close to the
categorical view in some ways: these processes have the "shape" of mor-
phisms and can be composed, although there are no identity processes.
More to the point, he is interested in conditions on processes which ensure
that connecting t h e m together does not lead to divergence. Restating the
question in the categorical framework, if f : A -~ B and g : B --* C,
what is the condition that f ; g does not diverge? Hoare's solution is to
specify that f should be left-guarded or g right-guarded. Left-guardedness
means that every infinite trace of f should contain infinitely m a n y observ-
able actions in A; similarly, right-guardedness means that every infinite
29
trace of g should contain infinitely many observable actions in C. If f

is left-guarded it has no infinite behaviours which only involve actions
in B, so no m a t t e r what g does there can be no divergent behaviour of
f ; g. Symmetrically, if g is right-guarded then f ; g does not diverge. If
a process is to be a morphism in a category, it must be composable b o t h
on the left and on the right; this means that it needs to be b o t h left-
guarded and right-guarded. Requiring that a morphism be b o t h left- and
right-guarded, i.e. that every infinite trace must contain infinitely many
observable actions in both ports, amounts to a specification of fairness.
W h a t we need for deadlock-freedom is a category in which all the mor-
phisms are fair in this sense. This issue only arises in the asynchronous
case, since in a synchronous category it is impossible for an infinite trace
of a process to have anything other than an infinite sequence of actions
in each port.
The Category :T'Proc The category $'Proc (fair processes) has objects
A = (ZA, TA,:SA, FA). The first three components of an object are exactly
as in YiSTProc.The fourth, FA, is a subset of 0 b A c t ( A ) ~ such that all finite
prefixes of any trace in FA are in SA. The interaction category operations
on objects are defined as in .4SProc, with the addition that
nedFA
FA| aed{s E ObAct(A | B)~ l s[A E FA, s[B e FB}
FOA nod I rA}.
A process in .TT)rocis almost the same as a process in .4SProc, except that
there now has to be a way of specifying which of the infinite traces of a
synchronisation tree are to be considered as actuM infinite behaviours of
the process. This is done by working with pairs (P, Tp) in which P is an
.4SProc process and O ~ Tp C infobtraces(P). Only the infinite traces
in Tp are viewed as behaviours of P , even though the tree P m a y have
m a n y other infinite traces. There is a condition for this specification of
valid infinite traces to be compatible with transitions: if P a Q then
Tp D {as ts E TQ}.
A process of type A in .T'Proc is a pair (P, Tp) as above, in w h i c h P
is a process of type (ZA, TA, SA) in .AS'Proc, and Tp C_FA. Equivalence of
processes is defined by
(P, Tp) = (Q,TQ) ~ (P ,~ Q) A (Tp = TQ)

30
where the relation ~ is observation equivalence; thus equivalence in .T'Proc

is a refinement of equivalence in AgProc.
As usual, a morphism from ~4 to B is a process of type A --o B.
The identity morphism on A in iPProc is (]dA, FA--oA) where idA is the
identity on (ZA, 7A, SA) in .ASProc. It will often be convenient to refer to
~ r o c processes by their first components, and just consider the second
components as extra information when necessary; thus the process (P, Tp)
m a y simply be written P.
For composition, if (f, T]): A --+ B and (g, Tg): B --. C then (f, T]);
(g, Tg) ~ f ( f ; g, Tf;g) where
Tl;g d___ef{s 9 infobtraces(f ;g) I

3t 9 Tf,u 9 Tg.[trA = srd, trB = uIB, uIC = siC]}.
It is straightforward to check that if T! C_ FA--oB and Tg C FB~C then

Tf;g C_FA--oC.
The functorial action of | is defined by (f, Tf)Q(g,Tg) ~f (fQg, Tf|
where, for f : A --* C and g : B --* D,
Tf| ~f {s 9 infobtraces(f | g) I
s r(A, C) 9 TI, s r(B, D) 9 Tg, s 9 FA|174 }.
This definition discards the infinite behaviours of f | g which correspond

to unfair interleavings. Effectively, this means that we are assuming the
existence of a fair scheduler for parallel composition; keeping the treat-
ment of fairness at the level of specifications, we do not say anything
about how such a scheduler might be implemented.
.T'Proc inherits the ,-autonomous structure of r because all the
structural morphisms, being essentially identities, are fair and the ab-
straction operation does not affect fairness. The exception to this is t h a t
there is no tensor unit: 0 b A c t ( I ) = ~ , so it is not possible to define Ft.
P r o p o s i t i o n 8..Pl:'roc is a compact closed category without units.
The definition of $-Proc is very close to the definition of a specification

structure over AST)roc--additional properties (the fairness specifications)
are defined at each type, and satisfaction of these properties by processes
is defined. However, iPProc does not actually arise from a specification
structure. The reason is the assumption of fair interleaving in the defi-
nition of | When a specification structure S is defined over a category
C, functors on (2 are lifted to Cs by checking t h a t their actions in C
31
preserve the Hoare triple relations. By contrast, the | functors on ~ r o c

and j ~ r o c have different actions on morphisms.
The specification structure for deadlock-freedom can now be defined
over the progressive subcategory 5rProcp~ of PProc, which now consists
of those objects for which every safe trace can be extended to a valid
infinite trace. The definitions are very similar to those for SProc. The
essential difference is that convergence of a process means the ability
to keep doing observable actions. Furthermore, the choice of next action
should not commit the process to a branch of behaviour which can lead
only to a disallowed infinite trace. If P : A then P ~ means
- whenever P ~ Q there is a E ObAct(A) and a process R such t h a t

Q-~.R, and there is t E infobtraces(R) such t h a t sat E Tp.
The definition of equivalence of ~CT)roc processes P and Q, requiring
P ~ Q and Tp = TQ, permits the possibility t h a t although P and Q
are not observation equivalent it is only the presence of branches corre-
sponding to invalid infinite traces which causes observation equivalence
to fail. However, if a process is convergent t h e n there is no branch along
which all infinite traces are invalid, so this situation does not arise. In
the specification structure for deadlock-freedom over ~roc, a property
is a set of convergent processes and satisfaction is membership, just as
in the synchronous case. This means that all the deadlock-free processes
considered are convergent, and the equivalence behaves well for them.
It is not, however, possible to require t h a t 9C7~rocshould consist only of
convergent processes, because convergence in itself is not preserved by
composition. It is only when convergence is combined with satisfaction of
suitable deadlock-free types that composition works.
Given P and Q of type A in A~roc, P ~ Q is defined exactly as in
r
p a pI Q a, Q!
P n Q ~. P' ~Q~.
If P and Q have type A in ~Proc and Tp n TQ ~ 0, then P R Q can be
converted into an ,T~roc process of type A by defining TpnQ de=fTp N TQ.
Orthogonality is now defined by
P _l_Q ~ T p N T Q ~ 0 and (P[7Q)~.
It is extended to sets of processes exactly as in the synchronous case. For

each object A, PDA is again the set of •177 sets of convergent
32
processes of type A. Satisfaction is membership, and all of the operations

on properties are defined exactly as before.
The proof that D satisfies the composition axiom is similar to the
proof in the synchronous case, but is complicated by the presence of silent
actions. If f : A --* B and g : B ~ C in .~Proc, communication between f
and g when f;g is formed can include periods in which the common action
in B is 7B. This means that several cases arise in the proof, depending
on whether f and g are delaying or performing observable actions, and
fairness is crucial in dealing with them. Details of the proof can be found
in [lS].
The proof that identity morphisms satisfy the correct properties is the
same as in the synchronous case. Hence
P r o p o s i t i o n 9. D is a specification structure over ~TT~roc~T.
The asynchronous deadlock-free category is called .T~rocD. For each type

A there is a process maxA which has every non-deadlocking behaviour
allowed by the safety specification of A. It is defined by
a e 0bAct(A)
a
maxA ' maxA/a
with TmaxA ---- F A. Note that a process maxA could be defined in this way
for any ~:~roc object A; maxA is simply the process which exhibits every
behaviour permitted by the safety specification SA. In general maxA might
have deadlocking behaviours, but because we are working in YPro%r, ev-
ery safe trace can be extended indefinitely and so maxA never terminates.
The process maxA is orthogonal to every convergent process of type
A: writing Proc(A) for the set of all convergent processes of type A, we
have maxA I Proc(A). In fact, Proc(A) • = {maxA}. Proc(A) is a valid
property over A, as is {maxA}, and they are mutually related by ( - ) •
The deadlock-free type (A, {rnaxA}) specifies an input port, because it
forces all possible actions to be accepted. The type (A, Proc(A)) specifies
an output, because any selection of actions is allowed. From now on,
we denote Proc(A) and {rnaxA} by outA and inA respectively, so that
in i = OUtA and out S = inA. It is not hard to prove
P r o p o s i t i o n 10. o u t A x2 o u t B ---- O u t A x ~ B .
I f P : A in ~'Proc and P $ then P ~ outA and so P : (A, outA) in .~-7)rocD.

Combined with the previous result, this gives
33
Proposition 11. If P : A1 ~2"" "~2A= in .TT)roc and P I, then in .TT)rocD,
P : (Al,outA1) ~ ' " " ~ (An,outAn).
This result is very useful for applications, as we shall see in the next
section. Another useful fact is that if the safety specification of A is such
that in every state there is a unique allowable next action, then inA =
outA.
4.3 Constructing Cyclic Networks
The deadlock-free categories SPrOCD and .~PrOCD are not compact closed,
which means that the categorical structure no longer supports the con-
struction of arbitrary process networks. Any non-cyclic structure can be
constructed, using the fact that the category is ,-autonomous, but addi-
tional proof rules are needed to form cycles.
Suppose that P : (F,U) ~ ( X , V ) ~ ( X • J-) in .~']~OCD. There is an
obvious condition that forming T by connecting the X and X J- ports
should not cause a deadlock: that every trace s of P with srX = srX x
can be extended by an action (~t,x,x) of P. The action x could be r x ,
as it is permissible for the sequence of communications between the X
and X • ports to pause, or the action tuple ~ could be r r , but not both.
Again, to obtain P : (F, U) in ~rocD it is also necessary to ensure that
the specification U can still be satisfied while the communication is taking
place.
The possibility of divergence does not have to be considered separately.
It is conceivable that P could have a non-deadlocking infinite behaviour in
which no observable actions occur in F, but the corresponding behaviour
of P would be unfair because it would neglect the ports in F. Thus it is
sufficient to state a condition which guarantees that forcing X and X •
to communicate does not affect the actions available i n t h e other ports.
This condition can be expressed in terms of ready pairs. The definition
of readies(P) for an ~l)roc process P of type A is
initials(P) aef {a E ObAct(A) I 3Q.P=~Q}

readies(P) de__f{(~,X) I 3Q.[(P=~Q) A ( X = initials(Q))]}.
The condition cycle(P) is now
- For every (s, A) E readies(P) such that s i x = s~X • and every action
(~, x, y) E A, there is z E ~ x such that Vr~x~gx. ~ (-5,z, z) E A.
34
This leads to a proof rule for cycle formation.
P : (P,U)~(X,V),e(X• • cycle(P)
P:(r,v)
This rule illustrates one of the main features of our approach--the combi-
nation of type-theoretic and traditional verification techniques. Typically,
the construction of a process will be carried out up to a certain point by
means of the linear combinators, and its correctness will be guaranteed
by the properties of the type system. This phase of the verification pro-
cedure is completely compositional. However, if cyclic connections are to
be formed, some additional reasoning about the behaviour of the pro-
cess is needed. The nature of this reasoning is embodied in the above
proof rule. The rule is not compositional, in the sense that the internal
structure of P must be examined to some extent in order to validate the
condition cycle(P), but the departure from compositionality is only tem-
porary. Once the hypotheses of the proof rule have been established, the
result is that P has a type, and can be combined with other processes
purely on the basis of that type.
5 The Dining Philosophers
The problem of the dining philosophers [22] provides a good example

of working with the category of asynchronous deadlock-free processes.
Our analysis of it will make use of the proof rule for cycle formation,
introduced in the previous section, and thus illustrates the combination
of type-theoretic arguments with more traditional reasoning. T h e example
itself is well-known in the concurrency literature, but it is worth reviewing
the scenario here before plunging into an analysis.
In a college there are five philosophers, who spend their lives seated
around a table. In the middle of the table is a large bowl of spaghetti; also
on the table are five forks, one between each pair of philosophers. Each
philosopher spends most of his time thinking, but occasionally becomes
hungry and wants to eat. In order to eat, he has to pick up the two
nearest forks; when he has finished eating, he puts the forks down again.
The problem consists of defining a concurrent system which models this
situation; there are then various questions which can be asked about its
behaviour. One is about deadlock-freedom: is it possible for the system to
reach a state in which nothing further can happen, for example because
the forks have been picked up in an unsuitable way? Another is about
fairness: do all the philosophers get a chance to eat, or is it possible
35
for one of t h e m to be excluded forever? The reason for looking at the

dining philosphers example in this paper is to illustrate techniques for
reasoning about deadlock-freedom, but because of the way in which the
asynchronous deadlock-free category has been constructed, fairness has
to be considered as well.
A philosopher can be modelled as a process with five possible actions:
eating, picking up the left fork, putting down the left fork, picking up
the right fork, and putting down the right fork. Calling these actions
e, lu, Id, ru, rd respectively, a CCS definition of a philosopher could
be P = lu.ru.e.ld.rd.P. There is no action corresponding to thinking: a
philosopher is deemed to be thinking at all times, unless actually doing
something else. In A.qProc a philosopher has three ports: one for the eating
action and one each for the left and right forks. The type of the fork
ports is X , defined by ~ x de=f{U, d, r x } and with Sx requiring u and d
to alternate, starting with u. The type of the eating port is Y defined by
~y clef{e, Ty} and with Sy allowing all traces. The philosopher process
can be typed as P : X • ~, Y ~ X.
A fork has four actions, lu, ld, ru and rd. For the usage of these
names by the fork to match their usage by the philosophers, the necessary
convention is that if a fork does the action lu, it has been picked up from
the right. A possible definition of a fork is K = lu.ld.K + r u . r d . K and it
can be typed as K : X • ~ X.
Five philosophers and five forks can be connected together in the de-
sired configuration, illustrated in Figure 1, by using the compact closed
structure of .ASProc, as usual. The next step is to transfer everything to
Y'Proc and then to ~'ProcD.
To construct the P and K processes in .T'Proc, fairness specifications
must be added to the types X and Y, and the acceptable infinite be-
haviours of P and K must be specified. This will be done in such a way
that P and K satisfy the appropriate fairness specifications. For both
X and Y the fairness specification can simply be all infinite traces. This
means that there is no fairness requirement on the actions within a port,
but only between ports. For the t y p e s of the philosopher and the fork,
F x x ~ y ~ x consists of the infinite traces whose projections into the three
ports are all infinite, and similarly Fx• x .
To convert the .A.S'Proc process P into an .TTVroc process, it is sufficient
to take Tp = infobtraces(P). It is then clear that Tp C_ F x . ~ g y ~ x b.e-
cause the behaviour of P simply cycles around all the available actions.
Also, P is convergent because its behaviour consists of just one infinite
branch. However, K has unfair infinite behaviours--for example, there is
36
(
)
Fig. 1. Process Configuration for the Dining Philosophers
an infinite trace in which the ru and rd actions never appear. Thus TK

must be defined in such a way as to eliminate these undesirable infinite
traces, and this can easily be done by taking TK = F x x ~ x . Then K
is convergent, because any of its finite behaviours can be extended to a
fair infinite behaviour by choosing a suitable interleaving from that point
on. This approach means that this section is not addressing the issue of
how fairness can be achieved in the dining philosophers problem--to do
that, the implementation of a fair scheduler would have to be considered.
As already stated, this problem has been introduced as an example of
compositional reasoning about deadlock-freedom; fairness only appears
in the minimal possible way needed for the categorical approach to be
applicable.
Typing the philosopher and fork processes in ~7~rocD requires suitable
properties over the types X and Y. For Y, outy can be used. Because Y
has only one observable action, outy = out~-. Similarly for X, the set outx
can be used, and because the safety specification of X is such that in each
state there is only one action available, outx = out~. Because K : X •
in ~'Proc and K is convergent, K ~ outx• ~ o u t x and so K : (X, o u t x ) •
(X, outx) in YProcD. Similarly, P : (X, ootx) • *g (Y, o u t r ) ~ (X, outz)
in F79rocD. These typings mean that any number of philosophers and
forks can be connected together in a line, and the resulting process is
37
guaranteed to be deadlock-free. Interestingly, this applies not only to the

"correct" configuration in which philosophers and forks alternate, but also
to other possibilities such as a sequence of forks with no philosophers.
The interesting step of the construction consists of completing the
cycle by connecting the X and X j- ports at opposite ends of a chMn in
which forks and philosophers alternate. Because .TProcD is not compact
closed, the proof rule of the previous section must be used. First of all,
some traditional analysis based On reasoning about the state of the system
is useful. For the moment, the e actions can be ignored as they do not
have any impact on deadlocks in this system. The following cases cover
all possibilities for a state.
1. If there is Pi such that both adjacent forks are down, it can pick up
the left fork.
2. If there is P~ whose right fork is up and whose left fork is down, it can
either put down the right fork (if it has just put down the left fork)
or pick up the left fork (if its neighbour has the right fork).
3. If all forks are up and some Pi has both its forks, it can put down the
left fork.
4. If all forks are up and every P~ has just one fork, they all have their
left forks, and there is a deadlock.
The last case is the classic situation in which the dining philosophers may
deadlock--each philosopher in turn picks up the left fork, and then they
are stuck. In terms of ready sets, there is a state in which every possible
next action has non-matching projections in the two X ports.
In Hoare's formulation of the dining philosophers problem [22] the
philosophers are not normally seated, but have to sit down before at-
tempting to pick up their forks. This means that the possibility of dead-
lock can be removed by adding a f o o t m a n , who controls when the philoso-
phers sit down. The footman ensures that at most four philosophers are
seated at any one time, which means that there is always a philosopher
with an available fork on both sides; in this way, the deadlocked situ-
ation is avoided. However, implementing this solution involves a major
change to the system: there is a new process representing the footman,
the philosopher processes have extra ports on which they interact with the
footman, and consequently their types need to be re-examined. It is more
convenient to use an alternative approach, which will now be described.
One of the philosophers is replaced by a variant, pi, which picks up
the forks in the opposite order. So PI = r u . l u . e . r d . l d . P ~in CCS notation.
38
Intuitively, this prevents the deadlocking case from arising, because even
if the four Ps each pick up their left fork, P ' is still trying to pick up its
right fork (which is already in use) and so one of the Ps has a chance to
pick up its right fork as well. The check that there are no deadlocks takes
the form of a case analysis, as before.
1. If all the forks are up and some philosopher has both its forks, it can
put one of t h e m down, whether it is P or P'.
2. If all the forks are up a n d every philosopher has just one, either they
all have their left fork or all the right. If t h e y all have their left fork,
then P ' can put down its left fork. If they all have their right fork,
then any P can put down its right fork.
3. If two adjacent forks are down, then the philosopher in between them
can pick one of them up, whether it is P or P'.
4. Otherwise there is the configuration u - p h i l 1 - d - p h i l 2 - u - p h i l 3.

- If p h i l 2 is P and has its right fork, it can put down the right fork.
- If phil 2 is P and doesn't have its right fork, it can pick up the
left fork.
- If phil 2 is P' and has its right fork, it can pick up the left fork.
If phil 2 is P' and doesn't have its right fork, then phil 3 m u s t
be P and has its left fork. Then if p h i l a ' s right fork is down,
p h i l 3 can pick it up. If the right fork is up and p h i l 3 has it, it
can put down the left fork. Otherwise, p h i l 4 is P and has its left
fork. Continuing this argument for each p h i l / with i /> 4 leads
eventually to either a possible action, or cyclically back t o ' i = 1
and the deduction that p h i l 1 has its left fork. In the latter case,
since p h i l 1 is P, it can pick up its right fork.
To recast this argument in terms of checking the condition on the final

cyclic connection, suppose that the final connection is between the P ' pro-
cess a n d t h e fork on its right. Each case of the argument either produces
a communication between P ' and this fork, or produces a communication
elsewhere in the cycle, which m e a n s that there is an action of the system
in which the two ports to be connected both delay. This shows that the
cycle condition is satisfied, and the proof rule can be applied.
39
Acknowledgements
We would like to thank Rick Blute, Robin Cockett, Phil Scott and David
Spooner for their detailed reviews of this p~per.
References
1. S. Abramsky, S. J. Gay, and R. Nagarajan. Interaction categories and foundations

of typed concurrent programming. In M. Broy, editor, Deductive Program De-
sign: Proceedings of the 1994 Marktoberdor] International Summer School, NATO
ASI Series F: Computer and Systems Sciences. Springer-Verlag, 1995. Also avail-
able as theory/papers/Abramsk://marktoberdorf.ps.gz via anonymous ftp to
theory, doc. ic. ac.uk.
2. S. Abramsky. Domain theory in logical form. Annals of Pure and Applied Logic,
51:1-77, 1991.
3. S. Abramsky. Interaction Categories (Extended Abstract). In G. L. Burn, S. J.
Gay, and M. D. Ryan, editors, Theory and Formal Methods 1993: Proceedings of
the First Imperial College Department of Computing Workshop on Theory and
Formal Methods, pages 57-70. Springer-Verlag Workshops in Computer Science,
1993.
4. S. Abramsky. Interaction Categories and communicating sequential processes. In
A. W. Roscoe, editor, A Classical Mind: Essays in Honour of C. A. R. Hoare,
pages 1-15. Prentice Hall International, 1994.
5. S. Abramsky. Proofs as processes. Theoretical Computer Science, 135:5-9, 1994.
6. S. Abramsky. Interaction Categories I: Synchronous processes. Paper in prepara-
tion, 1995.
7. S. Abramsky and R. Jagadeesan. Games and full completeness for multiplicative
linear logic. Journal of Symbolic Logic, 59(2):543 - 574, June 1994.
8. S. Abramsky and R. Jagadeesan. New foundations for the geometry of interaction.
Information and Computation, 111(1):53-i19, 1994.
9. S. Abramsky, It. Jagadeesan, and P. Malacaria. Full abstraction for PCF (ex-
tended abstract). In M. Hagiya and J. C. Mitchell, editorsl Theoretical Aspects
of Computer Software. International Symposium TA CS'9~, number 789 in Lecture
Notes in Computer Science, pages 1-15, Sendai, Japan, April 1994. Springer-Verlag.
10. A. Asperti and G. Longo. Categories, Types and Structures : An introduction to
category theory for the working computer scientist. Foundations of Computing
Series. MIT Press, 1991.
11. M. Bart. .-autonomous categories and linear logic. Mathematical Structures in
Computer Science, 1(2):159-178, July 1991.
12. G. Berry and P.-L. Curien. Theory and practice of sequential algorithms: the
kernel of the applicative language CDS. In J. C. Reynolds and M. Nivat, editors,
Algebraic Semantics, pages 35-84. Cambridge University Press, 1985.
13. R. Blute. Linear logic, coherence and dinaturality. Theoretical Computer Science,
I15(I):3-41, 1993.
14. P. M. Cohn. Universal Algebrai volume 6. D. Reidel, 1981.
15. R. L. Crole. Categories ]or Types. Cambridge University Press, 1994.
16. J . W . de B~kker. Mathematical Theory of Program Correctness. Prentice tIall
International, 1980.
40
17. W. P. de Roever. The quest for compositionality--a survey of assertion based proof
systems for concurrent programs, Part I: Concurrency based on shared variables.
In Proceedings of the IFIP Working Conference, 1985.
18. S. J. Gay. Linear Types for Communicating Processes. PhD thesis, University of
London, 1995. Available as t h e o r y / p a p e r s / G a y / t h e s i s .ps .gz via anonymous ftp
to t h e o r y .doc. i c . ac .uk.
19. G. Centzen. Investigations into logical deduction. In M. E. Szabo, editor, The
Collected Papers of Gerhard Gentzen. North-Holland, 1969.
20. J.-Y. Girard. Linear Logic. Theoretical Computer Science, 50(1):1-102, 1987.
21. J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types, volume 7 of Cambridge
Tracts in Theoretical Computer Science. Cambridge University Press, 1989.
22. C. A. R. Hoare. Communicating SequentialProcesses. Prentice Hall, 1985.
23. N. D. Jones and F. Nielson. Abstract interpretation. In S. Abramsky, D. Gabbay,
and T. Maibaum, editors, Handbook of Logic in Computer Science, volume 4. Ox-
ford University Press, 1995. To appear.
24. G. M: Kelly and M. L. Laplaza. Coherence for compact closed categories. Journal
of Pure and Applied Algebra, 19:193-213, 1980.
25. D. C. Kozen and J. Tiuryn. Logics of programs. In van Leeuwen, editor, Handbook
of Theoretical Computer Science, volume B, pages 789-840. North Holland, 1990.
26. S. Mac Lane. Categories for the Working Mathematician. Springer-Verlag, Berlin,
1971.
27. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems.
Springer-Verlag, 1992.
28. J. McKinna and R. Burstall. Deliverables: A categorical approach to program de-
velopment in type theory. In Proceedings of Mathematical Foundation of Computer
Science, 1993.
29. R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer Science,
25:267-310, 1983.
30. R. Milner. Communication and Concurrency. Prentice Hall, 1989.
31. R. Milner, M. Torte, and R. Harper. The Definition of Standard ML. MIT Press,
1990.
32. P. W. O'Hearn and R. D. Tennent. Relational parametricity and local variables.
In Proceedings, 20th ACM Symposium on Principles of Programming Languages.
ACM Press, 1993.
33. A. M. Pitts. Relational properties of recursively defined domains. In 8th Annual
Symposium on Logic in Computer Science, pages 86-97. IEEE Computer Society
Press, Washington, 1993.
34. R. Soare. Recursively Enumerable Sets and Degrees. Perspectives in Mathematical
Logic. Springer-Verlag, Berlin, t987.
35. J. B. Wells. Typability and type checking in the second-order )~-calculus are equiv-
alent and undecidable. In Proceedings, Ninth Annual 1EEE Symposium on Logic
in Computer Science. IEEE Computer Society Press, 1994.
Automated Temporal Reasoning
about
Reactive Systems
E. Allen Emerson
University of Texas at Austin, Austin, Tx 78712, USA
A b s t r a c t . There is a growing need for reliable methods of designing

correct reactive systems such as computer operating systems and air
traffic control systems. It is widely agreed that certain formalisms such as
temporal logic, when coupled with automated reasoning support, provide
the most effective and reliable means of specifying and ensuring correct
behavior of such systems. This paper discusses known complexity and
expressiveness results for a number of such logics in common use and
describes key technical tools for obtaining essentially optimal mechanical
reasoning algorithms. However, the emphasis is on underlying intuitions
and broad themes rather than technical intricacies.
1 Introduction
There is a growing need for reliable methods of designing correct reactive sys-
tems. These systems are characterized by ongoing, typically nonterminating and
highly nondeterministic behavior. Examples include operating systems, network
protocols, and air traffic control systems. There is widespread agreement that
some type of temporal logic, or related formalism such as a u t o m a t a on infinite
objects, provides aft extremely useful framework for reasoning about reactive
programs.
The "classical" approach to the use of temporal logic for reasoning about
reactive programs is a manual one, where one is obliged to construct by hand
a proof of program correctness using axioms and inference rules in a deductive
system. A desirable aspect of some such proof systems is that they m a y be for-
mulated so as to be "compositional', , which facilitates development of a program
hand in hand with its proof of correctness by systematically composing together
proofs of constituent subprograms. Even so, manual proof construction can be
extremely tedious and error prone, due to the large number of details that must
be attended to. Hence, correct proofs for large programs are often very difficult
to construct and to organize in an intellectually manageable fashion. It is not en-
tirely clear that it is realistic to expect manual proof construction to be feasible
for large-scale reactive systems.
42
We have historically advocated an alternative, automated approach to rea-

soning about reactive systems (cf. [Em81], [CE81], [EC82]). 1 The basic idea is
that certain important questions associated with (propositional) temporal logic
are decidable:
1. The Model Checking Problem - Given a finite state transition graph M
and a temporal logic specification formula f, is M a model of f ? This is useful
in automatic verification of (finite state) reactive programs.
2. The Satisfiability Problem - Given a temporal logic specification formula
f , does there exist a model M of f ? This is useful in automatic synthesis of
(finite state) reactive programs.
Thus automated program reasoning, in various forms, is possible in principle.
The limiting factors are:
a. the complexity of the decision procedures, and
b. the expressiveness of the logics.
We will discuss these factors, their interaction with each other, and their
impact on the promise and pitfalls of automated program reasoning. We will
sketch known complexity and expressiveness results for a number of represen-
tative logics and formalisms. In particular, we shall focus on (i) Computation
Tree Logic (CTL) and its variants such as CTL*, (ii) the Mu-Calculus, and (iii)
tree automata. We shall also discuss key technical tools for obtaining essentially
optimal decision procedures.
In the case of model checking, the upshot is that, in practice, the complexity
as a function of the structure size is usually the dominating factor, and in this
regard we have for most useful logics, in effect, efficient algorithms. For this
reason, model checking has been .applied quite successfully to verify correctness
of (and to debug) "real-world" applications. A potentially serious limitation
to model checking, however, is that of state space explosion: e.g., the global
state graph of a concurrent system with n individual processes can be of size
exponential in n. A variety of strategies for ameliorating this state explosion
problem, including symbolic model checking and state reduction techniques, have
been explored in the literature and remain a topic, of current research interest
(cf. [Ku94]).
In the case of testing satisfiability, for the rather simple logic CTL, a tableau
construction suffices to obtain the Small Model Theorem, which asserts that
any satisfiable formula f has a "small" (exponential size) model M; exponential
time decidability follows. This permits us to synthesize reactive programs from
CTL specifications in a wholly mechanical way. The model M defines a program
meeting Specification f. I f f is inconsistent, the decision procedure says so, and
the specification must be reformulated. A potentially serious drawback here is,
1 It seems that nowadays there is widespread agreement that some type of automation
is helpful, although this opinion is not unanimous.
43
of course, the complexity of the decision procedure. Somewhat surprisingly, a

Simplified CTL (SCTL) with radically restricted syntax is still useful (e.g., for
program synthesis) and is decidable in polynomial time.
For logics with greater expressive power, such as CTL* and the Mu-Calculus,
we reduce satisfiability to nonemptiness of tree automata. Here pertinent tech-
nical tools include determinization and complementation of such automata on
infinite strings and trees. Finally, we remark on some more intimate connec-
tions among tree automata, temporal logics, and the Mu-Calculus. For example,
Mu-calculus formulae are simply alternating tree automata.
The remainder of this paper is organized as follows. Section 2 discusses pre-
liminary material including the nature of reactive systems, temporal logic in
general, and manual versus mechanical reasoning; also covered in section 2 are
the technical definitions of the specific logics we focus on. A brief overview of
model checking is given in section 3. The tableau-based approach to decision pro-
cedures is described and illustrated on CTL in section 4. The automata-theoretic
approach to decision procedures is discussed and illustrated on CTL* in section
5. Section 6 discusses expressiveness and complexity issues, including a general
overview, tradeoffs, and a summary of key results. Also considered in section 6
are efficiently decidable temporal logics. Finally, some concluding remarks are
given in section 7.
2 Preliminaries
2.1 Reactive S y s t e m s
The ultimate focus of our concern is the development of effective methods for
designing reactive systems (cf. [Pn86]). These are computer hardware and/or
computer software systems that usually exhibit concurrent or parallel execution,
where many individual processes and subcomponents are running at the same
time, perhaps competing for shared resources, yet coordinating their activities
to achieve a common goal. These processes and subcomponents may be geo-
graphically dispersed so that the computation is then distributed. The cardinM
characteristic of reactive systems, however, is the ongoing nature of their com-
putation. Ideally, reactive systems exhibit nonterminating behavior.
There are many important practical examples of reactive systems. These in-
clude: computer operating systems; network communication protocols; computer
hardware circuits; automated banking teller networks; and air traffic control sys-
tems.
The semantics of reactive systems can thus be given in terms of infinite
sequences of computation states. The computation sequences may in turn be
organized into infinite computation trees. The branching behavior of these re-
active systems is typicMly highly nondeterministic, owing to a variety of factors
44
including the varying speeds at which processes execute, uncertainty over the
time required for messages to be transmitted between communicating processes,
and "random" factors in the environment. Because of this high degree of non-
determinism, the behavior of reactive systems is to a high degree unpredictable,
and certainly irreproducible in practice. For this reason, the use of testing as
a means of ascertaining correctness of a reactive system is even more infeasible
than it is for sequential programs. Accordingly, the use of appropriate formal
methods for precisely specifying and rigorously verifying the correct behavior of
reactive systems becomes even more crucial in the case of reactive systems.
2.2 T e m p o r a l Logic
One obvious difficulty is that formalisms originally developed for use with se-
quent'ial programs that are intended to terminate, and are thus based on initial
state - final state semantics are of little value when trying to reason about reac-
tive systems, since there is in general no finM state. Pnueli [Pn77] was the first
to recognize the importance of ongoing reactive systems and the need for a for-
malism suitable for describing nonterminating behavior. Pnueli proposed the use
of temporal logic as a language for specifying and reasoning about change over
time. Temporal logic in its most basic form corresponds to a type of modal tense
logic originally developed by philosophers (cf. [RU71]). It provides such sim-
ple but basic temporal operators as Fp (sometime p) and Gp (always p), that,
Pnueli argued, can be combined to readily express many important correctness
properties of interest for reactive systems.
Subsequent to the appearance of [Pn77], hundreds , perhaps thousands, of
papers developing the theory and applications of temporal logic to reasoning
about reactive systems were written. Dozens, if not hundreds, of systems of
temporal logic have been investigated, both from the standpoint of basic theory
and from the standpoint of applicability to practical problems. To a large extent
the trend was to enrich (and "elaborate") Pnueli's original logic thereby yielding
logics of increasingly greater expressive power. The (obvious) advantage is that
more expressive logics permit handling of a wider range of correctness properties
within the same formalism. More recently, there has been a counter-trend toward
"simplified" logics tailored for more narrowly construed applications.
In any event, there is now a widespread consensus that some type of temporal
logic constitutes a superior way to specify and reason about reactive systems.
There is no universal agreement on just which logics are best, but we can make
some general comments, temporal logics can be classified along a number of
dimensions:
1. point-based, where temporal assertions are true or false of moments in time,
versus interval-based, where temporal assertions are true or false of intervals
of time.
45
2. future-tense only versus future-and-past-tense operators.

3. linear time, where temporal assertions are implicitly universally quantified
over ~ll possible executions of a reactive system, versus branching time, where
temporal assertions include explicit path quantifiers and are interpreted over
the computation trees describing system execution
4. propositional versus first order
It is our sense that the majority of the work on the use of temporal logic to
reason about reactive systems has focussed on propositional, point-based, future-
tense systems. There are a large number of users of both .the linear time and the
branching time frameworks. We ourselves have some preference for branching
time, since in its full generality it subsumes the linear time framework. We
shall ,thus focus on the systems CTL, CTL* discussed below along with the
"ultimate branching time logic", the Mu-calculus, and PLTL, ordinary linear
temporal logic. It is to be re-emphasized we are always restricting our attention
to propositional logics, which turn out to be adequate for the bulk of our needs.
2.3 Manual versus Mechanical Reasoning
Because of the difficulty of establishing correctness of computer programs in

general and the special subtleties associated with reactive systems in particular
a great deal of of effort has gone into developing formM methods for reasoning
about program correctness. There is a vast literature (cf. [MP92]) on the use of
manual "proof systems", where a program's behavior is specified in some formal
assertion language or logic, often a dialect of temporal logic, and then a rigorous
mathematical proof is given, using axioms and inference rules in a deductive
system for the logic, that the program meets its specification.
Manual proofs of program correctness offer both advantages and disadvan-
tages. The advantages are rather obvious. In principle, it is possible to be com-
pletely formal in conducting the proof, thereby obtMning an absolute guarantee
of soundness. In practice, working with complete, true formality is more problem-
atic to achieve, and some level of quasi-formal argument is substituted instead. 2
These quasi-formal arguments can themselves still be useful, providing some de-
gree of assurance that the program is - more or less - correct. Moreover, the
quasi-formnl arguments can mirror the informal style of a good human math-
ematician. Unfortunately, this does permit errors in the argument to creep in,
2 This is more along the line of the working mathematician's notion of rigorous, but
not strictly formal. To us, a strictly formal proof is conducted by simply performing
symbol manipulations. There should exist an algorithm which, given a text that is
alleged to constitute a strictly formal proof of an assertion, mechanically checks that
each step in the proof is legitimate, say, an instance of an axiom or results from
previous steps by application of an inference nile.
46
and it seems to us that complete formalization is, given the current state of
knowledge about formal systems and notations, not likely to be practical in the
manual setting.
We point out that there are additional drawbacks to manual proof construc-
tion of program correctness. Just as for any proof, ingenuity and insight are
required to develop the proof. The problem is complicated by the vast amount
of tedious detail that must be coped with, which must in general be organized in
subtle ways in formulating "loop invariants", and so forth. There may be so much
detail that it is difficult to organize the proof in an intellec.tually manageable
fashion.
The upshot is that the whole task of manual proof construction becomes
extremely error prone. One source of errors is that strong temptation to replace
truly formal reasoning by quasi-formal reasoning. This is seen through-out the
literature on manual program verification, and it frequently leads to errors.
We feel compelled to assert the following (perhaps controversial):
Claim. Manual verification will not work for large-scale reactive systems.
Our justification is that the task is error-prone to an overwhelming degree.
Even if strictly formal reasoning were used throughout, the plethora of technical
detail would be overwhelming. By analogy, consider the task of a human adding
100000 decimal numbers of 1000 digits each. This is rudimentary in principle
but likely impossible in practice for any human to perform accurately. Similarly,
the verification of 1000000 or even 100000 line programs by hand will not be
feasible. The transcription errors alone will be prohibitive.
For these reasons plus the convenience of automation, we therefore believe
that it is important to focus on mechanical reasoning about program correctness
using temporal logic and related formalisms. There are at least four approaches
to explore:
0. Mechanical assistance for verification of programs using a validity tester

applied to assertions of the form Pl A . . . A Pk ~ q. Intuitively, Pl, . . . , Pk are
assertions already proved to hold for the program and q is a new assertion
to be established for the program.
1. Mechanical verification that a given finite state program M meets a specifi-
cation p formulated in temporal logic, using a model checking algorithm (cf.
ICE81], [QS82], [CES86], [gu94]).
2. Mechanical synthesis of a program M meeting a temporal specification p us-
ing a decision procedure for testing satisfiability (cf. [EC82, MW84, PR89]).
3. Executable temporal logic specifications. This approach [BFGGO89] may be
viewed as an elegant variation of the synthesis approach. While synthesis
might be seen as a 'process of compiling temporal logic specifications, in
contrast, this approach amounts to interpreting the specifications on-the-fly.
47
We note that approach 0, while less ambitious than approach 2, relies on the
technical machinery of approach 2, a decision procedure for satisfiability/validity.
Actually, it can be argued that approaches 1 and 3 also rely heavily on approach
2. In any event, in the sequel, we shall focus on approach 1, model checking, and
approach 2, decision procedures for satisfiability.
2.4 CTL*, C T L , a n d P L T L
In this section we provide the formal syntax and semantics for three repre-
sentative systems of propositional temporal logic. Two of these are branching
time temporM logics: CTL and its extension CTL*. The simpler branching time
logic, CTL (Computational Tree Logic), allows basic temporal operators of the
form: a path quantifier--either A ("for all futures") or E ("for some f u t u r e " -
followed by a single one of the usual linear temporal operators G ("always"),
F ("sometime"), X ("nexttime"), or U ("until"). It corresponds to what one
might naturally first think of as a branching time logic. CTL is closely related
to branching time logics proposed in [La80], [EC80], [QS82], [BPM83], and was
itself proposed in ICE81]. However, its syntactic restrictions limit its expressive
power so that, for example, correctness under fair scheduling assumptions can-
not be expressed. We therefore also consider the much richer language CTL*,
which is sometimes referred to informally as full branching time logic. The logic
CTL* extends CTL by allowing basic temporal operators where the path quan-
tifier (A or E) is followed by an arbitrary linear time formula, allowing boolean
combinations and nestings, over F, G, X, and U. It was proposed as a unifying
framework in [EH86], subsuming a number of other systems, including both CTL
and PLTL.
The system PLTL (Propositional Linear temporal logic) is the "standard"
linear time temporal logic widely used in applications (cf. [Pn77], [MP92]).
Syntax
We now give a formal definition of the syntax of CTL*. We inductively define
a class of state formulae (true or false of states) using rules S1-3 below and a
class of path formulae (true or false of paths) using rules P1-3 below:
S1 Each atomic proposition P is a state formula

$2 If p, q are state formulae then so are p A q, -~p
$3 If p is a path formula then Ep, Ap are state formulae
P1 Each state formula is also a path formula
P2 If p, q are path formulae then so are p A q, -~p
P3 If p, q are path formulae then so are Xp, pUq
The set of state formulae generated by the above rules forms the language
CTL*. The other connectives can then be introduced as abbreviations in the
48
usual way: pV q abbreviates ~ ( ~ p A ~q), p ~ q abbreviates -~pV q, p r q abbre-

viates p ~ q A q ~ p, Fp abbreviates trueUq, and Gp abbreviates -~F'~p. We
oo oo
also let F p abbreviate GFp ("infinitely often"), G p abbreviate FGp ("almost
everywhere"), and (pBq) abbreviate -~((-~p)Uq) ("before").
R e m a r k : We could take the view that Ap abbreviates -~E'~p, and give a more
terse syntax in terms of just the primitive operators E, A, -~, X, and U. However,
the present approach makes it easier to give the syntax of the sublanguage CTL
below.
The restricted logic CTL is obtained by restricting the syntax to disallow
boolean combinations and nestings of linear time operators. Formally, we replace
rules P1-3 by
P0 If p, q are state formulae then Xp, pUq are path formulae.
The set of state formulae generated by rules S1-3 and P0 forms the language
CTL. The other boolean connectives are introduced as above while the other
temporal operators are defined as abbreviations as follows: E F p abbreviates
E(trueUp), AGp abbreviates -~EF'~p, A F p abbreviates A(trueVp), and EGp
abbreviates -~AF-~p. (Note: this definition can be seen to be consistent with
that of CTL*.)
Finally, the set of path formulae generated by rules S1,P1-3 define the syntax
of the linear time logic PLTL.
Semantics
A formula of CTL* is interpreted with respect to a structure M = ( S , R , L )

where
S is the set of states,

R is a total binary relation C S x S (i.e., one where Vs 6 S3t 6 S(s,t) 6 R),
and
L: S --4 2AP is a labeling which associates with each state s a set L(s) consisting
of all atomic proposition symbols in the underlying set of atomic propositions
A P intended to be true at state s.
We may view M as a labeled, directed graph with node set S, arc set R, and
node labels given by L.
A fullpath of M is an infinite sequence so, sl, s 2 , . . , of states such that Vi
(si, s~+l) 6 R. We use the convention that x = (so, sl, s~,...) denotes a fullpath,
and that x i denotes the suffix path (si,si+l,si+2,...). We write M, so ~ p
(respectively, M, x ~ p) to mean that state formulap (respectively, path formula
p) is true in structure M at state so (respectively, of fullpath z). We define
inductively as follows:
49
S1 M, so ~ P i f f P E L ( s o )
$2 M So ~ p A q iff M, so ~ p a n d M , so ~ q
M so ~ -~p iff it is not the ease that M, so ~ p
$3 M so ~ Ep iff 3 fullpath x = (so, sl, s2,...) in M, M, x ~ p
M so ~ Ap iff V fullpath x = (so, si, s2,...) in M, M, x ~ p
P1 M x ~ p iff M, so ~ p
P2 M x ~ p A q i f f i , x ~ p and i , x ~ q
M x ~ -~p iff it is not the case that M, x ~ -~p
P3 M x ~ pUq iff 3i [U, x i ~ q and Vj (j < i implies M, xJ ~ p)]
M x ~ X p iff M, x 1 ~ p
A formula of CTL is also interpreted using the CTL* semantics, using rule
P3 for path formulae generated by rule P0.
Similarly, a formula of PLTL, which is a "pure path formula" of CTL* is
interpreted using the above CTL* semantics.
We say that a state formulap (resp., path formulap) is valid provided that for
every structure M and every state s (resp., fullpath x) in M we have M, s ~ p
(resp., M, x ~ p). A state formulap (resp., path formulap) is satisfiable provided
that for some structure M and some state s (resp., fullpath x) in M we have
M, s ~ p (resp., M, x ~ p).
Alternative and Generalized Semantics
We can define CTL* and other logics over various generalized notions of struc-
ture. For example, we could consider more general structures M = (S, X, L)
where S is a set of states and L a labeling of states as usual, while X C S ~
is a family of infinite computation sequences (fullpaths) over S. The definition
of CTL* semantics carries over directly, with path quantification restricted to
paths in X, provided that "a fullpath x in M " is understood to refer to a fullpath
x in X. Usually, we want X to be the set of paths generated by a binary relation
R (cf. [Em83]).
Another generalization is to define a multiprocess structure, which is a refine-
ment of the above notion of a "monolithic" structure that distinguishes between
different processes. Formally, a multiprocess structure M = (S, R, L) where
S is a set of states,
R is a finite family { R 1 , . . . , Rk} of binary relations Ri on S (intuitively, Ri
represents the transitions of process i) such that R = OR is total (i.e. Vs E S
3 t E S (s,t) E R ) ,
L associates with each state an interpretation of the proposition symbols at
the state.
50
Just as for a monolithic structure, a multiprocess structure may be viewed

as a directed graph with labeled nodes and arcs. Each state is represented by a
node that is labeled by the atomic propositions true there, and each transition
relation Ri is represented by a set of arcs that are labeled with index i. Since
there may be multiple arcs labeled with distinct indices between the same pair
of nodes, technically the graph-theoretic representation is a directed multigraph.
Now we can define nexttime operators relativized to process indices. For
example, we can extend CTL to allow
M, s ~ E X i p iff 3t ( (s, t) E Ri and M, t ~ p)
M, s ~ A X i p iff Vt ( (s, t) E R~ implies M, t ~ p)
We can further generalize the semantics for CTL*. The previous formulation
of CTL* over uniprocess structures refers only to the atomic formulae labeling
the nodes. However, it is straightforward t o extend it to include, in effect, arc
assertions indicating which process performed the transition corresponding to
an arc. This extension is needed to formulate the technical definitions of fairness
constraints, so we briefly describe it.
Now, a fullpath z = (so, dl, sl, d2, s2,...), depicted below
dl d2 d3 d4
9 ---). 9 ---), 9 --). 9 --~ ,,.
so 81 s2 83
si alternating with relation indices di+l such
is an i n f i n i t e s e q u e n c e of states
that (si, si+l) E Rdi+l, indicating that process di+l caused the transition from
si to si+l. We also assume that there are distinguished propositions enl, . . . ,
enk, exl, . . . , eXk, where intuitively enj is true of a state exactly when process
j is enabled, i.e., when a transition by process j is possible, and exj is true of a
transition when it *is performed by process j. Technically, each enj is an atomic
proposition--and hence a state formula--true of exactly those states in domain
M, so ~ enj iffs0 E domain Rj = {s E S : 3t E S (s,t) E Rj}

while each exj is an atomic arc assertion--and a path formula such that
M , z ~ exj iff dl = j.
Fairness constraints (cf. [Fr86], [EL87]) can now be precisely captured:
- Unconditional fairness, which asserts that each process is executed infinitely
oo
often, can be expressed as Aie[l:k](Fexi ).
- Weak fairness,which asserts that each process which is continuously enabled
oo oo
is repeatedly executed, can be expressed as Aie[l:h](Geni ~ Fexi)
- Strong fairness, which asserts that each process which is enabled infinitely
co oo
often is executed infinitely often can be expressed as Aie[l:k](Feni ~ Fex~)
We can define a single type of general structure which subsumes all of those
above. We assume an underlying set of state symbols interpreted over states,
5]
as well as an additional set of arc assertion symbols that are interpreted over
transitions (s, t ) E R. Typically we think of L((s, t)) as the set of indices (or
names) of processes which could have performed the transition (s, t). A (gener-
alized) fullpath is now a sequence of states si alternating with arc assertions di
as depicted above.
Now we say that a general structure M = (S, R, X, L) where
S is a set of states,
R is a total binary relation C S x S,
X is a set of fullpaths over R, and
L is a mapping associating with each state s an interpretation L(s) of all state
symbols at s, and with each transition (s, t) E R an interpretation of each
arc assertion at (s, t).
There is no loss of generality due to including R in the definition: for any set
of fullpaths X, let R = {(s, t) E S x S : there is a fullpath of the form ystz in X
where y is a finite sequence of states and z an infinite sequence of states in S);
then all consecutive pairs of states along paths in X are related by R.
The extensions needed to define CTL* over such a general structure M are
straightforward. The semantics of path quantification as specified in rule $3
carries over directly to the general M, provided that a "full path in M" refers to
one in X. If d is an arc assertion we have that:
M, x ~ d iff d E L((so, sl))
Alternative Syntax
Here the essential idea is that of a basic modality. A formula of CTL* is a basic
modality provided that it is of the form Ap or Ep where p itself contains no A's or
E's, i.e., p is an arbitrary formula of PLTL. Similarly, a basic modality of CTL is
of the form Aq or Eq where q is one of the single linear temporal operators F , G,
X, or U applied to pure propositional arguments. A CTL* (respectively, CTL)
formula can now be thought of as being built up out of boolean combinations
and nestings of basic modalities (and atomic propositions).
2.5 .Mu-calculus
CTL* provides one way of extending CTL. In this section we describe another
way of extending CTL. We can view CTL as a sublanguage of the propositional
Mu-Calculus L# (cf. [Ko83], [EC80]). The propositional Mu-Calculus provides
a least fixpoint operator (#) and a greatest fixpoint operator (u) which make
it possible to give fixpoint characterizations of the branching time modalities.
Intuitively, the Mu-Calculus makes it possible to characterize the modalities in
terms of recursively defined tree-like patterns. For example, the C T L assertion
52
EFp (along some computation path p will become true eventually) can be char-
acterized as #Z.p V EXZ, the least fixpoint of the functional p V E X Z where
Z is an atomic proposition variable (intuitively ranging over sets of states) and
EX denotes the existential nexttime operator.
We first give the formal definition of the Mu-Calculus.
Syntax
The formulae of the propositional Mu-Calculus Lit are those generated by rules
(1)-(6):
(1) /~tomic proposition constants P, Q

(2) Atomic proposition variables Y, Z , . . .
(3) EXp, where p is any formula.
(4) -~p, the negation of formula p.
(5) p A q, the conjunction of formulae p, q.
(6) pY.p(Y), where p(Y) is any formula syntactmally monotone in the proposi:
tional variable Y, i.e., all free 3 occurrences of Y in p(Y) fall under an even
number of negations.
The set of formulae generated by the above rules forms the language Lp. The
other connectives are introduced as abbreviations in the usual way: p A q abbre-
viates -~(-~pA-~q), AXp abbreviates -~EX-~p, uY.p(Y) abbreviates -~pY.-~p(-~X),
etc. Intuitively, pY.p(Y) (vY.p(Y)) stands for the least (greatest, resp.) fixpoint
of p(Y), EXp (AXp) means p is true at some (every) successor state reachable
from the current state, A means "and", etc. We use IP[ to denote the length (i.e.,
number of symbols) of p.4
We say that a formula q is a subformula of a formula p provided that q, when
viewed as a sequence of symbols, is a substring ofp. A subformula q o f p is said
to be proper provided that q is not p itself. A top-level (or immediate) subformula
is a maximal proper subformula. We use SF(p) to denote the set of subformulae
of p.
The fixpoint operators/t and v are somewhat analogous to the quantifiers S
and V. Each occurrence of a propositional variable Y in a subformula pY.p(Y)
(or vY.p(Y)) of a formula is said to be bound. All other occurrence are free. By
renaming variables if necessary we can assume that the expression pY.p(Y) (or
vY.p(Y)) occurs at most once for each Y.
A sentence (or closed formula) is a formula that contains no free propositional
variables, i.e., every variable is bound by e i t h e r / t or t,. A formula is said to be
in positive normal form (PNF) provided that no variable is quantified twice
Defined below.
4 Alternatively, we can define ]p] as the size of the syntax diagram for p.
53
and all the negations are applied to atomic propositions only. Note that every
formula can be put in PNF by driving the negations in as deep as possible
using DeMorgan's Laws and the dualities "~pY.p(Y) = vY.'~p('~Y),-,vY.p(Y) =
#Y.',p(-,Y). (This can at most double the length of the formula). Subsentences
and proper subsentences are defined in the same way as subformulae and proper
sub formulae.
Let tr denote either/~ or v. If Y is a bound variable of formula p, there is
a unique ju or v subformula ~ry.p(y) of p in which Y is quantified. Denote this
subformula by crY. Y is called a p-variable if cry = p y ; otherwise, Y is called a
v-variable. A cr-subformula (cr-subsentence, rasp.) is a subformula (subsentence)
whose main connective is either/~ or v. We say that q is a top-level cr-subformula
of p provided q is a proper e-subformula of p but not a proper tr-subformula of
any other ~-subformula of p. Finally, a basic modality is a ~-sentence that has
no proper cr-subsentences.
Semantics
We are given a set ,U of atomic proposition constants and a set /1 of atomic

proposition variables. We let A P denote Z U / ' . Sentences of the propositional
Mu-Calculus L~u are interpreted with respect to a structure M = (S, R, L) as
before.
The power set of S, 2 s, may be viewed as t h e complete lattice (2 s, S, 0, C, U,
n). Intuitively, we identify a predicate with the set of states which make it true.
Thus, false which corresponds to the empty set is the b o t t o m element, true which
corresponds to S is the top element, and implication (Vs E SIP(s) :~ Q(s)])
which corresponds to simple set-theoretic containment ( P c Q) provides the
partial ordering on the lattice.
Let v : 2 s --+ 2 s be given; then we say that r is monotonic provided that
P C_ Q implies r ( P ) g v(Q).
Theorem ( T a r s k i - K n a s t e r ) . Let v : 2 s --+ 2 s be a monotonic functional.

Then
(a) pY.r(Y) = n { Y : r(Y) = Y} = n {Y : r ( Y ) C_ Y},

(b) vY.r(Y) = U { Y : r(Y) = Y} = O { Y : r(Y) D__Y } ,
(c) pY.r(Y) = Ui 7-i (false) where i ranges over all ordinals of cardinality at most
that of the state space S, so that when S is finite i ranges over [0:lSI] , and
(d). vY.r(Y) = Oi r i (true) where i ranges over all ordinals of cardinality at most
9that of the state space S, so that when S is finite i ranges over [0:[SI].
A formula p with free variables Y1,..-iYn is thus interpreted as a mapping

pM from (2s) n to 2 5, i.e., it is interpreted as a predicate transformer. We write
54
P(Y1,..., Yn) to denote that all free variables of p are among Y1,..., Yn. A val-
uation 1), denoted (V1,..., Vn), is an assignment of the subsets of S, V1,..., Vn,
to free variables Y1,..., Yn, respectively. We use pM(I)) to denote the value o f p
on the (actual) arguments V1,..., Vn (cf. [EC80], [Ko83]). The operator pM is
defined inductively as follows:
(1) pM(v) = {s : s 9 S and P 9 L(s)} for any atomic propositional constant

P9
(2) CV) = v,
(3) (p^ q)M(v) = p (V) n qM(v)
(4) = S\(p (v))
(5) (EXp)M(~)) = {s: 3t 9 pM(I)), (s, t) 9 R}
(6) pYI.p(Y1)M(I )) = n{S' g s : p(Y1)M(s ', V2,..., Vn) C_S'}
Note that our syntactic restrictions on monotonicity ensure that least (as
well as greatest) fixpoints are well-defined.
Usually we write M, s ~ p (respectively, M, s ~ p(Y)) instead of s E pM
(respectively, s E pM(y)) to mean that sentence (respectively, formula) p is true
in structure M at state s (under valuation P). When M is understood, we write
simply s ~ p.
Extensions
Just as for CTL and CTL*, we have the multiprocess versions of the Mu-calculus.
One possible formulation is to use EXip for "there exists a successor state sat-
isfying p, reached by some step of process i". Dually, we then also have AXip.
The classical notation, going back to PDL [FL79], would write < i > p and [i]p,
respectively.
Discussion
We can get some intuition for the the Mu-Calculus by noting the following
extremal fixpoint characterizations for CTL properties:
E F P - #Z.P V E X Z
A G P =_vZ.P A A X Z
A F P = pZ.P V A X Z
E G P - vZ.P A E X Z
A(P V Q) - ttZ.Q v (P A A X Z )
E ( P U Q) - pZ.Q v (P A E X Z )
For these properties, as we see, the fixpoint characterizations are simple and
plausible. It is not too difficult to give rigorous proofs of their correctness [EC80],
55
[EL86]. However, it turns out that it is possible to write down highly inscrutable
Mu-calculus formulae for which there is no readily apparent intuition regarding
their intended meaning. As discussed subsequently, the Mu-calculus is a very
rich and powerful formalism so perhaps this should come as no surprise. We
will comment here that Mu-calculus formulas are really representations of al-
ternating finite state a u t o m a t a on infinite trees (see section 6.5). Since even
such basic a u t o m a t a as deterministic finite state automata on finite strings can
be quite complex "cans of worms", we should again not be so surprised at po-
tential inscrutability. On the other hand, many Mu-calculus characterization of
correctness properties are elegant, and the formalism seems to have found in-
creasing favor, especially in Europe, owing to its simple and elegant underlying
mathematical structure.
One interesting measure of the "structural complexity" of a Mu-calculus
formula is its alternation depth. Intuitively, the alternation depth refers to the
depth of nesting of alternating/~'s and u's. The alternation must be "significant",
entailing a subformula of the forms
(,) #Y.p(vZ.q(Y, Z)) or t,Y.p(I.tZ.q(Y, Z))
where, for example, a #'d Y occurs within the scope of uZ or u'd Y occurs within
the scope of a / t Z .
All the basic modalities AFq, AGq, EFq, etc. of CTL can be expressed in the
Mu-Calculus with alternation depth 1 as illustrated above. So can all CTL for-
mula. For example, EFAGq has the Mu-Calculus characterization ItY.(EXY V
u Z. (PA A X Z)), which is still of alternation depth 1 since while u Z appears inside
/tY, the "alternation" does not have Y inside v Z and does not match the above
form (*). A property such as E(P*Q)*R, meaning there exists a path matching
the regular expression (P*Q)*R, can be expressed by #Y.I~Z.(P A E X Z V (Q A
E X Y ) V R, which is still of alternation depth 1:
On the other hand, properties associated w i t h fairness require alternation
co
depth 2. For example, E F P (along some path P occurs infinitely often) can
oo
be characterized by uY.t~Z.EX(P A Y V Z). It can be shown that E F P is not
expressible by any alternation depth 1 formula (cf. [EC80] [EL86]).
Let L/~k denote the Mu-Calculus L/t restricted to formulas of alternation
depth at most k. It turns out that most all modal or temporal logics of programs
can be translated into L#I or L/~2, often succinctly (cf. [EL86]). Interestingly,
it is not known if higher alternation depths form a true hierarchy of expressive
power. The question has some bearing on the complexity of model checking in
the overall Mu-calculus as discussed in section 7.
56
3 Model Checking
One of the more promising techniques in automated temporal reasoning about

reactive systems began with the advent of efficient temporal logic model check-
ing [CE81] (cf. [Em81], [QS82], [CES86]). The basic idea is that the global state
transition graph of a finite state reactive system defines a (Kripke) structure
in the sense of temporal logic (cf. [Pn77]), and we can give an efficient algo-
rithm for checking if the state graph defines a model of a given specification
expressed in an appropriate temporal logic. While earlier work in the protocol
community had addressed the problem of analysis of simple teachability proper-
ties, model checking provided a powerful, uniform specification language in the
form of temporal logic along with a single, efficient verification algorithm which
automatically handled a wide variety of correctness properties, including both
safety and liveness properties, with equal ease.
Technically, the Tarski-Knaster theorem can be understood as providing a
systematic basis for model checking. The specifications can be formulated in the
Mu-calculus or in other logics such as CTL which, as noted above, are readily
translatable into the Mu-calculus. For example, to calculate the states where the
CTL basic modality E F P holds in structure M = (S, R, L), we use the fixpoint
characterization E F P =_ ~Z.r(Z), with r(Z) - P V E X Z . We successively
calculate the ascending chain of approximations
"r(false) C_v2(false) C_ ... C_ vk(false)
for the least k _< IS] such that ~(false) = rk+l(false). The intuition here
is just that each "ri(false) corresponds to the set of states which can reach P
within at most distance i; thus, P is reachable from state s iff P is reachable
within i steps from s for some i less than the size of M iff s E r i (false) for some
such i less than the size of M. This idea can be easily generalized to provide a
straightforward model checking algorithm for all of CTL and even the entire Mu-
calculus. 5 The Tarski-Knaster theorem handles the basic modalities. Compound
formulae built up by nesting and boolean combinations are handled by recursive
descent. A naive implementation runs in time complexity O((IMllpl)k+l) for
input structure M and input formula p with/z, v formulas nested k deep. Some
improvements are possible as described in section 6.3.
The above model checking algorithm has been dubbed a global algorithm
because it computes for the (closed) formula f over structure M the set fM
of all states of M where f is true. A technical characteristic of global model
checking algorithms is that with each subformula g of the specification f there
is calculated the associated set of state gM. A potential practical drawback is
that all the states of the structure M are examined.
5 Model checking for PLTL and CTL* can be performed as discussed in section 6.3.
57
In practice, we are often only interested in checking truth of f at a particular

state so. This gives rise to local model checking algorithms which in the best case
may not examine all states of the structure M, although in the worst case they
may have to (ef. [SW89]).
In this connection, note that model checkers are a type of decision procedure
and provide yes/no answers. It turns out that, in practice, model checkers are
often used for debugging as well as verification. In industrial environments it
seems that the capacity of a model checker to function as a debugger is perhaps
better appreciated than their utility as a tool for verifying correctness.
Consider the empirical fact that most designs are initially wrong and must
go through a sequence of corrections/refinements before a truly correct design is
finally achieved. Suppose one aspect of correctness that we wish to check is that
a simple invariance property of the form AGgood holds provided the system M
is started in the obviously good initial state so. It seems quite likely t h a t the
invariance may in fact not hold of the initial faulty design due to conceptually
minor but tricky errors in the fine details, s Thus, during many iterations of the
design process, we have that in fact M, so ~ "EF-~good.
It would be desirable to circumvent the global strategy of examining all of
M to calculate the set EF-~good M and then checking whether so is a member of
that set. If there does exist a -~good state reachable from so, once it is detected it
is no longer necessary to continue the search examining M. This is the heuristic
underlying local model checking algorithms. Many of them involve depth first
search from the start state so looking for confirming or refuting states or cycles;
once found, the algorithm can terminate often "prematurely" having determined
that the formula must be true or must be false at so on the basis of the portion
M examined during the limited search.
Of course, it may be that all states must be examined before finding a refu-
tation to AGgood. Certainly, once a truly correct design is achieved, all states
reachable from so must be examined. But in many practical cases, a refutation
may be found quickly after limited search.
All the above discussion concerns what is referred to as extensional model
checking or as explicit state model checking, since it is assumed that the structure
M including all of its nodes and arcs explicitly represented using data structures
such as adjacency lists or adjacency matrices. An obvious limitation then is
the state explosion problem. Given a reactive system composed on n sequential
processes running in parallel, its global state graph will be essentially the product
of the individual local process state graphs. The number of global states thus
grows exponentially in n. For particular systems it may happen that the final
global state graph is of a tractable size, say a few hundred thousand states plus
transitions. A number of practical systems can be modeled at a useful level of
6 This is a scenario where model checkers should be particularly useful.

58
abstraction by state graphs of this size, and extensional model checking can be
a helpful tool. On the other hand, it can quickly become infeasible to represent
the global state graph for large n. Even a banking network with 100 automatic
teller machines each having just 10 local states, could yield a global state graph
of astronomical size amounting to about 10 l~176 states.
A major advance has been the introduction of symbolic model checking tech-
niques (cf. [McM92], [Pi90], [CM90]) which are - in practice- often able to suc-
cinctly represent and model check over state graphs of size 101~176 states and
even considerably larger. The key idea is represent the state graph in terms of a
boolean characteristic function which is in turn represented by a Binary Decision
Diagram (BDD) (cf. [Sr86]). SDD-based model checkers have been remarkably
effective and useful for debugging and verification of hardware circuits. For rea-
sons not well understood, BDDs are able to exploit the regularity that is readily
apparent even to the human eye in m a n y hardware designs. Because software
typically lacks this regularity, BDD-based model checking seems less helpful for
software verification. We refer the reader to [McM92] for an extended account
of the utility of BDDs in hardware verification.
There has thus been great interest in model checking methods that avoid
explicit construction of the global state graph. In some cases, it is possible to
give methods that work directly on the program text itself as an implicit rep-
resentation of the state graph. Some approaches use process algebras such as
CCS or formalisms such as Petri-nets to represent programs. This facilitates
succinct representation of (possibly infinite) families of states and exploitation
of the compositional structure of programs (cf. [BS92]) in performing a more
general type of local model checking. The drawback is that the general method
can no longer be fully automated, for such basic reasons as the unsolvability of
the halting problem over infinite state spaces. Still, such partially automated
approaches are intriguing.
4 Decision Procedures I: T a b l e a u x - t h e o r e t i c Approach
4.1 Overview
In this section we discuss decision procedures for testing satisfiability of temporal

logic formulas.
Basic Idea O: Prove the small model property for the logic, which asserts that
if a formula f is satisfiable then it has a finite model of size bounded by some
function of the length of f, This then yields a nondeterministic algorithm:
- Guess a candidate model of bounded size.

- Check it for genuineness.
59
For m a n y logics the process can be improved:

Basic Idea 1: Eliminate the nondeterminism:
- Build a small tableau graph encoding (essentially all) potential models of f .

- "Pseudo-model-check" the tableau, ensuring t h a t it contains a structure in
which all eventualities are fulfillable; since invariances turn out to take care
of themselves in tableau, this structure defines a genuine model of f .
For m a n y logics the tableau method is natural, powerful, and appropriate.

C T L is such a logic. A key advantage is that there is a fairly direct correspon-
dence between the organization of the tableau and the syntax of the formula.
However, for some logics (such as CTL*) the tableau method, as normally con-
ceived, breaks down. There is no apparent way to derive a natural tableau graph
encoding all possible models of a formula from its syntax. Instead we can fall
back upon what is widely viewed as the standard p a r a d i g m today:
Basic Idea 2: The automata-theoretic approach:
- Build a finite state a u t o m a t o n on infinite objects (strings or trees) accepting

(essentially all) models of f .
- Test it for nonemptiness.
Basic Idea 2 subsumes Basic Idea 1. For logics to which the tableau m e t h o d is
applicable, the tableau can be viewed as defining an a u t o m a t o n . For other logics,
we can build an a u t o m a t o n when it is not possible to build a tableau because
we can appeal to certain difficult combinatorial constructions from the theory
of a u t o m a t a on infinite objects. The most i m p o r t a n t of these is determinization
of a u t o m a t a . 7 The power of a u t o m a t a theory seems to lie in a reservoir of deep
combinatorial results t h a t show how to construct an a u t o m a t o n corresponding
to a formula, even though t h a t correspondence is by no mear~s apparent. Of
course, this opacity could be viewed as a drawback, but it seems to be inherent
in the problem.
4.2 Tableau-based Decision Procedure for CTL
The basic idea underlying the tableau m e t h o d is as follows. Given a formula f ,

we initially construct a tableau graph T, based on systematic case analysis. The
nodes of T are essentially sets of subformulae of f . T h e "meaning" of a node
is the conjunction of all its associated subformulas, and a node is thought of as
a state satisfying those subformulas in a potential model of f . The nodes of T
7 It seems that in most cases complementation is what is really needed. Complemen-

ration" for infinite string automata can be accomplished without determinization (cf.
e.g. [SVW87]). However, for automata on infinite trees it is not clear that comple-
mentation can be performed without determinization of w-string automata.
60
thus correspond to a partitioning/covering of the state space of potential models,

based on which subformulae do and do not hold at a state. We then successively
prune from T nodes which are inconsistent; for example, nodes which assert that
a formula is presently both true and false, or rlodes which assert that something
eventually happens while it really does not. After all such pruning is performed
whatever remains is the final tableau which encodes all potential models, if any,
of f . Below we describe the method in greater detail.
We build an initial tableau To which is a bipartite graph consisting of OR-
nodes D and AND-nodes C, where each node is a set of formulae whose "mean-
ing" is their conjunction. We will then prune the tableau, deleting inconsistent
nodes.
To is constructed starting with Do = {f0}. In general, we have a method,
described below, of decomposing an OR-node D to get its set of AND-node
successors C~, and another method for constructing the OR-node successors Dj
of AND-node C. If any set C~ already appears in the the tableau, we make it a
successor of D. Thus, a set of formulae appears at most once as an AND-node
in the' tableau. Similarly for OR-nodes. This bounds the size of To.
We perform a-/3-expansion to systematically decompose a given OR-node
D that we are testing for satisfiability into boolean combinations of e l e m e n t a r y
formulae, which are atomic propositions P, their negations "~P, and nexttime
formulae A X f , E X f . In this way, D is shown to be equivalent to certain boolean
combinations of assertions about now and nexttime. To do this decomposition, we
note that each n o n e l e m e n t a r y formula may be classified as either a conjunctive
formula a = a l A c~2 or a disjunctive formula/3 - / 3 1 V/32. Plainly, f A g is an
a formula, while f V g is a/3 formula. A temporal modality is classified as a or
/3 on the basis on its fixpoint characterization in the Mu-calculus. For example,
(assuming the .structure is total) A F h = h V A X A F h is a / 3 formula, while
A G h -- h A A X A G h is an a formula.
Thus, given D we perform cr-/3-expansion to its formula and the resulting
subformulae as long as possible. This yields a collection { C 1 , . . . , Ck} of sets of
formula such that
D=C1V...VCk
thereby justifying the term OR-node for D.

Let C be such a Ci. C is downward closed: ~ E C implies a l , a 2 E C;
/3 E C implies/31 E C or/32 E C. It follows that C is equivalent to its subset of
elementary formula which is of the general form
{ P , . . ., -~Q, A X 9 1 , . . ., A X g k , E X h l , . . . , E X h l } .
Hence, to create the successors of C, we let for j E [1: g], D j = { g l , . - . ,gk, h i } .

We have that
C is satisfiable iff D1 is satisfiable and ... and Dk is satisfiable.

6]
This justifies the use of the term AND-node for C.

After completing the construction of the initial tableau To, it is pruned by
repeatedly applying the following deletion rules until the tableau stabilizes, yield-
ing the final tableau T1 which is conceivably empty.
1. Delete any node C which contains both a proposition P and its negation
-hR.
2. Delete any node C One of whose original successors Di has been deleted, or
which has no successors to begin with.
3. Delete any node D all of whose original successors have been deleted.
4. Delete any node C containing an eventuality which is not "fulfillable" within
the current version of the tableau (as described in detail below).
We explain rule 4 in greater detail. An eventuality is a formula such as

EFh, E(gUh), AFh, or A(gUh) which asserts that something does eventually
happen. It is necessary to ensure that there is a certificate of its indeed happening
present in the tableau. If, e.g., EFh is in Co, then there should be a path in
the tableau from Co to a node C with h E C. This path defines a directed
acyclic subgraph, DAG[C0, EFh], rooted at Co certifying fulfillment of EFh
starting from Co. E(gUh) is handled similarly. Fulfillment of AFh in Co means,
roughly speaking, that there should be a subtree rooted at C in the tableau all
of whose frontier nodes C contain h. More precisely, there should be a finite,
directed acyclic graph, DAG[C0, AFh], rooted at Co all of whose frontier nodes
are AND-nodes C ~ containing h with the following stipulations on interior nodes:
if interior OR-node D is in DAG[Co,AFh] precisely one of its tableau successors
C is also in DAG[Co,AFh]; if interior AND-node C is in DAG[Co, AFh], all
of its tableau successors D t , . . . , Dk are in DAG[Co,AFh]. To handle A(gUh),
DAG[Co,A(gUh)] is defined similarly.
The existence of such DAG's can be checked efficiently by an iterative process
amounting to model checking, taking into account the OR-nodes intervening
between AND-nodes.
P r o p o s i t i o n 4.1. The original formula f0 is satisfiable iff the final tableau
T1 contains a node C containing f0.
P r o o f ( S k e t c h ) . To facilitate the argument, we define for every AND-node
C and every eventuality e, DAGG[C,e] to be DAG[C,e] with interior OR-nodes
elided if e E C , and, otherwise, to be some fixed, acyclic graph with exactly one
C successor for each D successor of C. DAGG[C,e] is thus a potential "chunk" of
a model certifying that (i) C has sufficient successors to satisfy its subformulae
of the form EXhj and (ii) e, if present in C is fulfilled by the time the frontier
is reached.
Note that these DAGGs can be spliced together by identifying nodes in the
frontier of one with the roots of others. Suppose this is done in an exhaustive and
62
systematic way as shown in Figure 1. Here S1,..., SN are all the AND-nodes,
i.e. the "states" of the tableau and el, . . , em are all the eventualities. We have
a matrix whose entries are all the DAGG[Si,ej]'s spliced together as shown.
9 . . . . . . . . . . . . . . . . . . . . . .
A ~ j J
J~
0 O 0 level 1
L
s
level 2
9 9
$1 S2 SN
level m
I I
I I
I I
I. I I -I
Fig. 1. Model formed from DAGGs
In the resulting graph, observe that each node is propositionally consistent,

satisfies its EXh formulas, its AXg formulas, and its invariances such as AGh
are also satisfied. The latter follows by downward closure and correctness of
AX's: if AGh labels a node S, by downward closure, so do h and AXAGh.
Hence all successors S~,..., S" are labeled AGh and so on. In this way, invari-
ances may be seen to take care of themselves. The only possible problem is that
eventualities may not be fulfilled. But, if an eventuality, such as ej = AFh, is
not fulfilled along some path, the formula AFh is propagated along in the label
of all the nodes of that path. Eventually, the path must hit (the root S of) some
DAGG[S,AFh] at level j and go through its frontier where h occurs thereby
fulfilling the eventuality.
63
Thus we see, that in this systematically constructed graph, call it M1, for any
node C, we have/141, C ~ AC. If there is a C containing f0 then f0 is satisfiable.
This establishes "soundness" of the decision procedure.
Completeness of the algorithm may be established as follows. If f0 is sat-
isfiable then there is a model M and state so such that M, so ~ f0. Without
loss of generality, we may assume M has been unwound into a tree-like model.
Let M ~ be the quotient structure obtained from M by identifying all states of
M that satisfy exactly the same AND-node label. It follows that M ~ defines a
pseudo-model of f0 that is contained within the tableau throughout its pruning.
The essential point is that if an eventuality such as AFq holds at a state s in M
there is a subtree of M rooted at s whose frontier nodes contain q. This subtree
can be collapsed to yield DAG[Cs,AFq] in the tableau where Cs is the AND-
node for s. Hence, C, will never be eliminated on account of its eventuality AFq
being unfulfilled. O
The size of the tableau To is exponential in n = If01 since there are at most
O(n) different subformulas that can appear in AND-nodes and OR-nodes. The
pruning procedure can be implemented to run in time polynomial in IT01, yielding
an exponential time upper bound. A matching lower bound can be established
by simulating alternating polynomial space Turing machines (cf. [FL79]) Thus,
we have (eft [EH85], [EC82])
T h e o r e m 4.2. CTL satisfiability is deterministic exponential time complete.
5 Decision Procedures II: Automata-theoretic Approach
There has been a resurgence of interest in finite state a u t o m a t a on infinite ob-

jects, due to their close connection to temporal logic. They provide an important
alternative approach to developing decision procedures for testing satisfiability
for propositional temporal logics. For linear time temporal logics the tableau
for formula P0 can be viewed as defining a finite state a u t o m a t o n on infinite
strings that accepts a string iff it defines a model of the formula P0. The satis-
fiability problem for linear logics is thus reduced to the nonemptiness problem
of finite a u t o m a t a on infinite strings. In a related but somewhat more involved
fashion, the satisfiability problem for branching time logics can be reduced to
the nonemptiness problem for finite a u t o m a t a on infinite trees.
For some logics, the only known decision procedures of elementary time com-
plexity (i.e., of time complexity bounded by the composition of a fixed number
of exponential functions), are obtained by reductions to finite a u t o m a t a on in-
finite trees. The use of automata transfers some difficult combinatorics onto
the automata-theoretic machinery. Investigations into such automata-theoretic
decision procedures has been a fruitful and active area of research.
64
5.1 Linear T i m e a n d A u t o m a t a o n Infinite S t r i n g s
We first review the basics of automata-theoretic approach for linear time. (See
[Va9?] for a more comprehensive account.) The tableau construction for CTL can
be specialized, essentially by dropping the path quantifiers to define a tableau
construction for PLTL, remembering that in a linear structure, Epo =- Apo =- Po.
The extended closure of a PLTL formula Po, ecl(po), is defined to be {q,--q :
q appears in some AND-node C }. The (initial) tableau for p0 c a n then be
simplified to be a structure T = (S, R, L) where S is the set of AND-nodes, i.e.,
states, R C S x S consists of the transitions (s, t) defined by the rule (s, t) E R
exactly when V formula X p E ecl(po), X p E s iff p E t, and L(s) = s, for each
sES.
We may view the tableau for PLTL formula p0 as defining the transition
diagram of a nondeterministic finite state automaton .4 which accepts the set of
infinite strings over alphabet ~ = 2 A P that are models of p0, by letting the arc
(u, v) be labeled with AtomicPropositions(v), i.e., the set of atomic propositions
in v (cf. [ES83]). Technically, `4 is a tuple of the form (Q, ~ , J , s0,~) where
Q = S t9 {so} is the state set, so g S is a unique start state, J is defined so
that J(s0,a) -= { states s e S : P0 E s and AtomicPropositions(s) = a} for
each a E E, J(s,a) -- { states t E S : (s,t) E R and AtomicPropositions(t)
= a}. The acceptance condition ~ is described below below. A run r of `4 on
input x - a l a 2 a 3 . . . E ~ is an infinite sequence of states s o s l s 2 . . , such that
Vi > 0 ~i(si,ai+l) D. {Si+l}. Note that Vi > ] AtomicPropositions(si) -" hi.
The automaton ,4 accepts input x iff there is a run r on x that satisfies the
acceptance condition ~.
Several different types of acceptance conditions ~ may be used. For Muller
acceptance, we are given a family ~- of sets of states. Letting I n r denote the
set of states in Q that appear infinitely often along r, we say that run r meets
the Muller condition provided that I n r E Y:.
For a pairs automaton (cf. [McN66], [Ra69]) acceptance is defined in terms of
a finite list ((m~D1, GREEN1),..., (REDk,GREENk))of pairs of sets of automaton
states (which may be thought of as pairs of colored lights where ,4 flashes the
red light of the first pair upon entering any state of the set RED1, etc.): r satisfies
the pairs condition iff there exists a pair i E [1..k] such that REDi flashes finitely
often and GREEN/ flashes infinitely often. It is often convenient to assume the
pairs acceptance condition is given formally by a temporal logic formula 4} =
Vifi[1..k] (~ GREEN/A - ~ RED/). Similarly, a complemented pairs ( cf. [St81] )
automaton has the negation of the pairs condition as its acceptance condition;
i.e., for all pairs i E [1..k], infinitely often CrtEEN/ flashes implies that REDi
flashes infinitely often too. The complemented pairs acceptance condition can
oo oo
given formally by a temporal logic formula 4~ = A/ell:k] FGREENI =~ FRED/. A
special case of both pairs and complemented pair conditions is the Buchi [Bu62]
65
oo
acceptance condition. Here there is a single GREEN light and r = FGrtEEN.
A final acceptance condition that we mention is the parity acceptance con-
dition [Mo84] (cf. [EJ9]]). Here we are given a finite list ( C 1 , . . . , Ck) of sets
of states which we think of as colored lights. The condition is that the highest
index color Ci which flashes infinitely often should be of even parity.
Any run of `4 would correspond to a model of P0, in that Vi >_ 1, x /
A{ formulae p : p E si}, except that eventualities might not be fulfilled. To
check fulfillment, we can easily define acceptance in terms of complemented
pairs. If eel(po) has m eventualities (plVql), ..., (PrnUqm), we let .4 have m pairs
(RED/,GREEN/)of lights. Each time a state containing (p/Uq/) is entered, flash
REDi; each time a state containing qi is entered flash GREEN/. A run r is accepted
iff for each i E [l:m], there are infinitely many RED/ flashes implies there are
infinitely many GREEN/ flashes iff every eventuality is fulfilled iff the input string
z is a model of P0.
We can convert .4 into an equivalent nondeterministic Buchi a u t o m a t o n .41,
where acceptance is defined simply in terms of a single GREEN light flashing
infinitely often. We need some terminology. We say that the eventuality (pUq) is
pending at state s of run r provided that (pUq) E s and q ~ s. Observe that run r
of.4 on input z corresponds to a model of p0 iffnot(3 eventuality (pUq) e eel(po),
(pUq) is pending almost everywhere along r) iff V eventuality (pUq) E ecl(po),
(pUq) is not pending infinitely often along r. The Buchi automaton .41 is then
obtained from .4 augmenting the state with an m + 1 valued counter. The counter
is incremented from i to i + 1 mod (m + 1) when the ith eventuality, (piUqi) is
next seen to be not pending along the run r. When the counter is reset to 0, flash
GrtEEN and set the counter to 1. (If m = 0, flash GREEN in every state.) Now
observe that there are infinitely many GREEN flashes iff Vi E [1 :m] (piUqi) is not
pending infinitely often iff every pending eventuality is eventuality fulfilled iff the
input string z defines a model of p0. Moreover, .4a still has ezp([ Po D'O([ p0 1)
= ezP(I Po [) states.
5.2 Branching Time and Tree Automata
Similarly, the tableau construction for a branching time logic with relatively sim-
ple modal/ties such as CTL can be viewed as defining a Buchi tree a u t o m a t o n
that, in essence, accepts all models of a candidate formula P0. (More precisely,
every tree accepted by the automaton is a model of P0, and if P0 is satisfiable
there is some tree accepted by the automaton.) General automata-theoretic tech-
niques for reasoning about a number of relatively simple logics, including CTL,
using Buchi tree a u t o m a t a have been described by Vardi and Wolper [VW84].
However, it is for richer logics such as CTL* that the use of tree a u t o m a t a
become essential.
66
Tree Automata
We describe finite a u t o m a t a on labeled, infinite binary trees (cf. [Ra69]). s The

set {0, 1}* m a y be viewed as an infinite binary tree, where the e m p t y string A
is the root node and each node u has two successors: the 0-successor u0 and the
1-successor ul. A finite (infinite) path through the tree is a finite (resp., infinite)
sequence x = u0, Ul, u 2 , . . , such t h a t each node ui+l is a successor of node ui.
If E is a n alphabet of symbols, an infinite binary Z-tree is a labeling L which
m a p s {0, 1}* ~ Z, i.e., a binary tree where each node is labeled with a symbol
from Z.
A finite automaton A on infinite binary Z-trees is a tuple (Z, Q, J, q0, ~)
where
Z is the finite, n o n e m p t y input alphabet for the input tree,
Q is the finite, n o n e m p t y set of states of the a u t o m a t o n ,
J : Q x E --+ 2 Q• is the nondeterministic transition function,
q0 E Q is the start state of the automaton, and
is an acceptance condition as described previously.
A run of .A on the input Z-tree L is, intuitively, an annotation of the input
tree with a u t o m a t o n states consistent with the transition function J. FormMly,
a run is a function p : {0, 1}* --+ Q such that for all v 9 {0, 1}*, (p(vO), p(vl))
9 $(p(v),L(v)) and p(A) = q0. We say that .4 accepts input tree L iff there
exists a run p of ,4 on L such that for all infinite paths x starting at the root of
L if r = p o x is the sequence of states `4 goes through along p a t h x, then the
acceptance condition ~ holds along r.
Tree A u t o m a t a R u n n i n g on Graphs
N o t e that an infinite binary tree L' m a y be viewed as a "binary" structure

M = ( S , R , L ) where S = {0,1}*, R = R0 U R1 with R0 = {(s, s0) : s E S}
and R1 = {(s, sl) : s E S}, and L = L'. We could alternatively write M =
(S, n0, n l , L).
We can also define a notion of a tree a u t o m a t o n running on an appropriately
labeled "binary" directed graphs, t h a t are not trees. Such graphs, if accepted,
serve as witnesses to the nonemptiness of tree a u t o m a t a . We make the following
definitions.
8 CTL* and the other logics we study, have the property that their models can be
unwound into an infinite tree. In particular, in [ESi84] it was shown that a CTL*
formula of length k is satisfiable iff it has an infinite tree model with finite branching
bounded by k, i.e. iff it is satisfiable over a k-cry tree. Our exposition of tree automata
can be easily generalized k-cry trees. We consider only binary trees to simplify the
exposition, and for consistency with the classical theory of tree automata.
67
A binary structure M = (S, Ro, R1, L) consists of a state set S and labeling
L as before, plus a transition relation R0 (9 R1 decomposed into two functions:
R0 : S ) S, where Ro(s) specifies the 0-successor of s, and R1 : S ) S,
where Rl(S) specifies the 1-successor of s.
A run of automaton .4 on binary structure M = (S, R0, R1, L) starting at
so E S i s a m a p p i n g p : S - + Q s u c h that Vs E S, (p(Ro(s)), p(Rl(s))) E
5(p(s), i(s)) and p(so) = qo. Intuitively, a run is a labeling of U with states of
.4 consistent with the local structure of .4's "transition diagram".
T h e Transition D i a g r a m of a Tree A u t o m a t o n
The transition function J of a tree automaton ,4 as above can be viewed in a n a t -

ural way as defining a transition diagram T, which facilitates the development of
algorithms for testing nonemptiness. The transition diagram T of,4 is a bipartite
AND/OR-graph where the set Q of states o f , 4 comprises the set of OR-nodes,
while the AND-nodes define the allowable moves of the automaton. Intuitively,
OPt-nodes indicate that a nondeterministic choice has to be made (depending on
the input label), while the AND=nodes force the automaton along all directions.
For example, suppose that for automaton .4, (f(s, a) = {(tl, U l ) , . . . , (tin, Urn)}
and (f(s, b) = {(Vl, w l ) , . . . , (vn, wn)} then the transition diagram contains the
portion shown in Figure 2.
R e m a r k : The resemblance of the transition diagram of a tree automaton to
a CTL tableau is striking. In fact, they are really the same except that in CTL
the models are built out of AND-nodes, while for tree automata the models are
built out of OR-nodes as we shall see below. In fact, an alternative, equivalent
formulation of tree automata [GH82] has the transition function information
presented by a left transition function 50 : Q x S ) 2 q giving the possible
left successor states together with an independent right transition function (fl :
Q• ~ ) 2Q giving the possible right successor states. For this dual formulation
of tree automaton the transition diagram is just as for CTL with models built
out of OR-nodes.
One Symbol Alphabets
For purposes of testing nonemptiness, without loss of generality, we can restrict

our attention to tree automata over a single letter alphabet, and, thereby, subse-
quently ignore the input alphabet. Let `4 = (Q, E,5, q0,~) be a tree automaton
over input alphabet Z. Let `41 = (Q, E~, (i~,q0, r be the tree automaton over one
letter input alphabet ~ = (c} obtained from ,4 by, intuitively, taking the same
transition diagram but now making all transitions on symbol c. Formally, `4~ is
identical to `4 except that the input alphabet is E ~ and the transition function
(i' is defined by ~'(q, c) = U a ~ (i(q, a). Then ,4 is nonempty iff`4' is nonempty.
68
@@@|
9 = OR-nodes (states of .A)
= AND-nodes (transitions on a)
Fig. 2. Portion of tree automaton transition diagram
Henceforth, we therefore assume that we are dealing with tree automata over a
one symbol alphabet.
Generation and Containment
It is helpful to reconsider the notion of run to take advantage of the organization

of the transition diagram of an automaton.
Intuitively, there is a run of tree automaton `4 on binary structure M starting
at so in M provided M is generated from .4 by unwinding .4's transition diagram
so that (a) So in M corresponds to q0 in .4, and (b) each state of M is a copy of
an OR-node of .4, and, moreover, each state's successors are consistent with the
transition diagram. We say that a binary structure M is contained in .4 provided
M is generated by unwinding .4 starting starting at So E M and q0 E .4 and,
moreover, (a copy of) M is a subgraph of T.
L i n e a r Size M o d e l T h e o r e m
The following theorem is from [Em85] (cf. [VS85]). Its significance is that it
provides the basis for our method of testing nonemptiness of pairs automata;
69
it shows the existence of a small binary structure accepted by the a u t o m a t o n

contained in its transition diagram, provided the a u t o m a t o n is nonempty.
T h e o r e m 5.1 ( L i n e a r Size M o d e l T h e o r e m ) . Let A be a ~ree au-
t o m a t o n over a one symbol alphabet with pairs acceptance condition r =
Then a u t o m a t o n .A accepts some tree T if[ ,4 accepts some binary model M ,

of size linear in the size of ,4, which is a structure contained in the transition
diagram of A.
P r o o f . (=*-) For r a pairs condition, [HR72] shows that, if.A accepts some tree
M0, then it accepts some finite binary model M1 starting at some state so E/1//1.
We will explain, roughly, how M1 is obtained in the case of 9 involving a single
pair. Along every p a t h z of M0 there is a first node u with these properties: (i)
u is labeled with a u t o m a t o n state q, (ii) there is a first node v along x strictly
before u also labeled with a u t o m a t o n state q, and (iii) the set of a u t o m a t o n
states in the interval along z from v to u coincides with the set of states t h a t
appear infinitely often along z. The set of all such nodes u forms the frontier
of a finite subtree of M0. M1 is formed from this finite subtree by identifying
each u with its v (i.e., redirecting the predecessor of each u into its v). M1 is a
structure generated by ,4. In the case of one pair, it follows t h a t M1, so ~ A~. 9
Given any such finite structure M1 of A ~ generated by .A we can obtain a
(necessarily finite) structure M contained in .A. If two distinct nodes s and t of
M1 have the same labeling with states of ,4, then we can eliminate one of t h e m
as follows. A t t e m p t to delete s by redirecting all its predecessors u to have t as a
successor instead. More precisely, delete all edges of the form (u, s) and replace
t h e m by edges of the form (u, t). If the resulting structure, call it M t, is a model
of Ar we have reduced the number of "duplicates", such as s and t by one. If
not, try replacing t by s instead. If M s, the resulting structure is a model of A4~
we are done.
However, if b o t h these replacements fail to yield a model of A ~ , each m u s t
yield a model of E - ~ , i.e. each introduces a bad cycle. In M t the bad cycle is
of the form (where u is a predecessor of s in M1) u-+t--+...--+u, where except for
the first transition (u,t) the suffix p a t h from t to u is in the original MI: In M s
the bad cycle is of the form (where v is a predecessor of t in M1) v--+s-+...-+v,
where except for the first transition (v, s) the suffix p a t h from s to v is in the
original M1.
But, these two suffix paths in M1 together with the edges (u, s), and (v, t) in
M1 form a bad cycle in MI: u--+s--+...-+v--+t--+...--4u. This contradicts t h a t M1
was a model of A~.
9 The technical fine point is that cycles satisfying the one pair condition are closed
under union. This is not so for multiple pairs. However, a slightly more subtle con-
struction can be used to get M1 in the case of multiple pairs (cf. [HR72]).
70
By repeatedly eliminating duplicates in this way we eventually get the desired

model M contained in ,4.
( ~ ) Any model M contained in A such that M, so ~ A ~ can plainly be
unwound into a tree that is accepted by `4. []
We can now use the Linear Size Model Theorem to establish the following
result (cf. [EJ88]).
T h e o r e m 5.2. The problem of testing nonemptiness of pairs tree automata
is NP-complete.
p r o o f sketch: Membership in NP (cf. [Em85], [VS85]): Given a pairs tree
automaton, if it accepts some tree, then a linear size modelexists contained
within its transition diagram. Guess that model. Use the (efficient FairCTL)
model checking algorithm of [EL87] to verify in deterministic polynomial time
oo oo
that A(Vi (FGREENi A G-~REDi)) holds.
NP-hardness is established by reduction from 3-SAT (cf. [SJ88]). []
Our overall approach to testing nonemptiness is formulated in terms of
"pseudo-model checking". We write ,4, q0[[- f to indicate that `4 is a pseudo-
model of f at qo; the technical definition is that there is a binary model M
contained in `4 such that M, q0 ~ f.
Observe that for pairs automaton ,4 with acceptance condition 4, ,4 is
nonempty iff ,4, q0[[ - A~.
For simplicity, we illustrate how pseudo-model checking can be performed in
a very rudimentary case. Suppose that 4~ = FGREEN, so that we are dealing with
a finitary acceptance condition where along each path the GREEN light should
flash (at least) once.
We wish to pseudo- model check ,4, q0[[- AFGREEN. We will reduce this here
to ordinary model checking by fixpoint calculation. We start with the fixpoint
characterization AFGREEN _----#Z.GREEN V A X Z . But notice that we cannot
directly use this fixpoint characterization, on account of the presence of both
OR-nodes and intervening AND-nodes in the diagram of ,4. Instead, we use
lAY.GREENV E X A X Y . The inserted " E X " skips over the intervening AND-
nodes appropriately. Now, A, qo[[ - AFGREEN iff `4, q0 ~ lAY.GREENV E X A X Y .
This simple idea can be generalized considerably to handle pairs acceptance
oo oo
(cf [EJ88]). Let r be the pairs condition VieI(~FREDi A FGREENi) where I ----
[l:n] is the index set for the pairs and I - i denotes I \ (i). We pseudo-model
check Ar based on a fixpoint characterization in terms of simple formulae A F
and A G and by induction on the number of pairs. A ~ = IAY.r(Y) where
r(Y) = V AFAG(('.I~ED~V.Y) A A(FGREENIV O-i))

iE1
The pseudo-model checking algorithm of the transition diagram of ,4 must si-

multaneously search for a graph contained within ,4 and check that it defines a
7]
model of the pairs condition Ar It successively calculates the set of states where
r i (false) is "satisfiable" in the transition diagram using Tarski-Knaster approx-
imation. The effective size of the above fixpoint characterization is exponential
in the number of pairs. The pseudo-model checking algorithm runs in time pro-
portional to the size of the fixpoint characterization and polynomial in the size
of the transition diagram. It is shown in [EJ88] that this yields a complexity of
(mn) ~ for an automaton with transition diagram of size m and n pairs. This
bound is thus polynomial in the number of automaton states, with the degree of
the polynomial proportional to the number of pairs. This polynomial complex-
ity in the size of the state diagram turns out to be significant in applications to
testing satisfiability as explained below.
Related results on the complexity of testing nonemptiness of tree automata
may be found in [EJ88], [PR89], [SJ91].
Decision P r o c e d u r e for CTL*
For branching time logics with richer modalities such as CTL*, the tableau con-
struction is not directly applicable. Instead, the problem reduces to constructing
a tree automaton that accepts some tree iff the formula is satisfiable. This tree au-
tomaton will in general involve a more complicated acceptance condition such as
pairs or complemented pairs, rather than the simple Buchi condition. Somewhat
surprisingly, the only known way to build the tree automaton involves difficult
combinatoriM arguments and/or appeals to delicate automata-theoretic results
such as McNaughton's construction ([McN66]) for determinizing automata on
infinite strings, or subsequent improvements [ESS3], [SaS8], [EJ89].
The original CTL* formula f0 can be converted, by the introduction of auxil-
iary propositions, into a normal form fl that is satisfiable iff the original formula
is, but where path quantifiers are nested to depth at most 2. For example,
EFAFEGP
EFAFQ1 A AG(Q1 =_EGP) ,~
EFQ2 A AG(Q2 -- AFQ1) A AG(Qi - EGP)
Here g ~ h means that g is satisfiable iff h is satisfiable.

By using propositional reasoning, we can further the simplify our task of
testing satisfiability of fl to testing satisfiability of boolean combinations of
subformulae of the form Apo, Epo, and AGEpo where P0 is a pure linear time
formula. More precisely, we build tree automata for each of these three forms.
A composite product automaton can then be readily obtained for fl and tested
for satisfiability.
It turns out that it is easy to build tree automata for Epo and AGEpo. Rather
surprisingly, the crucial and difficult step is building the tree automaton the
72
branching time modalities of the form Apo, in terms of the w-string automaton
for the corresponding linear time formula p.
We explain the difficulty that manifests itself with just the simple modality
Apo. The naive approach to get a tree automaton for Apo would be to simply
build the w-string automaton for P0 and then run it it down all paths of the
input tree. However, while this seems very natural, it does not, in fact, work.
To see this, consider two infinite paths zy and zz in the input tree which start
off with the same common finite prefix x but eventually separate to follow two
different infinite suffixes y or z. It is possible that p0 holds along both paths
xy and zz, but in order for the nondeterministic automaton to accept, it might
have to "guess" while reading a particular symbol of the finite prefix x whether
it will eventually read the suffix y or the suffix z. The state the string automaton
guesses for y is in general different from the state it guesses for z. Consequently,
no single run of a tree automaton based on a nondeterministic string automaton
can lead to acceptance along all paths.
Of course, if the string automaton is deterministic the above difficulty van-
ishes. We should therefore ensure that the string automaton for p0 is deter-
minized before constructing the tree automaton. The drawback is that deter-
minization is an expensive operation. However, it appears to be unavoidable.
For a linear temporal logic formula P0 of length n we can construct an equiv-
alent Buchi nondeterministic finite state automaton on w-strings of size ezp(n).
We can then get tree automata for Epo and AGEpo of size ezp(n). However, for
Apo, use of classical automata-theoretic results yields a tree automaton of size
triple exponential in n. (Note: by triple exponential we mean exp(exp(ezp(n))),
etc.) The large size reflects the exponential cost to build the string automaton
as described above for a linear time formula P0 plus the double exponential cost
of McNaughton's construction to determinize it. For a CTL* formula of length
n, nonemptiness of the composite tree a u t o m a t o n can be tested in exponential
time to give a decision procedure of deterministic time complexity quadruple
exponential in n.
An improvement in the determinization process makes an exponential im-
provement possible. In [ES83] it was shown that, due to the special structure
of the string a u t o m a t a derived from linear temporal logic formulae, such string
a u t o m a t a could be determinized with only single exponential blowup. This re-
duced the complexity of the CTL* decision procedure to triple exponential.
Further improvement is possible as described below.
The size of a tree automaton is measured in terms of two parameters: the
number of states and the number of pairs in the acceptance condition. A careful
analysis of the tree automaton constructions in temporal decision procedures
shows that the number of pairs is logarithmic in the number of states, and for
CTL* we get an automaton with a double exponential number of states and
73
a single exponential number of pairs. 10 As described in the previous section,

an algorithm of [EJ88] shows how to test nonemptiness in time polynomial in
the number of states, while exponential in the number of pairs. For CTL* this
yields a decision procedure of deterministic double exponential time complexity,
matching the lower bound of [VS85].
For the Mu-calculus (and PDL-A (cf. [St81])) similar techniques techniques
can be applied to get a single exponential decision procedure (cf. [EJ88], [SE84]).
Other Comments on Automata
There are distinct advantages to thinking automata-theoretically. First, for ob-

taining decision procedures, automata-theoretic techniques provide the only known
methods of obtaining elementary time decision procedures for some very expres-
sive logics such as CTL* and the Mu-calculus. The techniques are general and
uniform. For example, the techniques above can be combined to yield a single
exponeritiM decision procedure for the Mu-calculus [EJ88]. This was a problem
which again was not obviously in elementary, much less exponential time (cf.
[KP83], [SE84]). Secondly, automata can provide a general, uniform framework
encompassing essentially all aspects temporal reasoning about reactive systems
(cf. [VW84]], [VW86], [Va87], [AKS83], [Ku94]). Automata themselves have been
proposed as a potentially useful specification language. Automata, moreover,
bear an obvious relation to temporal structures, the state transition graphs of
concurrent programs, etc. This makes it possible to account for various types
of temporal reasoning applications such as program synthesis [PR89] and model
checking in a conceptuMly uniform fashion [VW86]. Verification systems based
on automata have also been developed ( cf. [Ku86]).
Thus, temporal reasoning has benefited from automata. But the converse
holds as well, with much work on automata inspired by and/or using ideas from
temporal and modal logics. The more improved nonemptiness algorithm for pairs
tree automata discussed above uses the notion of transition diagram for a tree
automaton and exploits the relationship to a CTL tableau. New types of au-
tomata on infinite objects have also been proposed to facilitate reasoning in
temporal logic (cf. [St81], [VS85], [MP87a], [EL87]). Exponential improvements
(down to single exponential) in the complexity of determinization of w-string
automata appeared in .a special case in [ES83] and in the general case in [Sa88].
Exponential improvements (again down to single exponential) in the cost of com-
plementation of such automata have appeared in [SVW87] (cf. [EJ89]). Not only
10 Some intuition for this phenomenon can be gained by considering the case of CTL.
In a naive formulation, a tree automaton for a CTL formula would use one com-
plemented pair of lights for each eventuality to check its fulfillment. The number of
lights is thus linear in the formula length while the tableau/transition diagram size
is exponential in the formula length.
74
do determinization and complementation of string automata have fundamental

applications to decision procedures for temporal and modal logics, but they are
basic problems to the theory of automata on infinite objects in their own right.
6 Expressiveness versus Complexity
Two of the most important characteristics of a temporal or modal logic intended

for reasoning about programs are (i) its expressiveness, referring to which cor-
rectness properties it can and cannot express; and (ii) its complexity, referring
to the computational cost of performing various types of mechanical reasoning
operations such as model checking and satisfiability/validity testing in the logic.
Expressiveness can be characterized in several ways. Theoretical results can
be established to show that, e.g., logic L1 is strictly subsumed in expressive
power by logic L2. Accordingly, let us write L1 < L2 to mean that every property
expressible by a formula of L1 is Mso expressible by a formula of L2 but that there
is at least one property expressible by a formula of L2 that is not expressible
by any formula of L1. We analogously write L1 - L2 and L1 < L2. It is then
possible to establish various hierarchies and other relations of expressive power
among logics. Thus, it is possible to characterize expressiveness of one logic
relative to another. Another possibility is to take a particular logic or formalism
as a reference standard providing, in an sense, an absolute yardstick against
which other logics are compared. We will see some examples of both relative and
absolute expressiveness subsequently.
In practice, we may be more concerned with what specific correctness proper-
ties can and cannot be expressed within a formalism. While in general the more
expressive the better, it is often sufficient to just be able to express invariance
AGp, leads-to/temporal implication AG(p ==~ AFq), and a few other simple
properties. A significant practical issue is how conveniently can we capture a
desired property.
A related theoretical issue concerns succinctness of specifications. This refers
to the economy of descriptive power of a formalism: how long a formula is re-
quired to a capture a property? Two formalisms can be of equivalent raw expres-
sive power, yet differ radically in succinctness. For example, P L T L and FOLLO
(the First Order Language of Linear Order) n are equivalent in expressive power,
but FOLLO can be nonelementarily more succinct, meaning that the translation
of FOLLO into PLTL may cause a blowup in length not bounded by any fixed
composition of exponential functions. We may ask if this means that FOLLO
is better suited than PLTL for specification and reasoning about reactive pro-
grams? Probably not. Even though FOLLO can be astronomically more succinct,
11 FOLLO is essentially a formalization of the right hand side of the definition of the
temporal operators; e.g., FP corresponds to 3t(t > 0 A P(t)).
75
it is quite possible that it is too succinct. Certainly, it is known that the complex-
ity of mechanical reasoning in it would be nonelementary. PLTL, on the other
hand, seems to provide a good combination of expressive power, succinctness,
and complexity of mechanical reasoning (as does C T L in the branching time
framework). 12
6.1 Tradeoffs
In general, the goals of work in this area are (a) to formulate the most expres-
sive logic possible with the lowest complexity decision problem relevant to the
application at hand; and (b) to understand the tradeoffs between complexity
and expressiveness. In connection with point (b), it is worth noting that there
is some relationship between the syntactic complexity of temporal logic formula
and the computational complexity of their decision procedures. This appears
related to the size and structure of the a u t o m a t o n (that would be) constructed
for the formula. However, the relationship is somewhat intricate.
6.2 Expressiveness Hierarchy

The hierarchy shown below illustrates some of the key points regarding expres-
siveness that we would like to emphasize.
CTL =- CTL + < C T F < CTL* < PDL-A < L# -- Tree A u t o m a t a
The first thing to note is that (finite state, pairs) tree a u t o m a t a coincide in
expressive power with the Mu-calculus. Since virtually all mechanical reasoning
operations can be performed in terms of tree a u t o m a t a and all branching time
logics can, it turns out, be translated into tree automata, it is reasonable to take
tree automata as a reference standard for branching time expressibility. 13
12 Actually, rather little research effort has gone into work on succinctness. Particu-
larly valuable topics might include: identification of tractable and useful fragments
of FOLLO (or equivalently S1S), use of w-regular expressions as a specification lan-
guage, and general efforts to gain a deeper understanding of the relation between
syntactic Complexity of a formula and the cost of mechanical reasoning w.r.t, the
formula.
13 In this connection, there is one minor technical caveat about comparing apples and
oranges in the context of expressiveness: tree automata as originally defined run on
infinite binary trees and can distinguish "left" from "right". In contrast, logics such
as CTL* (or the the Mu-calculus with A X , E X as opposed to <0>, [0], <1>, [1]) are
interpreted over models of arbitrary arity but cannot distinguish "left" from "right".
There are a variety of ways to formulate a uniform, compatible framework permitting
76
We next note that the logic PDL-A is strictly subsumed in expressive power
by the Mu-calculus. PDL-A is the Propositional Dynamic Logic with infinite
repetition operator; in essence, it permits assertions whose basic modalities are
of the form E~ where ~ is an w-regular expression (cf. [St81]). PDL-A can be
translated into the Mu-calculus essentially because w-regulai expressions can be
translated into the "linear time" Mu-calculus (cf. [EL86]). For example, P*Q -
pZ.Q v (P A X Z) and P~ =_ v Y . P A X Z. Similarly, E P* Q - # Z . Q v ( P A E X Z)
and E P ~ =_ u Y . P A E X Z . The general translation can be conducted along these
lines. It can be shown, however, that vY. <1> YA <2> Y is not expressible in
PDL-A, over ternary structures with directions/arc labels 0, 1, 2 (cf. [Niw84]).
We also have that CTL* is strictiy subsumed in expressive power by PDL-A.
CTL* can be translated into PDL-A through use of tl~e following main idea:
each linear time formula h defines; using the tableau construction, an equivalent
Buchi automaton (cf. [ES83]) which can be translated into an equivalent w-
regular expression a. Thus, the basic modMity E h of CTL* maps to E a in
PDL-A. Because w-regular expressions are strictly more expressive than PLTL
(cf. [MP71], [Wo83]), there are properties expressible in PDL-A that cannot be
captured by any CTL* formula. E ( P ; true) ~ is perhaps the classic example of
such a property.
It is worth noting that CTL* syntax can be described in a sort of shorthand:
B(F, G, X, U, A, -~, o). This means that the basic modalities of CTL* are of the
form A or E (for a Branching time logic) followed by a pure linear time for-
mula built up from the linear time operators F, G, X, U, the boolean connectives
A,-~, with nestings/compositions allowed as indicated by o. Then we have the
expressiveness results below (cf. [EH86]).
We next compare CTL* with CTF, which is the precursor to CTL and CTL*,
oo
going back to [ECS0]. CTF may be described as the logic B(F, G, X, U, F, A, -~):
Plainly, any CTF formula is a CTL* formula. The difference, syntactically, is
that CTF does not permit arbitrary nesting of linear time formulas in its basic
co
modalities, although it does permit the special infinitary operator(s) F (and in
effect its dual ~) to support reasoning about fairness. However, the CTL* basic
modality A ( F ( P A X P ) ) is not a CTF formula and, moreover, can be shown
to be inequivalent to any CTF formula. Thus, CTL* is strictly more expressive
than CTF.
The logic CTL + is given as B(F, G, X, U, A, -~), permitting basic modalities
with linear time components that are boolean combinations of the linear time
operators F, G, X, U. Thus, CTL + is a sublanguage of CTF, omitting the infini-
meaningful comparisons. One way is to compare "symmetric" tree automata, which

do not distinguish left from right, interpreted over binary trees with branching time
logics. See also the amorphous tree automata of [BG93]. The Mu-calculus would be
equivalent to tree automata in any such reasonable common framework.
77
o(3 (3o oo
tary operator F and its dual G. It can be shown that, for example, E F P is not
expressible in CTL +. Thus, CTL + is strictly subsumed in expressive power by
CTF.
The last logic shown, CTL, is B(F, G, X, U), whose basic modalities permit
just a single linear temporal operator F, G, X, U following A or E. Plainly CTL
is a sublanguage of CTL +. Conversely, every formula of CTL + can be translated
into an equivalent CTL formula9 The essence of the translation is that the CTL +
formula E(FP1 A FP2) is equivalent to the CTL formula EF(P1 A EFP2) V
EF(P~ ^ EFP1).
Finally, we comment again that comparisons of raw expressive power do not
necessarily hold in like kind for succinctness. For example, even though CTL is
equivalent in raw expressive power to CTL +, the translation of CTL + into CTL
can be effected with an exponential blowup. The CTL + formula E(FP1 A FP2 A
9 A FPn) is translated into the following equivalent but long CTL formula:
V EF(PI1 A EF(Pi 2 ^ . . . ^ EFPI,~))

il,i2,...,i,t is a p e r m u t a t i o n o f [l:rt]
Furthermore, while CTL* is less expressive than P D L - A it can be exponentially

more succinct.
6.3 C o m p l e x i t y Summary
The table below summarizes key complexity results for automated temporal rea-
soning. The left column indicates the logic under consideration, the associated
entry in the middle column characterizes the complexity of the logic's model
checking problem, while the associated right column entry describes the com-
plexity of the satisfiability problem. Each row describes a particular logic: PLTL,
CTL, CTL*, and the Mu-calculus.
Logic Model Satisfiability

Checking Testing
PLTL PSPACE-complete PSPACE-complete
O(IM I 9exp(IpoD) time
CTL P-complete EXPTIME-complete
O(]M[-IP01) time
CTL* PSPACE-complete 2EXPTIME-complete
O([M[- exp([poD) time
L/~(k) NP N co-NP EXPTIME-complete
([M[. [p0[)~ time
78
The first row deals with PLTL, whose complexity was first analyzed in [SC85].
(cf. [Va9?]). PLTL model checking can be polynomially transformed to PLTL
satisfiability testing. The essential point is that the "structure" of a structure
M can be described by a PLTL formula where the nexttime operator and ex-
tra propositions are used to characterize what states are present what are the
successors of each state.
The satisfiability problem of PLTL is PSPACE-complete. In practice, this
bound amounts to a decision procedure of complexity exp(n) for an input formula
h of length n. The decision procedure is a speciMization of that for CTL: build
the exponential sized tableau for the formula, which may be viewed as a Buchi
nfa on infinite strings and tested for nonemptiness in time polynomial in the
size of of the automaton. It is possible,in fact, to build the automaton on-the-fly,
keeping track of only an individual node and a successor node at any given time,
guessing an accepting path in nondeterministic polynomial space34 This serves
to show membership in PSPACE for satisfiability testing of PLTL and for model
checking of PLTL by virtue of the above-mentioned reduction. By a generic
reduction from PSPACE-bounded Turing machines, PLTL model checking can
be shown to be PSPACE-hard; it then follows that PLTL satisfiability testing is
also PSPACE-hard.
An important multi-parameter analysis of PLTL model checking was per-
formed by Lichtenstein and Pnueli [LP85], yielding a bound of O(IM I 9exp(Ihl) )
for an input structure M and input formula h. The associated algorithm is simple
and elegant. We wish to check whether there is a path starting at a given state
so in M satisfying the PLTL formula h. (We clarify why we have formulated the
PLTL model checking problem in just this way below.) To do that, first build
the tableau 7- for h. Then form essentially the product graph M x 7-, view it
as a tableau, and test it for satisfiability. This amounts to looking for a path
through the product graph whose projection onto the second coordinate defines
a model of h that, by virtue of the projection onto its first coordinate, must also
be a path in M. Vardi and Wolper [VW86] made the important recognition that
this construction could be described still more cleanly and uniformly in purely
automata-theoretic terms. Use 7- to define an associated Buchi nfa ,4. Then de-
fine a Buchi automaton B that is the product of M and .A, and simply test B
for nonemptiness.
Along with the above algorithm and its complexity analysis, the following
"Lichtenstein-Pnueli thesis" was formulated: despite the potentially daunting
exponential growth of the complexity of PLTL model checking in the size of
the specification h formula, it is the linear complexity in the size of the input
structure M which matters most for applications, since specifications tend to
14 See the very interesting work by Barringer et. al [BFGGO89] on executable temporal
logics extending this idea.
79
be quite short while structures tend to be very large. Thus, the argument goes,
the exponential growth is tolerable for small specifications, and we are fortunate
that the cost grows linearly in the structure size. Our main point of concern thus
should be simply the structure size.
There appearsto be a good deal of empirical, anecdotal evidence that the
Lichtenstein-Pnueli thesis is often valid in actual applications. As further noted
in a forthcoming section, very simple assertions expressible in a fragment of CTL
are often useful. On the other hand, it is also possible to find instances where
the Lichtenstein-Pnueli thesis is less applicable.
We remark that we have formulated the PLTL model checking problem to
test, in effect, M, so ~ Eh. However, in applications using the linear time frame-
work, we want to know whether all computations of a program satisfy a spec-
ification h'. This amounts to checking M, so ~ Ah ~. It is, of course, enough to
check M, so ~: E('~h ~) which the Lichtenstein-Pnueli formulation handles. Since
PLTL is trivially closed under complementation we thus have a workable, effi-
cient solution to the "all paths" problem in terms of of the Lichtenstein-Pnueli
formulation. (cf. [EL87]).
The next row concerns CTL. CTL model checking is P-complete. Membership
in P was established in ICE81] by a simple algorithm based on the Tarski-Knaster
theorem. This was improved to the bound O([M]]f] ) for input structure M
and CTL formula f in [CES86]. Satisfiability testing for CTL is complete for
deterministic exponential time [EH85]. The upper bound established using the
tableau method was discussed previously. The lower bound follows by a generic
reduction from alternating polynomial space Tm's (cf. [FL79]).
We next consider CTL*. Its model checking problem is of the same com-
plexity as for PLTL. It is PSPACE-complete with a multi-parameter bound of
O([M[. ezp([f])). The lower bound follows because the PLTL model checking
problem is a special case of the CTL* model checking problem. The upper bound
follows because, as noted above,. Ah = ~E~h, and by using recursive descent to
handle boolean connectives and nested path quantifiers. In particular, to check
the formula E ( F A G P A GAFQ), first check A G P and label all states where it
holds with auxiliary proposition P~ ; next check A F Q and label all states where
it holds with auxiliary proposition Q~ ; finally, check E ( F P ~A GQ/). Of course,
in practice it is not really necessary to introduce the auxiliary propositions. It is
simply enough to observe that subformulas A G P and A F Q are state formulas
that can be used to first label the states where they are found to hold before
evaluating the top level formula. CTL* satisfiability can be tested in determin-
istic double exponential time by building a tree automaton of essentially double
exponential size and then testing it for nonemptiness as discussed previously.
The lower bound follows by a generic reduction from alternating exponential
space Tm's [VS85].
80
Finally, we come to the complexity of the Mu-calculus, L#. There are a

number of interesting open questions concerning model checking in the Mu-
calculus. First, a "tight" bound is not known. We do know that it is in NP N
co-NP [EJS93]. There are not too many such problems known. It suggests that
we ought to be able to show that it is in P, but it has so far resisted all efforts to
do so by a number of researchers. On the other hand, were it, say, shown to be
NP-complete then we would get that NP = co-NP, which seems highly unlikely.
The argument establishing membership in NP follows from observing that,
given a structure M and a Mu-calculus formula f , a nondeterministic T m can
guess a "threaded" annotation of the states and edges in M with "ranked"
subformulas. The ranks indicate how many times a #-formula can be unwound
and the threads indicate whether subformula f at state s generates subformula
g at a successor state t. It is then only necessary to check that this annotation is
propositionally consistent at each state and well-founded. Membership in co-NP
follows because the Mu-calculus is trivially closed under negation.
However, we can say more about useful fragments of the Mu-calculus. Re-
call the notion of alternation depth of a Mu-calculus formula referring to the
depth of "significant" nestings of alternating least and greatest fixpoints. We
use Lpk to indicate the Mu-calculus fragment where formulas are restricted to
alternation depth k. Using the Tarski-Knaster theorem and basic monotonicity
considerations, a time bound of O((IM I 9Ill) k+l) can be shown (cf. [EL86]). Sub-
sequent work has addressed improving the degree of the polynomial to simply k
(cf. [An93], [CS93]). In fact, this can be improved to about O((tM I 9 Ill) k/2) (cf.
[Lo§ by a technique that trades time for space and stores, roughly, all inter-
mediate results. However, this method also uses space about O((IM ] 9 Ill)k~2).
In contrast, the straightforward algorithm only uses about O(IM 19Ifl) space. Of
course, all known "practical" properties including all those expressible in PDL-A
are in L/~2 and can be model checked in low order polynomial time. Finally, sat-
isfiability testing for the Mu-calculus is in deterministic exponential time [EJ88],
as shown by building a tree automaton essentially equivalent to the Mu-calculus
formula and testing it for nonemptiness. The lower bound of being deterministic
exponential time hard again follows by simulating alternating polynomial space
Wm's. 15
6.4 A u t o m a t o n Ineffable P r o p e r t i e s
While finite state a u t o m a t a on infinite trees seem a good reference standard for
logics of the sort we have been considering, it is worth noting that there are some
types of reasonably properties correctness properties which are not expressible
by any finite state tree automaton. One such property we refer to as "uniform
inevitability".
15 or by succinctly encoding CTL.
8]
The property of (ordinary) inevitability of P is expressed by the CTL formula

A F P . This is of the general form Y computation 3 time P; note that the time i
a which P occurs along a given computation path depends on the specific path.
The property of uniform inevitability is of the general form 3 time Y computa-
tion P. That is, there is a single, uniform time i such that along all computation
paths P holds at exactly time i.
Interestingly, it can be shown that uniform inevitability is not definable by
any finite state automaton on infinite trees [Em87]. The argument is akin to
that used to establish the pumping lemma for ordinary context free languages.
However, uniform inevitability is definable by a type of pushdown tree automata.
6.5 M u - c a l c u l u s is E q u i v a l e n t t o T r e e A u t o m a t a
The Mu-calculus is equivalent in expressive power to tree automata. This result

was first given in [EJ91]. We will discuss t h a t argument and the information
that Can be extracted from it.
But first we note that the result can be rather easily obtained by using
translation through SnS concatenated with other known results. In [KP83] it
was established that the Mu-calculus can be translated into SnS: Lp < SnS.
Earlier, IRa69] established the basic result that tree automata are equivalent to
SnS: ta --__SnS. Later, [Niw88] showed that for a restricted Mu-calculus, call it
R/z, we have ta = R#. By definition, Rju < L/~. Putting it all together,
Lp _< SnS-- ta = R# < Lp
We conclude that Lp --- ta.

The limitation of the above argument is t h a t many appeals to the Comple-
mentation Lemma are made in the proof of the step SnS -=- ta in IRa69]. The
Complementation Lemma asserts that if tree language L is accepted by a finite
state pairs automaton on infinite trees, the complement language L is also ac-
cepted by some finite state pairs tree automaton on infinite trees. The original
proof of Rabin IRa69] was extraordinarily difficult and intricate, and the Lemma
remains one of the technically most challdnging results in the field. Because of its
technically formidable nature as well as its importance to applications involving
decidability of logical theories 16, a number of authors have attempted to give
simpler proofs of the Complementation Lemma (cf. [RAT1], [GH82], [Mu84]).
Arguments were given in [EJ91] (a) to prove directly that ta -= Lp ; and
showing how to use that to (b) give a simplified proof of the Complementation
Lemma by translation through the Mu-calculus. The equivalence (a) is estab-
lished by showing
Lp < ata < ta-=- R# < Lp
18 We emphasize that CTL* and Lp satisfiability seem to require string automaton
determinization or tree automaton complementation.
82
where ata denotes the class of alternating tree a u t o m a t a (which are defined
technically below). All of these translations from left-to-right are direct. None
involves the Complementation Lemma. We can then accomplish the simplified
proof (b) of the Complementation L e m m a based on the following simple idea:
given a a tree automaton ,4 there is an equivalent Lp formula f . The negation of
f , -~f, is certainly also a f o r m u l a o f Lp since Lp is trivially closed under syntactic
negation. Therefore, -~f can then be translated into an equivalent tree automaton
which recognizes precisely the complement of the set of trees recognized by
A.
R e m a r k : The restricted Mu-calculus, Rp, of [Niw88] consists of formulas
f, g, ... built up from constructs of these forms: atomic proposition constants and
their negations P, Q, -~P, -~Q..., atomic proposition variables Y, Z , . . . , restricted
conjunctions of the form P A EXoY A EX1Z, disjunctions f V g, and least and
greatest fixpoint operators i.tY.f(Y), ~,Y.f(Y). Since it is not syntactically closed
under complementation, nor obviously semantically closed (as the general A is
missing) 17, we cannot use it directly to establish the Complementation Lemma.
L/~ into ata
The idea underlying the translation of Lp into ata is simple: a Mu-calculus for-
mula is an alternating tree automaton. In more detail, the syntax diagram of a
Mu-calculus formula may be viewed as (a particular formulation of) the transi-
tion diagram of an alternating tree automaton that checks the local structure of
the input tree to ensure that it has the organization required by the formula. As
the alternating automaton runs down the input tree, "threads" from the syntax
diagram are unwound down each path; in general, there may be multiple threads
going down the same path of the tree due to conjunctions in the formula. We
remark that it is these conjunctions and associated multiple threads which make
the automaton an alternating one.
For example, the syntax diagram of pY.P V ( < 0 > YA < 1 > Y) is shown in
Figure 3. As indicated, there is a node in the syntax diagram for each subformula
and an edge from each formula to its immediate subformulae. In addition, there
is an edge from each occurrence of Y back to #Y.
The transition diagram consists of AND-nodes and OR-nodes. All nodes are
OR-nodes except those corresponding to connective A. is Each node has an input
symbol, usually an implicit r indicating, as usual, that no input is consumed.
The automaton starts in state pY, from which it does an ~ move into state V.
In state V it makes a nondeterministic choice. The automaton may enter state
17 It is semantically closed but the proof requires an appeal to the Complementation
Lemma.
is Matters are simplified by noting that over a binary tree 0,1 are functions, not just
relations.
83
% %9
% %
% %
%
V %
/\
P A
/
I
t
I
t
!
!
<( )> I
!
I
I
I
I
I
I
/
I /S
Y" s S
Fig. 3. Syntax diagram of pY.P V (<0> YA <1> Y)
P. In this case it checks the input symbol labeling the current node to see if
it matches P, in which case it accepts; otherwise, it rejects. Alternatively, the
automaton may enter state A, which is an AND-node and from which it will
exercise universal nondeterminism. From A the automaton launches two new
threads of control: < 0 > down the left branch and < l > down the right branch.
Then state < 0 > does an e move to ensure that at the left successor node the
automaton is in state Y from which does an e move into pY, Similarly, state
< 1 > does an ~ move to ensure that at the right successor node the automaton
is in state Y and then I.tY. Etc.
Acceptance is handled by colored lights placed to ensure that p-regeneration 19
is well-founded. One way to do this is to associate a pair of lights (REDi, GrtEEN~)
with each eventuality # ~ . f . Whenever the eventuality # ~ .f is regenerated along
along a thread, indicated in the syntax diagram by traversing the edge re-entering
the node for/tY/from within the scope of/~Y~, flash GREENi. Whenever the scope
of #Y~ is exited, flash RED~. Thus, /~Y~.f is regenerated infinitely often along a
19 Informally, this refers to recursive unfolding of p- formulae.

84
oo oo
thread iff F GrtEENi A ~FREDi holds along it. Call a thread meeting the associ-
ated pairs condition bad. Then the Mu-calculus formula is true of the input tree iff
the associated ata accepts the tree by virtue of the existence of a run on the tree
such t h a t all threads of all paths of the run are good (i.e., not bad). This amounts
to acceptance by the complemented pairs condition Ai(FGREENi ::~ FRED/)
Nondeterminization
Next, we must discuss the "nondeterminization" of an alternating tree automa-

ton needed to show ata _< ta. First, however, we make precise the notion of such
an alternating tree automaton. An a t a `4 is just like an ordinary, nondeterminis-
tic ta except that it has both existential and universal nondeterminism. This is
reflected in its transition function which permits transitions of the form 6(q, a)
= {({r~,...,r~l},{s~,...,s~}),...,({r~,...,rklk},{s~,...,skmk})}. The mean-
ing is that when a u t o m a t o n .4 is in state q at current node v of the input tree
which is labeled with symbol a, then .4 first uses existential nondeterminism to
choose among k alternative next moves. Each possible existential next move is
specified by a pair of the form ({r~,.. . , r iti ) , { s l , . . . , s ~ n ' } ) , with 1 < i < k. Then
the a u t o m a t o n exercises universal nondeterminism to go into all of the states
r l , . . . , r ili on the left successor node v0 and into all of the states s ii, . . . , sm' on
the right successor node vl.
As usual, the a u t o m a t o n .4 starts out in a designated start state q0 on the
root node A of the input tree. By applying the above transitions a run of .4
on the input tree is constructed. This run is not just a labeling of the nodes of
the input tree with a u t o m a t o n states, but a superposition of a tree of threads
(sequences of a u t o m a t o n states) on the input tree. If q is the tip of a thread z
a node v, which is labeled by symbol a, and (i(q, a) is of the form above, then z
branches into extending threads of the form z r ~ , . . . , zrel i corresponding to the
left successor v0, and z s ~ , . . . , zs i"~ , corresponding to the right successor vl. Any
infinite tree comprised of threads in this way constitutes a run o f . 4 on the input
tree. The a u t o m a t o n ,4 accepts the input tree provided there exists a run on
the input tree such t h a t along every p a t h every thread meets the acceptance
condition of the a u t o m a t o n (Buchi, pairs, etc.).
Note that a run p of.4 on an input tree m a y be viewed as a tree superimposed
on the input tree. Thee m a y be two or more copies of the same a u t o m a t o n state q
as the tip of two different finite threads corresponding to a particular tree node.
These copies of q m a y make different existential moves. One therefore cannot
merge such different copies of q as the "threads" t h a t would result would in
general be different from those in the original run.
However, for a history free alternating tree automaton, if it has an accepting
run, it has an accepting run in which the existential choices depend only on the
85
current state and position in the tree (and not the thread of which it is a tip).
Thus, such a history free run will not necessarily be a tree superimposed on
the input tree, but a dag, with intuitively threads intertwined down each tree
branch, such that there is only a single copy of each automaton state at each
tree node. Along a path through the input tree, the coSafra construction (cf.
[EJ89], [Sa92]) can be used to bundle together the collection of infinitely many
threads along the path, which are choked through a finite number of states at
each node.
Finally, it turns out that the alternating tree automaton corresponding to
a Mu-calculus formula is history free. The intuitive justification is that at each
existential choice node, one can take the choice of least rank, ensuring that p's
are fulfilled as soon as possible.
Remark: An alternative method of nondeterminization is to essentially con-
struct the tree automaton for testing satisfiability of a Mu-calculus formula as
in [SE84]. A sharpening of this construction builds a tree automaton equivalent
to the Mu-calculus formula. Basically, perform a tableau construction to get a
local automaton checking the invariance properties inherent in the formula. Con-
join it with a global automaton that checks well-foundedness of p-regenerations.
The global automaton is obtained as follows: Build an w-string automaton that
guesses a bad thread through the tableau along which some p-formula is regen-
erated infinitely often, in violation of the requirement that it should be well-
founded. Then use the coSafra construction to simultaneously determinize and
complement that string automaton, The tree automaton that runs the resulting
string automaton down all paths of the tree is the desired global automaton that
checks the liveness properties associated with p-formulas.
6.6 Restricted Temporal Logics

If one considers longstanding previous trends in the work on decision procedures
for (propositional) temporM and modal logics of programs, one observes the
following characteristics:
- There has been a continual emphasis toward logics of increasingly greater

expressive power.
- Most work has sought the most expressive temporal logic decidable in single
exponential time deterministically; this is a consequence of the fact that
the temporal logic subsumes ordinary propositional logic and the reasonable
presumption that P r NP, strongly suggesting that we can not do better in
general.
- A quest for increasing generality and richness of of expressive power.
We now discuss a possibly promising counter-trend (cf. [ESS89]) toward more

limited logics with these characteristics:
86
- The limited logics exhibit greater specificity; they are tailored for particular
applications.
- The limited logics are of restricted expressive power. The restrictions may
limit both raw expressive power and economy of descriptive power.
- They are intended to support efficient, polynomial time decision procedures.
We will focus on the restricted logics from [ESSS9] and lEES90]. It can be
quite delicate to obtain a logic that is restricted, efficiently decidable, and at the
same time useful. Some of the implications of these requirements are:
- We must give up propositional logic in its full generality, since obviously any
logic subsuming propositional logic must be at least NP-hard.
- The atomic propositions should be disjoint and exhaustive. Otherwise, if
we allow overlapping propositions, there can be as many as 2 n subsets of
n propositions, yielding an immediate combinatorial explosion. (In practice,
this restriction may not be that onerous in our applications. For example,
we may wish to describe a program which may be in any of n locations. This
may be described using propositions at-locl,...,at-lOCn.
- The overall syntax should be simplified. One simplification is to restrict for-
mulas to be of the form: A assertion; t h a t is, to be a conjunction of simpler
assertions. Note that for purposes of program specification A is more fun-
damental than V- One typically wants a program that meets a conjunction
of criteria. Another simplification is to limit the depth of nesting of tempo-
ral operators. Deeply nested temporal modalities are rarely used in practice
anyway.
Simplified C T L
We first consider Simplified CTL (SCTL). It turns out that SCTL corresponds
precisely to the fragment of CTL actually used in program synthesis in [EC82].
The formulae of SCTL are conjunctions of assertions of the following forms:
- P V . . . V P~ -initial assertions
- AG(Q V . . . Ol) - invariance assertions
- AG(P ~ A F ( R V . . . V R)) - leads-to assertions
- A G ( P ~ A((Q V . . . V Q')Us(R V . . . R ' ) ) - assurance assertions
- AG(P ~ AX(Q, V . . . v Q~)A - successor assertions
E X ( R V . . . V R') A . . . A E X ( S V. . . V S~))
over an alphabet of disjoint, exhaustive propositions P, P~, Q, Q~, R, R~,..., etc.,
subject to the following Euclidean Syntactic Constraint (ESC):
If an SCTL formula has conjuncts of the form A G ( P =~ AFQ) and
AG(P ~ A X ( . . . R V . . . ) . . . ) then AG(R ~ AFQ) must also be a
conjunct of the formula.
87
The ESC ensures that eventualities are recoverable from propositions alone.
The significance in practice of the ESC is that, while it is a restriction, it
permits the specification of "history-free" processes. This means that the even-
tualities pending at each state S of a process are the same irrespective of t h e
path taken by the process from its initial state to S.
The restricted syntax of S C T L permits the decision procedure of CTL to
be simplified yielding a polynomial time decision procedure for formulas of
SCTL. To understand in broad terms why this is possible in it helpful to think
automata-theoretically [VW84]. The a u t o m a t o n / t a b l e a u for a CTL formula m a y
be thought of as the product of the local automaton (the nexttime tableau) with
the global automaton, which is itself the product of an eventuality a u t o m a t o n
for each eventuality such as AFP. The size of the whole a u t o m a t o n is thus the
size of the the nexttime tableau times the product of the sizes of each eventu-
ality automaton. An eventuality automaton for, say, A F P has 2 states, one for
A F P being pending, one for it it being fulfilled (or not required to be satisfied).
Thus, the size of the whole automaton is exponential in the number of eventual-
ities. However, if the set of pending eventualities can be determined from set of
atomic propositions, as is the case with SCTL owing to the ESC, then the local
automaton can serve as the entire automaton.
The SCTL decision procedure then amounts to:
- Construct the nexttime tableau for the input formula f0 using the nexttime
assertions. Each atomic proposition P is an AND-node of the tableau. Each
such AND-node P gets sets of successor AND-nodes, intermediated by OR-
nodes, based on the nexttime assertion 2~ associated with P . For example,
AG(P ~ AX(Q1 v Q2 v R1 V R2) A EXQ1 A EX(R1 V R2)) would have two
OR-node successors, one with AND-node Q1 as a successor, the other with
AND-nodes R1, R2 as successors. This is the local automaton .4io. By virtue
of the ESC it is also the entire automaton. The initial assertions determine
the "start state".
- Check .410 for "nonemptiness". Repeatedly delete "bad" nodes from its tran-
sition diagrams. There is associated with every node a set eventualities e that
must be fulfiliable. The key step is to ensure that e a c h such e is fulfillable
by finding the appropriate DAG[Q,e]'s as for ordinary CTL.
Example: Consider the SCTL formula comprised of the conjunction of the

following assertions:
20 Without loss of generality we may assume there is only one.

88
(P V Tt)
AG(P V R V S V T)
AG(P ~ A X S A EXS)
AG(R ~ A X ( R Y T) A EXT)
AG(S ::~ A X ( P V R) A E X P A EXR)
AG(T :::vA X ( P Y T) A E X ( P Y T)
AG(P :=~AFT)
AG(S ~ AFT)
We get the initial tableau shown in Figure 4 (i). Since A F T is not fulfillable
at node P, delete P . Propagate the deletion to any incident edges as well as
OR-nodes whose only successors were P.
The resulting tableau is shown in Figure 4 (ii). Node S violates its successor
assertion because it no longer has a P successor. Thus, S is deleted and its now
spurious successor OR-node,
In Figure 4 (iii) the final pruned tableau is shown. It induces the model shown
in Figure 4 (iv).
Restricted Linear Temporal Logic

We now consider another logic that turns out to be efficiently decidable: Re-
stricted Linear Temporal Logic (RLTL). It is presented, for the sake of uni-
formity, in CTL-like syntax. But the path quantifiers are all A's; hence, any
satisfiable formula has a linear model, and it may be viewed as a linear time
logic. Alternatively, the path quantifiers may all be elided to get formulae that
are literally within the syntax of PLTL.
Formulae are now conjunctions of assertions of the following forms:
- AG(Q V . . . Q') - invariance assertions

- AG(P =~ A F ( R Y . . . V R~)) - leads-to assertions
- AG(P =~ AX(Q V . . . V Q')) - successor assertions
where again propositions are disjoint and exhaustive. There is no Euclidean

Syntactic Constraint or related restriction.
Nonetheless, we can establish the following
T h e o r e m Satisfiability of RLTL can be tested in deterministic polynomial
time.
P r o o f i d e a . The basic idea is simple: Build the nexttime tableau. The input
formula is satisfiable iff the tableau has a total, self-fulfilling strongly connected
89
(i)
57)
(fi)
(iii)
(iv)
Fig. 4. SCTL decision procedure example
subgraph C. The latter means that if any AF(Q V V Q') appears in C, then
one of Q , . . . , Q' also appears in C. Thus it suffices to build the initial tableau,
split into SCC's, delete non-self-fulfilling SCC's, until stabilization.
Example: Consider the RLTL formula comprised of the conjunction of the

following assertions:
90
AG(P V Q V R V S V T )
AG(P ~ AXQ)
AG(R =~ A X P )
AG(T ~ A X ( P V R))
AG(Q ::~ A X ( R Y S))
AG(S ~ A X ( R V S))
AG(Q :* AFP)
AG(S ::~ AFT)
The initial nexttime tableau is shown in Figure 5 (a). It is partitioned into

SCC's: {{T},{P,Q,R,S}}. The SCC {T} is deleted because it is not total.
The node S is deleted from SCC {P, Q, R, S}. because AFh is not fulfillable.
See Figure 5 (b) Then the remainder of this SCC is split into SCC's yielding
{{P, Q, R}}. The sole remaining SCC of this collection, {P, Q, R}, is total and
self-fulfilling. Hence, any infinite path through it defines a model of the original
specification as in Figure 5 (c).
Restricted Initialized Linear Temporal Logic.
We now illustrate that the boundary between efficient decidability and worst
case intractability can be quite delicate. Certainly, RLTL is highly restricted.
While useful specifications can be formulated in RLTL, many properties cannot
be expressed. One very basic type of assertion that was omitted was an initial
assertion. Let us define Restricted Initialized Linear temporal logic (RILTL) to
be the logic permitting formulas which are conjunctions of assertions of the form:
- P V ... V P ' - initial assertions

- AG(Q v...Q') - invariance assertions
- AG(P ::~ A F ( R V . . . V R~)) - leads-to assertions
- AG(P ::v AX(Q v . . . v Q~)) - successor assertions
where one again propositions are disjoint and exhaustive, and there is no Eu-
clidean Syntactic Constraint or related restriction. In other words, RILTL equals
RLTL plus an initial assertion.
Most surprisingly, this small change increases the complexity:
T h e o r e m The satisfiability problem for RILTL is NP-hard.
The idea behind the proof is as follows. Given a state graph M, such as that
shown in Figure 6, we can capture its structure by a formula fM that is a simple
~Z
(
o-q
( 9
./ \
~~
() |
92
conjunction of RILTL successor assertions, such as

AG(I ~ AXB)A
AG(B ~ AX(C V D))A
AG(C ~ AXH)A
AG(D :v AXH)A
AG(H ~ AXH)
(Here we assume, for ease of exposition, that a unique proposition labels each
node.) We thereby reduce model checking over M to RILTL satisfiability: M, I
E(FBAFCAFH) iff fMAIAAG(I ~ AFB)AAG(I ~ AFC)AAG(I ::v AFH)
is satisfiable. We can generalize this argument to reduce arbitrary model checking
problems of the form M, so ~ E(FP1 A... FPn) to RILTL satisfiability. This
restricted form of the PLTL model checking problem is known to be NP-hard as
established by Sistla and Clarke [SC85]. (The intuition is that it is necessary to
consider all possible permutations that the Pi can occur in.)
7 Conclusion
Due to the proliferation of computer microelectronics and associated safety crit-

ical software, there is an undeniable and growing need to find effective methods
of constructing correct reactive systems. One factor these systems have in com-
mon beyond their nondeterministic, ongoing, reactive nature is that they are
complex. While it is conceivable that it is easy to describe in general terms what
such a system is supposed to do (e.g., provide an air traffic control system), it
appears quite difficult to "get the details straight". Temporal logic appears to to
provide a good handle on precisely stating just what behavior is to occur when
at a variety of levels of detail. Automation of temporal reasoning appears to
offer a good handle on actually keeping track of the myriad of associated points
of fine detail.
A c k n o w l e d g e m e n t s This work was supported in part by NSF grant CCR-
9415496 and by SRC contract 95-DP-388.
We also thank Howard Barringer, Colin Stirling, and Moshe Vardi for most
helpful comments on a preliminary version of this paper.
References
[An93] Anderson, H. R., Verification of Temporal Properties of Concurrent Sys-

tems, Ph.D. Dissertation, Computer Science Department, Aarhus Univ.,
Denmark, June 1993.
[AKS83] Aggarwal S., Kurshan R. P., Sabnani K. K., "A Calculus for Protocol
Specification and Validation", in Protocol Specification, Testing and Ver-
ification III, H. Ruden, C. West (ed.'s), North-Holland 1983, 19-34.
93
[AI(86] Apt, K. and Kozen, D., Limits for Automatic Verification of Finite State
Systems, IPL vol. 22, no. 6., pp. 307-309, 1986.
[BFGGO89] Barringer, H., Fisher, M., Gabbay, D., Gough, G., and Owens, R.,
Metatem: A Framework for Programming in Temporal Logic. In Proc. of
the REX Workshop on Stepwise Refinement of Distributed Systems: Mod-
els, Formalisms, Correctness, Mook, The Netherlands, Springer LNCS,
no. 430, June 1989.
[BKP84] Barringer, H., Kuiper, R., and Pnueli, A., Now You May Compose Tem-
poral Logic Specifications, STOC84.
[BKP86] Barringer, H., Kuiper, R., and Pnueli, A., A Really Abstract Concurrent
Model and its Temporal Logic, pp. 173-183, POPL86.
[BPM83] Ben-Ari, M., Pnueli, A. and Manna, Z. The Temporal Logic of Branching
Time. Acta Informatica vol. 20, pp. 207-226, 1983.
[BG93] Bernholtz~ O., and Grumberg G., Branching T i m e Temporal Logic
and Amorphous Automata, Proc. 4th Conf. on Concurrency Theory,
Hildesheim, Springer LNCS no. 715, pp. 262-277, August 1993.
[BS92] Bradfield, J., and Stirling, C., "Local Model Checking for Infinite State
Spaces", Theor. Comp. Sci., vol. 96, pp. 157-174, 1992.
[BCD85] Browne, M., Clarke, E. M., and Dill, D. Checking the Correctness of
sequential Circuits, Proc. 1985 IEEE Int.. Conf. Comput. Design, Port
Chester, NY pp. 545-548
[BCDM86a] Browne, M., Clarke, E. M., and Dill, D,, and Mishra, B., Automatic ver-
ification of sequential circuits using Temporal Logic, IEEE Trans. Comp.
C-35(12), pp. 1035-1044, 1986
[Br86] Bryant, R., Graph-based algorithms for boolean function manipulation,
IEEE Trans. on Computers, C=35(8), 1986.
[Su62] Buchi, J. R., On a Decision Method in restricted Second Order Arith-
metic, Proc. 1960 Inter. Congress on Logic, Methodology, and Philosophy
of Science, pp. 1-11.
[CE81] Clarke, E. M., and Emerson, E. A., Design and Verification of Synchro-
nization Skeletons using Branching Time Temporal Logic, Logics of Pro-
grams Workshop, IBM Yorktown Heights, New York, Springer LNCS no.
131., pp. 52-71, May 1981.
[CES86] Clarke, E. M., Emerson, E. A., and Sistla, A. P., Automatic Verification
of Finite State Concurrent System Using Temporal Logic, 10th ACM
Symp. on Principles of Prog. Lang., Jan. 83; journal version appears in
A C M Trans. on Prog. Lang. and Sys., vol. 8, no. 2, pp. 244-263, April
1986.
[CFJ93] Clarke, E. M., Filkorn, T., Jha, S. Exploiting Symmetry in .Temporal
Logic Model Checking, 5th International Conference on Computer Aided
Verification, Crete, Greece, June 1993.
[CGBS8] Clarke, E. M., Grumberg, O., and Brown, M., Characterizing Kripke
Structures in Temporal Logic, Theor. Comp. Sci., 1988
[CG86] Clarke, E. M., Grumberg, O. and Browne, M.C., Reasoning about Net-
works with Many Identical Finite State Processes, Proc. 5th ACM PODC,
pp. 240-248, 1986.
94
[CG87] Clarke, E. M. and Grumberg, O., Avoiding the State Explosion Problem
In Temporal Model Checking, PODC87.
[CGSTb] Clarke, E. M. and Grumberg, O. Research on Automatic Verification of
Finite State Concurrent Systems, Annual Reviews in Computer Science,
2, pp. 269-290, 1987
[CM83] Clarke, E. M., Mishra, B., Automatic Verification of Asynchronous Cir-
cuits, CMU Logics of Programs Workshop, Springer LNCS ~164, pp.
101-115, May 1983.
[CGB89] Clarke, E. M., Grumberg, O., and Brown, M., Reasoning about Many
Identical Processes, Inform. and Comp., 1989
[CS931 Cleaveland, R. and Steffan, B., A Linear-Time Model-Checking Algorithm
for the Alternation-Free Modal Mu-calculus, Formal Methods in System
Design, vol. 2, no. 2, pp. 121-148, April 1993.
[C193] Cleaveland, R., Analyzing Concurrent Systems using the Concurrency
Workbench, Functional Programming, Concurrency, Simulation, and Au-
tomated Reasoning Springer LNCS no. 693, pp. 129-144, 1993.
[cvw85] Courcoubetis, C., Vardi, M. Y., and Wolper, P. L., Reasoning about Fair
Concurrent Programs, Proc. 18th STOC, Berkeley, Cal., pp. 283-294, May
86.
[CM90] Coudert, O., and Madre, J. C., Verifying Temporal Properties of Sequen-
tial Machines without building their State Diagrams, Computer Aided
Verification '90, E. M. Clarke and R. P. Kurshan, eds., DIMACS, Series,
pp. 75-84, June 1990.
[DGG93] Dams, D., Grumberg, O., and Gerth, R., Generation of Reduced Models
for checking fragments of CTL, CAV93, Springer LNCS no. 697, 1993.
[Di76] Dijkstra, E. W. , A Discipline of Programming, Prentice-Hall, 1976.
[DC86] Dill, D. and Clarke, E.M., Automatic Verification of Asynchronous Cir-
cuits using Temporal Logic, IEEE Proc. 133, Pt. E 5, pp. 276-282, 1986.
[Em81] Emerson, E. A., Branching Time Temporal Logics and the Design of
Correct Concurrent Programs, P h . D . Dissertation, Division of Applied
Sciences, Harvard University, August 1981.
[Em83] Emerson, E. A., Alternative Semantics for Temporal Logics, Theor.
Comp. Sci., v. 26, pp. 121-130, 1983.
[Em85] E.A. Emerson, "Automata, Tableaux, and Temporal Logics", Proc. Work-
shop on Logics of Programs, Brooklyn College, pp. 79-87, Springer LNCS
no. 193, June 1985.
[EC80] Emerson, E. A., and Clarke, E. M., Characterizing Correctness Prop-
erties of Parallel Programs as Fixpoints. Proc. 7th Int. Colloquium on
Automata, Languages, and Programming, Lecture Notes in Computer
Science #85, Springer-Verlag, 1981.
[EC82] Emerson, E. A., and Clarke, E. M., Using Branching Time Temporal
Logic to Synthesize Synchronization Skeletons, Science of Computer Pro-
gramming, vol. 2, pp. 241-266, Dec. 1982.
95
lEES90] Emerson, E. A., Evangelist, M., and Srinivasan, J., On the Limits of
Efficient Temporal Satisfiability, Proc. of the 5th Annual IEEE Symp. on
Logic in Computer Science, Philadelphia, pp. 464-477, June 1990.
[EH85] Emerson, E. A., and Halpern, J. Y., Decision Procedures and Expressive-
ness in the Temporal Logic of Branching Time, Journal of Computer and
System Sciences, vol. 30, no. 1, pp. 1-24, Feb. 85.
[EH86] Emerson, E. A., and Halpern, J. Y., 'Sometimes' and 'Not Never' Revis-
ited: On Branching versus Linear Time Temporal Logic, JACM, vol. 33,
no. 1, pp. 151-178, Jan. 86.
[EJ88] Emerson, E. A. and Jutla, C. S., "Complexity of Tree Automata and
Modal Logics of Programs", Proc. 29th IEEE Foundations of Computer
Sci., 1988
[E J89] Emerson, E. A., and Jutla, C. S., On Simultaneously Determinizing and
Complementing w-automata, Proceedings of the 4th IEEE Symp. on Logic
in Computer Science (LICS), pp. 333-342, 1989.
[EJ91] Emerson, E. A., and Jutla, C. S. "Tree Automata, Mu-Calculus, and
Determinacy", Proc. 33rd IEEE Syrup. on Found. of Comp Sci., 1991
[EJS93] Emerson, E. A., Jutla, C. S., and Sistla, A. P., On Model Checking for
Fragments of the Mu-calculus, Proc. of 5th Inter. Conf. on Computer
Aided Verification, Elounda, Greece, Springer LNCS no. 697, pp. 385-
396, 1993.
[EL86] Emerson, E. A., and Lei, C.-L., Efficient Model Checking in Fragments
of the Mu-calculus, IEEE Symp. on Logic in Computer Science (LICS),
Cambridge, Mass., June, 1986.
[EL87] Emerson, E. A., and Lei, C.-L.m Modalities for Model Checking: Branch-
ing Time Strikes Back, pp. 84-96, ACM POPL85; journal version appears
in Sci. Comp. Prog. vol. 8, pp 275-306, 1987.
[ES93] Emerson, E. A., and Sistla, A. P., Symmetry and Model Checking, 5th
International Conference on Computer Aided Verification, Crete, Greece,
June 1993full version to appear in Formal Methods in System Design.
[ES83] Emerson, E. A., and Sistla, A. P., Deciding Full Branching Time Logic,
Proc. of the Workshop on Logics of Programs, Carnegie-Mellon Univer-
sity, Springer LNCS no. 164, pp. 176-192, June 6-8, 1983; journal version
appears in Information ~ Control, vol. 61, no. 3, pp. 175-201, June 1984.
[ESS89] Emerson, E. A., Sadler, T. H. , and Srinivasan, J. Efficient Temporal
Reasoning, pp 166-178, 16th ACM POPL, 1989.
[Em87] Emerson, E. A., Uniform Inevitability is Finite Automaton Ineffable, In-
formation Processing Letters, v. 24, pp. 77-79, 30 January 1987.
[Em90] Emerson, E. A., Temporal and Modal Logic, in Handbook of Theoretical
Computer Science, vol. B, (J. van Leeuwen, ed.), Elsevier/North-Holland,
1991.
[FL79] Fischer, M. J., and Ladner, R. E, Propositional Dynamic Logic of Regular
Programs, JCSS vol. 18, pp. 194-211, 1979.
[Fr86] Francez, N., Fairness, Springer-Verlag, New York, 1986
96
[GPSS80] Gabbay, D., Pnueli A., Shelah, S., Stavi, J., On The Temporal Analy-
sis of Fairness, 7th Annual ACM Syrup. on Principles of Programming
Languages, 1980, pp. 163-173.
[GS92] German, S. M. and Sistla, A. P. Reasoning about Systems with many
Processes, Journal of the ACM, July 1992, Vol 39, No 3, pp 675-735.
[GH82] Gurevich, Y., and Harrington, L., "Trees, Automata, and Games", l$th
ACM STOC, 1982.
[HT87] Haler, T., and Thomas, W., Computation Tree Logic CTL* and Path
Quantifiers in the Monadic Theory of the Binary Tree, ICALP87.
Knowledge and Common Knowledge in a Distributed Environment, Proc.
3rd ACM Syrup. PODC, pp. 50-61.
[HS86] Halpern, J. Y. and Shoham, Y., A Propositional Modal Logic of Time
Intervals, IEEE LICS, pp. 279-292, 1986.
[Ha79] Harel, D., Dynamic Logic: Axiomatics and Expressive Power, PhD Thesis,
MIT, 1979; also available in Springer LNCS Series no. 68, 1979.
[HA84] Harel, D., Dynamic Logic, in Handbook of Philosophical Logic vol. II:
Extensions of Classical Logic, ed. D. Gabbay and F. Guenthner, D. Reidel
Press, Boston, 1984, pp. 497-604. Applications, 16th STOC, pp. 418-427,
May 84.
[HS84] Hart, S., and Sharir, M., Probabilistic Temporal Logics for Finite and
Bounded Models, 16th STOC, pp. 1-13, 1984.
[HS84] Hart, S. and Sharir, M. Probabilistic Temporal Logics for Finite and
Bounded Models, 16th ACM STOC, pp. 1-13, 1984.
[Ho78] Hoare, C. A. R., Communicating Sequential Processes, CACM, vol. 21,
no. 8, pp. 666-676, 1978.
[Ha82] Hailpern, B., Verifying Concurrent Processes Using Temporal Logic,
Springer-Verlag LNCS no. 129, 1982.
[HO80] Hailpern, B. T., and Owicki, S. S., Verifying Network Protocols Using
Temporal Logic, In Proceedings Trends and Applications 1980: Computer
Network Protocols, IEEE Computer Society, 1980, pp. 18-28.
[HR72] Hossley, R., and Rackoff, C, The Emptiness Problem For Automata on
Infinite Trees, Proc. 13th IEEE Symp. Switching and Automata Theory,
pp. 121-124, 1972.
[ID93] Ip, C-W. N., Dill, D. L., Better Verification through Symmetry, CHDL,
April 1993.
[Je94] Jensen, K., Colored Petri Nets: Basic Concepts, Analysis Methods, and
Practical Use, vol. 2: Analysis Methods, EATCS Monographs, Springer-
Verlag, 1994.
[JR91] Jensen, K., and Rozenberg, G. (eds.), High-level Petri Nets: Theory and
Application, Springer-Verlag, 1991.
[Ka68] Kamp, Hans, Tense Logic and the Theory of Linear Order, PhD Disser-
tationl UCLA 1968.
[Ko87] Koymans, R., Specifying Message Buffers Requires Extending Temporal
Logic, PODC87.
97
[Ko83] Kozen, D., Results on the Propositionnal Mu-Calculus, Theor. Comp.

Sci., pp. 333-354, Dec. 83
[KP81I Kozen, D. and Parikh, R. An Elementary Proof of Completeness for PDL,
Theor. Comp. Sci., v. 14, pp. 113-118, 1981
[KP83] Kozen, D., and Parikh, R. A Decision Procedure for the Propositional
Mu-calculus, Proc. of the Workshop on Logics of Programs, Carnegie-
Mellon University, Springer LNCS no. 164, pp. 176-192, June 6-8, 1983.
[KT87] Kozen, D. and Tiuryn, J., Logics of Programs, in Handbook of Theoretical
Computer Science, (J. van Leeuwen, ed.), Elsevier/North-Holland, 1991.
[Ku86] Kurshan, R. P.," Testing Containment of omega-regular Languages", Bell
Labs Tech. Report 1121-86101.0-33 (1986); conference version in R. P.
Kurshan, "Reducibility in Analysis of Coordination", LNCIS 103 (1987)
Springer-Verlag 19-39.
[Ku94] Kurshan, R. P., Computer-Aided Verification of Coordinating Processes:
The Automata-Theoretic Approach Princeton University Press, Princeton,
New Jersey 1994.
[LR86] Ladner, R. and Reif, J. The Logic of Distributed Protocols, in Proc. of
Conf. On Theor. Aspects of reasoning about Knowledge, ed. J Halpern,
pp. 207-222, Los Altos, Cal., Morgan Kaufmann
[La80] Lamport, L., Sometimes is Sometimes "Not Never"---on the Temporal
Logic of programs, 7th Annual ACM Symp. on Principles of Programming
Languages, 1980, pp. 174-185.
[La83] Lamport, L., What Good is Temporal Logic?, Proc. IFIP, pp. 657-668,
1983.
[LPS81] Lehmann. D., Pnueli, A., and Stavi, J., Impartiality, Justice and Fairness:
The Ethics of Concurrent Termination, ICALP 1981, LNCS Vol. 115, pp
264-277.
[LS82] Lehmann, D., and Shelah, S. Reasoning about Time and Chance, Inf. and
Control, vol. 53, no. 3, pp. 165-198, 1982.
[LP851 Litchtenstein, O., and Pnueli, A., Checking That Finite State Concurrent
Programs Satisfy Their Linear Specifications, POPL85, pp. 97-107, Jan.
85.
[LPZ85] Lichtenstein, O, Pnueli, A. ,and Zuck, L. The Glory of the Past, Brooklyn
College Conference on Logics of Programs, Springer-Verlag LNCS, June
1985.
[Lo+94] Long, D., Browne, A., Clarke, E., Jha, S., Marrero, W., An Improved
Algorithm for the Evaluation of Fixpoint Expressions, Proc. of 6th Inter.
Conf. on Computer Aided Verification, Stanford, Springer LNCS no. 818,
June 1994.
[MPS2a] Manna, Z., and Pnueli, A., Verification of Concurrent Programs: The
Temporal Framework, in The Correctness Problem in Computer Science,
Boyer & Moore (eds.), Academic Press, pp. 215-273, 1982.
[MP8~] Manna, Z. and Pnueli, A., Verification of Concurrent Programs: Temporal
Proof Principles, in Proc. of Workshop on Logics of Programs, D. Kozen
(ed.), Springer LNCS ~131, pp. 200-252, 1981.
98
IMPS2] Manna, Z. and Pnueli, A , Verification of Concurrent Programs: A Tem-

poral Proof System, Proc. 4th School on Advanced Programming, Ams-
terdam, The Netherlands, June 82.
[MP83] Manna, Z. and Pnueli, A., How to Cook a Proof System for your Pet
Language, ACM Symp. on Princ. of Prog. Languages, pp. 141-154, 1983.
IMP84] Manna, Z. and Pnueli, A., Adequate Proof Principles for Invariance and
Liveness Properties of Concurrent Programs, Science of Computer Pro-
gramming, vol. 4, no. 3, pp. 257-290, 1984.
[MP87a] Manna, Z. and Pnueli, A. Specifcation and Verification of Concurrent
Programs by Y-automata, Proc. 14th ACM POPL, 1987
[MP87b] Manna, Z. and Pnueli, A. A Hierarchy of Temporal Properties, PODC7.
[MW78] Manna, Z., and Waldinger, R., Is "sometimes" sometimes better than "al-
ways"?: Intermittent assertions in proving program correctness, CACM,
vol. 21, no. 2, pp. 159-172, Feb. 78
[MW841 Manna, Z. and Wolper, P. L., Synthesis of Communicating Processes from
Temporal Logic Specifications, vol. 6, no. 1, pp. 68-93, Jan. 84.
IMP92] Manna, Z. and Pnueli, A., Temporal Logic of Reactive and Concurrent
Systems: Specification, Springer-Verlag, 1992
[McM921 McMillan, K., Symbolic Model Checking: An Approach to the State Ex-
plosion Problem, Ph. D. Thesis, Carnegie-Mellon University, 1992.
[McN661 McNaughton, R., Testing and Generating Infinite Sequences by a Finite
Automaton, Information and Control, Vol. 9, 1966.
IMP71] McNaughton, R. and Pappert, S. Counter-Free automata, MIT Press,
1971.
[MC80] Mead, C. and Conway, L., Introduction to VLSI Systems, Addison-
Wesley, Reading, Mass., 1980.
[Me74] Meyer, A. R., Weak Monadic Second Order Theory of One Successor is
Not Elementarily Recursive, Boston Logic Colloquium, Springer-Verlag
Lecture Notes in Math. no. 453, Berlin/New York, 1974.
[Mo84] Mostowski, A. W., Regular Expressions for Infinite Trees and a Standard
Form of Automata, Proc. 5th. Symp on Computation Theory, Zaborow,
Poland, pp. 157-168, Springer LNCS no. 208, 1984.
[Mu84] Muchnik, A. A., Games on Infinite Trees and Automata with Dead-ends:
a New Proof of the Decidability of the Monadic Theory of Two Successors,
Semiotics and Information, 24, pp. 17-40, 1984 (in Russian).
[Mo83] Moszkowski, B., Reasoning about Digital Circuits, PhD Thesis, Stanford
Univ, 1983.
[Mu63] Muller, D. E., Infinite Sequences and Finite Machines, 4th Ann. IEEE
Symp. of Switching Theory and Logical Design, pp. 3-16, 1963.
[NDOG86] Nguyen, V., Demers, A., Owicki, S., and Giles, D., A Model and Temporal
Proof System for Networks of Processes, Distr. Computing, vol. 1, no. 1,
pp 7-25, 1986
[Niw84] Niwinski, D., unpublished manuscript.
[NiwS8] Niwinski, D., Fixed Points versus Infinite Generation, Proc. 3rd IEEE
Symp. on Logic in Computer Science, pp. 402-409, 1988.
99
[OL82] Owicki, S. S., and Lamport, L., Proving Liveness Properties of Concurrent
Programs, ACM Trans. on Programming Languages and Syst., Vol. 4, No.
3, July 1982, pp. 455-495.
[PW84] Pinter, S., and Wolper, P. L., A Temporal Logic for Reasoning about
Partially Ordered Computations, Proc. 3rd ACM PODC, pp. 28-37, Van-
couver, Aug. 84
[Pi90] Pixley, C., A Computational Theory and Implementation of Sequen-
tial Hardware Equivalence, CAV'90 DIMACS series, vol.3 (also DIMACS
Tech. Report 90-3 1), eds. R. Kurshan and E. Clarke, June 1990.
[Pi921 Pixley, C., A Theory and Implementation of Sequential Hardware Equiv-
alence, IEEE Transactions on Computer-Aided Design, pp. 1469-1478,
vol. 11, no. 12, 1992.
[Pe81] Peterson, G. L., Myths about the Mutual Exclusion Problem, Inform.
Process. Letters, vol. 12, no. 3, pp. 115-116, 1981.
[Pn771 Pnueli, A., The Temporal Logic of Programs, 18th annual IEEE-CS Syrup.
on Foundations of Computer Science, pp. 46-57, 1977.
[Pn81] Pnueli, A., The Temporal Semantics of Concurrent Programs, Theor.
Comp. Sci., vol. 13, pp 45-60, 1981.
[Pn83] Pnueli, A., On The Extremely Fair Termination of Probabilistic Algo-
rithms, 15 Annual ACM Symp. on Theory of Computing, 1983, 278-290.
[Pn841 Pnueli, A., In Transition from Global to Modular Reasoning about Con-
current Programs, in Logics and Models of Concurrent Systems, ed. K.
R. Apt, Springer, 1984.
[Pn85] Pnueli, A., Linear and Branching Structures in the Semantics and Logics
of Reactive Systems, Proceedings of the 12th ICALP, pp. 15-32, 1985.
[Pn86] Pnueli, A., Applications of Temporal Logic to the Specification and Ver-
ification of Reactive Systems: A Survey of Current Trends, in Current
Trends in Concurrency: Overviews and Tutorials, ed. J. W. de Bakker,
W.P. de Roever, and G. Rozenberg, Springer LI~CS no. 224, 1986.
[PR89] A. Pnueli and R. Rosner, On the Synthesis of a Reactive Module, 16th
Annual ACM Syrup. on Principles of Programing Languages, pp. 179-190,
Jan. 1989.
[PR89b] A. Pnueli and R. Rosner, On the Synthesis of an Asynchronous Reactive
Module, Proc. 16th Int'l Colloq. on Automata, Languages, and Program-
ming, Stresa, Italy, July, 1989, pp. 652=671, Springer-Verlag LNCS no.
372.
[Pr81] Pratt, V., A Decidable Mu-Calculus, 22nd FOCS, pp. 421-427, 1981.
[Pr67] Prior, A., Past, Present, and Future, Oxford Press, 1967.
[RU71] Rescher, N., and Urquhart, A., Temporal Logic, Springer-Verlag, 1971.
[QS82] Queille, J. P., and Sifakis, J., Specification and verification of concurrent
programs in CESAR, Proc. 5th Int. Symp. Prog., Springer LNCS no. 137,
pp. 195-220, 1982.
[QS83] QueiUe, J. P., and Sifakis, J., Fairness and Related Properties in Transi-
tion Systems, Acta Informatica, vol. 19, pp. 195-220, 1983.
100
[Ra69] Rabin, M. O., "Decidability of Second Order Theories and Automata on

Infinite Trees", Trans. AMS, 141(1969), pp. 1-35.
[R~72] Rabin, M. O., Automata on Infinite Objects and Church's Problem, Conf.
Board. of Math. Sciences, Regional Series in Math. no. 13, Amer. Math.
Soc., Providence, Rhode Island, 1972.
[P,a71] Rackoff, C., The Emptiness and Complementation Problems for Au-
tomata on Infinite Trees, Master's Thesis, EECS Dept, MIT, 1971.
[RU71] Rescher, N. and Urquhart, A., Temporal Logic, Springer-Verlag, New
York, 1971.
[deR76] de Roever, W. P., Recursive Program Schemes: Semantics and Proof The-
ory, Math. Centre Tracts no. 70, Amsterdam, 1976.
[s~ssJ Safra, S., On the complexity of omega-automata, Proc. 29th IEEE FOCS,
pp. 319-327, 1988.
[Sa92] Safra, S., Exponential Determinization for w-Automata with Strong Fair-
ness Acceptance Condition, Proceedings of the 24th Annual ACM Sym-
posium on the Theory of Computing, pp. 275-282, Victoria, May 1992.
[si83] Sistla, A. P., Theoretical Issues in the Design of Distributed and Concur-
rent Systems, PhD Thesis, Harvard Univ., 1983.
[sc85] Sistla, A. P., and Clarke, E. M., The Complexity of Propositional Linear
Temporal Logic, J. ACM, Vol. 32, No. 3, pp.733-749.
[SCFM84] Sistla, A. P., Clarke, E. M., Francez, N., and Meyer, A. R., Can Message
Buffers be Axiomatized in Temporal Logic?, Information & Control, vol.
63., nos. 1/2, Oct./Nov. 84, pp. 88-112.
[Si85] Sistla, A. P., Characterization of Safety and Liveness Properties in Tem-
poral Logic, PODC85.
[SVW87] Sistla, A. P., Vardi, M. Y., and Wolper, P. L., The Complementation Prob-
lem for Buchi Automata with Applications to Temporal Logic, Theor.
Comp. Sci., v. 49, pp 217-237, 1987.
[SMS82] Schwartz, R., and Melliar-Smith, P. From State Machines to Temporal
Logic: Specification Methods for Protocol Standards, IEEE Trans. on
Communication, COM-30, 12, pp. 2486-2496, 1982.
[SMV83] Schwartz, R., Melliar-Smith, P. and Vogt, F. An Interval Logic for Higher-
Level Temporal Reasoning, Proc. 2nd ACM PODC, Montreal, pp. 173-
186, Aug. 83.
[St81] Streett, R., Propositional Dynamic Logic of Looping and Converse, PhD
Thesis, MIT, 1981; journal version appears in Information and Control
54., 121-141, 1982.
[SES4] Streett, R., and Emerson, E. A., The Propositional Mu-Calculus is El-
ementary, ICALP84, pp 465 -472, July 84; journal version appears as
An Automata Theoretic Decision Procedure for the Propositional Mu-
calculus, Information and Computation v. 81, no. 3, June 1989.
[SW89] Stirling, C., and Walker, D., Local Model Checking in the Mu-calculus,
pp. 369-383, Springer LNCS no. 351, 1989.
[st93] Stifling, C., Modal and Temporal Logics. in Handbook of Logic in Com-
puter Science, (D. Gabbay, ed.) Oxford, 1993
101
[Ta55] Tarksi, A., A Lattice-Theoretical Fixpoint Theorem and its Applications,

Pacific. J. Math., 55, pp. 285-309, 1955.
[Wh79] Thomas, W., Star-free regular sets of omega-sequences, Information and
Control, v. 42, pp. 148-156, 1979
[Wh91] Thomas, W., Automata on Infinite objects, in Handbook of Theoretical
Computer Science, vol. B, (J. van Leeuwen, ed.), Elsevier/North-Holland,
1991.
[Va85] Vardi, M., The Taming of Converse: Reasoning about Two-Way Compu-
tations, Proc. Workshop on Logics of Programs, Brooklyn, NY, LNCS
no. 193, Springer-Verlag, pp. 413-424, 1985.
[Va87] Vardi, M., Verification of Concurrent Programs: The Automata-theoretic
Framework, Proc. IEEE LICS, pp. 167-176, June 87
[Va88] Vardi, M. A Temporal Fixpoint Calculus, POPL, 1988.
[Va9?] Vardi, M, An Automata-theoretic Approach to Linear Temporal Tempo-
ral Logic, this volume.
[vs85] Vardi, M. and Stockmeyer, L., Improved Upper and Lower Bounds for
Modal Logics of Programs, Proc. 17th ACM Symp. on Theory of Com-
puting, pp. 240-251, 1985.
[vw83] Vardi, M. and Wolper, P., Yet Another Process Logic, in Proc. CMU
Workshop on Logics of Programs, Springer LNCS no. 164, pp. 501-512,
1983.
[vw84] Vardi, M. and Wolper, P., Automata Theoretic Techniques for Modal
Logics of Programs, STOC 84; journal version in JCSS, vol. 32, pp. 183-
221, 1986.
[vw86] Vardi, M., and Wolper, P. , An Automata-theoretic Approach to Auto-
matic Program Verification, Proc. IEEE LICS, pp. 332-344, 1986.
[Wo83] Wolper, P., Temporal Logic can be More Expressive, FOCS 81; journal
version in Information and Control, vol. 56, nos. 1-2, pp. 72-93, 1983.
[Wo82] Wolper, P., Synthesis of Communicating Processes from Temporal Logic
Specifications, Ph.D. Thesis, Stanford Univ., 1982.
[Wo85] Wolper, P., The Tableau Method for Temporal Logic: An Overview,
Logique et Analyse, v. 28, June-Sept. 85, pp. 119-136, 1985.
[Wo86] Wolper, P., Expressing Interesting Properties of Programs in Proposi-
tional Temporal Logic, ACM Symp. on Princ. of Prog. Lang., pp. 184-193,
1986.
[Wo87] Wolper, P., On the Relation of Programs and Computations to Models
of Temporal Logic, in Temporal Logic and Specification, Springer-Verlag
LNCS no. 398, April 1987.
Decidability Results in
A u t o m a t a and Process Theory
Yoram Hirshfeld Faron Moller
School of Mathematical Sciences Department of Teleinformatics

Tel Aviv University Kungl Tekniska HSgskolan
Ramat-Aviv 69978 S-164 40 Kista
ISRAEL SWEDEN
email: yoram@math.tau.ac.il email: fm@it.kth.se
Preface
The study of Process Algebra has received a great deal of attention since the
pioneering work in the 1970s of the likes of R. Milner and C.A.R. Hoare. This
attention has been merited as the formalism provides a natural framework for
describing and analysing systems: concurrent systems are described naturally
using constructs which have intuitive interpretations, such as notions of abstrac-
tions and sequential and parallel composition.
The goal of such a formalism is to provide techniques for verifying the cor-
rectness of a system. Typically this verification takes the form of demonstrat-
ing the equivalence of two systems expressed within the formalism, respectively
representing an abstract specification of the system in question and its imple-
mentation. However, any reasonable process algebra allows the description of
any computable function, and the equivalence problem--regardless of what rea-
sonable notion of equivalence you consider--is readily seen to be undecidable in
general. Much can be accomplished by restricting attention to (communicating)
finite-state systems where the equivalence problem is just as quickly seen to be
decidable. However, realistic applications, which typically involve infinite enti-
ties such as counters or timing aspects, can only be approximated by finite-state
systems. Much interest therefore lies in the problem of identifying classes of
infinite-state systems in which the equivalence problem is decidable.
Such questions are not new in the field of theoretical computer science. Since
the proof by Moore [50] in 1956 of the decidability of language equivalence for
finite-state automata, language theorists have been studying the decidability
problem over classes of automata which express languages which are more ex-
pressive than the class of regular languages generated by finite-state automata.
Bar-Hillel, Perles and Shamir [3] were the first to demonstrate in 1961 that the
class of languages defined by context-free grammars was too wide to permit a
103
decidable theory for language equivalence. The search for a more precise divid-
ing line is still active, with the most outstanding open problem concerning the
decidability of language equivalence between deterministic push-down automata.
W h e n exploring the decidability of the equivalence checking problem, the
first point to settle is the notion of equivalence which you wish to consider.
In these notes we shall be particularly interested not in language equivalence
but in bisimulation equivalence as defined by Park and used to great effect by
Milner. Apart from being the fundamental notion of equivalence for several
process algebraic formalisms, this behavioural equivalence has several pleasing
mathematical properties, not least of which being that--as we shall discover--it
is decidable over process classes for which all other common equivalences remain
undecidable, in particular over the class of processes defined by context-free
grammars. Furthermore in a particularly interesting class of processes--namely
the normed deterministic processes--all of the standard equivalences coincide,
so it is sensible to concentrate on the most mathematically tractable equivalence
when analysing properties of another equivalence. In particular, by studying
bisimulation equivalence we shall rediscover old theorems about the decidability
of language equivalence, as well as provide more efficient algorithms for these
decidability results than have previously been presented. We expect that the
techniques which can be exploited in the study of bisimulation equivalence will
prove to be useful in tackling other language theoretic problems, notably the
problem of deterministic push-down automata.
A c k n o w l e d g e m e n t s These notes were first produced for a series of lectures at

the VIII Banff Higher Order Workshop "Theories of Concurrency: Structure vs
Automata". We would like to thank the organiser of the workshop series Graham
Birtwistle for allowing us the opportunity and the motivation for producing the
notes, as well as a forum in which to present the material. We would also like
to thank all of our colleagues with whom we have worked on or discussed the
results presented in these notes, which themselves contain little of novelty except
in their presentation. Notably we would like to acknowledge Didier Caucal, S0ren
Christensen, Hans Hiittel, Petr Jan6ar, Mark Jerrum, Robin Milner and Colin
Stirling.
1 Grammars and Processes

In these notes we consider infinite-state processes defined by context-free gram-
mars. The purpose of such a study is to provide results in both process theory,
where one is interested in the behaviour of systems, as well as classical automata
theory, where one is interested in the languages defined by automata. In each
case we are interested in deciding properties, notably equivalences between pro-
104
cesses or automata. It is a classical result that the equivalence problem for

context-free grammars is undecidable. However we shall demonstrate that the
analogous problem--as we define i t - - i n the process theoretic framework is in
fact decidable. This does not just feed positively into process theory; by tak-
ing such a non-standard process-theoretic approach to the classical theory we
open up new techniques for tackling classical problems. For example, we shall
demonstrate that our techniques for process theory naturally apply to problems
in automata theory regarding deterministic automata.
1.1 Context-Free Grammars
A context-free grammar (CFG) is a 4,tuple G = (V, T, P, S), where

9 V is a finite set of variables;
9 T is a finite set of terminals which is disjoint from V;
9 P C_ V • (V U T)* is a finite set of production rules, written X --~ c~ for

(X, c~) E P . We shall assume that some rule X --~ a exists in P for each
variable X E V; and
9 S E V is the start symbol.
The production rules are extended to be defined over the domain (V OT)* by
allowing 7Xfl --* 7c~)3 for each 7, fl E (V U T)* whenever X --* a is a production
rule of the grammar. A word w E T* (that is, a string of terminals) is generated
by a string a E (V U T)* iff a --** w. The (context-free) language defined by the
grammar, denoted L(G), is the set of words which can be generated from the
start symbol S. More generally, the language L ( a ) generated by a string a is
the set of words which it can generate, and hence L(G) = L(S).
The norm of a string of symbols (~ E (V U T)*, written norm(a), is the
length of a shortest word which can be generated from a via productions in P.
In particular, the norm of the empty string e is 0; the norm of a terminal symbol
a E T is 1; and the norm is additive, that is, norm(a/~) = norm(a) + norm(fl).
A grammar is normed iff all of its variable have finite norm. Notice that the
language defined by a grammar is nonempty exactly when its start symbol has
finite norm.
A grammar is guarded iff each of its production rules is of the form X --+ ac~
where a E T. If moreover each c~ E V* then the grammar is in Greibach normal
form (GNF). If furthermore each such c~ is of length at most k, then it is in k-
Greibach normal form (k-GNF). A 1-GNF grammar is called a regular grammar
as such grammars generate precisely the regular languages which do not contain
the empty string e. Finally, if within a guarded grammar we have that a = fl
whenever X --~ ac~ and X --+ aj3 are both production rules of the grammar for
105
some X E V and some a E T, then the g r a m m a r is deterministic, and simple if

the g r a m m a r is in Greibach n o r m a l form.
/ \
Example 1 Consider the grammar G = ( { X , Y } , { a , b } , P , X ) where P con-
% /
sists of the rules
X ~ aY Y --* aYb Y --~ b
This guarded grammar generates the (context-free) language { akb k : k > 0 }.

The norm of Y is 1 and the norm of X is 2, as Y generates the word b and X
generates the word ab. Hence the grammar is normed. A grammar in Greibach
normal f o r m which generates the same language is given by the rules
X --* a Y Y --+ a Y Z Y --* b Z --* b
Notice t h a t an u n n o r m e d variable cannot generate any finite words. T h u s any

u n n o r m e d variables m a y be removed f r o m a g r a m m a r , along with any rules
involving them, w i t h o u t affecting the language generated by the g r a m m a r .
1.2 Processes
We shall define a process as an extension of the usual n o t i o n of a nondeterministic

finite-state a u t o m a t a where we m a y now allow an infinite set of states and where
we generally do not consider final states. We m a y consider a state to be final if
there are no transitions evolving f r o m it. However, the intention of a process is
to allow an analysis of its r u n t i m e behaviour rather t h a n simply the sequences
of transitions which lead to a final state.
A process is thus a labelled transition system (LTS), a 4-tuple P = (S, A,
, c~0) where
9 S is a set of states;
9 A is some set of actions which is disjoint f r o m S;
9 ~ C_ S • A x S is a transition relation, written c~ a ~ j3 for (c~, a, fl) E

~. We shall extend this definition by reflexivity and transitivity to allow
c~ s ~ fl for s E A * ; and
9 c~0 E S is the initial state.
T h e norm of a process state a E S, written n o r m ( a ) , is the length of the

shortest transition sequence f r o m t h a t state to a t e r m i n a l state, t h a t is, a state
f r o m which no transitions evolve. A process is normed iff all of its states have
finite norm.
106
A process is image-finite if for each c~ E S and each a E A the set {;3 " c~ a
f~ } is finite. We also refer to states of a process as being image-finite if the
r
process itself is image-finite. Finally, if we have t h a t / 3 = 3' whenever ~ ) ;3
a
and c~ ) "y are b o t h transitions of the process for some ~ E S and some a E A,
then the process is deterministic. We also refer to states of a process as being
deterministic if the process itself is deterministic.
We m a y abstract away from the behaviour of a process P and define the
language L(c~) which is defined by a state ~ of the process as the set of strings
s E A* such that c~ -s ) I~ where/3 is a terminated state, that is, where there
are no transitions evolving from ;3. The language generated by the process P is
then given as L(P) = L(c~o).
1.3 Context-Free Processes
In the theory of formal languages one generally associates a context-free g r a m m a r

with a push-down a u t o m a t a , a finite-state a u t o m a t a with a single push-down
stack. Such devices are known to characterise the expressive power of context-
free grammars; that is, they generate exactly the class of context-free languages.
In these notes, we take a different automata-theoretic view of g r a m m a r s by
embedding the stack into the states, so as to make the infinite-states explicit.
The loss of the stack and burden of an infinite-state control is more than balanced
by the gain in having a uniform treatment of state. T h e reader m a y equally
interpret our a u t o m a t a as stateless (that is, single-state) push-down a u t o m a t a
where the contents of the missing push-down stack are now represented within
the state. This interpretation can be gleaned from Example 2. However, we do
not pursue this aspect in these notes.
To a given CFG G = (V, T, P, S) we associate the process 8 ( G ) = ( ( Y U
%
T)*, T, ), S ) where , is defined to be the least relation satisfying ac~ ~ ~~

a
and X~' a ) ~ , whenever X ~ ~ is a rule of the g r a m m a r and o~ , ;3. Such a
process will be termed a conte~t-free process.
The intuition behind context-free processes is t h a t terminals and variables
represent basic processes capable of exhibiting behaviour (performing transi-
tions), while the composition of variables and terminals represents a sequen-
tial composition of the component processes. As such the leftmost symbol in
the composition provides the transitions of the process. In terms of g r a m m a r
derivations, this in effect corresponds to a leftmost derivation.
E x a m p l e 2 The grammar of Example 1 which generates the language { akb k "

k > 0 } defines the following process.
107
,f
( ~ a D a 9 a a 9 9 9
, , , , ...
Behaviourally, this process represents a simple form of counter: it performs pre-

cisely as many b transitions as a transitions.
From this example it is clear to see that the definition of n o r m in the process
sense is consistent with the definition of n o r m in the g r a m m a r sense. In par-
ticular, a normed g r a m m a r will give rise to a normed process. Furthermore the
language defined by the process associated with a g r a m m a r is the same as the
language defined by the g r a m m a r itself.
Notice that in the case of a CFG in Greibach normal form the state set of the
associated context-free process need only be V* as any sequence of transitions
from any element of V* (in particular from the start state S) must lead to a
state given by another element of V*. For the same reason the state set of
the process associated with a regular g r a m m a r need only be the finite set V,
which coincides with an expectation that the regular processes (those given by
g r a m m a r s generating regular languages) are finite-state processes.
1.4 Concurrent Context-Free Processes
To a given C F G G = ( V , T , P , S ) we associate the process C(G) = /(Y U

T)*, T, ), S) where ~ is defined to be the least relation satisfying c~ag a )
~/3 and c~X/3 a ~ ~Tfl whenever either X ~ a 7 is a rule of the g r a m m a r or

X --* b is a rule of the g r a m m a r with b E V ( V U T ) * and b a ~ 7. Such a process
will be termed a concurrent context-free process.
The intuition behind concurrent context-free processes is that the composi-
tion of variables and terminals represents a parallel composition of the compo-
nent processes, and as such any symbol in the composition can contribute the
next transition rather than simply the leftmost symbol. In terms of g r a m m a r
derivations, this in effect corresponds to an arbitrary derivation rather t h a n the
leftmost derivation scheme adopted in context-free processes. T h e exception to
this rule is the basic transition steps defined by the guarded production rules.
Notice that a corollary of the concurrent nature of such processes is that the
composition of symbols representing the states is commutative, so t h a t for ex-
108
ample the concurrent context-free process generated by X Y is the same as that

generated by Y X , where X and Y are variables of a CFG.
E x a m p l e 3 Consider the guarded grammar consisting of the production rules
X --* a X b X --~ c X d
This grammar defines the following concurrent context-free process (modulo com-
mutativity of symbols).
a___r
--U--
d ---U-
a
a i
-'--b----
This process represents a form of two.counter, or more properly a multiset or

bag: two types of tokens can be inserted into and removed from the bag, the
first being inserted with an a transition and removed with a b transition, and the
second being inserted with a c transition and removed with a d transition. Hence
at any moment during the execution of this process there will have been at least
as many a transitions as b transitions and at least as many c transitions as d
transitions.
Again it is clear that the n6rm of a concurrent context-free process is consistent

with the norm of the corresponding grammar. In particular, the grammar and
process in the above example are unnormed as the start symbol X is unnormed.
As noted above a corollary of this is that the language generated by the grammar
(equivalently the process) is empty. Note though that this process still exhibits
an interesting behaviour; abstracting away from a process all but the language
which it generates is generally too coarse an interpretation for the study of
processes.
One final point to note is that the class of languages generated by concur-
rent context-free processes is incomparable to the class of context-free languages
109
generated by context-free processes. One direction of this claim is almost imme-

diate from Example 3: although this process generates the empty language, it
can be easily modified by adding the production rules X --* ab and X -* cd to
the defining grammar to generate the language of all strings over the alphabet
{a, b, c, d} in which the number of as is the same as the number ofbs, the number
of cs is the same as the number of ds, and any prefix contains no more bs than as
and no more ds than cs. This language is quickly seen not to be a context-free
.language. For the reverse implication, Christensen [12] demonstrates that the
context-free language { anb n : n > 0 } generated by the context-free process of
Example 2 cannot be given by any concurrent context-free process. However, the
class of languages generated by concurrent context-free processes is contained
within the class of context-sensitive languages, as they are easily seen to be given
by grammars which include context-sensitive rules of the form X Y --~ Y X for
commuting variables.
1.5 The Process Algebras BPA and BPP
We have defined context-free and concurrent context-free processes as particular

semantic interpretations of context-free grammars. However their history is more
truthfully given in the process algebra framework. In particular there are two
well-studied process algebras which give rise to these two classes. We briefly
outline here the process algebraic framework by describing these two process
algebras.
B P A : Basic P r o c e s s A l g e b r a
A process algebra is defined by some term algebra along with a particular tran-
sitional semantic interpretation assigned to the constructs of the algebra. A
process is then given by a finite set of process equations
Xi = Ei " l<i<n
where each E~ is an expression over the particular term algebra with free variables
taken from the collection of Xis. In the case of the Basic Process Algebra (BPA)
of Bergstra and Klop [4] the form of the expressions Ei is given by the following
syntax equation.
E ::= a I Xi I E+F I EF
where a is taken from some finite set of atomic actions A. Informally, each a E A
represents an atomic process, Xi represents the process expression Ei, E 4- F
represents a choice of behaving as process E or process F, and E F represents the
sequential composition of processes E and F. Formally the semantic interpreta-
tion of these constructs is given by the least relation ) C_ P • A • ( P U {e})
satisfying the following rules.
110
a a )g Ei a ' G E a~G F a>G E "'G

Xi a ' G E+F a,G E+F a+G EF a~GF
(Note that we absorb the symbol e into terms, so as to read ~E as E.)
It is not difficult to recognise the correspondence between context-free pro-
cesses and BPA processes. Roughly speaking, the variables and terminals of a
CFG correspond to the variables and actions of a BPA process, with sequencing
of symbols being naturally carried across both formalisms and a choice of pro-
duction rules in a grammar corresponding to the choice operator in the algebra.'
Thus for example, the context-free process of Example 2 can be given as the
BPA process
def
{ Z -~. a Y ,
def
Y = aYb + b }.
More formally, given a CFG G = (V, T, P, S) we can define the equivalent
BPA process
BPA(G) = X = ~{E " X--*E6P} " X6V
For the reverse direction a bit of care is needed to handle summation. Given a
BPA process
P= { Xi =,= ~_,{E~j " l<_j<_n~} " l<i<n }

we first assume that the terms Eli do not involve the summation operator; this is
acceptable as such subterms can be replaced by newly-introduced variables with
their obvious defining equations. Then we can define the equivalent CFG G(P)
with variables Xi and production rules Xi ---' Eij. We leave it to the reader to
verify that these transformations are valid, in the sense that for every CFG G,
S ( a ) and BPA(G) describe the same (that is, isomorphic) process, and that for
every BPA process P, P and S(G(P)) describe the same processes.
We could restrict the syntax by allowing not general sequencing E F but
rather simply action prefixing aE as is done by Milner [48]. We would be left
with the following syntax equation for terms.
E ::= a I X~ I E+F I aE
The effect of this modification would be to restrict ourselves to an algebra cor-
responding to regular grammars and hence generating the class of finite-state
processes.
BPP: Basic Parallel Processes
Basic Parallel Processes (BPP) are defined by a process algebra given by includ-
ing a parallel combinator [[ within the algebra of regular processes. Hence the
term algebra is given by the following syntax equation.
111
E ::=a I l aE I EfIF
The semantic interpretation of the new construct is given by the following rules.
E ~G F a,G
E[IF ~,G[]F E[IF ~,E[IG
(Note that we also absorb the symbol e into parallel terms, so as to read E [I e
and e II S as E.)
Again it is straightforward to recognise the correspondence between concur-
rent context-free processes and B P P processes. For example, the context-free
process of Example 3 can be given as the B P P process
{X de=f a(X I[ b) + c(X II d)}.
As above we can define a B P P process B P P ( G ) for any grammar G and a

CFG G(P) for any B P P process P such that for every CFG G, C(G) and B P P ( G )
decribe the same processes, and for every B P P process P , P and C(G(P)) dscribe
the same processes. We leave the definitions, as well as the proofs of these
correspondences, to the reader.
There is yet another natural interpretation of concurrent context-free pro-
cesses which comes from the study of Petri nets. A (labelled place/transition)
Petri net is simply a (finite) directed bipartite graph with the two partitions of
nodes referred to as places and transitions respectively. A marking of a net is an
assignment of some natural number to each of the places. A transition is enabled
in a particular marking of a net if the value of the marking of each place is at
least as large as the number of arcs leading from that place to the transition in
question. A firing of an enabled transition entails first deducting from the value
of the marking of each place an amount equal to the number of arcs leading from
that place to the enabled transition in question, and then adding to the value of
the marking of each place an amount equal to the number of arcs leading to that
marking from the transition. We can then define Petri net processes by taking
the set of markings of a particular net as the set of states of a process, and the
firings of the enabled transitions as the transitions of the process. If we restrict
attention to nets whose transitions all have a single incoming transition, then we
define precisely the class of guarded concurrent context-free processes. We leave
the proof of this correspondence for the reader to consider, but demonstrate it
with the following example.
E x a m p l e 4 Consider the context-free grammar consisting of the production

rules
X --~ aY Y --* b X X
112
Clearly neither of the variables X or Y is normed; hence interpreted as a context-

free process, this degenerates to the finite-state process consisting of a never-
ending cycle of "ab" transitions. However, viewed as a concurrent context-free
process, we have a much more interesting behaviour. It corresponds to the fol-
lowing B P P process and Petri net.
a
{Xy de__fdefa Y ,
b(x IfX)
b
This grammar defines the following concurrent context-free process.
ooo
Typically the expressions Ei allowed in process definitions within a given

process algebra are restricted to being guarded, in the sense that every occur-
rence of a variable Xi appears within a subexpression of the form aEi This
corresponds in the grammar framework to a restriction to guarded grammars.
We shall demonstrate the importance of this restriction later when we discuss
transformations from arbitrary grammars into equivalent Greibach normal form
grammars.
2 Bisimulation Equivalence
We can straightforwardly define language equivalence between CFGs by saying
that two grammars G1 and G2 are language equivalent, denoted G1 "~L G2,
if L(G1) = L(G2). This definition applies equally well to processes. However
in these notes we shall be concentrating on a much stricter notion of process
113
equivalence, namely bisimulation equivalence. In this section we shall define this

notion and present the properties which it possesses which motivate our choice of
emphasis. We shall furthermore demonstrate analogies to the Greibach normal
form theorem for grammars demonstrating that CFGs and context-free processes
and concurrent context-free processes may be represented (upto isomorphism,
and hence bisimulation equivalence) by grammars in Greibach normal form.
Definition 5 Let (S, A, ---~, so) be a process. A relation T~ C S • S is a bisim-

ulation iff whenever ((~, fl) E Tt we have that
* ifc~ a o~' thenfl a fl, f o r s o m e f l , with(o~',fl')ETr and
* iffl a , f l ' thenc~ a a ' f o r s o m e o ~ ' w i t h ( a ' , f l ' ) E T r
c~ and fl are bisimulation equivalent or bisimilar, written a ~ fl, iff (~, fl) E Tr
for some bisimulation Tr
This definition can easily be extended to compare states of different processes

by simply considering the disjoint union of the two processes.
L e m m a 6 ~ = U{T~ " 7~ is a bisimulation relation} is the maximum bisim.

ulation relation.
P r o o f An arbitrary union of bisimulation relations is itself a bisimulation rela-

tion. []
We can extend the notion of bisimilarity to a relation over grammars and

strings of symbols in a grammar by considering the processes associated with
the grammars. Note however that we can in fact do this in two ways, by consid-
ering either context-free processes or concurrent context-free processes. Unless
explicitly stated otherwise, we shall mean the (sequential) context-free process
interpretation when considering the process generated by a grammar.
We shall see that bisimulation equivalence is strictly finer than language
equivalence. However this distinction vanishes if we restrict our attention to
normed deterministic processes. This fact, along with various other elegant
properties enjoyed by bisimulation equivalence, motivates us to concentrate on
this stronger equivalence in these notes. In this way not only will we explore
solutions to problems in process theory, but we shall also tackle long-standing
problems in formal language theory regarding deterministic language classes.
E x a m p l e 7 Consider the following two context-free processes.

114
X ~ ab X ~ ac Y ---~ a Z Z -* b Z --+ c
Q
a a
b c
.The g r a m m a r s defining these two processes are certainly language equivalent.

H o w e v e r , they are not b i s i m u l a t i o n equivalent, as the processes which they define
are not bisimilar.
Lemma 8 ,-~ is an equivalence relation.
P r o o f Reflexivity is established by demonstrating { (c~, c~) : (~ E S } to be

a bisimulation; s y m m e t r y is established by demonstrating 7~ -1 to be a bisimu-
lation whenever 7~ is; transitivity is established by demonstrating 7~S to be a
bisimulation whenever ~ and S are. These are all straightforward. []
Lemma 9 I f c~ ~ fl and a - - ~ a ' f o r s E A* then ~ --2-* fl' such that o/ ..~ fl'.
P r o o f Given a bisimulation ~ relating a and fl, it is a simple induction on the

length of s E A* to demonstrate t h a t if a ' , a ' then fl 8 , / y with (a', fl') E 7~.
[]
C o r o l l a r y 10 I f c~ ,~ fl then o~ "~L ft.
P r o o f If a ~ fl then s E L ( a ) iff a ' ~ a ' where a ' is a t e r m i n a t e d state, which

by the previous l e m m a holds iff fl " ~ fl' where fl' is a t e r m i n a t e d state, which
finally holds iff s E L ( f l ) . []
C o r o l l a r y 11 I f a ~ fl then n o r m ( a ) = norm(fi)
115
P r o o f Immediate from the previous corollary. []
L e m m a 12 For normed deterministic c~ and fl, if o~ '~L fl then ot .~ ~.
P r o o f It suffices to demonstrate that the relation ~ (a, fl) " a "~L ~ and ce~
%
normed deterministic } is a bisimulation relation. []
We shall occasionally exploit the following alternative stratified definition of

bisimulation due to Milner.
D e f i n i t i o n 13 Let (S,A, ),So) be a process. We inductively define the fol-

lowing sequence of binary relations over S: o~ N o ~ f o r every o~, fl E S, and f o r
k > 0, c~ "~k+l fl iff we have that
9 ifo~od then~ a,fllforsomefll witha'..~k/31; and
9 iffl a,fl'then~ a , a' f o r some cd with a' "~k fl'.
L e m m a 14 I f c~ ~. fl then a "~k fl f o r all k > O. Conversely, f o r image-finite

o~, if ~ ~ k fl f o r all k > 0 then c~ ,~ #.
P r o o f The first implication requires a simple induction on k, whereas the second

implication requires that we demonstrate that the relation { (a, fl) : a " k fl
for all k > 0 and a image-finite } is a bisimulation. Each of these obligations is
straightforward. []
E x a m p l e 15 Consider the following image-infinite context-free process.
X---~ X a Y ---~Y a Y---m Z

X---*a Y---~a Z---~aZ
a-...L\- I / a ...
116
The states X and Y are clearly not bisimilar, as the state Z cannot be bisimilar
to a k f o r any k >_ O. H o w e v e r X "~k Y f o r each k >_ 0 as Z ~ k a k.
We shall generally be restricting our attention to guarded grammars, which

we can easily verify generate image-finit e processes. This will allow us a useful
technique for demonstrating bisimilarity, namely inductively showing that each
"~k relation holds. Furthermore, as shall be seen in Subsection 2.2, any guarded
grammar can be transformed into a bisimilar one which is in Greibach normal
form (with respect to either interpretation of composition), and hence we shall
eventually consider only Greibach normal form context-free processes, ie, those
processes given by a grammar in Greibach normal form.
2.1 Composition and Decomposition

An important property of bisimulation equivalence which we shall exploit is
the following congruency result, which is valid under either interpretation of
composition.
L e m m a 16 Given a C F G G = (V, T, P, S) and ~, ~', fl, fl' e ( V U T)*, if ~ ..~ fi

and (~ ,,~ /~' then ~ 1 ,~ flfll, regardless of whether we interpret this g r a m m a r as
a context-firee process or a concurrent context-free process.
P r o o f In either case, we can demonstrate that the relation ~ ( ~ , flfl~) "

%
fl and ~ ,-* fl~ } is a bisimulation, from which the result follows. O
Complementing our congruency property we have an obvious potential tech-

nique for the analysis of a process built up as a composition, namely decomposing
the process into simpler components. In general this notion is not suitably pro-
vided for, but for the class of normed processes we get a unique factorisation
result regardless of whether we interpret composition as sequential or parallel
composition. We say that an elementary process X E V is p r i m e (with respect
to bisimilarity ,,~ as well as the particular interpretation of composition which we
are considering) i f f X ~ (~/? entails c~ = e or fl = e. We shall demonstrate our two
results here separately, namely that normed Greibach normal form context-free
processes and normed concurrent Greibach normal form context-free processes
can be decomposed in a unique fashion into such prime components. For the
sequential case, we start with the following cancellation lemma.
L e m m a 17 I f a, ~ and 7 are Greibach normal f o r m context-free processes and

i f 7 is normed then ~'/ ..~ f17 implies c~ .~ ft.
P r o o f We can demonstrate that the relation

117
t" "1
(a, fl) " there exists 7 such that norm(7 ) < c~ and a 7 "~ f17
is a bisimulation, from which the result follows. []
The assumption in this lemma that 7 is normed cannot be dropped, as can be

readily seen by considering the following counterexample. Consider the processes
X and Y whose only transitions are X a ~ r and Y a ~ Y; then X Y ,,~ Y, but
clearly X 7~
T h e o r e m 18 Normed Greibach normal form context-free processes admit unique

(up to bisimilarity) prime decompositions.
P r o o f Existence may be established by induction on the norm.

For uniqueness, suppose that a = X 1 . . . X p ,~ Y1...Yq = fl are prime de-
compositions of bisimilar processes a and fl, and that we have established the
uniqueness of prime decompositions for all a ' E V* with n o r m ( a ' ) < norm(a).
If p = 1 or q = 1 then uniqueness is immediate. Otherwise suppose that
X1 a ~ 7 is a norm-reducing transition that is matched by ]I1 a, 8, so that
7X2 ... Xp ,~ ~Y2... Yq. By the inductive hypothesis, the prime decompositions
of these two processes are equal (up to ,,,), entailing Xp ,,, Yq. Hence, by Lem-
mas 16 and 17, X 1 . . . X p - 1 ~ Y1...Yq-1, and uniqueness then follows from a
second application of the inductive hypothesis. []
Notice that this theorem fails for unnormed processes. The reason for failure
is immediately apparent from the observation that a ,-~ aft for any unnormed a
and, any ft.
T h e o r e m 19 Normed concurrent Greibach normal form context-free processes

admit unique (up to bisimilarity) prime decompositions.
P r o o f Again, existence may be established by induction on the norm.

For uniqueness, suppose that a = P1klP~2---Pmk'~ ,~ p ~ l p ~ 2 . . . p ~ = .6
represents a counterexample of smallest norm; that is, all 7 with norm(7 ) <
norm(a) ( = norm(fl)) have unique prime decompositions, the Pis are primes,
but i exists such that ki # li. We may assume that the Pis are ordered by
nondecreasing norms, and then we may choose this i so that kj = lj whenever
j > i. We shall furthermore assume without loss of generality that ks > Ii. We
distinguish three cases, and in each case show that process a may perform a
norm-reducing transition a a, al that cannot be matched by any transition
fl a ~ fl, with a ' ~ fl' (or vice versa with the roles of a and /? reversed),
which will supply our desired contradiction'. Observe that by minimality of the
counterexample if a ' and fl' are to be bisimilar then their prime decompositions
must be identical.
118
C a s e I . If kj > 0 for some j < i, then we may let c~ perform some norm-
reducing transition via process Pj. Process fl cannot match this transition,
as it cannot increase the exponent Ii without decreasing the exponent of
some prime with norm greater than that of Pi.
C a s e II. If kj > 0 for some j > i,' then we may let a perform a norm-reducing
transition via process Pj that maximises (after reduction into primes) the
increase in the exponent ki. Again the process fl is unable to match this
transition.
C a s e I I I . If the process a = p/k~ is a prime power, then note that lj 0 for

all j > i by choice of i, and that ki > 2 by the definition of "prime." If
li > 0, then we may let j3 perform a norm-reducing transition via Pi; this
transition cannot be matched by c~, since it would require the exponent
ki to decrease by at least two. If li = 0 on the other hand, then we may
let c~ perform a norm-reducing transition via Pi; this transition cannot be
matched by fl, since fl is unable to increase the exponent li.
These cases are inclusive, so the theorem is proved. D
C o r o l l a r y 20 I f c~, fl and 7 are normed concurrent Greibach normal form

context-free processes then ~7 ~ f17 implies o~ .~ ft.
P r o o f Immediate. O
Notice that for concurrent Greibach normal form context-free processes,

unique decomposition and cancellation again each fail, for similar reasons to
the sequential case.
2.2 Equivalence-Preserving Transformations
In this section we demonstrate how to transform an arbitrary guarded CFG

into a bisimilar (and hence also language equivalent) CFG in Greibach normal
form. This transformation will be valid for interpreting grammars either as
context-free processes or concurrent context-free processes. Furthermore these
transformations only involve a linear increase in the size of the grammar (that is,
the number of symbols appearing in the production rules of the grammar), more
precisely, an increase of only twice the size of the terminal alphabet. Combining
this with the usual technique (from [33]) for transforming an arbitrary CFG not
generating the empty word ~ into guarded form gives an alternative proof of the
usual Greibach normal form theorem.
Let G = (V, T, P, S) then be an arbitrary guarded CFG. We can define a new
grammar G = (V,T, JB, S) as follows. Firstly we let V = {Ya " ~r E V U T }
119
and S = Ys. The production rules of P are defined by Ya "* a for each a E T,
and Yx --* aEa for each X E V and each rule X --~ a a in P , where Ee = r and
Eaa = YaEa for ~r E V U T.
L e m m a 21 G ... G. That is, S(G) ,.~ S(G).
Proof Let T~ = ~ (a, Ea) " a E (V U T)* ~. We shall demonstrate t h a t

%
is a bisimulation relation, from which we shall conclude t h a t S .-. E s = S. To

do this it suffices to demonstrate t h a t a " > /3 if and only if E~ ~, EZ for all
a E (V U T)* . .Certainly this is true for a = ~. It is equally true for a = a/3 with
a E T as each of a/3 and E,# = YaE# has only one transition, namely aft ~,/3
and E~a a ~ EZ respectively. Finally it is true for a = X/3 with X E V as
Xfl ~ ' 7 if and only if X ~ a6 is a rule of P and 7 = 6/3, which is true if and
only if Y x ~ aE~ is a rule o f / ~ (and still 7 = 6/3), which in turn is true if and
only if E x ~ = Y x E # ~, E6E~ = E~. []
L e m m a 22 C(G) ,~ C(G).
f
P r o o f As for the previous case we can demonstrate t h a t T~ = ~ (a, Ea) " E
(V U T)* } is a bisimulation relation by demonstrating t h a t a a ~/3 if and only
ifEa a, E~ for a l l a E ( V U T ) * . Suppose then t h a t a a~ /3. This can
occur in one of two ways: either c~ = 7a6 a n d / 3 = 76, in which case we have
~a = ~'rYa~t a , E.rE t = E#; or else a = 7X6 and 13 = 7y6 where X ~ ay is
a rule of P , in which case we have E~ = ETYxE~ a ~ ETEnE6 = E#. Similarly
we can show t h a t i f E ~ a , E ~ t h e n a a~/3. []
Extending these transformations to the process algebras BPA and B P P using

the transformations given in Subsection 1.5 provides us with an efficient trans-
formation into standard form processes analogous to Greibach normal form.
However this w o r k s only for guarded processes. For example, the unguarded
g r a m m a r given in Example 15 clearly cannot be transformed into a bisimilar
g r a m m a r in Greibach normal form. This stands in contrast to the classical re-
sult stating t h a t any g r a m m a r can be transformed into a language equivalent
Greibach normal form grammar; this transformation can in fact be carried out
so that the size of the resulting g r a m m a r is at most the square of the size of the
original g r a m m a r .
We can weaken the definition of guarded, saying t h a t a g r a m m a r is weakly
guarded if we cannot rewrite any variable X using a positive number of rewrites
into a string Xc~ for some a. Equivalently if we define an ordering between
variables by X > Y whenever X --* Y a for some a, then the g r a m m a r is
weakly guarded if this ordering is well-founded. The above transformations are
120
then valid, though the resulting grammars may be exponentially larger than the
original grammars. We leave it to the reader to verify these facts, in particular
by considering the transformation of the weakly guarded grammar given by
X1 ~ a, X1 ~ b, and for each 0 < k < n, Xk+l ~ X k a and Xk+l "* Xkb.
A (bisimulation) equivalent grammar in Greibach normal form is necessarily
exponentially larger than this original grammar.
3 Decidability Results
If we consider the class of regular (finite-state) processes, theh bisimulation
equivalence is readily seen to be decidable: To check if ~ ,~/~ we simply need
to enumerate all binary relations over the finite-state space of ~ and/~ which
include the pair ((~,/~) and check if any of these is by definition a bisimulation
relation. Language equivalence is similarly known to be decidable for finite-state
automata. This can be seen by noting that regular grammars can be transformed
easily into normed deterministic grammars; the decidability of language equiv-
alence then follows from the decidability of bisimilarity along with Corollary 10
and Lemma 12.
As soon as we move to a class of infinite-state processes, the decision problem
for bisimulation equivalence becomes nontrivial. For image-finite processes, the
nonequivalence problem is quickly seen to be semi-decidable--given the com-
putability of the transition relation--using L e m m a 14, noting that the relations
~k are all trivially computable. However there would appear to be potentially
infinitely many pairs of states to check individually in order to verify the bisim-
ilarity of a pair of states. We may also be led to believe that the equivalence
problem for bisimulation checking is undecidable given the classic result con-
cerning the undecidability of language equivalence.
However it turns out that bisimulation equivalence is in fact decidable for
both context-free processes and concurrent context-free processes. In this section
we shall concentrate on presenting these two results. The result concerning
context-free processes is due to Christensen, Hiittel and Stirling [18], while that
concerning concurrent context-free processes is due to Christen'sen, Hirshfeld
and Moller [15]. One immediate corollary of the former result is the result of
Korenjak and Hoperoft [44] that language equivalence is decidable for simple
grammars.
We shall henceforth simplify our study, using the results of the previous
section, by assuming that our grammars are in Greibach normal form. Let us
then fix some Greibach normal form grammar G = (V, T, P, S). Our problem is
to decide a -,~ fl for ~, fl E V*, first in the case where we interpret the grammar
as a context-free process, and then in the case where we interpret the grammar
as a concurrent context-free process. Notice that such processes are image-finite,
121
so we may use the fact that bisimilarity is characterised by the intersection of

our stratified bisimulation relations. Also, as nonequivMence is semi-decidable,
we only need demonstrate semi-decidability of the equivalence problem.
Based on the congruency result of L e m m a 16 for context-free processes, we define

the following notion. Let T~ be some binary relation over V*. We define ~ to
be the least congruence with respect to composition which contains 7~. T h a t
is, - is the least equivalence relation which contains 7~ and contains the pair
(as',/3/31) whenever it contains each of (c~, 13) and (a', 13'). Our technique will
rely on the following definition due to Caucal [10].
D e f i n i t i o n 23 A relation Tl C_ V* x V* is a Caucal base iff whenever (a, 13) E T~

we have that
* ifce a)e~ I then13 a)131forsome131 w i t h a 1~131; and
* if13~t3' thena a a'forsomea I witha'~13'.
Hence the definition of a Caucal base differs from that of a bisimulation only in
how the derivative states a ~ and 13~are related; in defining T~ to be a bisimulation,
we would need these derivative states to be related by 7~ itself and not just by
T~
the (typically much larger) congruence -- . A Caucal base then is in some sense
a basis for a bisimulation. The importance of this idea is encompassed in the
following theorem.
7~
T h e o r e m 24 ( C a u c a l ) I f T~ is a Caucal base, then -- is a bisimulation. In
T~
particular, -- C ,,~.
P r o o f We demonstrate that if a ~ fl then the two clauses given by the definition

7r
of - being a bisimulation hold true, thus demonstrating Te
-- to be a bisimula-
tion. The proof of this we carry out by induction on the depth of inference of
7r
or _---- 13.
7~
If a -- 13 follows from (a, 13) E T~ then the result follows from T~ being a
Caucal base.
R
If a _---/3follows from one of the congruence closure conditions, then the result
easily follows by induction, using the above congruency lemma. []
C o r o l l a r y 25 a -~/3 iff (a,/3) E T~ for some Caucal base T~.

122
P r o o f Immediate. []
It now becomes apparent that in order to demonstrate bisimilarity between

terms, we needn't produce a complete (infinite) bisimulation relation which con-
tains the pair; rather it suffices simply to produce a Caucal base which contains
the pair. W h a t we shM1 demonstrate is that this corollary can be strengthened
to a finite characterisation of bisimulation, in that we shall describe a finiie
Tr
relation 7~ satisfying -- = ..~. This relation Tr will clearly be a CaucM base,
and our semi-decidability result (and hence the decidability result itself) will be
established, taking into account the following.
L e m m a 26 It is semi-decidable w h e t h e r a given finite binary relation Tr over

V* is a Caucal base.
P r o o f We need simply check that each pair (a, ;3) of the finite relation Tr
satisfies the two clauses of the definition of a Caucal base, which requires testing
(in parallel) if each transition for o n e of a and fl has a matching transition
from the other. This matching t e s t - - t h a t is, checking if the derivative states
Tr Tr
are related by - --is itself semi-decidable, as the relation -- is semi-decidable.
[]
Our semi-decision procedure for checking a ,~ ;3 then consists of enumerating

all finite binary relations over V* containing the pair (c~, fl) and checking (in
parallel) if any one of them is a Caucal base. We thus concentrate on defining
Tr
the finite relation T~ satisfying = = ~*.
We first present some technical results, starting with the following unique
solutions lemma.
L e m m a 27 I f (~ ~ 7o~ and ;3 ~, "7;3 f o r s o m e "7 r E then o~ ,,, ;3.
P r o o f Let 7~ { (~a, 6;3) " o~ ,,~ "Ta and fl ,-, "7;3 for some "7 ~ r }. We may
demonstrate straightforwardly that -~7r is a bisimulation, from which we may
deduce our desired result. []
An important finiteness result on which our argument hangs is given by the

following.
L e m m a 28 I f c~'7 ,~ /37 f o r infinitely m a n y n o n - b i s i m i l a r 7, then ~ ..,/3.
Proof We shall show that 7~ = { (a, ;3) " a 7 "~ ;37 for infinitely many non-
bisimilar 7 } is a bisimulation, from which our result will follow.
Let (c~,;3) E 7~, and suppose that c~ a ~ a,. Since c~ r e, by Lemma 27 there
can only be one 7 (up to bisimilarity) such that a 7 ,-~ 7, so we must have that
123
r ~. Thus for infinitely many non-bisimilar 7 we must have fl a ) fir such

that a~'y N fl-~7- Since ~ is image-finite, we must have that fl a , ~ such that
at-/,,~ fit7 for infinitely many non-bisimilar 7- Hence we must have (a t, fit) E TO.
Similarly if (a, fl) E Tr and fl a) fit then a ~) a t such that (a t, fit) E TO.
[]
We may split the set of variables into two disjoint sets V = N O U with the
variables in N being normed and those in U being unnormed. Our motive in
this is based on the following lemma.
L e m m a 29 If X is unnormed then X a ,,~ X for all a,
P r o o f We can immediately verify that { (X, X a ) " X is unnormed [ is a
bisimulation. []
Hence we need only ever consider states a E N* U N ' U , the others being im-
mediately rewritable into such a bisimilar state by erasing all symbols following
the first unnormed variable.
The argument relies on recognising when a term may be broken down into a
composition of somehow simpler terms. To formalise this concept we start with
the following definition.
D e f i n i t i o n 30 A pair ( X a , Yfl) satisfying X a ,,, Y fl is decomposable if X and

Y are normed, and for some 7,
9 X ,,~ Y 7 and 7or ,,~ fl; or
. yNX7 andTfl,~a.
The situation would be clear if all bisimilar pairs were decomposable; indeed
we shall exploit this very property of normed processes--which follows there from
our unique decomposability result--in in Section 4. However we can demonstrate
that there is in some sense only a finite number of ways that decomposability Can
fail. This crucial point in our argument is formalised in the following lemma. We
consider two pairs ( X a , Yfl) and ( X a ' , Yfl') to be distinct if a r ~t or fl 7L fit.
L e m m a 31 For any X , Y E V, any set of the form
7~ = { ( X a , Y ~ ) " X a , Y ~ E N* U N * U , X a , ~ Yfl, and ( X a , Yfl) not

decomposable }
which contains only distinct paws must be finite.
P r o o f If X, Y E U then clearly ~ can contain at most the single pair (X, Y).
124
IfX EUandY W)r " iEI}thenforeachiEIwe

must have that X _w ) ai such that ai "~/3/. But then by image-finiteness there
can be only a finite number of non-bisimilar such/3/.
Suppose then that X , Y E N and t h a t 7~ { (Xai,Y/3i) " i E I ~ is
infinite. Without loss of generality, assume t h a t norm(Y) < n o r m ( X ) , and t h a t
y w) r with length(w) = norm(Y). Then for each i E I we must have t h a t
X ~ ) "/i such t h a t ~fiai "~/3i. By image-finiteness, we can have only finitely
m a n y such ~'i, so we must have that X w, 7 for some 3~ such t h a t ~/cq ,-~/3i holds
for infinitely m a n y i E I; by distinctness these ~is must all be non-bisimilar. For
these i E I we must then have that X a i ,~ YT~i, But then by L e m m a 28 we
must have that X --~ YT, contradicting non-decomposability. []
We are now ready to demonstrate our m a i n result, t h a t there is a finite

7r
relation 7~ satisfying =__ -- N. This will be done by induction using the following
well-founded ordering _ft.
Definition 32 Define the measure s on N* UN*U as follows. For a E N* and

X E U, let s(a) = s ( a X ) = n o r m ( a ) .
Then let(OL1,Ot2)__E (/31,/32) ij~ ma~x(s(a,), s(a2) ) _~ max(8(/31), 8(/32)).
Lemma33 Let T~o be the largest set { ( X , a ) " X E N and X - a }, and

letT~l be the largest set { (Xc~,Y/3) " X a , Y/3 E N * U U N*, X a .~ Y/3, and
(Xc~, Y/3) not decomposable } which contains only distinct pairs, and containing
minimal elements with respect lo C_. Then R = 7~o U T~I is a finite relation
7r
satisfying =_ = ..~.
Proof Firstly, 7~0 and T~1 must both be finite. Also we must have _-- _ ~.
T~
7r
We will demonstrate by induction on E_ that X a ~ Yfl implies X a - Yfl
If (Xa, Yfl) is decomposable, then X, Y E N and (without loss of generality)
assume that X ,~ Y~/ and 7 a ,,~ ft. Then s(Ta ) < s(Y^/a) = s(Xa) and
7~
s(fl) < s(Yfl), so (7c~,/3) if_ (Xa, Yfl). Hence by induction 7c~ _~/3. Then from
T~
(x, n o we get x a = Y/3.
Suppose then that (Xa, Yfl) is not decomposable. Then ( X a ~, Y/3~) E T~I
for some a ~ ,~ a and/3~ ,-~/3 with (a',/3~) E_ (a,/3).
9 If X, Y E N, then (a, fl), (a', fl') r- ( X a , Yfl), so (a, a ' ) , (/3,/3') E (Xa, Y/3).
Thus by induction a -_- a n d / 3 -/3~, so X a -- Xa~TIY/3 ~ =_ Y/3.
9 IfX E N and Y E U, then fl = fl' = r and X a ,~ Y. Also s ( a ' ) <

7r
s(a) < s(Xa), so ( a , a ~) r- (Xa, Y). Thus by induction a _ = a ~, so
125
"R,
X a = X a I ~- Y. A symmetric argument applies for the case when X E U
and Y E N.
Tr
* IfX, YEU, thenc~=a~=fl=fl'=r ET~l, S O X ~ - - Y f l .
[]
T h e o r e m 34 Bisimulation equivalence is decidable for guarded context-free pro-

cesses.
P r o o f I m m e d i a t e from the preceding argument. []
Unfortunately, as the decidability follows from two semi-decision procedures,

we have no method of determining a complexity bound on the problem, and it
is immediately apparent that the procedure is impractical for use. In Section 4
we shall go some way towards rectifying this situation, by exploiting the special
nature of normed processes to provide a polynomial-time decision procedure for
that subclass of context-free processes.
Our demonstration of the decidability of bisimulation equivalence for concur-

rent context-free processes uses a vastly different technique than in the case of
context-free processes. In particular, rather than construct a semantic represen-
tation for bisimulation equivalence, we devise a syntactic characterisation which
exploits the commutative nature of the composition, representing states a E V*
compactly in the form y..1k l yk2
"'2 "'" X~" where V = { X1, X 2 , . . . , X,~ }. We shall
hence assume that the production rules are in the form X1 --* aX~ 1 " .X~",
and otherwise read sequences of variables modulo commutativity, so that for
example if a = X ~ ' - " X n k" a n d fl = X~ ~ . . - X S , we shall recognise aft as
x ~ + ~ , ... x ~ . + z . .
Our technique will rely on the following well-founded ordering r- on such
elements of V*.
D e f i n i t i o n 35 X ~ ' . . . X ~ "
v- X~ 1 . . . x ~ " iff there exists j such that kj < lj
and for all i < j we have that ki = li.
It is straightforward to verify that E is indeed well-founded.

We present here a tableau decision procedure for checking bisimilarity. Our
tableau system is a goal directed equationM proof system with rules built around
equations either of the form a = fl where a,fl E V*, or of the f o r m ~ i E I aic~i =
~ j E j b j f l j where I and J are finite index sets, each al,bj E A, and each
~i,flj E V*. NotationMly, we read ~ i e o aioq as r and )-'~ie{0} aioq as a0a0.
126
T h e u n d e r s t a n d i n g we m a k e of s u m f o r m s is as a listing of the transitions which

are i m m e d i a t e l y available to a process; as such, we shall interpret these terms
as processes themselves.
Each rule has the f o r m
E=F
El=F1 9.. E, =F,
possibly with a side condition. T h e premise of the rule represents a goal to
be achieved whereas the consequents represent (sufficient) subgoals to be estab-
lished in order t o achieve the goal.
A tableau for E = F is a m a x i m a l p r o o f tree whose root is labelled E = F and
where the labelling of i m m e d i a t e successors of a node are determined according
to the rules of the tableau s y s t e m presented in Table 1. For the presentation of
rule R E c we introduce the n o t a t i o n unf(c~) for c~ E V* to m e a n the unfolding of
c~ defined as follows:
unf(X~'...X~") = E E aX~'+I~'"X~'+I'-I'"X~"+I"
l<i<n zl In
-- -- Xi---*aX x ...X~
k~>0
We shall denote nodes in a tableau by n (with roots also denoted by r) possibly

with subscripts; If a node n has label E = F we write n : E = F .
In building t a b l e a u x the rules are only applied to nodes t h a t ate not terminal.
A terminal node can either be successful or unsuccessful. A successful terminal
node is one labelled a = a, while an unsuccessful t e r m i n a l node is one labelled
either a a = b~ such t h a t a r b or a a = e or e = bfl. A tableau is successful if
and only if all terminal nodes are successful; otherwise it is unsuccessful.
Nodes of the f o r m n : a = fl are called basic nodes. W h e n building t a b l e a u x
basic nodes m i g h t dominate other basic nodes; we say t h a t a basic node n : a 7 =
or n : ~f = a 7 dominates any node n ~ : a = fl or n ~ : fl = a which appears above
n in the tableau in which a "1 ~ and to which rule R,EC is applied. Whenever a
basic node dominates a previous one, we apply one of the SUB rules to reduce
the terms before a p p l y i n g the REC rule.
Example 36 Consider the concurrent context-free process given by the following

grammar.
X1 ---* a X 1 X 4 X2 ---+aX3 X3 ~ a X 3 X 4 X4 ---* b

X3 ~ bX2
We can verify semantically that X1 "~ X2. A successful tableau for X1 = X2 is

given as follows.
127
REC
u n f ( ~ ) ----u n f ( ~ )
p q
E i = I a i a i ---- ~jffil bjjSj
SUM
{ aiozi = b](i)~](i) i=1
{ bjl~j = ag(j)otg(j)
}"j=l
where f : { 1 , . . . , p } --+ { 1 , . . . , q }
g : { 1 , . . . , q } --+ {1 . . . . ,p}
ac~ = a/~
PREFIX
,~=~
at7 = ~5 if the d o m i n a t e d node is labelled

StmL
~-~=a o~ = fl or 1~ = a with c~ ~
~5=o~ 7 if the d o m i n a t e d node is labelled

StmR
a=B7 a = fl or B = a with a ~
T a b l e 1: R u l e s of t h e t a b l e a u s y s t e m .
Xl ~ X2
REC
aX1X4 = aX3
PREFIX
XaX4 = X3
StmL
X2X4 = Xa
REc
aX3X4 + bX2 = aXaX4 + bZ2
SUM
aX3X4 = aX3X4 bX2 = bX2
PREFIX PREFIX
XaX4 = XaX4 )(2 = Xa
Lemma 3 7 Every tableau f o r o~ = 13 is finite. Furthermore, there is only a

finite n u m b e r of tableaux f o r o~ = ft.
Proof S u p p o s e t h a t we h a v e a t a b l e a u w i t h r o o t l a b e l l e d c~ = ft. I t c a n o n l y
b e i n f i n i t e if t h e r e exists a n i n f i n i t e p a t h t h r o u g h it, as e v e r y n o d e h a s f i n i t e
128
branching degree. Hence suppose 7r is such an infinite p a t h starting at the

root r : c~ = ~. The p a t h zr can only be infinite if it contains infinitely m a n y
basic nodes to which the tableau rule REc is applied. This is due to the well-
foundedness of the ordering ~ on V* which is decreased through applications
of the SUB rules. Thus from the p a t h 7r we can form an infinite sequence S of
nodes {ni : c~i = ~i9 }i=1
(DO
by collecting (in order of appearance) the basic nodes
along 7r to which the rule REc is applied. Hence n l : c~t = ~1 represents the
root, n2 : c~2 = f12 represents the second node along 7r at which REC is applied,
and so on.
An expression c~ can be viewed as a vector ~ of JTVn: the value of the /th
coordinate of ~, denoted ~(i), indicates the n u m b e r of occurrences of variable Xi
in a. Thus we can represent the sequence S by an infinite sequence of vectors
{~i}i~176 where ~i 6 / W 2n for all i. The first n coordinates represent ai and the
last coordinates represent ill.
Consider the infinite sequence { fii (1) } ~ 1 consisting of all the first coordinates
of vectors of the sequence S. If this sequence has an upper bound we extract
from S an infinite sequence $1 of vectors {v, }i=1 with the property that the first
coordinate of ~i remains constant throughout $1. If the sequence {fii(1)}~l does
not have an upper bound we extract from S an infinite sequence $1 of vectors
{vi}i~l with the property t h a t the first coordinate of vi is nondecreasing, i.e.
~ ( 1 ) < ~j(1) whenever i < j. Continuing in this fashion we arrive at an infinite
sequence S2n of vectors {w,}i=l
~9 OO
with the property that all coordinate sequences
are nondecreasing. But then every node in this sequence is dominated by every
node after it, so the rule REc cannot be applied to any of these nodes, as a SUB
rule is applicable.
For the proof of the second part, we note t h a t if there were an infinite number
of tableaux, then since there are only a finite number of partial tableaux of a
given finite size, there must be an infinite sequence of partial tableaux, each of
which being derived from the previous by the application of some rule to the
node most recently introduced. But then this sequence provides a tableau with
an infinite p a t h through it, which by the first part cannot be. []
We now proceed to show the soundness and completeness of the tableau system.
Theorem 38 ( C o m p l e t e n e s s ) If a ,,, fl then there exists a successful tableau

for~=Z.
P r o o f Suppose a ,-, j3. If we can construct a tableau for a = / ? with the property
t h a t any node n : E = F satisfies E ,,* F, then by L e m m a 37 t h a t construction
must terminate and each terminal will be successful. Thus the tableau itself will
be successful.
We can construct such a tableau if we verify t h a t each rule of the tableau
system is forward sound in the sense that if the antecedent as well as all nodes
129
above relate bisimilar processes then it is possible to find a set of consequents

relating bisimilar processes. It is easily verified t h a t the rules are indeed forward
sound in this sense. Notice in particular t h a t t h e rule REC reflects the expansion
law for parallel composition [48] and that forward soundness of the SUB rules
follows from the fact that bisimilarity is a congruence. []
The proof of soundness of the tableau system relies on the alternative stratified
characterisation of bisimulation equivalence.
Theorem 39 ( S o u n d n e s s ) I f there is a successful tableau for a = fl then c~ ,.~

/3.
P r o o f Suppose t h a t we have a tableau for c~ = / 3 , and that ~ 7~/3. We shall
construct a m a x i m a l p a t h ~r = {nl : El = Fi} through this tableau starting at
the root a = / 3 in which Ei 7~ Fi for each i. Hence the terminal node of this
p a t h cannot be successful, so there can be no successful tableau for c~ =/3.
While constructing ~r, we shall at the same time construct the sequence of
integers {mi : Ei 7~rn, Fi and Ei "~j Fi for all j < mi}. We shall also
prove along the way t h a t this sequence is nonincreasing, and strictly decreasing
through applications of the rule PREFIX.
Given ni : Ei = Fi and mi, we get ni+t : Ei+l = Fi+l and mi+l according
to the following cases:
* If REC is applied to ni, then the consequent is n i + l and mi+l = mi.
9 If SUM is applied to ni, then there must be some consequent n i + l : Ei+l =

Fi+l with Ei+l 7~m~ Fi+l and Ei+l ~ i Fi+l for all j < mi, so mi+l = mi.
* If PREFIX is applied to ni, then the consequent is ni+l and mi+l = rni - 1 .
9 If SuBL is applied to ni : Ei = Fi then Ei = Fi must be of the f o r m a 7 = ~

with dominated node nj : a = 13 ( a -7/3). Since between nj and ni there
must have been an intervening application of the rule PREFIX, we must
have t h a t mi < m j . We take the node ni+l :/37 = ~, and show t h a t we
have some valid rni+l < mi, that is, that/33' 7Lrn~ ~. But this follows from
a "~-n/3 and a 7 7~,~ ~. The arguments for the other possible applications
of the SUB rules are identical.
T h a t the above conditions hold of the resulting p a t h is now clear. []
We are now in a position to infer the decidability of bisimulation equivalence on

concurrent context-free processes. In order to decide the validity of a = fl we
simply start listing tableaux for a = fl and stop and answer "yes" if a successful
tableau has been found. If we list all of the finite number of finite tableaux
(systematically, so that we recognise when they have all been listed) and fail to
130
discover a successful one, then we answer "no". By soundness and completeness

of the tableau system, we know that this procedure will always give the right
answer. Thus the decidability result is established.
T h e o r e m 40 Bisimulation equivalence is decidable for guarded concurrent con-

text-free processes.
P r o o f Immediate from the preceding argument. []
Unlike the previous argument for context-free processes, we have a single

decision :procedure for determining equivalence rather than two opposing semi-
decision procedures, so we could feasibly extract some complexity measure on
deciding equivalence. However, the complexity measure which we could immedi-
ately extract, being based on our the particular well-founded ordering C on V*,
would fail even to be primitive recursive, so once again our decision procedure
is impractical. However, again in the normed case we can exploit particular
properties to extract a polynomial-time decision procedure. This we also carry
out in Section 4.
4 A l g o r i t h m s for N o r m e d P r o c e s s e s
In the previous section we demonstrated the decidability of bisimulation equiv-
alence over both the class of context-free processes and the class of concurrent
context-free processes. However, the computational complexity of the algorithms
which we presented shows them to be of little practical value. To overcome this
deficiency we concentrate in this section on developing efficient algorithms for
deciding bisimilarity within these classes of processes. What we demonstrate
in fact are polynomial algorithms for the problem of deciding equivalences over
the subclasses of normed processes. These algorithms will both be based on
an exploitation of the decomposition properties enjoyed by normed processes;
however, despite the apparent similarity of the two problems, different methods
appear to be required.
For our algorithms, we fix a normed context-free grammar G = (V, T, P, S)
in Greibach normal form. Our problem then is to determine efficiently--that
is, in time which is polynomial in the size n (the number of symbols in the
production rules) of the grammar--whether or not c~ --, fl for c~, j3 E V*, where
we interpret these first as context-free processes and then as concurrent context-
free processes.
Our basic idea is to exploit the unique prime decomposition theorem by de-
composing process terms sufficiently far to be able to establish or refute the
131
equivalence we are considering. Further, we try to construct these decomposi-

tions by a refinement process which starts with an overly generous collection of
candidate decompositions. As the algorithm progresses, invalid decompositions
will gradually be weeded out.
Assume that the variables V are ordered by non-decreasing norm, so that
X < Y implies norm(X) < norm(Y). A base is a set B of pairs (Y, X ~ ) , where
X, Y 9 V, a 9 Y*, X < Y and norm(Y) = n o r m ( X a ) . We insist that B contains
at most one pair of the form (Y, X a ) for each choice of variables X, Y, so that
the cardinality of B is at most O(n2). A base B is full iff whenever Y ,,~ X f l
with Y > X there exists a pair (Y, Xc~) 9 B such that c~ ,-~ /~. In particular,
(X, X ) 9 B for all X 9 V. The key idea is that infinite relations on V*, in
particular that of bisimilarity, may be expressed as the congruence closure of a
finite base.
L e m m a 41 If the base B is full then ,,, C ~ .
P r o o f This result may be proved by induction on norm; however, the effort

would be unnecessary, as in Subsection 4.1.1 we shall encounter a procedure
which given a full base B constructs a binary relation on V* that contains ,~
B
and is contained by = . D
t~
Let ~B be some relation satisfying ~ C_ - 5 C = whenever B is full. At
a high level, the exact choice of the relation --~ is immaterial, as the proof
B
of correctness relies only on the inclusions ,-~ C ------B C -- ; later we shall fix
a particular --B which is computable in polynomial time. It is here that the
algorithmic subtlety lies, as efficiency demands a careful choice of =t~ 9
Our task is to discover a full base that contains only semantically sound
decomposition pairs. To do this, we start with a full (though necessarily small)
base, and then proceed to refine the base iteratively whilst maintaining fullness.
Informally, we are proposing that at any instant the current base should ~ n s i s t
of pairs (X, a) representing candidate decompositions, that is, pairs such that the
relationship X ,,~ a is consistent with information gained so far. The refinement
step is as follows.
Given a base B, define the sub-base B C B to be the set of pairs (X, c~) 9 B
such that
9 if X .A_,/3 then a ~ ~ 7 with j3 -=t~ 7, and
9 ifa ~TthenX a~j3with/~--=z7.
L e m m a 42 If B is full then B is full.
P r o o f Suppose Y ~ Xj3 with Y _> X. By fullness of B, there exists a pair

(Y, Xc~) 9 B such that ~ -,~ /~. We show that the pair (Y, X a ) survives the
132
refinement step, to be included in B. Note that, since ,,~ is a congruence, Y ,,~

Xc~. Thus, if Y _2_, 7 then X a a ~ 6 for some 6 satisfying 6 -~ 7. By fullness
of B and Lemma41, 6 -t3 7. Similarly, i f X ~ ~ > 6 then Y a ~ 7 with 7 "" 6, and
hence 7 --t~ 6. The pair (Y~ X a ) therefore satisfies the conditions for inclusion
in B. []
In general, the refinement step makes progress, i.e., the new base B is strictly
contained in the base B from which it was derived. If, however, no progress
occurs, an important deduction may be made.
L e m m a 43 If B = 13 then =t3 C ,,~.

B
P r o o f The relation --n is contained in = , the congruence closure of B, so B
must be a Caucal base. Now apply Theorem 24. []
Note that by iteratively applying the refinement step B := B to a full initial

base, we are guaranteed by the preceding three lemmas to stabilise at some full
base B for which _-__~ = N.
We are now left with the task of constructing our initial base B0. This is
achieved as follows. For each X E V and each 0 _< u _< norm(X), let [X]v be
some process that can be reached from X via a sequence of u norm-reducing
transitions. (Note that some norm-reducing transition is available to every pro-
cess.)
L e m m a 44 The base 13o = ~ (Y, X[Y]norm(X)) " X~Y E V and X < Y ~ is

]
full.
P r o o f Suppose Y ,~ X/~ with X _< Y, and let v = norm(X); then (Y, X[Y]v) E
B0 for some [Y]~ such that Y ' > [Y]v in v norm-reducing steps, where s E A V.
But the norm-reducing sequence Y ' ~ [Y]~ can only be matched by X/~ ' ~/3.
Hence [Y]~ -~/?, and B0 must be full. []
The basic structure of our procedure for deciding bisimilarity between normed
processes a and/3 is now clear: simply iterate the refinement procedure B :=
from the initial base B = B0 until it stabilises at the desired base B, and then
test a -=t3/3. By the preceding four lemmas, this test is equivalent to a ,,~/3.
So far, we have not been specific about which process [X]v is to be selected
among those reachable from X via a sequence of u norm-reducing transitions.
A suitable choice is provided by the following recursive definition. For each
variable X E V, let a x E V* be some process reachable from X by a single
norm-reducing transition X " ~ a x . Then,
-
{ [/~]p-norm(X), if p_> norm(X);

[Xfl]p = [c~x]p_l/3, if p < norm(X).
133
L e m m a 45 With this definition for [.]~, the base Bo introduced in Lemma ,t4
may be explicitly constructed in polynomial time; in particular, every pair in Bo
has a compact representation as an element of V • V*.
P r o o f It is easily checked that the natural recursive algorithm based on the

definition is polynomial-time bounded. O
We have already observed that B0 contains O(n 2) pairs, so the refinement

procedure is iterated at most O(n 2) times. It remains to define the relation = n
and show that it may be computed in polynomial time. Once this has been
done, it is clear that the entire decision procedure runs in polynomial time.
T h e o r e m 46 There is a polynomial-time (in the lengths of the words a and fl,

and the size of the defining grammar) procedure for deciding bisimilarity of two
normed context-free processes a and ft.
Recall that the only condition we impose on the relation -t3 is that it
B
satisfies the inclusions -~ C ---B _ -= whenever B is full. This flexibility in the
specification of ---s is crucial to us, and it is only by carefully exploiting this
flexibility that a polynomial-time decision procedure for =-B can be achieved.
The definition and computation of --~ is the subject of the following section.
4.1.1 Algorithmic concerns
Central to the definition of the relation ---B is the idea of a decomposing func-
tion. A function g : V ---+ V* is a decomposing function of order q if either
g(X) = X or g(X) = X 1 X 2 . . . X p with 1 < p < q and Xi < X for each
1 < i < p. Such a function g can be extended to the domain V* in the obvious
fashion by defining g(e) = e and g(Xa) = g(X)g(c~). We then define g*(~) for
E V* to be the limit of gt(~) as t --* ~ ; owing to the restricted form of g we
know that it must be eventually idempotent, that is, that this limit must exist.
The notation g[X ~-+ a] will be used to denote the function that agrees with g
at all points in V except X, where its value is a.
The definition of the relation --B may now be given. For base B and de-
composing function g, the relation a = ~ / ? . i s defined b y the following decision
procedure:
9 if g*(c~) = g*(fl) then the result is true;
9 otherwise let X and Y (with X < Y) be the leftmost mismatching pair of

symbols in the words g*(c~) and g*(fl);
- if (Y, XT) 9 B then the result is given by a - ~ fl, where 9 = g[Y ~-+
xT];
134
- otherwise the result is false.
Finally, let --=t~ be _--~d where Id is the identity function.
L e m m a 47 -6 C --- and ,,~ C -t~ whenever B is full.
P r o o f The first inclusion is easily confirmed , since for any g constructed by the
B
algorithm for computing --B , it is the case that X =_ g ( X ) for each X E V.
For the second inclusion, suppose that a ,~ /3 and at some point in our
procedure for deciding a --t~ fl we have that g* (a) # g* (fl), and that we have
only ever updated g with mappings X ~ 7 satisfying X -,~ 7. Let X and Y
(with X < Y) be the leftmost mismatching pair. Then Y ,~ X 7 must hold
for some 7, and so, by fullness, (Y, XT) E B for some 7 with Y ,,* XT. So the
procedure does not terminate with a false result, but instead updates g with this
new semantically sound mapping and continues. []
Finally, we are left with the problem of deciding g*(a) = g*(/3), all other
elements in the definition of ---t~ being algorithmically undemanding. Note
that the words g*(a) and g*(/3) will in general be of exponential (in n) length,
so we cannot afford to compute them explicitly.
We shall begin by assuming that the function g is of order 2, that is, maps
a single variable to at most two variables; this simplification may be achieved
using a standard polynomial-time reduction to Chomsky normal form. In the
sequel, let n denote the total number of variables after this reduction to what
is essentially Chomsky normal form, and let V refer to this extended set of
variables. We say that the positive integer r is a period of the word a E V* if
1 < r < length(a), and the symbol at position p in a is equal to the symbol at
position p + r in a, for all p in the range 1 < p < length(a) - r. Our argument
will be easier to follow if the following lemma is borne in mind; we state it in
the form given by Knuth, Morris and Pratt.
L e m m a 48 I f r and s are periods of a E Y * , and r + s < length(a) + gcd(r, s),

then gcd(r, s) is a period of a.
P r o o f See [43, Lemma 1]; alternatively the lemma is easily proved from first
principles. []
For a, fl E V*, we shall use the phrase alignment of a against/3 to refer to a

particular occurrence of a as a subword of/3. Note that if two alignments of a
against/3 overlap, and one alignment is obtained from the other by translating
a through r positions, then r is a period of a. Suppose X, ]I, Z E V, and let
a = g * ( X ) , /3 = g * ( Y ) , and 7 = g*(Z). Our strategy is to determine, for all
triples X, Y, and Z, the set of alignments of a against/37 that include the first
135
I ~ = g*(X) I
I I
fl = g*(Y) t 7 - - g*(Z)
First symbol of 7, and ith of
Figure 1: A alignment of ~ that spans ~ and 7
symbol of 7 (see Figure 1). Such alignments, which we call spanning, may be
specified by giving the index i of the symbol in a that is matched against the
first symbol in 7. It happens that the sequence of all indices i that correspond
to valid alignments forms an arithmetic progression. This fact opens the way
to computing all alignments by dynamic programming: first with the smallest
variable X and Y, Z ranging over V, then with the next smallest X and ]I, Z
ranging over V, and so on.
L e m m a 49 Let a, 6 E V* be words, and I be the set of all indices i such that

there exists an alignment of (~ against 6 in which the ith symbol in a is matched
to a distinguished symbol in 6. Then the elements of I form an arithmetic
progression.
P r o o f Assume that there are at least three alignments, otherwise there is
nothing to prove. Consider the leftmost, next-to-leftmost, and rightmost possible
alignments of c~ against 6. Suppose the next-to-leftmost alignment is obtained
from the leftmost by translating c~ though r positions, and the rightmost from
the next-to-leftmost by translating a through s positions. Since r and s satisfy
the condition of Lemma 48, we know that gcd(r, s) is a period of (~; indeed, since
there are by definition no alignments between the leftmost and next-to-leftmost,
it must be the case that r -- gcd(r, s), i.e., that s is a multiple of r. Again by
Lemma 48, any alignment other than the three so far considered must also have
the property that its offset from the next-to-leftmost is a multiple of r. Thus
the set of all alignments of c~ against 6 can be obtained by stepping from the
leftmost to the rightmost in steps of r.
This completes the proof, but it is worth observing for future reference, that
in the case that there are at least three alignments of c~ against 6 containing
the distinguished symbol, then c~ must be periodic, i.e., expressible in the form
= eka, where k >_ 2 and cr is a (possibly empty) strict initial segment of e.
D
In the course of applying the dynamic programming technique to the problem

at hand, it is necessary to consider not only spanning alignments of the form
illustrated in Figure 1, but also inclusive alignments: those in which a = g* (X)
appears as a subword of a single word fl = g* (Y). Fortunately, alignments of
this kind are easy to deduce, once we have computed the spanning alignments.
136
O/
I I
I ........ ~
Figure 2: Trapping an alignment
L e m m a 50 Suppose spanning alignments of o~ = g*(X) against 7 -- g*(Z) and

7 ~ = g*(Z ~) have been pre-computed for a particular X and all Z, Z ~ E V. Then
it is possible, in polynomial time, to compute, for any Y and any distinguished
position p in 13 = g* (Y), all alignments of (~ against ~ that include p.
P r o o f Consider the sequence

{ g. (.:0)) },
{ g. },
{ g. (y:2)), g. }, :
of partitions of fl = g*(Y), obtMned by the following procedure. InitiMly, s e t
y(0) = y . Then, for i > 1, suppose that g.(yj(i-1)) is the block of the ( i - 1)th
partition that contains the distinguished position p, and let Z = y ( i - D be
the symbol generating that block. Let the ith partition be obtained from the
( i - 1)th by splitting that block into two--g*(Z') and g*(Z")--where where
g(Z) = Z ' Z " . The procedure terminates when g(Z) = Z, a condition which is
bound to hold within at most n steps. Observe that, aside from in the trivial
case when length(a) -- 1, any alignment of c~ containing position p will be at
some stage "trapped," so that the particular occurrence of the subword a in fl
is contained in g*(Yj(i))g*(Yj(+)), but not in g. (yj(0) or g* (Yj(+))separately (see
Figure 2).
For each such situation, we may compute the alignments that contain posi-
tion p. (By Lemma 49, these form an arithmetic progression.) Each Mignment of
that includes p is trapped at least once by the partition refinement procedure.
9The required result is the union of at most n arithmetic progressions, one for
each step of the refinement procedure. Lemma 49 guarantees that the union of
these arithmetic progressions will itself be an arithmetic progression. Thus the
result may easily be computed in time O(n) by keeping track of the leftmost,
next-to-leftmost, and rightmost points. []
The necessary machinery is now in place, and it only remains to show how
spanning alignments of the form depicted in Figure 1 may be computed by
137
" = g'ix) "

I I I
[ It- [ 3'=r
= r p • r
Figure 3: Dynamic programming: inductive step
o~! og I!
I I I
I I
z t "T
ff P
Figure 4: Dynamic programming: the leftmost alignment
dynamic programming, with X ranging in sequence from the smallest variable

up to -the largest.
If g(X) = X, the task is trivial, so suppose g(X) = X ' X ' . The function g
induces a natural partition of d = g*(X) into a ' = g*(X') and a " = g*(X");
suppose it is a " that includes p, the first symbol in 3' (see Figure 3.) We need to
discover the valid alignments of cd against fl, and conjoin these with the span-
ning alignments--that we assume have already been computed--of a " against
fl and 3'.
Consider the leftmost valid alignment of a " and let p' be the position imme-
diately to the left of cr Figure 4). We distinguish two kinds of alignments
for o~ = o~1or tl.
CASE I. The alignment of a' against ~3' includes position p'. These alignments
can be viewed as conjunctions of spanning alignments of a " (which are precom-
puted) with inclusive alignments of a' (which can be computed on demand using
Lemma 50). The valid alignments in this case are thus an intersection of two
arithmetic progressions, which is again an arithmetic progression.
CASE II. The alignment of c~' against f13' does not includes position p', i.e., ties
entirely to the right ofp'. If there are just one or two spanning alignments of a "
against ~ and % then we simply check exhaustively, using Lemma 50, which, if
any, extend to alignments of c~ against/~3'. Otherwise, we know that a " has the
form p%r with k > 2, and ~ a strict initial segment of p; choose p to minimise
length(e ). A match of a " will extend to a match of a only if c / = cr'pm, where
or' is a strict final segment of e. (Informally, a' is a smooth continuation of the
periodic word a " to the left. Thus either every alignment of c~" extends to one
of a = a % " , or none does, and it is easy to determine which is the case. As in
Case I, the result is an arithmetic progression.
The above arguments were all for the situation in which it is the word a "
138
that contains p; the other situation is covered by two symmetric cases--Case I ~

and Case II~--which are as above, but with the roles of a I and a" reversed. To
complete the inductive step of the dynamic programming algorithm, it is only
necessary to take the union of the arithmetic progressions furnished by Cases I,
II, I ~, and II~: this is straightforward, as the result is known to be an arithmetic
progression by Lemma 49.
At the completion of the dynamic programming procedure, we have gained
enough information to check arbitrary alignments, both spanning and inclusive,
in polynomial time. From there it is a short step to the promised result.
L e m m a 51 There is a polynomial-time (in the lengths of o~and/3, and the size

of the description of g) algorithm for the problem of deciding g*(~) = g*(fl) for
arbitrary o~,~ E V*. In the case that g*(o~) r g*(fl), the algorithm returns the
leftmost position at which there is a mismatch.
P r o o f Let ~ = ]I1112...]I,. Apply the partition refinement procedure used in

the proof of Lemma 50 to the word c~ to obtain a word c~I = X1X2 . . . X r with
the property that each putative alignment of g*(Xi) against the corresponding
g*(Yj) or g*(Yj)g*(Yj+l) is either inclusive or spanning. This step extends
the length of a by at most an additive term length(~)n. Now test each Xi
either directly, using the precomputed spanning alignments, or indirectly, using
Lemma 50. In the case that g*(a) • g*(~), determine the leftmost symbol Xi
such that g*(X~) contains a mismatch. If g(Xi) = X~ we are done. Otherwise,
let g*(X~) = ZZ', and test whether g*(Z) contains a mismatch: if it does,
reeursively determine the leftmost mismatch in g*(Z); otherwise determine the
leftmost mismatch in g* (ZI).
During the dynamic programming phase, there are O(n 3) subresults to be
computed (one for each triple X, Y, Z E V), each requiring time O(n); thus
the time-complexity of this phase is O(n4). Refining the input a to obtain
cd, and checking alignments of individual symbols of cd takes further time
O(n 2 length(~fl)). The overall time complexity of a naive implementation is
therefore O(n 4 + n 2 length(c~fl)). []
4.1.2 Simple context-free grammars
Recall that a simple grammar is a context-free grammar in Greibach normal form

such that for any pair (X, a) consisting of a variable X and terminal a, there is
at most one production of the form X :-* ac~. The decision procedure given by
Korenjak and Hopcroft [44] for deciding language equivalence between simple
grammars is doubly exponential; this time complexity was recently improved
improved by Caucal [11] to be singly exponential. Hence this result represents
139
the first polynomial algorithm for the (language) equivalence problem for simple
grammars.
T h e o r e m 52 There is a polynomial-time algorithm for deciding equivalence of
simple grammars
P r o o f To obtain a polynomial-time decision procedure for deciding language
equivalence of simple context-free grammars, we merely recall from Corollary 10
and L e m m a 12 that in the case of normed simple grammars, language equiva-
lence and bisimulation equivalence coincide. We can restrict attention to normed
grammars, as any unnormed grammar can be transformed into a language-
equivalent normed grammar by removing productions containing unnormed non-
terminals. (Note that this transformation does not preserve bisimulation equiva-
lence, which makes it inapplicable for reducing the unnormed case to the n o r m e d
case in checking bisimilarity.) Thus language equivalence of simple grammars
may be checked in polynomial time b y the procedure presented in the previous
two sections. []
To demonstrate that we can decide bisimilarity between concurrent context-free

processes in polynomial time, we require a vastly different technique than that
used for the sequential case; nonetheless the technique still relies completely on
the unique factorisation property.
To start off, we assume without loss of generality that the variables are
given in order of non-decreasing norm, so that norm(X1) < norm(X~) < . . . <
norm(Xn). Define the size of monomial a E V* to be the sum of the lengths of
the binary encodings of the various exponents appearing in the monomial; the
size of a production X a, fl to be the length of the triple (X, a, fl), encoded in
binary; and the size of a context-free grammar G to be the sum of the sizes of
all the productions contained within it. Our aim is to prove the following.
T h e o r e m 53 Suppose the set V* of processes is defined by a normed, context-

free grammar G in Greibach normal form. There is a polynomial-time (in the
size of ~, /3, and G) algorithm tO decide (~ ~ /3 for arbitrary (~,/3 E V*.
To prepare for the description of the algorithm and the proof of the theorem,
we require some definitions and a few preparatory lemmas. To ensure a smooth
development, the proofs of the lemmas are deferred to the end of the section.
Suppose T~ is any relation on V*. We say that a pair (c~,/3) E V* x V*
satisfies (norm-reducing) expansion in TI if
* if c~ a ) a~ is a norm-reducing transition t h e n / 3 a ~ /3~ for some/3~ with
c~17r
140
and
9 if ~ ~ ~/3' is a norm-reducing transition then a a ~ a ' for some a ' with

a ' T~ ~'.
Observe that a relation T~ is a bisimulation if every pair (a,/3) E T~ satisfies

expansion in ~. Observe also that if ~ is an equivalence relation (respectively,
congruence) then the relation "satisfies (norm-reducing) expansion in 7~" is an
equivalence relation (respectively, congruence).
Define a unique decomposition base, ~P, to be a pair (II, F), where II =
II(7:)) = { P 1 , . . . , P r } _C V is a set of primes, and F = F(:D) is a set of pairs
(X, p~l ... pr~r), one for each non-prime elementary process X E V - II. The
set F may be viewed as specifying, for each non-prime process X, a decompo-
sition of X into primes.* A unique decomposition base defines an equivalence
relation --79 on V*: the relation (~ = v / 3 holds between c~,/3 E V* if the prime
decompositions of c~ and/3 are equal (as monomials).
L e m m a 54 Let :D be a unique decomposition base. Then:

(i) the equivalence relation =-79 is a congruence with cancellation, t which
79
coincides with =-, the smallest congruence containing F(T));
(ii) there is a polynomial-time (in the size of o~ and/3) algorithm to decide

o~ =_79~ for arbitrary c~,/3 E V* ;
(iii) the relation =_79 is a bisimulation provided every pair in F(:D) satisfies
expansion within =-79 ; this condition may be checked by a polynomial-time
algorithm;
(iv) the maximal bisimulation ,~ coincides with the congruence =-79 , where :D
represents the unique decomposition in ,,,.
The next lemma allows us to shrink a congruence, defined by a unique de-

composition base, whenever it is strictly larger than the maximal bisimulation.
L e m m a 55 Let 7) be a unique decomposition base such that the congruence =-79

is norm-preserving and strictly contains the maximal bisimulation ,.~. Then it
is possible, in polynomial time, to find (a representation of) a relation - on V*
such that:
(i) the relation c~ - / 3 is decidable in polynomial time (in the sum of the sizes
of ~ and/3);
*These "primes" axe n o t in general t h e primes with r e s p e c t to t h e m a x i m a l bisimulation,

which were tile s u b j e c t of T h e o r e m 19.
tThus, in a d d i t i o n to satisfying t h e conditions of a congruence, - - ~ h a s t h e p r o p e r t y t h a t
c~ _--v t3 whenever c~"/-l~ ~lY.
141
(ii) the relation - is a congruence;
(iii) there is a variable X E V that is decomposable in - v but not in - ;
(iv) the inclusions ,,~ C_ - C - - v hold.
The final lemma allows us to "smooth out" an unmanageable congruence

into a congruence defined by a unique decomposition base.
L e m m a 56 Let ~ be a norm-preserving, p o l y n o m i a l - t i m e computable congru-

ence satisfying ~ C_ =_-, where N d e n o t e s ' m a x i m a l bisimulation. T h e n there is a
decomposition base 2), computable in polynomial time, such that ,,~ c_ - 9 c_ - .
With the three preceding lemmas in place, the procedure for deciding bisim-
ulation equivalence writes itself; in outline it goes as follows.
(1) Let the congruence =- be defined b y c~ -- ~ iff n o r m ( a ) = norm(fl).
(2) Compute a decomposition base 7) with ,~ C -=9 _C - , using L e m m a 56.
(3) If -----9 is a bisimulation--a condition that can be checked in polynomial

time using L e m m a 54--then halt and return the relation - 9 9
(4) Compute a congruence - satisfying ,-~ C_ - C --9 , using L e m m a 55. Go

to step 2.
The proof of the main result is virtually immediate.
P r o o f o f T h e o r e m 53 On each iteration of the loop formed by lines (2)-(4),
the number of primes increases by at least one. Thus the number of iterations
is bounded by n, and each iteration requires only polynomial time by the three
preceding lemmas. []
We complete the section by providing the missing proofs of the various lem-
mas.
P r o o f o f L e m m a 54
(i) It is easy to check that -z) is a congruence with cancellation contain-

ing F(/)); thus - v certainly includes - , the smallest congruence con-
taining F(O). On the other hand, if a - v fl, then fl can be obtained from
a via a finite sequence of substitutions chosen from F(O), and the reverse
inclusion holds.
(ii) The algorithm may be modelled directly on the definition of - v .
(iii) Suppose a ~ v fl and let c~ = ~ p ~ l . . . p a r =V fl be the common prime

decomposition of c~ and ft. By assumption, the pairs (c~, p~l , . . p ~ ) and
(fl, p~l ... prar) both satisfy expansion in - z ~ , and so then does the pair
(a, fl), by transitivity of the relation "satisfies expansion in --~ ."
142
(iv) This part follows from Theorem 19.
This concludes the proof of the lemma. [:3
P r o o f o f L e m m a 55 Define the relation = as follows: for all c,,/3 E V*, the re-
lationship a = / 3 holds iff a --~/3 and the pair (a,/3) satisfies expansion in --~9 9
We must demonstrate that - satisfies conditions (i)-(iv) in the statement of the
lemma.
i The relationship a = fl is clearly decidable in polynomial time: an algo-

rithm follows directly from the definition of - .
ii The relation = is the intersection of two congruences, and hence itself a

congruence.
iii If the 'congruence - v is not a bisimulation then, by Lemma 54, there is

a first (non-prime) variable X such that the pair (Z, P ~ . . . P T " ) E F(:D)
does not satisfy expansion in -=v 9 We show that X is indecomposable
with respect to the relation =.
Suppose to the contrary that X is decomposable, that is to say, X = a E
V*, where a contains only variables smaller than X. By definition of =,
the pair (X, a) satisfies expansion in = v , and X =z~ a = ~ P ~ ... P ~ ' .
By minimality of X, for every non-prime variable Y occurring in a, the
pair (Y,P~'...P~') e F(:D) satisfies expansion in ----v. Thus the pair
(a, P ~ ... PrX~), and by transitivity the pair (X, p~x . . . p [ , ) , satisfies ex-
pansion in = v , contradicting the choice of X.
iv It is clear that the relation = is contained in = v 9 On the other hand, if

a ,-, fl then the pair (a,/3) satisfies expansion in --, and hence in -=v ; it
follows that a =/3.
This concludes the proof of the lemma. []
P r o o f o f L e m m a 56 As before, assume that variables are in order of non-

decreasing norm. Given a congruence = __D -~ on V* we define, by induc-
tion, a unique decomposition base :P~ for { X 1 , . . . , X~}*, with primes 1I(2)) =
{ P 1 , . . . , P~}, such that:
* the inclusion = v i C_ = holds on the set { X 1 , . . . , Xi}*;
* i f X j =z,i p~l . . . p : ~ is the decomposition of Xj, for some j < i, then the
pair (Xj, P ~ ' . . . P [ , ) satisfies norm-reducing expansion in =z,, ;
143
9 if Xj ,,, Q ~ ' . . . Q~' is the prime decomposition of Xj with respect to ,~,

for some j < i, then Xj --~i Q~I ... Q~,~;~
9 if P ~ : . . . p i t = p ~ l . . , pflr and the pair ( p [ 1 . . . p f r , p ~ x . . , pfl,) satisfies
norm-reducing expansion in =z~,, then ( x : , . . . , xr) = (Yl,.-., Yr).
Assume that there exists a unique decomposition base :Di for { X : , . . . , Xi}* that
satisfies these properties. We wish to demonstrate that :Di may be extended to a
unique decomposition base Di+l for { X 1 , . . . , Xi+:}* Mso satisfying conditions
(a)-(d) above; this involves finding, in polynomial time, a consistent decompo-
sition for the variable Xi+l.
The extension of the unique decomposition base is achieved as follows. By
condition (d) we know that there is at most one product P ~ ' . . . P~" of primes
of/9i such that Xi+: ==-P[~... P[" and such that the pair (Xi+:, P~' ... P[~)
satisfies norm-reducing expansions in - - ~ . If there is such a product, it is
declared as the decomposition of Xi+:; otherwise Xi+: is declared to be prime.
It is clear that conditions (a) and (b) continue to hold.
To show (c), assume that Xi+: "~ Q ~ . . , Q ~ is the prime decomposition
of Xi+: with respect to the maximal bisimulation ,,,. Note that if Xi+: is prime
with respect to ,,, then there is nothing to prove, so we may assume the decom-
position is non-trivial. Let Q1 =9~ c~1, . . . , Qt =9~ c~t be the prime decompo-
sitions of Q:, 99 ., Q,t with respect to --9,. Then Xi+: -- c ~ : . .. at~t, where, it.
will be observed, the right-hand side is a product of primes with respect to - 9 ~ .
The pairs (Qj, aj) satisfy norm-reducing expansion in --9,, by condition (b),
and the pair Xi+: " Q~'... Q~' satisfies norm-reducing expansions in -z~,, b y
virtue of Xi+: and Q ~ ... Q ~ being bisimilar; it follows by transitivity that the
pair (Xi+l, c~' .. 9a~") also satisfies norm:reducing expansion in --9,- Thus, by
the uniqueness condition (d), Xi+: ----9,+1 c~' . . . a ~ ' must be the chosen prime
decomposition of Xi+l with respect to --z~,+a.
To show (d), assume to the contrary that II(:Di+:) = { P : , . . . , Pr} is the set
of primes with respect to =9,+,, and that the pair (c~, fl), where a = p~l ... par
and fl = P ( ~ . . . P ~ ' , is a counterexample to condition (d): that is, c~ - /?,
( a : , . . . , a~) 5~ ( b : , . . . , br), and the pair (a, fl) satisfies norm-reducing expansions
in --9~+1. We demonstrate that this assumption leads to a contradiction.
Let j be the largest index such that aj ~ bj, and assume, without loss of
generality, that aj > bj. We distinguish three cases:
CASE I. If ak > 0 for some k < j, then let a perform some norm-reducing
transition via process Pk. Process/3 cannot match this transition, since it
cannot increase the exponent bj without decreasing some exponent t o t h e
right of bj.
~Again, note t h a t Q 1 , . . . , Qt, although primes with respect to ,,~, are not in general primes
with respect to ---~i"
144
CASE II. Ifak > Ofor some k > j, then let c~ perform a norm-reducing transition
via process Pk that maximises the increase in the exponent aj. Again the
process fl is unable to match this transition.
CASE ]II. The monomial ~ = pjaj is a power of a prime with respect to - ~ + 1 .

Note that bk = 0 for all k > j by choice of j, and aj > 2, otherwise, Pj
would not be prime with respect t o / ) i + 1 . If bj > 0, let/3 perform a norm-
reducing transition via Pj; this transition cannot be matched by c~, since
it would require the exponent aj to decrease by at least two. Finally, if
bj = 0, then let (r perform a norm-reducing transition via Pj; this transition
cannot be matched by/3, since/3 is unable to increase the exponent bj.
This completes the inductive step.

It only remains to show that the extension of ~Di to :D~+I may be computed
in polynomial time. We need to investigate the possibility that Xi+l may be
expressed as Xi+l =- P ~ ...Pr~ where the pair (Xi+I,P~ ~ . . . P f ' ) satisfies
norm-reducing expansion in =-v~. Recall that effecting the transition X a )/3
may be viewed as multiplication b y / 3 / X ; thus the transition a a )/3 may occur
precisely if of~ = c~/3/X is a monomial (i.e., the exponent of X is non-negative),
in which case a~ is the resulting process.
Now choose any norm-reducing transition Xi+l a ) ~ E { X 1 , . . . , Xi}*, and
let c~ - V , P~a 999p a r be the prime decomposition of c~. If this transition is to be
matched by/3 = p~l ... prz~ then (r//3 must be one of a finite set of possibilities,
one for each production in G. Thus there are only as many possibilities for the
process/3 as there are productions in G; for each possibility it is easy to check
whether (i) Xi+l - P;" . . . P f ' , and (ii) the pair ( X i + I , P ~ I . . . P f ' ) satisfies
norm-preserving expansion in - v ~ . Thus the extension of :Di to :Di+l may
indeed be computed in polynomial time. [2
References
[1] P. Aczel. Non-well-founded Sets. CSLI Lecture Notes 14, Stanford Univer-
sity, 1988.
[2] J.C.M. Baeten, J.A. Bergstra and J.W. Klop. Decidability of bisimulation
equivalence for processes generating context-free languages. Journal of the
A C M 40, pp653-682, 1993.
[3] Y. Bar-Hillel, M. Perles and E. Shamir. On formal properties of simple

phrase structure grammars. Zeitschrifl fiir Phonetik, Sprachwissenschafl,
und Kommunikationsforschung 14, pp143-177, 1961.
145
[4] J.A. Bergstra and J.W. Klop. Algebra of Communicating Processes with
Abstraction. Theoretical Computer Science 37, pp77-121, 1985.
[5] G. Boudol. Notes on algebraic calculi of processes. In K. Apt (ed), Logics

and Models of Concurrent Systems, NATO ASI Series f13, 1985.
[6] J.C. Bradfield. Verifying Temporal Properties of Systems. Birkh/iuser, 1991.
[7] E. Brinksma. Information Processing Systems - Open Systems Interconnec-

tion - LOTOS - A formal description technique based upon the temporal
ordering of observable behaviouL Draft International Standard ISO8807,
1988.
[8] S.D. Brookes, C.A.R. Hoare and A.W. Roscoe. A theory of Communicating
Sequential Processes. Journal of the ACM 31, pp560-599, 1984.
[9] O. Burkart and B. Steffen. Model checking for context-free processes. In

Proceedings of CONCUR 92, W.R. Cleaveland (ed), Lecture Notes in Com-
puter Science 630, pp123-137. Springer-Verlag, 1992.
[10] D. Caucal. Graphes canoniques des graphes alg~briques. Informatique

Thdorique el Applications (RAIRO) 24(4), pp339-352, 1990.
[11] D. Caucal. A fast algorithm to decide on the equivalence of stateless DPDA.
Informatique Thdorique et Applications (RAIRO) 27(1), pp23-48, 1993.
[12] S. Christensen. Decidability and Decomposition in Process Algebras.
Ph.D. Thesis ECS-LFCS-93-278, Department of Computer Science, Uni-
versity of Edinburgh, 1993.
[13] S. Christensen. Distributed bisimilarity is decidable for a class of infinite-

state processes. In Proceedings of CONCUR 92, W.R. Cleaveland (ed),
Lecture Notes in Computer Science 630, pp148-161. Springer-Verlag, 1992.
[14] S. Christensen, Y. Itirshfeld and F. Moller. Decomposability, decidability
and axiomatisability for bisimulation equivalence on basic parallel processes.
In Proceedings of LICS93. IEEE Computer Society Press, 1993.
[15] S. Christensen, Y. Hirshfeld and F. Moller. Bisimulation equivalence is de-

cidable for basic parallel processes. In proceedings of CONCUR93, E. Best
(ed), Lecture Notes in Computer Science 715, pp143-157, Springer-Verlag,
1993.
[16] S. Christensen, Y. Hirshfeld and F. Moller. Decidable subsets of CCS. The

Computer Journal 37(4), pp233-242, 1994.
146
[17] S. Christensen and H. Hiittel. Decidability issues for infinite-state processes

- a survey. Bulletin of the EATCS 51, pp156-166, October 1993.
[18] S. Christensen, H. Hiittel and C. Stifling. Bisimulation equivalence is

decidable for all context-free processes. In Proceedings of CONCUR 92,
W.R. Cleaveland (ed), Lecture Notes in Computer Science 630, pp138-147.
[19] J. Esparza and M. Nielsen. Decidability issues for Petri nets - a survey.
Bulletin of the EATCS 52, pp245-262, February 1994.
[20] E.P. Friedman. The inclusion problem for simple languages. Theoretical
Computer Science 1, pp297-316, 1976.
[21] R.J. van Glabbeek. The linear time-branching time spectrum. In Proceed-
ings of CONCUR 90, J. Baeten, J.W. Klop (eds), Lecture Notes in Computer
Science 458, pp278-297. Springer-Verlag, 1990.
[22] J.F. Groote. A short proof of the decidability of bisimulation for normed
BPA processes. Information Processing Letters 42, pp167-171, 1991.
[23] J.F. Groote and H. Hiittel. Undecidable equivalences for basic process al-
gebra. Information and Computation, 1994.
[24] J.F. Groote and F. Moller. Verification of parallel systems via decomposi-
tion. In Proceedings of CONCUR 92, W.R. Cleaveland (ed), Lecture Notes
in Computer Science 630, pp62-76. Springer-Verlag, 1992.
[25] Y. Hirshfeld. Petri Nets and the Equivalence Problem. In Proceedings of

CSL'93, K. Meinke (ed), Lecture Notes in Computer Science Springer-
Verlag, 1994.
[26] Y. Hirshfeld. Deciding equivalences in simple process algebras. In Proceed-

ings of a 3-day Workshop on Bisimulation, Amsterdam, April, 1994.
[27] Y. I'Iirshfeld, M. Jerrum and F. Moller, A polynomial algorithm for decid-

ing bisimilarity of normed context-free processes. Submitted to Theoretical
Computer Science, 1994.
[28] Y. Hirshfeld, M. Jerrum and F. Moiler, A polynomial algorithm for deciding

bisimulation equivalence of normed basic parallel processes. Submitted to
Mathematical Structures in Computer Science, 1994.
[29] Y. Hirshfeld and F. Moller. A fast algorithm for deciding bisimilarity of

normed context-free processes. In Proceedings of CONCUR'94, J. Parrow
(ed), Lecture Notes in Computer Science. Springer-Verlag, 1994.
147
[30] M. Hennessy. Algebraic Theory of Processes. MIT Press, 1989.
[31] C.A.R. Hoare. Communicating Sequential Processes. Communications of

the ACM 21, pp666-677, 1978.
[32] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1988.

[33] J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Lan-
guages, and Computation. Addison Wesley, 1979.
[34] It. Hfittel. Decidability, Behavioural Equivalences and Infinite Transition

Graphs. Ph.D. Thesis ECS-LFCS-91-191, Department of Computer Science,
University of Edinburgh, 1991.
[35] H. Hfittel. Undecidable equivalences for basic parallel processes. In Proceed-

ings of FSTTCS'93, 1993.
[36] H. Hfittel and C. Stirling. Actions speak louder than words: proving bisimi-
larity for context-free processes. In Proceedings of LICS'91, IEEE Computer
Society Press, pp376-386, 1991.
[37] D.T. Huynh and L. Tian. On deciding readiness and failure equivalences
for processes. Technical report UTDCS-31-90, Department of Computer
Science, University of Texas at Dallas, September 1990.
[38] D.T. Huynh and L. Tian. Deciding bisimilarity of normed context-free pro-
cesses is in ~P. Theoretical Computer Science 123, pp183-197, 1994.
[39] D.T. Huynh and L. Tian. On deciding some equivalences for concurrent
processes. Informatique Th orique et Applications (RAIRO) 28(1), pp51-
71, 1994.
[40] P. JanSar. Decidability questions for bisimilarity of Petri nets and some
related problems. In Proceedings of STACS'94, P. Enjalbert, E.W. Mayr
and K.W. Wagner (eds), Lecture Notes in Computer Science 775, pp581-
592, Springer-Verlag, 1994.
[41] P.C. Kanellakis and S.A. Smolka. CCS expressions, finite-state processes
and three problems of equivalence. Information and Computation (86),
pp43-68, 1990.
[42] S.C. Kleene. Representation of events in nerve nets and finite automata. In
Automata Studies, pp3-42, Princeton University Press, Princeton, 1956
[43] D.E. Knuth, J.H. Morris, and V.R. Pratt, Fast pattern matching in strings,
SIAM Journal on Computing 6, pp323-350, 1977.
148
[44] A. Korenjak and J. Hopcroft. Simple deterministic languages. In Proceed-

ings of 7th IEEE Switching and Automata Theory conference, pp36-46,
1966.
[45] W.S. McCullock and W. Pitts A logical calculus of the ideas immanent in
nervous activity. Bull Math Biophysics 5, pp115-133, 1943.
[46] R. Milner. Processes: a mathematical model of computing agents. In Pro-

ceedings of Logic Colloquium'73, Rose and Shepherdson (eds), pp157-174,
North Holland, 1973.
[47] R. Milner. A Calculus of Communicating Systems. Lecture Notes in Com-

puter Science 92, Springer-Verlag, 1980.
[48] R. Milner. Communication and Concurrency. Prentice-Hall, 1989.

[49] R. Milner and F. Moller.. Unique decomposition of processes. Theoretical
Computer Science 107, pp357-363, 1993.
[50] E.F. Moore. Gedanken experiments on sequential machines. In Automata

Studies, pp129-153, Princeton University Press, Princeton, 1956
[51] D. Muller and P. Schupp. The theory of ends, pushdown automata and
second order logic. Theoretical Computer Science 37, pp51-75, 1985.
[52] R. Paige and R.E. Tarjan. Three partition refinement algorithms. SIAM
Journal on Computing 16, pp937-989, 1987.
[53] D.M.R. Park. Concurrency and Automata on Infinite Sequences. Lecture

Notes in Computer Science 104, pp168-183, Springer Verlag, 1981.
[54] W. Reisig. Petri Nets: An Introduction. E A T C S Monographs on Theoretical

Computer Science, Springer-Verlag, 1985.
[55] L.J. Stockmeyer. The polynomial time hierarchy. Theoretical Computer Sci-
ence 3, ppl-22, 1977.
Modal and Temporal Logics for Processes
Colin Stifling
Dept. of Computer Science

University of Edinburgh
Edinburgh EH9 3JZ, UK
email: cps~dcs.ed.a~.uk
Preface
We examine modal and temporal logics for processes. In section 1 we intro-

duce concurrent processes as terms of an algebraic language comprising a few
basic operators, as developed by Milner, Hoare and others. Their behaviours
are described using transitions. Families of transitions can be arranged as la-
belled graphs, concrete summaries of process behaviour. Various combinations
of processes are reviewed.
In section 2 modal logic is introduced for describing the capabilities of pro-
cesses. An important discussion is when two processes may be deemed, for all
practical purposes, to have the same behaviour. We discuss bisimulation equi-
valence as the discriminating power of modal logic is tied to it. This equivalence
is initially presented in terms of games.
More generally practitioners have found it useful to be able to express tem-
poral properties (such as liveness and safety) of concurrent systems. A logic
expressing temporal notions provides a framework for the precise formalization
of such specifications. Formulas of the modal logic are not rich enough to express
such temporal properties. So extra operators, extremal fixed points, are added
in section 3. The result is a very expressive temporal logic.
The modal and temporal logics provide a repository of useful properties.
However it is also very important to be able to verify that an agent has or lacks
a particular property. This is the topic of section 4. First we show that property
checking can be understood in terms of game playing. We then present sound and
complete tableau proof systems for proving temporal properties of processes. The
proof method is illustrated on several examples. Finally, concluding comments
are contained in section 5.
A c k n o w l e d g e m e n t s : Earlier versions of this paper have been presented at the
4th European Summer School in Logic, Language and Information, University
of Essex, 1992; at the Tempus Summer School for Algebraic and Categorical
Methods in Computer Science, Masaryk University, Brno, 1993; and the Summer
School in Logic Methods in Concurrency, Aarhus University, 1993. I would like
to thank the organisers and the participants of these summer schools, and of the
Banff higher order workshop. I would also like to thank Julian Bradfield for use
of his Tex tree constructor for building derivation trees and Carton Kirkwood,
Faron Moller, Perdita Stevens and David Walker for comments on earlier drafts.
150
1 Processes
Process theory introduces processes as terms of an algebraic language comprising

a few basic operators. Transitions of the form E a ) F , that process E may
become F by performing the action a, feature prominently, underpinning the
behavioural meaning of a process. Structured rules guide their derivation in the
sense that the transitions of a compound process are determined by those of its
components. Families of transitions can be arranged as labelled graphs, concrete
summaries of the behaviour of processes. Here we review various combinations
of processes and their resulting behaviour as determined by the transition rules.
1.1 First examples
A simple example of a process (courtesy of Hoare [40]) is a clock that perpetually

ticks, Cl d_cft i c k . C / . We adopt the usual convention that names of actions such
as t i c k are in lower case whereas names of processes have an initial capital
letter. The defining expression for Cl invokes a prefix operator . which forms
the process a.E from the action a and the process E. The facility for defining
processes d___~f,relating a process name with a process expression, is recursive as
both occurrences of Cl name the same process. The behaviour of Cl is very
elementary: it can only perform the action t i c k and in so doing becomes Cl
again. This is deducible from the rules for transitions.
First is the axiom for the prefix operator when a is an action and E a process:
Its meaning is that process a.E may perform (respond to, participate in, or
accept) the action a and evolve into the process E. An instance is the transition
r tick) Cl. Next is the transition rule for d___ef,which is presented as a goal
directed inference rule:
R.~.(~__) Pa, F def

E "~) F P = E
Provided that E may become F by performing a and that the side condition
P ~ f E is fulfilled, it follows that P a ) F .
Using these two rules we can show Cl tick Cl:
Cl ~ic~) Cl
CI d__eftick. Cl
tick. Cl tick) Cl
This proof of Cl tick) C! Is presented with the desired conclusion as antecedent

which follows from the axiom instance beneath it via an application of R(def)
The behaviour of Cl can be visually summarized as in figure 1. The ingredi-
ents of this graph (called a labelled transition system) are process terms and
151
tick
Fig. 1. The transition graph for Cl
directed labelled arcs between them. Each vertex is a process term, and one of
them is Cl which can be thought of as the root. All the possible transitions from
each vertex, those that are provable from the rules for transitions, are represen-
ted.
A second example, a very simple vending machine, is defined in figure 21
Here + (which has wider scope than .) is the choice operator from Milner's
Ven de=f2p. Venb + 1p. Vent

clef
Venb = blg.collectb. Ven
.
def
Vent = l i t t l e . c o l l e c t , . V e n
Fig. 2. A vending machine
CCS, Calculus of Communicating Systems, [52]. Initially Ven may accept a 2p

or lp coin; then a button, b i g or l i t t l e , may be depressed depending on which
coin was deposited; finally, after an item is collected the process reverts to its
initial state Ven. Transition rules for +, justifying this description of Ven, are:
R(+) EI+E~ a F
E1 a ~ F
The proof of the transition Ven 2p Venb is1:

El+E2 a~F
E2 a ' F t
Ven 2p~ Venb
2p. Venb -.1-lp. Vent 2p~ Venb
2p. Venb 2p ~ Venb
The final transition is an axiom instance; an application of the first R(+) rule
to it yields the intermediate transition; and the goal therefore follows using the
rule R(d--ef): The transition graph for Ven is presented in figure 3.
1 In proofs of transitions we usually omit explicit mention of side conditions in the
application of a rule such as R(~f).
152
~coll:ct~.Ven collect/.Yen
Fig. 3. The transition graph for Ve.
A transition E a ~ F can be viewed as an assertion which is derivable from

the rules for transitions. To find out what transitions are possible from E it
suffices to examine its main combinator and the possible transitions of its com-
ponents. There is an analogy with rules for expression evaluation: for instance,
to evaluate (3 • 2) + 4 it suffices to evaluate the components 3 • 2 and 4, and
then sum their values. Such families of rules give rise to a structured operational
semantics in the style of [59]. However, whereas the essence of an expression is
to be evaluated, the essence of a process is to act.
Families of processes can be defined using indexing. A simple case is the
set of counters {Cti : i 6 N} of figure4. The counter Ct3 can increase to
clef
Cto = up. Ctl +
Cto round.
deI
Cti+l = up. Cti+2 + down. Cti
Fig. 4. A family of counters
Ct4 by performing up, or decrease to Ct2 by performing down. Each m e m b e r

Cti determines the same transition graph which contains an infinite number of
different vertices: such graphs are infinite state in contrast to the finite state
graphs of figures 1 and 3.
The operator + is frequently extended to indexed families ~ { E i : i 6 I}
where I is a set of indices.
R(~) ~'~{Ei : i e I} a F
Ej a , F j6I
A special case is when the indexing set I is empty. By the rule R ( ~ ) this process
has no transitions as the subgoal can never be fulflled. In CCS this nil process
is abbreviated to 0 (and to S T O P in Hoare's CSP, Communicating Sequential
Processes, [40]). Thus t i c k . 0 can only do a single tick before terminating.
Actions can be viewed as ports or channels, means by which processes can
interact. It is then also i m p o r t a n t to consider the passage of d a t a between pro-
cesses along these channels or through these ports. In CCS input of data at a
153
port named a is represented by the prefix a(x).E where a(x) binds free occur-
rences of x in E. (In CSP a(x) is written a?x.) Now a no longer names a single
action but instead represents the set {a(v) : v E D} where D is the appropriate
family of d a t a values. The transition axiom for this prefix input f o r m is:
R(in) a(x).E
a(l)! E{v/x} rED
where E{v/x} is the process t e r m which is the result of replacing all free occur-
rences of x in E with v ~. Output at a port n a m e d a is represented in CCS by
the prefix "5(e).E where e is a data expression. The overbar - symbolizes output
at the n a m e d port. (In CSP ~(e) is written a!e.) The transition rule for output
depends on extra machinery for expression evaluation. Assume t h a t Val(e) is the
d a t a value in D (if there is one) to which e evaluates:
I R(out) "5(e).E E Val(e) = v
The a s y m m e t r y between input and output is illustrated in the following

process t h a t copies a value from i n and then sends it through out:
Cop %f in(x).o--~(x). Cop
For any v 6 D the transition Cop i=(,,)"5"~(v).Cop is derived as follows:
Cop
Cop i.(o? Cop
The subgoal is an instance of R(in), (6-~(=).Cop){v/=} is 6-~(v).Cop. This
as
latter process has only one possible transition, o--~(v). Cop ~-~(~) Cop, an instance
of R(out) as we assume t h a t Val(v) is v. Whenever Cop inputs a value at i n it
immediately disgorges it through out. The size of the transition graph for Cop
depends on the size of the data domain D and is finite when D is a finite set.
Input actions and indexing can b e mingled, as in the following description of
a family of registers where both i and x have type N:
Regi clef~ ( i ) . R e g i + write(x).Reg x

Reg i can output the value i at the port r e a d , or instead it car~ be u p d a t e d by
being written to at w r i t e .
We shall implicitly assume different expression types, such as boolean expres-
sions. For instance when i is an integer, Val(even(i)) = true if i is even and is
false otherwise. This allows us to use conditionals in the definition of a process,
as exemplified by S which sieves numbers:
2 a(x).E can be viewed as an abbreviation for ~{a,,.E{v/x} : V e D}, writing a~
instead of a(v).
154
S d+f i n ( z ) . i f even(x) t h e n o--ffte(z).S else -5-ff-to(Z).S
Below are the transition rules for this conditional.
i f b t h e n E1 else E2 ~ E' I
R(ifl) E1 ~ ~ E I Val(b) = true
I
R(if2) if b t h e n E1 else E2 ~ ~ E' Val(b) = false
E2 a ~E'
E x a m p l e 1 Consider the following family of processes for i > 1:
T(i) dee i f even(i) t h e n "J-~(i).T(i/2) else "J'~(i).T((3i + 1)/2)
T(5) performs the transition sequence T(5) ;~(]) T(8) o-~(s) T(4) o-~(4) T(2),
and then cycles through the transitions T(2) ~-~(~) T(1) "-~(~) T(2). []
1.2 C o n c u r r e n t interaction
A compelling feature of process theory is its modelling of concurrent interaction.
A prevalent approach is to appeal to handshake communication as primitive.
At any one time only two processes may communicate at a port or along a
channel. In CCS the resultant communication is a completed internal action.
Each incomplete, or observable, action a has a partner ~, its co-action. Moreover
the action ~ is a which means that a is also the co-action of ~. The partner of
a parametrized action in(v) is i-~(v). Simultaneously performing an action and
its co-action produces the internal action r which is a complete action and so
does not have a partner.
Concurrent composition of E and F is expressed as the process E [ F. The
crucial transition rule for [ which conveys communication is:
R(lcom) E l F ", E'[F'

E a E' ~ F'
Consider a potential user of the copier Cop of the previous section who first
writes a file before sending it through the port in:
Sser d=e f . r i t e ( z ) . User= User= def= Wet

As soon as User has written the file v it becomes the process User, which can
communicate with Cop. Rule R(] corn) licenses the following proofS:
a We assume that [ has greater scope than the other process operators: the process
"5"5-i(v).Cop ] User is therefore the parallel composition of o---~(v).Cop and User.
155
Cop I User~ ", ~-~(,).Cop l User

Cop i,(o) ~-a~(v). Cop User~ ~(~ User
in(z).~-~(~). Cop i,(~? ~-a~(v). Cop ~(~). User ~(~), User
Through this communication the value v is sent from the user to the copier.
Data is thereby passed from one process to another. When the actions a and
do not involve values, the resulting communication is a synchronization.
Various users can share the copying resource, Cop I ( Uservl I Userv2) admits
two users, but only one at a time is allowed to employ it. So other transition rules
for I are needed, permitting components to proceed without communicating.
These rules are:
R(I) E I F - 2 - ~ E ' I F ElF "'ELF'

E a EI F "~F t
In the first of these rules the process F does not contribute to the action a which
E performs. An example derivation is:
Cop I ( Uservl I Userv~) ~, -5-ff'f(vl).Cop I ( User I Userv2)

Cop i=(vl) o--~(vl). Cop Uservl I Userv2 ~(vl) User I Userv2
in(v 1) ~ .
in(~).o---~(~). Cop ) out(vl).Cop Yser, l V,(~l)) User
:(v:). User :('~) User
The goal transition reflects a communication between Cop and User, l, and
so User~2 does not contribute to it. The process Cop I (Useful I UServ2) is
not forced to engage in communication, it may instead perform an input in(v)
action or an output action i-~(vl) or i-~(v2).
The behaviour of the users sharing the copier is not affected by order of
parallel subcomponents or by placement of brackets. (Cop I User, l) I Userv2 and
Uservl I (Cop I Userv2) have the same capabilities as Cop I (Uservl I Userv2).
These three process expressions have isomorphic transition graphs, and therefore
in the sequel we omit brackets between multiple concurrent processes 4.
The parallel operator is expressively powerful. It can be used to describe
infinite state systems without invoking infinite indices or value spaces. A simple
example is the counter Cut given by Cnt d__efup.(Cnt I down.0). It can perform
up and become Cnt I down.0 which in turn can also perform up and thereby
becomes Cnt I down.0 I down.0, and so on.
Figure 5 offers an alternative pictorial representation of the copier Cop and
its user process User. Such diagrams are called ]:low graphs by Milner [52] (and
should be distinguished from transition graphs). A flow graph summarizes the
156
Cop
wri~~User ~~n ~ln~ Cop out
wri~e~ User ~ ~ . ~ n ~
Cop ~ out:
Fig. 5. The flow graphs of User,Cop,CopI Userand CopI User[ User
potential movement of information flowing into and out of ports, and also ex-
hibits the ports through which a process is in principle willing to communicate.
In the case of User the incoming arrow to the port labelled w r i t e represents
input whereas the outgoing arrow from i--~ symbolizes output. The flow graph
for Cop I Userhas the crucial feature that there is a potential linkage between
the output port in of Userand its input in Cop permitting information to cir-
culate from Userto Cop when communication takes place. However this port
is still available for other users: both users in Cop I User I User are able to
communicate, at different times, with Cop.
Consider now the situation where a user has private access to a copier. This is
modelled using an abstraction or encapsulation operator which conceals ports or
channels. In CCS there is a restrictionoperator \ J where J ranges over families
of incomplete actions (thereby excluding r). Let K be the set {in(v) : v 6 D}
where D is the space of values that could be accessed through in. In the process
(Cop I User)\K the port in is inaccessible from the outside. Its flow graph is
pictured in figure 6 where the linkage without names at the ports represents that
they are concealed from other users. This flow graph can therefore be simplified
as in the second diagram of figure 6.
The visual effect of \ J on flow graphs is underpinned by its transition rule,
where the set 7 i s {~ : a 6 J}.
4 Section 2.4 provides further justification for this.
157
wri:e~ User~ ~~ Cop ~-- out
out
Fig. 6. Flow graphs of (Cop I User)\K
E\J a , F\J - I
R(\) E a~F a~JOJ
!
The behaviour of E \ J is part of that of E. The presence of \ K prevents Cop
in (Cop I User)\K from ever doing an i n transition except in the context of a
communication with User. This therefore enforces communication between these
two components. The only available transition after an initial write transition,
(Cop] User)\K . r i t . ( ~ ) ( C o p [ User~)kK, is the communication whose proof is:
(Cop] User~)\K T (-6-~(v).Cop [ User)\K

Cop l User~ *, o--~(v).Cop I User
Cop i.(o? -o-~(v). cop User~ r.(~! User
in(~).o-~(~). Cop ~;(~!-~-~(v). Cop r~(v). User ~(~? User
The second user in (Cop I User)\K I User has no access to the copier. As the
operator \ J is intended to conceal ports, we shall usually abbreviate any set of
actions of the form {a(v) : v E D} within a restriction to {a}: for instance the
restriction \ K above is more succinctly expressed as \ { i n } .
Process descriptions can become quite large, especially when they consist of
multiple components in parallel. So we shall employ abbreviations of process
expressions using the relation - where P = F means that P abbreviates F .
E x a m p l e 1 The mesh of abstraction and concurrency is further revealed in the
following finite state example (without data) of a level crossing of figure 7 from
[17] consisting of three components. The actions c a r and t r a i n represent the
approach of a car and a train, up is the gates opening for the car, c c r o s s is
the car crossing, down closes the gates, g r e e n is the receipt of a green signal
by the train, t c r o s s is the train crossing, and r e d automatically sets the light
red. Unlike most crossings it keeps the barriers down except when a car actually
158
def
Road = car.up.cc--ff-fh~.do~-a.Road
Rail ~ train.green.tcross.rod.Rail
Signal d_efg~-d-ff.red. Signal Jr fi-ff.down.Signal
Crossing .~ (Road[ Rail I Signal) \ {greon, red, up, do~n}
Fig. 7. A level crossing
approaches and tries to cross. The flow graphs of the components and the overall
system are depicted in figure 8, as is its transition graph. []
An i m p o r t a n t arena for the use of process descriptions is modelling protocols

[58]. An example is Protocol of figure 9 taken from [69] which models a simple
communications protocol that allows a message to be lost during transmission.
Its flow graph is the same as that of Cop earlier, and the size of its transition
graph depends on the space of messages. The sender transmits any message it
receives at the port i n to the medium. In turn the m e d i u m m a y transmit the
message to the receiver, or instead the message m a y be lost, an action modelled
as the silent r action, in which case the m e d i u m sends a timeout signal to the
sender and the message is retransmitted. On receiving a message the receiver
outputs it at the port o u t and then sends an acknowledgement directly to the
sender (which we assume cannot be lost). Having received the acknowledgement,
the sender m a y again receive a message at port in.
Although the flow graphs for Protocol and for Cop are the same, their levels of
detail are very different. It turns out that these two processes are equivalent in the
sense defined in section 2.6. As process descriptions they are very different. Cop
is close to a specification, as its desired behaviour is given merely in terms of what
it does, or how it m a y react. In contrast Protocol is closer to an implementation
as it is defined in terms of how it is built from simpler components.
E x a m p l e 2 The slot machine in figure 10 is an infinite state system (from

[17]). Its flow graph is also depicted there. A coin is input (the action s l o t )
and then after some silent activity either a loss is output or a winning sum of
money. It consists of three components; IO which handles the taking and paying
out of money, Bn a bank holding n pounds, and D the wheel-spinning decision
component. O
1.3 Observable transitions
A natural extension of the transition relations a ~ is to finite length sequences

of actions or traces a l . . . an. Assume that w ranges over such sequences (with r
as the e m p t y trace). The notation E ~o ~ F represents t h a t E m a y perform the
trace w and become F . The next transition rule captures this generalization:
159
$ car I green
green
o
I ccross ~ red ~ red
train ~ w
I car
~tcross
Crossing
wiF . _ _
ccross
\ Es. train IE6 ETkk carl'9 /
K = {green, red, up, down}

Eo =- Crossing
Ea = ( u p . ~ . d o , n . R o a d I Rail I Signal)\K
E~ - ( noaa Igreen.%-6F6~.~-d~Raill Signal) \ K
E3 --( u p . ~ . d o w a . R o a d I green.tcr~ l Signal)\K
E, - ( cc--6T6~.do,n.Road l Rail ldown.Signal)\K
E5 - ( Ro~d l tc--F6~.~-~.Rail lre&Sivnal) \ K
E6 = ( ~ . d o w a . R o a d l green.tcross.red.Rail I down.Signal) \ K
E7 = (up.~.do,n.Roadltc-UF6~.~.Rail l red.Sianal) \ K
E, =_ ( d-~,~.no~a l Rail l do,n.Sianal) \ K
E9 - ( noad l Wd.R.il l red.Sian~t) \ K
Eao = (T6~.Road l gree~ t c r o a s . ~ . R a i l l dowa.Sianal) \ K
Ell = (up.~.do.n.Road l ~-ff~.Rail Ired.Sianal)\K
Fig. 8. Flow graphs of the crossing and its components, and its transition graph
160
Sender d~=fin(x).~(x).Sendl(x)
Sendl (,) %f ms:~(,).Sendl (,) + ok.Sender
Medium d_,_fsm(y).Medl(y)
Medl (y) de-4~i-f(y).Medium + r.~'g.Medium
Receiver ~' mr(z).'6~(z).-~.Receiver
Protocol = (Sender I Medium I Receiver) \ { sm, ms, mr, ok}
Fig. 9. A simple protocol
IO d,__~slot.bank.(lost.loss.IO + release(y).~Tn(y).lO)
Bn dealb ~ k . ~ ( , + X).l*ft(y).8,
m dej max(z).(lost.left(z).D + ~ { ~ ( y ) . Y ~ ( z - y).D : 1 <_ y < z})
S M , =_ (IOIBn ]D)\{bank, max, l e f t , release}
loss
win
Fig. 10. A slot machine
E alP) r
R(tr) E ~, E
E ~>E' E' ~~
For instance, the crossing of figure 7 performs the cycle Crossing ~ Crossing,
when w is t r a i n r ~ c r o s s r.
There is an important difference between the completed internal r action and
incomplete actions. An incomplete action is observable in the sense that it can
be interacted with in a parallel context. Assume that E may at some time per-
form the action ok, and that F is a resource. Within the process ( E ] ~-k.F)\{ok}
accessibility to this resource is triggered only when E performs ok. Here obser-
vation of ok is the same as the release of the resource. The silent action r can
not be observed in this fashion.
Consequently an important abstraction of the behaviour of processes is away
clef
from silent activity. Consider a slightly different copier C = in(x).o---ut(x).o--k.C,
161
and a user U, defined as write(z).i-n(z).ok.U, who writes a file before send-

ing it through i n and then waits for an acknowledgement. The behaviour of
(C[ U)\{• ok} is very similar to that of Ucop dr grite(z).o---~(z). Ucop. The
only difference in their capabilities is internal activity. Both are initially only able
to perform a write action. But afterwards Ucop outputs immediately whereas
the other process must first perform a communication before outputing and then
r again before a second write can happen. When abstracting from silent actions
this difference disappears: outwardly both processes repeatedly write and output.
Therefore we now define another family of transition relations between processes
which epitomizes observable behaviour.
Given a trace w the subsequence of w restricted to the set of actions J,
denoted by w r J, is the remainder of w when actions outside of J are erased.
For instance ( t r a i n T t e r o s s r ) [ { ~ } = t e r o s s , and r r [ { ~ } = r
Associated with any trace w is its observable trace, the suhsequence w I (9 when
(9 is a universal set of observable actions (containing at least all the actions
mentioned in this work apart from v). For example the observable trace derived
from t r a i n r l ; c r o s s v is t r a i n t c r o s s . Observable traces are either empty or
built from observable actions. Consequently we can introduce the notion that
E may perform the observable trace w and evolve into F: we use the standard
notation E ~ F to represent this. A transition rule for such traces utilizes
R(tr) and [:
[ R(Tr) E ~ r
E '~F u=w [(9
Observable traces can also be built from their observable components. The
extended observable transition Crossing ~r~i~ros~ Crossing is the result of glu-
ing together the two transitions Crossing t~= E and E t ~ Crossing when
the intermediate state is either E2 or Es of figure 8. Following [52] we therefore
define a new family of transition relations which underpin observable traces. A
label in this family is either the empty sequence ~ or an observable action a:
[ R(:::~) E=:~E E=------~F

E ~,E I Et~F
E :=~ E' E' a ~ F' F' =:~ F

The observable behaviour of a process can also be visually encapsulated as a
graph. As in section 1.1 the ingredients of this graph are process terms related by
directed labelled arcs. Each arc is either ~ or :=~ where a is observable. Con-
sequently there are two behaviour graphs associated with any process. Although
both graphs contain the same vertices, they differ in their labelled arcs. Ob-
servable graphs are more complex than their counterparts built from the single
162
arrow transitions. However the abundance of arcs may result in redundant ver-
tices, for when minimized with respect to notions of observable equivalence, the
graphs may be dramatically simplified as their vertices are fused. In this way
the observable transitions of a process offer an abstraction from its behaviour.
1.4 Renaming and linking
The processes Cop and User are essentially one place buffers, taking in a value
and later expelling it. Assume that B is a canonical buffer, B gel i(z).~(x).B.
Cop is the process B when port i is i n and o is out and User is B when i is
w r i t e and o is in. Relabelling of ports or actions can be made explicit, as in
CCS with a renaming combinator.
The crux of renaming is a function mapping actions into actions. To ensure
pleasant algebraic properties (see section 2.7) a renaming function f is subject
to a few restrictions. First it should respect complements: for any observable a
the actions f(a) and f(~) are co-actions. Second f should also preserve values
passing between ports, f(a(v)) is an action b(v) with the same value, and for any
other value w the action f(a(w)) is b(w). Finally it should conserve the silent
action, f ( r ) = r. Associated with any function f obeying these conditions is
the renaming operator Ill which when applied to a process E is written as E[f],
and is the process E whose actions are relabelled according to f . Following [52]
a renaming function f is usually abbreviated to its essential part: when the ai
are distinct observable actions bl/al,..., bn/a, represents the function f which
renames ai to bi, and leaves any other action c unchanged. For instance Cop
abbreviates the process B [ i n / i , out/o], as we maintain the convention that i n
stands for the family {in(v) : v 6 D} and i for {i(v) : v 6 D}, and so i n / i
symbolizes the function which maps i(v) to in(v) for each v.
The transition rule for renaming is:
R([f]) E[f] a F[f] a = f(b)

E b~F
which is used in the derivations of the following pair of transitions.
B[in/i, out/o] i,(v) (5(v).B)[in/i, out/o] ~(~) B[in/i, out/o]

An important feature of processes is that they can be built from simpler
components. Consider for instance how to construct an n-place buffer, when
n > 1, following [52], by linking together n instances of B in parallel. The
flow graph of n copies of B is pictured in figure 11. For this to become an n-
place buffer we need to link and then internalize the contiguous ~ and i ports.
Renaming permits linking as the following variants of B show:
B1 -- B[ol/o] Bi+I =_B[oi/i , oi+1/o ] 1 _< j < n - 1 Bn = B [ o . _ l / i ]

163
:C o _Qo - $ -
Fig. 11. Flow graph of n instaaices of B, and B1 I .-- I B,,
The flow graph of B1 I ... I Bn is also depicted in figure 11, and contains
the intended links. The n-place buffer is the result of internalizing these links,
(B1 I... I B,)\{ox,...,o,-1}.
A more involved example from [52] is the construction of a scheduler from
small cycling components. Assume n tasks when n > 1, and that action ai
initiates the ith task whereas bi signals its completion. The scheduler timetables
the order of task initiation, ensuring that the sequence of actions al ... an is
performed cyclically starting with al. The tasks may terminate in any order,
but a task can not be restarted until its previous performance has finished. So
the scheduler must guarantee that the actions ai and bi happen alternately for
each i.
Let Cy I be a cycler of length four, Cy I def a.e.b.d.Cyt, whose flow graph is
illustrated in figure 12. In this case the flow graph is very close to the transition
graph, and so we have circled the a label to indicate that it is initially active. A
first attempt at building'the required scheduler is as a ring of Cy ~ eyclers.
C' - CV[, l/a, el~c, h/b,e,,/aq

Cy i =- (d.Cy')[ai/a, ci/c, bi/b,-6i_l/d] 1 < i < n
When n is four the flow graph of the process Cy~ I Cy~ I Cy~3 I Cy~4 with initial
states marked is depicted in figure 12. Next the ci actions are internalized. Let
Sched~ abbreviate the process (Cy~ I Cy~ I Cy~ I Cy~)\{cl,..., c4}. The flow
graph shows how the tasks must be initiated cyclically (when the ci actions are
internalized): for example a3 can only happen once al and then a2 have both
happened. Moreover no task can be reinitiated until its previous performance
has terminated: action a3 cannot recur until b3 has happened. However Sched~
does not permit all possible acceptable behaviour. A simple case is that action
b4 depends on bl, so task four can not terminate before the initial task.
The solution in [52] to this problem is to redefine the cycler as follows,
Cy de=fa.c.(b.d.Cy + d.b.Cy), and to use the same renaming functions. Let Cy i
for 1 < i < n be the process (d.Cy)[ai/a, ci/c, bi/b,'~i,1/aq, and let Cy t be
Cy[al/a, o/e, bt/b,'~n/d]. The required scheduler, Sched,, is the following pro-
cess, (Cy 1 I ' " I CYn)\{el,...,Cn}.
164
_ % b~
a _ C
Fig. 12. Flow graph of Cy' and Cy~ I Cy~ ] Cy~ ] Cy~
1.5 More combinations of processes
In previous sections we have emphasized the process combinators of CCS. There

is a variety of process calculi dedicated to precise modelling of systems. Besides
CCS and CSP there is ACP due to Bergstra and Klop [11, 6], Hennessy's EPL
[36], MEIJE defined by Austry, Boudol and de Simone [4, 61], Milner's SCCS
[51], and Winskel's general process algebra [72]. Although the behavioural mean-
ing of all the operators of these calculi can be presented using inference rules,
their conception reflects different concerns, see [7]. ACP is primarily algebraic,
highlighting equations 5. CSP was devised with a distinguished model in mind,
the failures model 6, and MEIJE was introduced as a very expressive calculus, ini-
tiating general results about families of rules that can be used to define process
operators [35]. The general process algebra in [72] has roots in category the-
ory. Moreover users of the process notation can introduce their own operators
according to the application at hand. 9
Numerous parallel operators are proposed within the calculi mentioned above.
Their transition rules are of two kinds. First, where x is parallel, is a synchron-
ization rule:
5 See section 2.7.
6 See section 2.2 for the notion of failure.
165
E x F ab E' x F'
E a , E' F ~ F'
Here ab is the concurrent product of the component actions a and b, and . . . m a y
be filled in with a side condition: in the case of I of section 1.2 the actions a and
b must be co-actions, and their concurrent product is the silent action. Other
rules permit components to act alone.
ExF a)E~xF ExF a)ExFI

E -~ E I F a ) FI
In the case of [ there are no side conditions when applying these rules. This gen-
eral format covers a variety of parallel operators. At one extreme is the case when
x is a synchronous parallel (as in SCCS), when only the synchronization rule
applies thereby forcing maximal concurrent interaction. At the other extreme
is a pure interleaving operator when the synchronization rule never applies. In
between, are the parallel operators of ACP, CCS, CSP and MEIJE.
A different conception of synchronization underlies the parallel operator of
CSP (when data is not passed). Synchronization is sharing the same action.
Actions now do not have partner co-actions as multiple parallel processes m a y
synchronize. Each process instance in CSP has an associated alphabet consisting
of those actions in which it is willing to engage. Two processes must synchronize
on common actions, belonging to both component alphabets. An alternative
presentation which does not require alphabets is to introduce a family of binary
parallel operators IlK indexed by a set K of actions which have to be shared.
Rules for IlK are:
EIIK F a E, IIKF ~
aEK
E '~ ) E I F - ~ FI
EIIK F a E, IIKF EIIK F ~ EIIK F,

a~K a~K
E '~)E I F a)FI
The operator IlK enforces synchronization. In CCS enforced synchronization
is achieved using I and the restriction operator \ K . Restriction also provides
a mechanism for abstracting from observable actions by making them silent.
Similarly there is a useful abstraction, or hiding, operator in CSP which we
represent as \ \ K . Its rules are
E\\K ~ F\\K E\\K r F\\g

a~K aEK
E-2-~ F E a)F
There is a variety of extensions to these basic calculi for modelling real time
phenomena such as timeouts expressed using either action duration or delay
intervals between actions [55, 54], priorities among actions or among processes
166
[24, 21], and the description of stochastic behaviour using probabilistic instead
of non-deterministic choice [46]. These extensions are useful for modelling hybrid
systems which involve a mixture of discrete and continuous, and can be found
in chemical plants, and manufacturing.
Processes can also be used to capture foundational models of computation
such as Turing machines, counter machines, or parallel random-access machines.
This remains true for the following restricted process language where P ranges
over process names, a over actions, and I over finite sets of indices:
E ::= P I y ~ { a i . E i : i e I} I E1 I E2 I E\{a}
A process is given as a finite family of definitions {Pi de=~Ei : 1 < i < n} where
all the process names in each Ei belong to the set { P 1 , . . . , Pn}. Although process
expressions such as the counter Cto (figure 4) the register Reg o (section 1.1) and
the slot machine SMo (figure 10) are excluded because their definitions appeal
to value passing or infinite sets of indices, their observable behaviour can be
described within this restricted process language. Consider, for example, the
following finite reformulation [68] of the counter Cto, the process Count:
Count d=e f round.Count + up.(Countl I a.Count)\ {a}

Count1 d=e f down.n.0 + up.( Count2 I b.CounQ )\{b}
Count2 de_fdown.b.0 + up.( Countl l a.Count2)\{a}
A two counter machine can simulate a Turing machine, and can be expressed
as a process of the form (Init I Fin I Count I Count')\K, where Init captures
initialisation, Fin is the finite state control, and the other components are the two
counters. The general significance of this is unclear. First there is not a natural
formulation of functions within these process calculi, and in particular there is
not a simple account of lambda calculus. Second it is not known what the right
criteria are for assessing the expressive power of calculi which model concurrency.
Should there be a "canonical" process calculus? Is there a concurrent version of
the Church-Turing thesis for sequential programs? Some exciting work has been
progressing in this area. Two examples are interaction categories [1], and the
~r-calculus [53].
2 Modalities and Capabilities
Various examples of processes have been presented, from a simple clock to a

sophisticated scheduler. In each case a process is a term drawn from a process
language built from a small number of operators. Behaviour is determined by
the transition rules for these process combinators. These rules may involve side
conditions relying on extra information, as is the case when data is involved.
The ingredients of a process description are combinators, predicates, and rules
which allow us to deduce transitional behaviour.
167
In this section we consider various abstractions from the behaviour of pro-

cesses. Already we have contrasted finite state from infinite state processes: the
size being determined by the behaviour graph generated from a process. We
have also distinguished observable transitions, marked by the thicker transition
arrows ~ , from their thinner counterparts. An important discussion surrounds
the question of when two processes may be deemed, for all practical purposes, to
have the same behaviour. Such an abstraction can be presented by defining an
appropriate equivalence relation between processes. A more abstract approach
is to examine behavioural properties, and to consider equivalence in terms of
having the same pertinent properties. Consequently we first define simple logics
which can capture process capabilities.
2.1 H e n n e s s y - M i l n e r logic
We now introduce a modal logic for describing local capabilities of processes.

Formulas are built from boolean connectives and modal operators [K] ("box
K") and (g) ("diamond g " ) where K is a set of actions:
] 9 ::= tt I I 'Pi Ar Ir vr I [K]~ I (K)'P I

This modal logic slightly generalizes Hennessy-Milner logic [38, 39], as sets of
actions instead of single actions appear in the modalities.
For any modal formula 9 we define when a process E has, or satisfies, the
property r written E ~ ~. If E fails to have the property 9 we write E ~: r
The satisfaction relation ~ between processes and formulas is defined inductively
on the structure of formulas:
E~tt
E~=ff
E~A~ iff E ~ 4~ and E ~ g'
E ~r life ~ or E ~ t/'
E iffVFE{E' : E :~>E'andaEK}.F~
iffSFE{E' : E a)E, andaEK}.F~
The meanings of modalized formulas appeal to the transition behaviour of a

process. To reduce the number of brackets in modalities we write [ a l , . . . , a~]
and ( a l , . . . , a~) instead of [ { a l , . . . , a,}l and ({a~,..., a=}).
The simple modal formula ( t i c k ) t t expresses a capability for performing
the action t i c k , E ~ ( t i c k ) t t iff 3 F E {E' : E ,ir E'}. The clock Cl
from section 1.1 has this property. In contrast, [ t i c k ] f f expresses an inability
to perform t i c k , E ~ [ t i c k ] f f iff {E' : E ~ir E'} 0. So Ven has this
property but Cl fails to have it. Such basic properties can be embedded within
modal operators and between boolean connectives. For instance E can perform
the trace a l . . . a, just in case it has the corresponding property ( a l ) . . . (an)tt.
168
The formula [ t i c k ] ( ( t i e k ) t t A [ t o c k ] f f ) 7 expresses the property that after any

t i c k action it is possible to perform t i c k again but not possible to perform
rock.
[ K ] f f expresses an inability to initially perform an action in K. In the case
of the vending machine Ven a button can not be depressed (before money is
deposited), so Ven ~ [big, l i t t l e ] f f . Other interesting properties of Ven are:
- Ven ~ [ 2 p ] ( [ l i t t l e ] f f A ( b i g ) t t ) : after 2p is deposited the little button

cannot be depressed whereas the big one can.
- Ven ~ [1p, 2p][1p, 2 p i l l : after a coin is entrusted no other coin (2p or lp)
may be deposited.
- Ven ~ [lp, 2p][big, l i t t l e ] ( c o l l e c t b , c o l l e c t / ) t t : after a coin is deposited
and a button is depressed, an item can be collected.
Verifying that Ven has these properties is undemanding. Their proofs merely
appeal to the inductive definition of the satisfaction relation between processes
and formulas. For instance Ven ~ [1p, 2p][1p, 2p]ff iff Venb ~ [1p, 2p]ff and
Venz ~ [lp, 2 p i l l , and clearly both of these hold. Similarly establishing that
Ven lacks a property, such as (lp)(lp, b i g ) t t , is equally routine. Notice that
it is not necessary to construct the transition graph of a process when showing
that it has, or fails to have, a property.
Actions in the modalities may contain values. For instance the register Reg 5
from section 1.1 has the property (r---e~(5))tt h [{r-'-e-~(k) : k # 5}]ff.
Assume that ,4 is a universal set of actions including r: so ,4 = O U {r}
where O is described in section 1.3. We let - K abbreviate the set .4 - K, and
within modaiities we write - h i , . . . , a , for - { a l , . . . , an}. Moreover we assume
that - abbreviates the set - $ (which is just .A). Consequently a process E has
the property [ - ] ~ w h e n each F in the set {E' : E a E ' a n d a E , 4 } has the
feature 4~. The modal formula [ - ] f f expresses deadlock or termination.
Within this modal logic we can also express immediate necessity or inevitab-
ility. The property that only a can be performed, that it must be the next action,
is given by the formula ( - ) t t A [ - a ] f f . The conjunct ( - ) t t affirms that some ac-
t i o n is possible while [ - a ] f f states that every action except a is impossible. After
2p is deposited Ven must perform big, and so Ven ~ [ 2 p ] ( ( - ) t t h [ - b i g ] f f ) .
2.2 M o r e m o d a l logics
Process activity is delineated by the two kinds of transition relation distinguished
by the thickness of their arrows ~ and ~ . The latter captures the perform-
ance of observable transitions as ~ permits silent activity before and after a
happens: the relation =:~ was defined (see section 1.3) in terms of a ~ and the
relation ==~ indicating zero or more silent actions.
7 We assume that A and V have wider scope than the modalities [K], (K/, and that
brackets are introduced to resolve any further ambiguities as to the structure of a
formula: consequently, A is the main connective of the subformula (t ick)ttA[tock]ff.
169
The modal logic of the previous section does not express observable capabil-
ities of processes as silent actions are not accorded a special status. To overcome
this it suffices to introduce two new modalities [ ] and (()):
]E~[I~ i f f V F E {E' : E ~ E ' } . F ~ 4 ~

E ~ (( ))q~iff 3F e {E' : E ~ E'}. F ~ ~
These operators are not definable within the modal logic of the previous section.
Using them, supplementary mo~lalities [K] and ((K)) are definable when K is a
subset of observable actions O.
[K] 9 de~ [ ] [K] [ ] ~) ((K>>Ode__f (( >>(K}(()>~
The derived meaningsof these modalitiesappeal to the observable transition
relations ~ in the same way that their counterparts [K] and (K} appeal
to a,. We write [ a l , . . . , a , ] and ((al,...,an)) instead of [{al, .... ,an}] and
(<{el,...,an})).
The simple modal formula ((tick))tt expresses the observable capability for
performing the action t i c k while )tick] f f expresses an inability to tick after
any amount of internal activity. Both clocks CI' clef = t i c k . C / ' + r.0 and CIdef=
tick. C1 have the property ((tick))tt but Cl' may at any time silently stop
ticking, and therefore it also has the property ((tick)) [ t i c k ) f f .
E x a m p l e 1 Crossing satisfies [car) [ t r a i n ) ( ( ( ~ ) ) t t V ((~))tt), but
it fails to satisfy )car] [ t r a i n ) ( ( ( ~ ) ) t t A ((cc-W2-a~))tt). []
Modal formulas can also be used to express notions that are basic to the
theory of CSP [40]. A process may Perform the observable trace a l . . . an provided
that it has the property ((al))... ((an))tt. The formula [ K ) f f expresses that the
observable set of actions K is a refusal. The pair ( a l . . . an, K) is an observable
failure for a process if it has the property ((al }}... (Can}}([r]ffA [K) f f ) : a process
satisfies this formula if it can perform the observable trace al ... an and become
stable (unable to perform r) and also be unable to perform any observable action
in K.
Recall that O is a universal set of observable actions (which does not contain
r). Let l - K ) abbreviate )O - K) and similarly for (i-K}}. Moreover let [ - )
and ({-}} be abbreviations for [O] and ((O}}. This means that the modal formula
[ - ) f f expresses an inability to perform an observable action: so the process Div
has this property when Div de--4fr.Div.
The modal logic of the previous section permits the expression of immediate
necessity or inevitability. The property that a process must perform a next is
given by the formula ( - } t t A [ - a ] f f . However the similarly structured formula
((-}}tt A I - a ) f f does not preclude the possibility that the observable action a
becomes excluded through silent activity. For instance both clocks CI and Cl'
earlier have the feature ((-}}tt A ) - - t i c k ) f f : CI' has this property because it is
able to perform an observable transition (so satisfies ((-}}tt) and is unable to
perform any observable action other than t i c k (and so satisfies ) - t i c k ] f f ) . But
170
Cl' may silently break down and therefore be unable to tick. This shortcoming
can be surmounted with the strengthened formula [ ] ( ( - / ) t t A [ - t i c k ] f f . Now
Cl' ~ [ ] ( ( - ) ) t t because of the silent transition Cl' ~ O. But there is still a
question mark over this formula as an expression of necessity. Let Cll be a further
clock, Cll cleft i c k . Cll + "r.Cll, which satisfies [ - t i c k ] f f as its only observable
transition is that of t i c k . However it also has the property [ ] ( ( - ) ) t t as the
set {F : Cll =~ F} contains the sole element Cll which obeys ((-))tt. But
interpreting this as the inevitability that t i c k must be performed fails to take
into account the possibility that Cll perpetually engages in internal activity and
therefore never ticks.
A process diverges if it is able to perform internal actions for ever: we write
E T i f E diverges following [36], and E ~ if E converges (fails to diverge). So Cll T
whereas Cl~ 1. Convergence and divergence are not definable in the modal logics
introduced so far. Consequently we introduce another modality [~], similar to
[ ], except it contains information about convergence:
I Z~[J.]~ iff E l andVre{E':E~E'}.r~ I

From this we can define the modality [~ K] as [~] [g] [ ]:
E~[,LK]r iff E ~ a n d V F E { E ' : E=~E'andaeK}.r~r
Other mixtures are also definable: [K 1] as [ ] [K] [J,]; and [$ K ~] as [~] [K] [~].
Thus the stronger necessity ~ ] ((-))1;1; A [ - t i c k ] f f excludes divergence.
Features of processes concerning divergence, appealed to in definitions of
behavioural refinement [36], can also be expressed as modal formulas in this ex-
tended modal logic. For instance the strong property that there can not be diver-
gence throughout the observable trace a l . . . an is given as [~ al ~ ] . . . [1 an 1] t t .
2.3 Process equivalences

Process expressions are intended to be used for describing actual systems. Our
discussion has omitted criteria for when two expressions describe the same sys-
tem. Alternatively we can consider grounds for differentiating process descrip-
tions. Undoubtedly the clock Cl and the vending machine Ven of section 1.1 are
different. They are intended as models of distinct kinds of objects. Moreover at
every level they differ, their algebraic expressions, their action names, their flow
graphs, and their transition graphs. A concrete manifestation of these differences
is their initial capabilities. The clock Cl can perform the observable action t i c k
whereas Ven can not: CI has the properties ( t i c k ) t t and ( ( t i c k ) ) t t which Ven
fails to have.
Syntactic differences alone should not be sufficient grounds for distinguishing
processes. It is important to allow the possibility that two process descriptions
may be equivalent even though they differ markedly in their level of detail.
An example is the two descriptions of a counter Cto of figure 4 and Count of
section 1.5. An account of process equivalence has practical significance when we
171
view process expressions both as specifications and as descriptions of a possible

implementation. Cto is a specification (even the requirement specification) of a
counter whereas the finite description Count with its very different structure
can be seen as a description of a possible implementation. Similarly the buffer
Cop can be seen as a specification of the process Protocol of section 1.2. In this
context, a theory of process equivalence could tell us when an implementation
meets its specification s .
Not only do Cto and Count have the same initial capabilities, but also this
feature is preserved as observable actions are performed. There is a similarity
between their observable transition graphs, a resemblance which is not immedi-
ately easy to define. A simpler case is the following two clocks, Cl d__~ft i c k . Cl and
Cl2 d=eft i c k . t i c k . Cl2. Although they have different transition graphs, whatever
transitions one of these clocks makes can be matched by the other and the res-
ulting processes also have this property. An alternative basis for suggesting that
these two clocks are equivalent starts with the observation that CI and t i c k . CI
should count as equivalent expressions since the second is the definition of Cl. A
useful principle is that if two expressions are equivalent then replacing one with
the other in some other expression should preserve equivalence. For instance, re-
placing Cl with t i c k . Cl in an expression E should result in an expression which
is equivalent to E. In particular, if E is t i c k . CI then t i c k . CI and t i c k . t i c k . Cl
are equivalent. As particular names of processes are unimportant this should
imply that Cl and Cl2 are also equivalent.
The extensionality principle here is that an equivalence should be a congru-
ence, preserved by the various process combinators. For example if the decision
component D of the slot machine SMn breaks down then replacing it with an
equivalent component should not affect the overall behaviour of the system (up
to equivalence). In principle, an equivalence which is also a congruence offers the
potential for structured reasoning about combinations of processes, and also the
possibility that equivalence proofs may be founded on equational reasoning.
Clearly if processes have different initial capabilities then they should not be
deemed equivalent. Distinguishability can be extended to many other features,
such as initial necessities, traces, and deadlock potentials. We can therefore ima-
gine choosing some simple properties as the basic distinguishable features, and
then stipulating that two processes are equivalent if whenever they are placed
in a process context the resultant.processes have the same basic properties, and
thereby by definition the resulting equivalence is a congruence. This approach is
sensitive to three important considerations. First is the choice of what counts as a
basic distinguishable property and whether it is to do with observable behaviour
as determined by the = ~ and =:~ transitions or the single arrow transitions.
Second is the family of process operators that are p e r m i t t e d in process expres-
sions. Finally there is the question as to whether the resulting congruence can be
characterized independently of its definition, as preservation of basic properties
by all process contexts.
a Similar comments could be made about refinement where we would expect an order-
ing on processes.
172
Interesting work has been done on this topic, mostly however with respect
a
to the behaviour of processes as determined by the single thin transitions ---*.
Candidates for basic distinguishable features include traces and completed traces
(given respectively by formulas of the form ( e l ) . . . ( a n ) t t and (a 1 ) . . . ( a , ) [ - ] f f ) .
Elegant results are contained within [13, 35, 34] which isolate congruences for
traces and completed traces. These cover very general families of process op-
erators whose behavioural meaning is governed by the permissible format of
their transition rules. The resulting congruences are independently definable as
equivalences 9. Results for observable behaviour include those for the failures
model [40] which takes the notion of observable failure as basic. Related results
are contained in the testing framework of [36] where processes are tested as to
what they may and must do.
E x a m p l e 1 Consider the following three vending machines:
def
Venl -- Ip.lp.(tea. Venl + coffee. Venl)
def
Ven 2 -----Ip.(Ip.tea. Ven2 + Ip.coffee. Ven2)
def
Yen3 -- l p . l p . t e a . Ven3 + l p . l p . c o f f e e . Ven3
def
which have the same (observable) traces. Assume a user, Use = l p . l p . t e a . o k . 0 ,
who only wishes to drink a single tea by offering coins and having done so
expresses visible satisfaction as the action ~ . For each of the three vending
machines we can build the process ( Veni J Use)\K where K is {1p, t e a , coffee}.
When i = 1 there is just one completed trace v v re--k:
(re.11 Vse)\K "'" (re.1 I 0 ) \ g

and so the user must express satisfaction after some silent activity. In the other
two cases there is another completed trace, 7"v:
( Veni I Use)\g ~ ~, (coffee. V~,~ [ t - ~ . ~ . o ) v c

The resulting process here is deadlocked. So Venl should not be equivalent to
either Ven~ or Ven3.
With respect to the failures model of CSP [40] and the testing framework
of [36] Ven2 and Ven3 are equivalent. Finer equivalences distmguish them on
the basis that once a coin has been inserted in Ven3 any possible successful
collection of tea must already be decided. Imagine that after a single coin has
been inserted the resulting state is copied for a number of users: in the case of
Ven3 all these users must express satisfaction or all of them must deadlock. Let
Rep be a process operator that replicates successor processes.
nep( E) " >E' I E'
E a~E'
9 They include failures equivalence (expressed in terms of formulas of the form
(aa)... (an)[K]ff), two-thirds bisimulation, two-nested simulation equivalence, and
bisimulation equivalence.
173
The two processes (Rep( Veni [ Use))\K, i = 2 and i = 3, have different com-
pleted traces. When i = 2 it has the completed trace r r r r ~-k
(Rep( Ven2 [ Use)) \ K r r r r ok ( Ven2 I 0 I r Ven2 I ~-dK.-dk.O)\ K

which (Rep( Vena [ Use)) \ K fails to have. []
2.4 I n t e r a c t i v e g a m e s a n d bisimulations
Equivalences for GCS processes begin with the simple idea t h a t an observer can
repeatedly interact with a process by choosing an available transition f r o m it.
Equivalence of processes is then defined in terms of the ability for these observers
to m a t c h their selections so that they can proceed with further corresponding
choices. The crucial difference with the approach of the previous section is t h a t
an observer can choose a particular transition. Such choices can not be directly
simulated in terms of process activity 1~ These equivalences are defined in terms
of bisimulation relations which capture precisely what it is for observers to m a t c h
their selections. However we proceed with an alternative exposition using games
which offer a powerful image for interaction.
A pair of processes (E0, F0) is an interactive game to be played by two parti-
cipants, players I and I I who are the observers who make choices of transitions.
A play of the game (E0, F0) is a finite or infinite length sequence of the form
(E0, F 0 ) . . . (Ei, Fi) .... Player I a t t e m p t s to show that a conspicuous difference
between the initial processes is detectable whereas player II wishes to estab-
lish t h a t they can not be distinguished. Suppose an initial part of a play is
(E0, F 0 ) . . . ( E j , Fj). The next pair ( E j + I , F j + I ) is determined by one of the
following two moves:
- ( ): Player I chooses a transition Ej a E j + I from Ej and then player II

chooses a transition with the same label from the other process Fj a ) Fj+I.
[ ]: Player I chooses a transition Fj a F j + I from Fj and then player II
chooses a transition with the same label from the other process Ej a ~Ej+I.
Player II knows which transition player I chose, and more generally b o t h players
know all the previous moves. The play then m a y continue with further moves.
The next move in a game play is therefore very straightforward. The import-
ant issue is when a player is said to win a play of a game. A game is played
until one of the players wins, where the winning circumstances are described in
figure 13. If a player is unable to make a move then the other player wins t h a t
play of the game. Player II loses when condition 1' holds, when no corresponding
transition is available in response to a move from player I, which happens in the
10 For instance if E ~ E1 and E ~-~ E2 then the observer is able to choose either of
these, but there is not a "testing" process ~.F which can guarantee this choice in the
context (g.F] E)\{a}: the two results (F [ El)\{a} and (F E2)\{a} are equally
likely after the synchronization on a.
174
Player II wins Player I w i n s
1. The play is (E0, F0)... (E~, F~) 1'. The play is (E0, F0)... (En, Fn)
and there are no available and for some a either
transitions from E~ or from Fn. En _2.. E' and not(3F'. Fn _.2_+F') or
F,~ --~ F' and not(3E'. E , --2-* E').
2. The play is (E0, F0)... (En, Fn)
and for some i < n
Ei = En and Fi = F~.
3. The play has infinite length.
Fig. 13. Winning conditions
configuration (En, Fn) when one of these processes is able to perform an initial
action which the other can not, and so a manifest difference is detectable. Player
I loses in the configuration (En, Fn) when b o t h these processes have terminated
or are deadlocked as described in 1. Player II also wins in the other two circum-
stances, first when there is a repeat configuration, when (En, Fn) has already
occurred earlier in the play, as in 2, and second when the play has infinite length.
In both these cases player I has been unable to expose a difference between the
initial processes. Condition 2 is not necessary, as it is subsumed by 3: however
we include it because then an infinite length play is only possible when at least
one of the initial processes is infinite state.
E x a m p l e 1 Each play of the game (Cl, Cl2), when Cl d__~ft i c k . C / a n d Cl2 de=f
t i ok. t i ok. Cl2, has the form ( Cl, Cl2) ( Cl, t i ok. Cl2) ( Cl, Cl2) which ensures th at
player I loses because of the repeat configuration. It does not m a t t e r whether
player I chooses the { ) or the [ ] move, as player II is guaranteed to win. In the
case of the game (Cl, Cls) when Cl5 d_~ft i c k . C / 5 + t i c k . 0 there are plays that
player I wins and plays that player II wins. If player I initially moves Cl~ tick 0
then after her opponent makes the move Cl tick Cl, the resulting configuration
(Cl, O) obeys condition 1' of figure 13, and so player I wins. Instead if player I
chooses the other [ ] move Cl~ ~ Cl5 then player II wins immediately with
the transition Cl tick Cl. However player I has the power to win any play of
(Cl, Cls) by initially choosing the transition Cl5 tick O. Similarly player II is
able to win any play of (Cls, Cls) just by copying any move that player I makes
in the other process. []
A strategy for a player is a set of rules which tells her how to move depending
on what has happened previously in the play. A player uses the strategy ~r in a
play if all her moves in the play obey the rules in ~r. The strategy ~ is a winning
strategy if the player wins every play in which she uses It. In example 1 above,
175
player I's winning strategy for the game (Cl, Cls) consists of the single rule: if the
current game configuration is (Cl, Cls) choose the transition Cl5 tir 0. In the
example game (Cls, Cls), player II's winning strategy contains the two rules: if
the current game configuration is (Cls, Cls) and player I has chosen Cl5 tick Cl5
then choose Cls tick Cls, and if it is (Cls, Cls) and player I has chosen Cl5 tick 0
then choose Cl5 tick) 0. It turns out that for any pair of processes one of the
players has a winning strategy, and that this strategy is history free in the sense
that the rules do not need to appeal to moves that occurred before the current
game configuration.
E x a m p l e 2 The different choice points in the vending machines Ven2 and Ven 3
of the previous section ensure that player I has a winning strategy for the game
( Ven2, Vena). []
E x a m p l e 3 Player II has a winning strategy for the game (B, B') where these
def
processes are, B = • I o u t . B and B ' def
= i n . B ~+ o u t : B ~. In this case any play
has to be of infinite length, and player II's strategy resides with the fact that
she is always able to respond to any move by player I. []
E x a m p l e 4 Player II has a winning strategy for ((C I U ) \ { i n , ok}, Uco/) when

these processes are:
def
c = ~(~).o-~(=).~.c
def
U = ,rite(z).i-n(z).ok.U
Ucop' d,j ,rite(x).r.o--~(x).r.Ucop'
A play has to proceed as follows, modulo the choice of data value:
((c I v)\{in, ok}, Uco/)

((C I ~(v).ok.V)\{in, ok}, r.~--~(v).r. Wool)
((~--~(~).~.C I ok.U)\{in, ok}, o-~(~).r. Ueop')
((~.C I ok.U)\{~n, ok}, ~. Uco/)
((c I v)\{~,, ok}, ~co/).
An important feature is that each play has a finite bounded length even though
the processes are infinite state. []
When player II has a winning strategy for the game (E, F ) we say that
process E is game equivalent to process F. In this circumstance player II is able
to win any play irrespective of the moves her opponent makes, and so player I
is unable to distinguish between E and F .
Player II can always match player I's moves when two processes E and F
are game equivalent: by the ( ) move if E a ) E ~ then there is a corresponding
transition F --5+ F ' and E ~ and F ' are also game equivalent, and by the [ ]
move if F a ) F , then there is also a corresponding transition E a ) E , with E ~
and F ~ game equivalent. This is precisely the criterion for being a bisimulation
176
relation. Bisimulations were introduced 11 by Park [57] as a small refinement of

the equivalence defined by Hennessy and Milner in [38, 39, 50].
D e f i n i t i o n 1 A binary relation Tr between processes is a bisimulation just in
case whenever (E, F) E Tr and a E .A,
1. i f E a , E ~ t h e n F a , F ~ f o r s o m e F ~ such that (E ~,F I) ET~, and

2. if F ~ F ~ then E a, E' for some E ~ such that (E ~, F') E 7~.
A binary relation between processes counts as a bisimulation provided that it

obeys the two hereditary conditions in this definition. Simple examples of bisim-
ulations are the identity relation and the empty relation.
Two processes E and F are bisimulation equivalent (or bisimilar), written
E --. F, if there is a bisimulation relation 7~ with (E, F ) E TO.
P r o p o s i t i o n 1 The relation ,~ between processes is an equivalence relation.
E x a m p l e 5 A classical example of two processes that are not bisimilar is
a.(b.O + c.O) and a.b.O + a.c.O. There cannot be a bisimulation relating this pair
because it would have to include either (b.0 + c.0, b.0) or (b.0 + c.0, c.0). []
P r o p o s i t i o n 2 I f {TQ : i E I} is a family of bisimulation relations then
U{7~i : i E I} is a bisimulation relation.
A corollary of this last Proposition is that the binary relation ~ is the largest
bisimulation, as ,~ is U{7~ : 7~ is a bisimulation}.
Not surprisingly bisimulation and game equivalence coincide.
P r o p o s i t i o n 3 E is game equivalent to F iff E ,,~ F.

Parallel Composition is both commutative and associative w i t h respect to
bisimulation equivalence (as is +): this permits us to drop bracketing in the case
of a process description with multiple parallel components (see the discussion in
section 1.2).
To show that two processes are bisimilar it is sufficient to exhibit a bisim-
ulation relation which contains them. This offers a very straightforward proof
technique for bisimilarity.
E x a m p l e 6 The two processes Cat and Ct~o are bisimilar where
Cnt %f up.(Cnt Idown.0)

Ct'o der
= up. bt 1
tt def ,~,!
C i+1 = u p . ~ i + 2 + down.C/~
A bisimulation containing the pair ( c n t , Ct~) has to be infinite because these

processes are infinite state. Let Ci be the following families of processes for i _> 0
(when brackets are dropped between parallel components):
11 They also occur in a slightly different form in the theory of modal logic as zig-zag
relations, see [12].
177
Co = { Cnt [ Oj : j _ > 0 }
Ci+l = {E l 0 j I down.0 I ok : E E Ci and j > 0 and k > 0}
where F [ 0 ~ = F and F ] 0 i+1 = F [ 0 i [ 0. The relation 7~ = {(E, Ct~) : i >_

0 and E E C~} is a bisimulation which contains (Cnt, C{o). []
Bisimulation equivalence is also a congruence with respect to all the process
combinators introduced in previous sections (including the operator Rep).
P r o p o s i t i o n 4 If E ,,* F then for any process G, set of actions K, action a,

and renaming function f,
1. a . E ~ a . F 2. E + G , , ~ F + G 3. E I G ~ F I G
4. E[f] -,, F[f] 5. E \ K ~ F \ K 6. E \ \ K ~ F \ \ K
7. EIIKG "- FIIKG 8. r e p ( E ) ~ rep(F).
Bisimulation equivalence is a very fine equivalence between processes, reflect-
ing the fact that in the presence of concurrency a more intensional description of
process behaviour is needed than for instance its set of traces. For full CCS the
question whether two processes are bisimilar is undecidable. As was noted in sec-
tion 1.5 Turing machines can be "coded" in CCS. Let T M , be this coding of the
n-th Turing machine when all observable actions are hidden (using the operator
\\ which can be defined in CCS). The undecidable Turing machine halting prob-
lem is equivalent to whether or not T M , ~ Div where Div de=f1".Div. However an
interesting question is for which subclasses of processes it is decidable. Clearly
this is the case for finite state processes, a s there are only finitely many can-
didates for being a bisimulation. Surprisingly it is also decidable for families of
infinite state processes including context-free processes and basic parallel pro-
cesses [23, 22]. By exploiting the observation in example 4, when the length of
a game play is boundedly finite, one can also show decidability of bisimilarity
for various classes of value passing processes whose data m a y be drawn from an
infinite value space.
2.5 Modal properties and equivalences

Another approach to understanding equivalences between processes is in terms
of families of modal properties. Each finite or infinite set of modal formulas F
induces an equivalence relation = r on processes12:
E=rF iff V ~ E F . E ~ iff F ~
E x a m p l e 1 When F consists of all formulas of the form ( a J ... ( a n ) t t the rela-

tion - r is traces equivalence. If F contains the formulas { a J . . . ( a n ) [ - ] f f then
the induced equivalence is completed traces, and when generalized to formulas
12 Similarly we can also define the preorder induced by F: E C_r F iff Vr E F if E ~
then F ~ r
178
{a1)... {a,,}[K]ff it is failures equivalence. Observable equivalences include ob-

servable traces and observable failures equivalence. []
There is an intimate relationship between bisimulation equivalence and hav-

ing the same modal properties. Let F be the family of all modal formulas built
from the boolean connectives and the modal operators {[K], (K/, [ - ] , / ( - / ) , [~]}.
Bisimulation equivalence preserves modal properties.
P r o p o s i t i o n 1 I f E ,., F then E = r F .
The converse of Proposition 1 holds for a restricted set of processes. A process
E is immediately image finite if for each a E A the set {F : E a, F} is
finite. And E is image finite if every member of {F : 3w E A*. E _2_+F} is
immediately image finite.
P r o p o s i t i o n 2 I f E and F are image finite and E = r F then E ,,. F .
Clearly Proposition 1 remains true for any subset of modal formulas, and
Proposition 2 holds for the subset Of modal formulas when the modalities are
restricted to be either [a] or (a), a E .4. Under this restriction, these two res-
ults are known as the modal characterization o f bisimulation equivalence, due
to Hennessy and Milner [38, 39]. This characterization not only reinforces the
naturalness of bisimulation equivalence but also suggests that modal logic is
well-suited for describing properties of processes.
E x a m p l e 2 Consider the family of clocks C//+1 dealt i c k . C// for i _> 0 and the
clock Cl clef tick.C/. Let E be the process ~ { C l i : i > 0}, and let F be E + CI.
The processes E and F are not bisimilar because the transition F t i r Cl would
have to be matched by E tick Cl j for some j > 0, and clearly Cl 7~ CIj. On the
other hand E and F satisfy the same modal properties. []
There is an unrestricted characterization result for infinitary modal logic,

M ~ , given as follows where I ranges over arbitrary finite and infinite indexing
families:
::= A { ~ , : i e r } I V{,~i : i e z } I [Iq'~ I (K)~

The satisfaction relation between processes and A and V formulas is defined as
expected
E~/~{r : iEI} iffE~r
E~V{r :iEI} iffE~r
The atomic formula t t is defined a s / ~ { ~ : i E 0} and f f as V{~i : i E 0}.
P r o p o s i t i o n 3 E ~ F iff E =Moo F .
A variety of the proposed equivalences between image finite processes in the

linear and branching time spectrum, as summarized in [32], can be presented in
179
terms of games and in terms of - - r when f ' is an appropriate subset of modal

formulas.
2.6 Observable bisimulations

In the previous two sections we have seen that there is a close relationship
between winning strategies, bisimulation relations, and modal properties. Not
one of this trio abstracts from the silent action r, as each appeals to the family
of transition relations { a ~: a E .A). By consistently replacing this set with the
family of observable transitions as defined in section 1.3, these notions uniformly
abstract from r. We can define observable modal logic whose modalities are
restricted to the set (~K~, [ ] , ((g)), (()/}. We can also define observable games
whose moves appeal to the thicker transition relations = ~ , a E (9 U {e}, and
observable bisimulation relations.
A play of the observable game (E0, F0) is again a finite or infinite length
sequence of pairs (E0, F 0 ) . . . (Ei, F i ) . . . played by the two observers players I
and II. The next pair after an initial part of the play (Eo, Fo)...(Ej,Fj) is
determined by one of the moves where a E O 13 {e}:
- (()): Player I chooses a transition Ej ~ Ej+I from Ej and then player II

chooses a transition with the same label Fj ~ Fi+1 from Fj.
- [ ]: Player I chooses a transition Fi ==~ Fj+I from Fj and then player I[
chooses a transition with the same label Ej ~ Ej+I from Ej.
A game is played until one of the players wins, where the winning circumstances
are depicted in figure 14. The only difference with section 2.4 is that player I is
P l a y e r II wins Player I wins
1. The play is (E0, F0) ... (En, F,~) 1'. The play is (E0, F0)... (E,, Fn)
and for some i < n, and for some a either
Ei = En and Fi = Fn. E,~ ==~ E' and not(3F'. F,~ ~ F') or
F , ==~ F' and not(3E'. E,, = ~ E').
2. The play has infinite length.
Fig. 14. Winning conditions
always able to make a move (because of the empty.transition).

Again a strategy for a player is a set of rules which tells her how to move,
and it is winning if the player wins every play in which she uses it. E and F are
observably game equivalent if player II has a winning strategy for (E, F ) .
Underpinning observable game equivalence is the existence of an observable
bisimulation relation whose definition is as in section 2.4 except with respect to
observable transitions 3 .
180
D e f i n i t i o n I A binary relation T~ between processes is an observable bisimula-

tion just in case whenever (E, F ) 9 T~ and a 9 O U {e},
1. ff E =:~ E I then F ~ F I for some F I such that ( E ~, F ~) 9 T~, and
2. ff F = ~ F ' then E ~ E ~ for some E ~ such that (E', F ~) 9 7~.
E and F are observably bisimilar, written E ,~ F , if there is an observable

bisimulation relation 13 ~ with (E, F ) E R. The relation "~ has many prope r-
ties in common with ,,~. It is an equivalence relation, and the union of a family
of observable bisimulations is also an observable bisimulation, and so ~ is it-
self an observable bisimulation. Observable bisimulation and observable game
equivalence also coincide.
P r o p o s i t i o n 1 E is observable game equivalent to F iff E ,~ F.
A direct proof that two processes are observably bisimilar consists in exhib-
iting an observable bisimulation relation containing them.
E x a m p l e 1 We show that Protocol ~ Cop by exhibiting an observable bisim-
ulation which contains them. (Again we drop brackets when processes contain
multiple parallel components as ] is associative and commutative with respect
to this equivalence.) The following relation
((Protocol, Cop)} U
{((Sendl(m) I Medium I -~.Receiver)\J, Cop) : m 9 D} U
((( (m).Sendl (m) I Medium l aeceiver)\J, - (m).Cop) : m 9 D } U
{((Sendl (m) I Medl(m) ] Receiver)\J, -5-~(m). Cop) : m 9 D} U
{((Send1 (rn) ] Medium I -o--ff'~(m).-~-~.Receiver)\J, "o'-~(m). Cop) : m 9 D} U
{((Sendl (m) ]~-g.Medium I Receiver)\J, "5-~(rn).Cop) : m 9 D}
is an observable bisimulation. []
There is also an intimate relationship between observable bisimulation equi-

valence and observable modal logic, F.
P r o p o s i t i o n 2 If E ~, F then E --r F.
Notice that this result is not true if we include the modalities [K] and (K), or
the divergence sensitive modality [~]. The converse of Proposition 1 holds for
observably image finite processes. A process E is immediately image finite if for
each a 9 O U {r the set { F : E ~ F } is finite, and E is observably image
finite if each member of the set { F : 3w 9 ((9 U {e})*} is immediately image
finite.
Proposition 3 If E and F are observably image finite and E - F F then

E~F.
13 We have slightly departed from standard terminology, where ~ is called weak bisim-
flarity, and Definition 1 above defines what is usually called a weak bisimulation
relation.
181
So far there is a very smooth transition from previous results concerning

the transitions a to observable transitions 3 . This does break down at an
important point. Observable bisimilarity is not a congruence for the + operator
because of the initial preemptive power of v. The two processes E and v.E are
observably bisimilar but for many instances of F the processes E + F and v . E + F
are not. In CCS [39, 52] an important equivalence is the largest subset of ~ which
is also a congruence. As observable bisimilarity is a congruence for all the other
operators 14 of CCS, this congruence, denoted by ~c, can also be described using
transitions. For it is only that initial preemptive ~- transition that causes failure.
D e f i n i t i o n 2 E ~ F iff
1. E ~ F
2. i f E r ~ E ! t h e n F T, F1 ~ F ' and E ' ~ F ' for some F1 and F', and
3. i f F r , F, then E r ) E1 ==~ E' and E ' ~ F ' for some E1 and E'.
When E and F are stable (as is the case with Protocol and Cop of example 1)
E ~ F implies E ~c F.
There is a finer observable bisimulation equivalence called branching bisim-
ulation equivalence which also has a logical characterization [27]: we consider it
briefly in section 3.2. Observable bisimilarity and its congruence are not sensitive
to divergence. So they do not preserve the strong necessity properties discussed
at the end of section 2.2. However it is possible to define equivalences that take
divergence into account [36, 40, 71].
2.7 Equivalence checking
A direct proof that two processes are (observably) bisimilar is to exhibit the
appropriate bisimulation relation which contains them. Example 7 of section 2.4
and example 1 of section 2.6 exemplify this proof technique. In the case that
processes are finite state this can be done automatically. There is a variety of
tools which include this capability including the Edinburgh Concurrency Work-
bench [25] which exploits efficient algorithms for checking bisimilarity between
finite state processes, as developed in [41].
Alternatively equivalence proofs can utilize conditional equational reasoning.
There is an assortment of algebraic, and semi-algebraic, theories of processes
depending on the equivalence and the process combinators: for details see [36,
40, 6, 52]. It is essential that the equivalence is a congruence. To give a flavour of
equational reasoning we present a proof in the equational theory for CCS that a
simplified slot machine without data values is equivalent to a streamlined process
description. The congruence is ~c which was defined in the previous section.
The following are important CCS laws which are used in the proof:
14 More generally only case 2 of Proposition 4 of section 2.4 fails for ~.
182
U.T.X --~ a.x

x -4- r . x = r.x
(x + y ) \ K = + y\K
= a if,, r K U K
(a.x)\K - - 0 ifa6KUK
x+O =x
The last four are clear from the behavioural meanings of the operators. T h e first
two are T-laws and show that we are dealing with an observable equivalence.
There is also appeal to a rule schema, called an expansion law by Milner [52],
relating concurrency and choice:
if xi = ~ { a i j . x i j : 1 < j < hi} for i : 1 < i < m then Xl ] . . . [ xm =

E { a i j . ( x l I ... I xi-1 I xij I xi+l I . . . I xm) : 1 < i < m and 1 <_j <_ hi} +
E{W'(Xl [ "'" I Xk-1 I Z k l I Xk+l [ "'" ]Xi-1 [ X i j [Xi'[-1 [ ' ' " [~rrt) :
1 < k < i < m and akt = W/j}
P r o o f rules for recursion are also needed. In the case t h a t E does not contain
any occurrence of [, we say that P is guarded in E if all its occurrences in E
are within the scope of a prefix a. operator when a is an observable action. This
condition guarantees that the equation P = E, when the only process constant
E contains is P , has a unique solution up to ~c: t h a t is, if F ~ E { F / P } and
G ~ E { G / P } then F ~ G. This justifies the following two conditional rules
for recursion:
- if P d=efE then P = E.
- if P = E and P is guarded in E, and Q = F and Q is guarded in F, and
E { Q / P } = F, then P = F.
The slot machine S M without data values, and its succinct description S M '
appear in figure 15. We prove that S M = SM'. The idea of the proof is to first
simplify S M by showing that it is equal to an expression which does not contain
the parallel operator. The proof proceeds on S M using the expansion law and
the laws earlier for \ K , 0 and r (and the first recursion rule):
SM = (,,lot.IO~ [ bar~.B~ [taax.D1)\K

= (slo*,.(I01 I B I D) + ba.~.(IO I B~ l D) + taax.(IO I B I D1))\K
= ( s l o t . ( I 0 1 [ B [ D))\K + (bank.(IO [ B1 [ D))\K + (taax.(IO [ B [ D1))\K
= slot.(I01 I B I D)\K + 0 + 0
= sZot.(I01 [B [D)\K
Let SM1 = (101 [ B [ D ) \ K . By similar reasoning to the above we obtain:
SM1 = r.r.(I02 [ Ze~t.B [ D I ) \ K

Assume SM2 - (I02 ] le:~t,.B [ D1)\K. Similarly, SM2 = r.SM3 + r.SM4:
183
I 0 d__._~fslot.IO1 I01 ~f b-~k.I02

I0~ d=ef1ost.Ioss.IO + release.win.IO
B d__~fbank.B1 B1 d__~~-~.left.B
D de( max.D1 DI d___e~lost.left.D + release.left.D
SM -- (IOIB ID)kK where K = {bank,max, left, release}
SM' ~f slot.(r.l-~6.SM' + r . ~ S M ' )
Fig. 15. A simplified slot machine
SM3 - (~-~-6.I0 I l e f t . B l i - ~ - t . D ) \ K
SM4 - (~-n.IO I l e f t . B I Y C ~ . D ) k K
The r-laws are used in the following chain of reasoning
SM3 = (1--6-~,I0 I l e f t . B I Y o - ~ . D ) \ g
= xoss(IO I Xe~t.B I Y ~ . D ) \ K + r ( X - ~ . I O JB I D)
= loss.(r.SM + slot.(IO1 Ileft.B lie-{-t.D)\K) + r.loss.SM
= Xo.~.(r.SM + sXot.r.(101 lS fD)\K) + r.Xos~.SM
= loss.(r.SM + slot.(IO1 I B ID)\K) + r.loss.SM
= loss.(r.SM + SM) + r.loss.SM
= loss.r.SM + r.loss.SM
= r.loss.SM
By similar reasoning SM4 = r.win.SM. Backtracking and substituting equals

for equals, and then applying r laws:
S M = slot.SM1
= slot.r.r.SM2
= slot.r.r.(r.SMa + r.SM4)
= slot.r.r.(r.r.loss.SM + r.r.,in.SM)
= slot.(r.1--ff~.SM + r.win.SM)
We have now shown that S M = E where E does not contain the parallel
operator, and where S M is guarded in E. The expression E is very close to the
definition of S M ' . Clearly E { S M ' / S M } = slot.(r.l--C~.SM' + r.win.SM'),
and so by the second recursion rule S M = S M ' which completes the proof.
184
3 Temporal Properties
ModM logic as introduced in sections 2.1 and 2.2 is able to express local capabil-
ities and necessities of processes such as that t i c k is a possible next (observable)
action or that it must happen next. However it cannot express enduring capab-
ilities (such as that t i c k is always possible) or long term inevitabilities (such
as that t i c k must eventually happen). These features, especially in the guise of
safety or liveness properties, have been found to be very useful when analysing
the behaviour of concurrent systems. Another abstraction from behaviour is a
run of a process which is a finite or infinite length sequence of transitions. Runs
provide a basis for understanding longer term capabilities. Logics where prop-
erties are primarily ascribed to runs of systems are called temporal logics. An
alternative foundation for temporal logic is to view these enduring features as
extremal solutions to recursive modal equations.
3.1 Modal properties revisited
A property separates a set of processes into two disjoint subsets, those with the
property and those without it. For example ( t i c k ) t t divides {Cl],tock.C/1}
into the two subsets {Cll} and {rock.C/i} when Cll d_._,ftick.rock.C/1. We let
n4~ ]0e be the subset of the family of processes s having the modal property ~,
the set {E 9 E : ~eE.~ ~}. Consequently any modal formula 9 partitions $ into
n~n e and $ - ]4~
The set nO If is definable directly by induction on the structure of 9 provided
that s obeys a closure condition described below. First the boolean connectives:
Ilttll e = e
II~ll e =
I 1 ~ ^ ~11 e = H~II e n II~n e
I I ~ v ~11e = II~H e u I1~11e
When # E {[K], (K/, [ ], (( //, [~]} is a modal operator the definition of the
subset of processes with the property # ~ appeals to the process transformer
I[# If mapping subsets of C into subsets of E.
The operator II# IIe is the semantic analogue of # in the same way that N is the
interpretation of A. In the cases of [K] and (K) these transformers are:
H[KI IIe = AN c_ ~. {F 9 ~ : if F a.., E and a 9 K then E 9 X}

"II(K) IIe = A X C _ E . { F 9 : SE 9 3a 9 a>E}
Of course we would like the direct inductive definition of el9 Jle to coincide
with its definition as {E 9 s : E ~ O}. But this is only guaranteed when $
185
is a transition closed set, which obeys the condition if E E E and E a ~ F

then also F E E. In the sequel we use :P to range over non-empty transition
closed sets. Notice that the set of processes of a transition diagram is transition
closed. Therefore we also introduce the notation 7~(E) to be the smallest trans-
ition closed set containing E. If a set is transition closed then it is also closed
with respect to the thicker transitions :=~ and = ~ . In the following result it is
assumed that [[4~ ~' is determined by its inductive definition.
P r o p o s i t i o n 1 I f E 9 P then E 9 [[~[[~' iff E ~ q~.
The following features will be exploited when we develop the temporal logic
later.
Proposition 2 / f s C 5r and :if: 9 {[K], ( g ) , [ ] , (()), Ill} then
II 9 IIv n ~ c_ II r II~' n :r, II~ II~' u c c_ I1~ II~' u :r, and II # II~' E c_ H# II~' :r.
A property on a transition closed set of processes is that subset which has
def
it. Consider the family of clocks P = {C//, Cl : i > 0}, where Cl = t i c k . C /
and C//+1 def t i c k . C// for every i > 0. W h a t distinguishes C1 from the rest
of :P is its long term capability for ticking endlessly. Each Cl i ticks exactly i
times before stopping. This property divides P into the two subsets {Cl} and
P - { Cl}. But this feature can not be captured by any single modal formula 15
of the modal logics in sections 2.1 and 2.2.
P r o p o s i t i o n 3 For any modal q~, if Cl 9 ~[[~' then there is a j >_ 0 such that
for all k > j, el k 9 ~]]~.
3.2 Processes and their runs
Proposition 3 of the previous section shows that modal formulas are not very ex-
pressive. Although able to describe immediate capabilities and necessities, they
cannot capture more global or long term features of processes. We can contrast
the local capability for ticking with the enduring capability for ticking forever,
and the urgent inevitability that tick must happen next with the lingering inev-
itability that tick eventually happens.
Another abstraction from behaviour, which throws light on this contrast
between immediate and long term, is that of a run of a process E0 which is a finite
or infinite length sequence of transitions of the form E0 a l E1 a2 .... When a
run has finite length its final process is then unable to perform a transition. So a
run from E0 can be viewed as a computation from E0, a maximal performance
of actions.
Game or bisimulation equivalence, as defined in section 2.4, "preserves" runs
as stated by the next Proposition.
P r o p o s i t i o n 1 Suppose that Eo "~ Fo,

15 Of course, for each CP there is the formula ( t i c k ) i + l t t which it fails and which
holds of Cl.
186
1. i f Eo al ) E i a2 ~ . . . -a,
' ~ En is a finite length run f r o m Eo then there
is a run Fo al) F1 a2 ) . . . a, ) Fn f r o m Fo such that El ", Fi f o r all
i : O < i < n, and
2. if Eo a, ) E i a2 ) . . . is an infinite length run f r o m Eo then there is an
infinite length run Fo al ' F1 a2 , .. . f r o m Fo such that Ei "~ Fi f o r all i.
Because E0 ,,, F0 implies F0 "~ E0, each run from F0 also has to be matched
with a run from E0. A simple consequence is t h a t the clock C! is not bisimilar
to any clock Cl i because Cl has a run which cannot be emulated by Cl i.
Clearly observable bisimulation equivalence, ~ , from section 2.6 does not
preserve runs in the sense of Proposition 1. A simple example is t h a t the infinite
run Div r ~ Div r ) . . . has no correlate from r.0 although Div ~ 7".0 when
def
Div = v.Div. We m a y try and weaken the matching requirement. For any run
from E0 there is a corresponding run from F0 such t h a t there is a finite or infinite
partition across these runs containing equivalent processes. However this induces
a finer equivalence than observable bisimulation, called branching bisimulation
[33]. It should also be compared with "stuttering" equivalence as proposed within
[19].
Observable bisimilarity does preserve observable runs whose transitions are
given by the thicker arrows - - ~ and 3 . B u t there is a drawback because of
=:~ transitions. The process C l de f t i c k . C / has the observable inactive run
Cl ~ Cl ~ . . . which means t h a t it fails to have the observable property that
t i c k must eventually happen.
Many significant properties of systems can be understood as features of all
their runs. Especially i m p o r t a n t is a classification of properties into safety and
liveness, originally due to L a m p o r t [43]. A safety property states that nothing
bad ever happens whereas a liveness property expresses that something good does
eventually happen. A process has a safety property just in case no run from it
contains the bad feature, and it has a liveness property when each of its runs
contains the good trait.
E x a m p l e 1 A property distinguishing each clock Cl i from Cl is eventual ter-

mination. The good characteristic is expressed by the formula [ - ] f f . On the
other hand this can also be viewed as defective, as exhaustion of the clock. In
which case Cl has the safety property of absence of deadlock, which each Cl i
fails. []
E x a m p l e 2 The level crossing of figure 7 should have the crucial safety property
that it is never possible for a train and a car to cross at the same time. In terms
Of runs this means that no run of Crossing passes through a process that can
perform b o t h t c r o s s and c c r o s s as next actions, and so the bad feature is
Liveness and safety properties of a process concern all its runs. We can weaken
t h e m to features of some runs. A weak safety property states that something
bad does not h a p p e n in some run, and a weak liveness property asserts t h a t
187
something good may eventually happen, that it eventually happens in some run.
E x a m p l e 3 A weak liveness property of the slot machine S M , of figure 10 is

that it may eventually pay out a windfall: the good thing is given by the formula
(w--i-n(lO6))tt. []
There is considerable middle ground between all and some runs, Often we
are only interested in liveness and safety in the case of a subset of runs that obey
a particular condition.
E x a m p l e 4 A desirable property of the level crossing is that whenever a car

approaches eventually it crosses: any run containing the action caz also contains
the later action c c r o s s . []
Sometimes these conditions are complex and depend on assumptions outwith

the possible behaviour of the process itself. For example the protocol of figure 9
fails to have the property that whenever a message is input eventually it is
output because of runs where a message is forever retransmitted. However we
may make the assumption that the medium must eventually pass to the receiver
a repeatedly retransmitted message, and that therefore these deficient runs are
thereby precluded.
Other properties are important such as cyclic properties: The clock Cll earlier
performs t i c k immediately followed by t o e k cyclically starting with t i c k .
E x a m p l e 5 The scheduler of section 1.4 ensures that the sequence of actions

al . . . an is performed cyclically starting with al. In this example other actions
(silent actions and the task termination actions bj) may be interspersed before
and after each ai. []
Modal logic expresses properties of processes as their behaviour unfolds
through transitions. Temporal logic, on the other hand, ascribes properties to
processes by expressing features of some or all of their runs. (For surveys of
temporal logic see [31, 49, 64].) In fact there is not a clear demarcation because
modal operators can also be viewed as temporal operators, which express "next" :
E0~[g]4~ iffforallE0runsE0 a , E1 a2 . . . , i f a l E K t h e n E l ~ 4 ~ .
E0 ~ ( g ) ~ i f f f o r s o m e E 0 r u n E 0 a l E1 a2 . . . , al e K a n d E 1 ~45.
In this work we do not base temporal logic upon the notion of a run. It is of
course a very useful abstraction. A run is simply a subset of a transition closed
set. Although the properties described in the examPles above are not expressible
in modal logic of section 2 we shall find appropriate closure conditions on sets
of processes which define them, by appealing to inductive definitions built out
of modal logic. The idea is, for instance, that a long term capability is just a
particular closure of an immediate capability.
188
3.3 Modal equations and fixed points

9 . 9 def
Defimtlonal equahty, - , is indispensable for describing perpetual processes, as in
the simple case of the uncluttered clock CI that ticks forever. Imagine adding this
facility to modal logic, following Larsen [44]. For instance the modal equation
Z dej ( t i c k ) t t stipulates that Z expresses the same property, an ability to
perform t i c k , as ( t i c k ) t t . On any transition closed set 7) this characteristic is
given by the set ~( t i c k ) t t lilY.
def
A more intricate modal equation is Z = ( t i c k ) Z where both occurrences
def
of Z select the same trait. Unlike the use of = in the definition of a process,
a recursive modal equation may express various properties on a set P, each of
which is a subset s of processes obeying the condition E - ~(tick)[[9 s Any
such solution E is a fixed point of the function f = AX C :P. [I ( t i c k ) [[9 X,
as f(E) = E. The equality can be bisected: E is a prefixed point of f , that is
f(s C E, and it is a postfixed point of f which is the other half, s C f(g). These
halves can be viewed as closure conditions on any potential solution set E:
PRE i f F E E a n d E E T ) andE~iCkFthenEEs
POST if E E E then E ~ick F for some F E s
One solution is the empty set as it trivially fulfills both conditions. When 7) is
{ Cl}, the other subset { Cl} also obeys both conditions because of the transition
Cl tick Cl. In this instance both candidate solutions are successful fixed points,
and they can be ordered by subset, 0 C {Cl}. In the case that 7) is generated by
the more sonorous clock Cll deg t i c k . r o c k . Cll that alternately ticks and tocks,
there are more candidates for solutions but besides 0 all the rest fail PRE or fail
POST 9
With respect to any transition closed set the equation Z de__f( t i c k / Z has
both a least and a greatest solution (which m a y coincide) relative to the subset
ordering9 The general result guaranteeing this is due to Tarski and Knaster. It
shows that the least solution is the intersection of all prefixed points, of all those
subsets obeying PRE, and that the greatest solution is the union of all post'
fixed points, of all those subsets fulfilling POST. The result applies to arbitrary
monotonic functions from subsets of 7) to subsets of P. The set 29 is the set of
all subsets of 7), and the function g : 2~' --~ 2~' is monotonic with respect to C if
s C .T' implies g(s C g(J=)9
P r o p o s i t i o n 1 If g : 29 --~ 29 is monotonic with respect to C_ then g
i. has a least fixed point with respect to C given by N{E c 7) : g(s C s
ii. has a greatest fixed point with respect to C given by U{s C_7) : s C_g(E)}.
Proposition 1 applies to any modal equation' Z dej ~ when ~P is built from

modal operators, boolean connectives, the constants t t and f f , and Z: this
follows directly from Proposition 2 of section 3.1, which shows that all these
operators induce semantically monotonic functions. Relinquishing the equational
189
format we let pZ. kh express the property given by the least solution of Z de f ~ ,
and we let uZ. ~P express the property determined by its largest solution.
For the equation earlier, the least solution/~Z. ( t i c k ) Z expresses the same
property as r irrespective of P, the empty set obeys condition PRE. Much
more stimulating is that uZ. ( t i c k ) Z expresses the long-standing capability for
performing the action t i c k forever. Let E C :P consist of all those processes
E0 that have an infinite length run of the form E0 tick E1 ,ick .... It is clear
that E obeys POST, and that it is the largest such set. As shown in section 3.1
this capability is nol expressible within modal logic. More generally, uZ. ( K ) Z
expresses a capability for performing K actions forever. Two special cases are
striking, uZ. ( - ) Z expresses a capacity for never-ending behaviour and uZ. ( r ) Z
captures divergence, the ability to engage in infinite internal chatter.
A more composite equation schema is Z def 45 V ( K ) Z where 9 does not
contain Z. Any solution 8 C "P divides into the following two closure conditions:
PRE ifEEPand(E~4~orE a,FforsomeaEKandFEE) thenEEg

POST i f E E E t h e n E ~ r a,FforsomeaEKandFEs
Every subset E fulfilling PRE must contain those processes in P with the prop-
erty 4~, and also includes those processes that fail 4~, but are able to perform a
K action and become a process having ~, and so on. Therefore a process E0 has
the property #Z. r V ( K ) Z if it has a finite or infinite length run of the form
E0 4 0 ... a._~ En ~"~ ... with En ~ 4~ for some n and where each action aj,
j < n, belongs to K: that is, E0 is able to perform K actions until 9 holds. The
maximal solution, uZ. q~V (K)Z, also includes the extra possibility of performing
K actions forever without r ever becoming true.
Two general case s of/~Z. ~V ( K ) Z are worth noting. When K is the complete
set of actions it expresses weak liveness, that 4~ is eventually true in some run,
and when K is the singleton set {r} it expresses that after some silent activity
r is true, that is (())4~. Recall that the modality (()) is not definable within the
modal logic of section 2.1.
Another useful composite schema (assuming again that 45 does not contain
Z) is Z d___ef4~A (K)Z. The least solution is of no interest as it is expressed by f f .
The maximal solution over ~' is the union of all subsets g obeying the following
condition POST
POST i f E E E t h e n E ~ 4 ~ a n d E a,F for s o m e F E . g a n d a E K
which requires there to be a perpetual run involving only K actions and with
4~ true throughout. A slight weakening is that 9 holds throughout a maximal
performance of K actions, as expressed by uZ. q~A ( { K ) Z V [K]ff), and when K
is the set of all actions it expresses a weak safety property.
The complement of weak liveness is safety. A process fails /JZ.4~ V ( - ) Z
if 4~ never becomes true in any run. Similarly the complement of weak safety
is liveness. A process lacks uZ. 45 A ( ( - ) Z V [-]~f) if in every run eventually
is false. Complements are expressible when negation is freely admitted into
190
formulas with its intended meaning, [I--4~ ~7, is the set of processes • - ~~ II7".
But then not every modal equation has extremal solutions, a simple instance
is zd--ef --Z. It fails the monotonicity requirement of Proposition 1' However, if
def
we restrict the form of an equation Z = 4~ so that every free occurrence of Z
in 9 lies within the scope of an even number of negations then mon0tonicity is
guaranteed.
However, the complement of a formula is also in the logic without the explicit
presence of negation. Let ~c be the complement of ~, which is defined inductively
as follows (assuming that Z c = Z):
ttc : ff ffc : tt
r
([K]4~) r - (K)r c ((K)r r = [K]r c

= =
It follows that ~ ~' = : P - [[~[I~'.

If a property is an extremal solution to the equation Z d=ef~ then its com-
def ~ c .
plement is the dual solution to Z = Consider convergence which holds of a
process when it cannot perform silent actions for ever. The formula vZ. (r)Z ex-
presses its complement, divergence, and so convergence is captured by pZ. [r]Z.
More generally pZ. [ - ] Z expresses that all behaviour is finite, that there are no
infinite length runs.
A strong invariance property is that 9 holds throughout every ongoing per-
formance of K actions. This fails precisely when a process may perform K actions
continuously until 4~c holds. Failure here is given by the formula pZ. 4~c V (KIZ
whose complement is therefore vZ.~)A [K]Z. A particular case is that [ ] 9 is
expressed as vZ. ~ A [r]Z. Safety properties, that nothing bad ever happens, fall
under this format.
A strong until property is that every continuous performance of K actions
eventually leads to the holding of r This is therefore the complement of the
formula vZ. g'c A ((K)Z V [ g ] f f ) which is pZ. 9 V ([K]Z A ( g ) t t ) . Liveness
properties, that something good must eventually happen, have this form (when
K is replaced by - ) . An example is that the slot machine must eventually output
(winnings or an indication of loss). A better description is that whenever a coin
is input the slot machine must eventually output, a property expressed using
both fixed point operators. However embedding fixed point operators within
each other goes beyond the simple equational format which motivated their
introduction.
3.4 M o d a l mu-calculus
Instead of appealing to modal equations to express temporal properties, we add

to modal logic propositional variables ranged over by Z, and the extremal fixed
point operators vZ and pZ. As before assume that K ranges over subsets of ,4.
The formulas of the logic, modal mu-calculus, are:
191
I 9 ::= z I 4 1 ^ ~ 2 I ,~1v,#2 I[KI41(K)41vZ.41gZ.~ I

The constant formulas t t and f f are definable as vZ. Z and/~Z. Z. However
when describing properties we will freely use these constants.
In the sequel we let a range over the set {~u,v}. A fixed point formula has the
form a Z . 4 in which crZ binds free occurrences of Z in 4~, and an occurrence of Z
is free if it is not within the scope of a binder ~Z. We assume that ~rZ has wider
scope than the boolean connectives V and A. Formulas m a y contain multiple
occurrences of fixed point operators, as in vZ. #Y. vX. [a](((b)X A Z) V [K]Y).
Also a Z may bind more than one occurrence of Z, as in vZ. ( t i c k ) g h ( t o c k ) Z .
Assume a fixed transition closed set of processes 7). We wish to inductively
define when the process E E 7) has a temporal property. Semantic clauses for
when a process satisfies a fixed point formula ~rZ.~ are needed. However such
clauses depend on interpreting subformulas of 9 with possible free occurrences
of variables with respect to subfamilies of 7). The satisfaction relation, ~ , is
therefore defined indirectly in terms of n 4 n~, the set of all processes in 7)
with the property +. Subformulas containing free propositional variables are
dealt with using valuations, functions ranged over by ]2 which assign to each
variable Z a subset I;(Z) of processes in 7). A customary updating notation is
also assumed: I;[C/Z] is the valuation Y' which agrees with 12 on all variables
except Z, when 12'(Z) = C..
The subset of processes in 7) satisfying an arbitrary formula ~ relative to the
valuation 1? is inductively defined as the set [[# n~, where for ease of notation
we drop 'the superscript 7) which is assumed fixed throughout:
IIz Hv = v(z)
H+^ a~llv = II+Hv n Ila~llv
H~ v ~'llv = II~llv u H~Hv
H[K]~ IIv = II[K]H 114 IIv
II(K)411v H(K)I11141Iv
IlvZ.+lv = U{~ c_ 7) : E c_ll+llvte/z]}
Ill, Z.~nv -- f l { c c_ 7) : 114llvt~/zlC_ E}
The subset of 7) with the property Z is that stipulated by the function i;. The
semantic clauses for the boolean operators are as in section 3.1, except for the
additional valuation component for understanding free variables. The meanings
of the modal operators appeal to the transformers [[[K] [[~' and [[( g ) ~ defined
in section 3.1. (The derived clauses for the boolean constants are [[t t IIv = 7)
and nf f Ilv = 0.)
It is straightforward to show that any formula 4 determines the monotonic
function ~g C_7). 114IlWte/z] with respect to the variable Z, the valuation 12, and
the transition closed set 7). Hence the meanings of the fixed point formulas are
instances of Proposition 1 of section 3.3: the greatest fixed point is given as the
union of all postfixed points whereas the least fixed point is the intersection of
192
all prefixed points. One consequence is that the meaning of ~Z. ~ is the same as
its unfolding r
Formulas of the logic without free variables are closed under complement: this
follows from the observations in the previous section. In particular (uZ. ~)r is
/~Z. ~c and (/~Z. 4~)e is uZ. Ce: for instance (uZ. I~Y. uX. [a](((b)XA Z) V [K]Y)) r
is the formula #Z. uY. I~X. (a)(([b]X V Z) A (K)Y). This is not true for open
formulas containing free variables. For example the formula Z does not have an
explicit complement. However as we employ valuations we are free to introduce
the understanding that a free variable Y has the meaning of the complement of
a different free variable Z.
Modal mu-calculus was originally proposed by Kozen [42] (and also see Pratt
[60]) but not for its use here 16. Its roots lie with more general program logics
employing extremal fixed points, developed by Park, De Bakker and De Roever,
especially when formulated as relational calculi [8, 9, 56]. Kozen developed this
logic as a natural extension of propositional dynamic logic. Larsen proposed
that Hennessy-Milner logic with fixed points is useful for describing properties
of processes [44]. Previously Clarke and Emerson used extremal fixed points on
top of a temporal logic for expressing properties of concurrent systems [28].
In the case of a closed formula~ (one without free variables), the subset [1~ [Iv
is independent of the particular valuation Y, and so is the same as [[~ ~v, for
any other valuation I / . Therefore when 9 is closed we let [[9 ]~' be the subset of
processes of P with the temporal property 9 relative to an arbitrary valuation,
and we also use the notation E ~ 9 to mean that E E[I r [[~'. More generally
when 9 may contain free variables we write E ~ v 4~ whenever E E [[~b ~v.
E x a m p l e 1 Entangled fixed point formulas are the most difficult to understand.
def D ~ def
Assume that D and D ~ are the two processes D = a.D ~ and = b.O + a.D,
and that 7' is {D, D ~, 0}. Let r and ~P be the following similar formulas:
= uZ. pY. [a](((b)tt A Z) V r )
= #Y. uz. [a](((b)tt V Y) A Z)
The formula 9 expresses that b is possible infinitely often throughout any infinite
length run consisting wholly of a actions, and so all the processes in P have this
property. The set U{E c 7" : E C 1[/~Y.[a](((b)tt A Z) V Y)Uv[e/z]} is 7". To
show this we establish that 7" C_ [[#Y. [a](((b)tt A Z ) V Y)[[v[Wz]. This depends
on proving that
7, = I'l{.r c : II [a](((b)'l;t A Z,) V Y)II(v[~,/z])p:/r]c :r}

Both 0 and D belong to II [a](((b)tt A Z) V Y ) Ikvtwzj)tz/r] because 0 is unable
to perform a, and D --~ D' and D' a ~ 0. Therefore :T must also contain D' as
D' a'D.
is The modalities here slightly extend those of Kozen's logic as sets of labels may
appear within them instead of single labels, and on the other hand Kozen has explicit
negation. Kozen calls the logic "propositional mu-calculus" which would be more
appropriate for boolean logic with fixed points.
193
In contrast r expresses that the action b is almost always possible throughout

any infinite length run consisting only of a actions. This means that ~~ II is the
singleton set {0} because 0 has no infinite length runs. First 0 belongs to the
intersection ~{:T C P : ~ uZ. [a]((/b)tt V Y) A Z) ~v[~/y]C ~'}. So we show
that {0} = U{E c 7~ : E c u [a](((b)tt V Y) A Z) ~(v[{o}/r])[~/z]}.Note t h a t
D i r ~ [a](((b)tt V y ) A Z) ]~v[{o}/r])[e/z] as D does not have the property
Y under this valuation. So D can not belong to any $ which is a subset of
II[a](((b)tt V Y) A Z)[l(v[{o}/r])[e/z]. This means that D is also excluded as its
presence in $ would require D ~ to have the property Z under this valuation. []
In section 2.2 we introduced other modal operators which are not definable
in the modal logic of section 2.1, namely (()), [ 1, and [11. In the presence of
fixed points these modalities are definable as follows (where we assume that Z
is not free in ~):
%f . z . 9 v (r)z
[]4
[11 v %f . z . 9 ^ [r]z
Therefore the derived modalities ((K)), [ K ] , [1 K] are also definable. For
instance, [[K] ~ was defined as 11 [ K ] [ ] ~ which is the fixed point formula
PZ. [K](vY. 9 ^ [r]Y) ^ [r]Z. Observable modal mu-calculus is the sublogic when
the modalities are restricted to the subset {[ 1, (()), [ K ] , ((K))}, when r ~ K.
This fixed point logic is suited for expressing observable properties of processes.
An important feature of modal mu-calculus is that it has the finite model
property: i f a closed formula holds of some process then there is a fiaite state
process satisfying it. A proof of this can be found in [67].
3.5 Approximants
At first sight there is a chasm between the meaning of an extremal fixed point
and techniques (other than exhaustive analysis) for actuMly finding the set it
defines. There is however a more mechanical method, an iterative technique, due
to Tatski and others, for discovering least and greatest fixed points: Let pg be
the least and vg the greatest fixed point of the monotonic function g mapping
subsets of ~' to subsets of 7~.
Suppose we wish to determine the set ug, which is the union of all subsets
E that obey E C_ g(E). Let v~ be the full set •, and let v~+lg be the set
g(u~g). Clearly g(u~ C. u~ that is ulg C u~ and by monotonicity of g this
implies tha~i g(ulg) C g(u~ that is v2g C ulg. Consequently by repeated
application of g it follows that g(uSg) C u~g for each i, and so there is a possibly
decreasing sequence of sets, P 0 g _D v 1 g_D . . . D P'g D_.... The required set Pg is
a subset of each member of this sequence. By definition vg C u~ and therefore
g~(Pg) C g~(p0g) for any n where g"(x) is the application of g to x n times. As
Pg is a fixed point gn(pg) = pg, and gn(pOg) is the set P"g. If pig is equal to
pi+lg then pig is the set Pg, and therefore also pig is Pg for every j > i.
194
These observations suggest a strategy for discovering vg. Iteratively construct

the sets rig starting from i = 0, until vZg is the same as its successor vi+Zg. When
:P is a finite set containing n processes this iteration must terminate at, or before,
the case i = n, and therefore vg is equal to vng.
E x a m p l e I Let 7~ be { Cl, t i c k . 0 , 0}, and let g be hE C 7~. II( t i c k ) Z ~v[~/z].
v~ g = P = {Cl, t i e k . 0 , 0 }
vlg = n (r, ick)Zllvt,,oa/z] = {el, tick.O}
v2 g = ~ (tiek)Z]lvtv,a/z ] = {C/}
= II ( t i c k ) z ]vt,../z] = {Cl}
Stabilization occurs at the stage vZg as this set is the same as v3g, and con-
sequently is the same a s png for all n > 2. Consequently vg is the singleton set
{o}. []
When 7~ is not a finite set of processes, we can still guarantee that vg is reachable
iteratively by invoking ordinals as indices. Ordinals can be ordered as follows:
O, 1 , . . . , w , w + 1 , . . . , w + w , w + w + I , . . .
Here w is the initial limit ordinal (one without an immediate predecessor) while
w + 1 is its successor 17. Assume that c~, fl and ~ range over ordinals. The set
va+lg is defined as g(vag) and rag when ~ is a limit ordinal is N{v~g : c~ < ~}.
Therefore there is the possibly decreasing sequence
v~ D_ ... D_ uCOg D__v~ D__ ...

The set vg is not only a subset of each member of this sequence, but also appears
somewhere within it is, and the first such point is not when the ordinal is a limit.
E x a m p l e 2 Let 7~ be the set {C, Bi : / > 0} when C is the cell C ~ f •

with ~ : N, and B , + I dej down.Bn for each n. Let g be )~s C ~P. ]1( - ) Z ~v[E/z].
The fixed point vg is the empty set. (The formula vZ. ( - ) Z expresses a capability
for infinite behaviour which every member of P lacks.)
v~ =P = { C , Bi : i > 0 }
vlg = ~(-)Z]lv[~,og/z ] = {C, Bi : i > 1}
vJ+l g = ~ (->Z ~v[,Ja/z] = {C, Bi : i >_ j + 1}

The set v~ defined as ~ { u i g : i < w}, is the singleton set {C} as each Bj
fails to belong to it. The next iterate is the fixed point, vW+lg is ~( - ) Z Ilv[v~a/z]
which is ~1. Here stabilization occurs at vW+Zg with 0 as the fixed point vg. []
lr All the processes considered in this work belong to a countable transition closed set
:P, and so we only need to consider those ordinals whose cardinality is at most that
of N.
a8 The proof is similar to that described for the finite state case eaxlier.
195
The situation for the least fixed point #g is dual. The required set is the
intersection of all prefixed points, of all subsets g C_ 79 with the feature that
g(g) C g. Assume that/~0g is the empty set, and that i~i+lg is the set g(p~g).
Therefore there is the possibly increasing sequence of sets/~0g C pig C . . . C
pig C_ ... and #g is a superset of each of the sets i~ig. Again if pig is equal to
its successor #i+lg then/~ig is the required fixed point ttg. An iterative method
for finding/~g is to construct the sets ju'g starting with p0g until it is the same
as its successor. When 79 is finite and consists of n processes this iteration has
to terminate at, or before, l~ng.
Example 3 Let g be Ag C_ 79. II [tiek]ee V (-)Z ~VtelZ] when 79 is as in
example 1.
/~0g = I~
~ag = II[tick]f~ V ( - ) Z Ilvt~og/z] = {0}
~2g = II[ t i c k ] ~ V ( - ) Z Ilvt..~/z] = {tick.O, O}
~3g = [ [ t i c k ] ~ v ( - ) Z nvt..~lZl = {tick,O, o}
Stabilization occurs at ju2g which is the required fixed point. Notice that if we
consider ug instead then we obtain the following different set.
u~g = 79 = { Cl, t i c k . 0 , 0}
~lg = ~ [ t i c k ] ~ v ( - ) Z Ilvt.o~/z] = 79
This stabilizes at the initial point. []
If 79 is not a finite set then again we may need to invoke larger ordinals as
indices. The set / ~ + l g is g(p~g), and #Xg is the union set U{pC'g : o~ < ~}
when $ is a limit ordinal. Therefore there is the possibly increasing sequence
0g C_ ... c_ p~g C_ ~ + l g c _ . . .
The set/~g is a superset of each member of this sequence, and also occurs within
it, and the first such time is not when the ordinal is a limit.
E x a m p l e 4 Consider the following clock Cl'
def
el' =~{cd:i>_o}
def
CI i+1 = t i c k . C l /
CI' describes an arbitrary new clock, which will eventually break down. Let 7)
be the set {Cl', Cl i : i > 0}. As all behaviour is finite each process in 79 has the
property #Z. [tiek]Z. Let g be the function hE C_79. ~[tiek]Z~v[e/z].
/~0g = 0
~,Xg = ~[tick]Zllv[..g/z] = {Cd : j < 1}
p~+lg = B[tick]Z~v[z,g/zl = {C/~ : j < i + 1}

196
So the initial limit point/2~ is U{p~g : i < w} which is {CI j : j > 0}. At the
next iteration the required fixed point is reached as/jW+lg is H[t• IIv[g+g/z]
which is P, and moreover #~g = P for all oL> w + 1. []
The sets cr"g are approzimants for trg in that they converge towards it. Each
v~g approximates vg from above, whereas each p"g approximates/tg from below.
In this way an extremal fixed point is the limit of a sequence of approximants.
We now provide a more syntactic characterization of these fixed point sets in
the extended modal logic Mr of section 2.5. I f g is ,~s C_ :P. 11+ Ilvt~/z] then vg is
IIvZ. 4~ IIv and ~tg is IIp Z . + Ilv (both with respect to P). The initial approximant
v~ is just 1[t t Ilv and #0g is ]1ff ]Iv. Therefore via is ]]9 ]]v[btvlZ] which is the
set 11q~{t,t,/Z} [[v: similarly r is ][~ { f f / Z } ]]v. For each ordinal (~ we define
a Z a.~ as a formula of M ~ . As before let $ be a limit ordinal:
v Z O. ~b = 1;1; pZ ~ ~ = ff.
~,z~+L ~, = +{~,z ~. + / z } ~ z "+~. r = + { ~ z ~, ~ , / z }
~,z ~.+ = h ( ~ Z " . + : ~ < ~) ~,z ~.+ = V ( ~ Z " . + : ~ < ~}
Proposition 1 If g is AE C_ P. IIr Ilv[e/z] then ~"g = ~ ~Z ~. + IIv/or all

ordinals a.
A simple consequence is that we can now give a more direct definition of
E ~ v 4~ when r is a fixed point formula:
E ~ v vZ. r iff E ~ vZ ". 4~ for all a.

E ~ v / ~ Z . 4~ iff E ~ p Z ". 4~ for some a.
E x a m p l e 5 In the previous section we contrasted the definitions of [ ] 9 and

Ill 4~ in modal mu-calculus. Let vZ. ~P be the formula vZ. 4~A [r]Z (expressing
[ ] ~ ) and let pZ. ~ be ~tZ.r A [r]Z (expressing [~]q~)~o. Consider the different
approximants these formulas generate:
vZ ~ ~0 = t t /zZ O. ~ = ff
vZ 1. ~ = (~ A [r]tt = r ~ Z ~. ~ = ~ A [r]~
v Z 2. g~ = ~ ^ [r]~ ~z 2.~ = + ^ N ( + ^ [d~)
~ z ~. + = + ^ [ d ( + ^ [ d ( + A . . . [ d + - - . ) )
pZ ~. ~ = + ^ [ d ( + A [ d ( + ^ . . . [ d ( + A [ d ~ ) . . . ) )
The approximant juZi. !/r carries the extra demand that there can not be a se-
quence of silent actions of length i. Hence [~] ~ requires all immediate v beha-
viour to eventually peter out. []
19 It is assumed that Z is not free in r
197
3.6 Embedded approximants

Approximants provide an iterative technique for discovering fixed point sets. All
the examples in the previous section involved a single fixed point. In this section
we examine the technique in the presence of multiple fixed points, and comment
on entanglement of approximants.
E x a m p l e 1 The vending machine Ven has the property vZ. [2p, Ip]~P A [-]Z,
when r is/zY. ( - ) t t A [--{collectb, co 92 Let 7" be the transition closed
set { Ven, Venb, Vent, c o l l e c t b . Ven, c o l l e c t t . Ven}. First using approximants
we evaluate the embedded fixed point #, and we abbreviate its ith approximant
to #Y~:
/,yO :
0
#y1 = II <-bt A [-{collectb,collect,}]Y~v[.vo/v]
{r Ven, c o l l e c t t . Ven}
/,y2 : II( - b t A [-{coZX.ctb, coner b[~,Y~/n
{ Venb, Vent, r Ven, c o l l e e t t . Ven}
p y 3 = [I(--)i;tA [--{collectb, collecl;t}]Y ~v[uv2/y]
7"
Next the outermost fixed point is evaluated, given that the meaning of # is 7".
We abbreviate its ith approximant to vZ i.
vZ ~ = 7)
. z ! = II[~p, ap]~ A [-]Zb[~zom
=7"
Here the embedded fixed point can be evaluated independently of the outermost
fixed point. []
Example 1 illustrates how the iterative technique works for formulas with
multiple fixed points that are independent of each other. In abstract terms,
the formula of example 1 has the form vZ. r gt(y)) where the notation
makes explicit which variables can be be free in subformulas: here Z does not
occur free within the subformula/,Y, gt(y) but may occur within ~(Z,/,Y. ~P(Y)).
Consequently when evaluating the outermost fixed point we have that:
vZ ~ = 7'
.z 1 = II*(z, ~v. ~(v))Ilv[~zom
uz ~+x = ~o(z, tN. ~(g))IIv[~z,m
Throughout these approximants the meaning of the subformula pY. gt(y) is in-
variant because it does not contain Z free: consequently ~ltY. ~(Y) [[v[,,z'vz] is
the same set as [[laY. ~(Y) ~v[vz~'/z] for any ordinals a and ft.
198
E x a m p l e 2 Assume that D and D' are as in example 1 of section 3.4, where

D a D I , D I a , D , a n d D ~ b , 0 , and 79 is {D, D,, 0}. Also recall the pair of
formulas # and #.
= ,.,z. ~v. [a](((b)tt ^ z ) v Y)
~' = I~Y. v Z . [a](({b)tt V Y) A Z)
Consider now evaluating 4~ using approximants.
v Z ~ = 79
pZ 1 - - " ~uY. [a](((b)tt A Z) V Y)Ilvt,.~om
#y00 = 0
juY O1 ----- ~[a](((b)tt A Z ) V Y ) I I ( v t . z o / z ] ) t . Y o . / v )
= {0, D}
#yO2 = 11[a]((<b)'l;'t A Z ) V Y)U(vt.zo/zl)t.Yo,./v)
=79
So v Z 1 = 79
Here calculating v Z 1 depends on cMculating the innermost fixed point when Z is

contained within it, and therefore when it initially receives the value v Z ~ for Z.
Hence the notation: # y y i represents the ith approximant of the subformula pre-
faced with/JY when any free occurrence of Z is understood as the approximant
v Z i . The case of ~ illustrates this further.
t~Y ~ = O
t'Y1 = NvZ. [a](((b)tt v Y) ^ Z)Ilvt.yo/yl
v Z ~176= 79
- z ~ - II[a](((b)tt V Y) ^ Z)kvt.Y./YDt,,zoo/z]
= {0, D}
v Z ~ -" II[a](((b)i;t V Y ) A Z ) ~(v[.yo/y])[vzol/z]
= {o}
v Z ~ -" ~[a](((b)i;t V Y ) A Z)II(vt.Y./Yl)t~zo~/z]
= (o}
So/~y1 = {0}
~,y2 = II~,z. [a](({b)'t;t V Y ) A Z ) I l v t . v , / v l
v Z 1~ = 79
= ~[a](({b)tt V Y ) A Z)[[(v[uYUrl)[~,zlo/z]
vZ n
= {0, O}
vz12 = II[a](((b)tt v Y) ^ Z) ~(V[Uyx/y])tvZxa/g]
= {o}
~'z~" -- U[a](((b)tr V Y) A Z)II(vt.Y,/Y])t,.z,"/z]
= {o}
So/~y2 = {0}
Here we need to evaluate the innermost fixed point with respect to more than
one outermost approximant. [3
199
Example 2 illustrates dependency of fixed points. The first formula has the
shape vZ. 4~(Z,/~Y. ~V(Z, Y)) where Z is free in the innermost fixed point 9 Eval-
uation of such a formula using approximants takes the form:
vZ ~ = 79
~,z 1 = U+(z, ~,Y. ~(z, Y)) llvt,,~o/z]
I~Y ~176= I~
I~Y ~ = ] ~ ( Z , Y ) ~(VtvZo[Z])[ljytm/y]
~ z ~+' = IlO(z, ~Y. g~(z, Y))Ilvt,~z,/z]

lzy iO --__
I~Y ~1 = ~qz( Z, Y ) [[(v[~,Z'lZl)[uY'o/Y]
The meaning of the subformula pY. ~/'(Z, Y) may vary according to the inter-
pretation of Z.
Approximants for uZ. ~ and #Z. ~) start from the sets v Z ~ = 79 and # Z ~ = 0.
In principle, there will he fewer calculations if the initial approximants are closer
to the required fixed points. A set v Z ~ = C where 7) __DC _DIIuZ. ~ ~ could be a
better initial point than 79. This observation can be utilized when evaluating an
embedded fixed point formula whose shape is v Z . 4)(Z, uY. ~P(Z, Y ) ) .
vZ ~ = P
/./21 ---- [[(~'(Z, pg. ~TI(Z, Y) ) ~l)[vZo/Z]
v y ~176= 79
/ty01 = ]lilt(z, Y) U(v[vz~176176 /Y]
. z 2 = Uo(z, ~,Y. ~,(z, Y))llvt.z,m

To evaluate v Z 2 one needs to calculate U v Y . ~ ( Z , Y ) IIv[uzl/z]. However by
monotonicity we know that
II,Y. ~ ( z , Y)Ilvt,,z,/zj c_ ~~,Y. ~ ( z , Y)Ilvv, z o m c_ 79

Therefore we can use II ,.'Y. ~(z, Y) Ilvt,.zo/zl as the initial approximant v y a 0
and so on:
200
vZo 7)
vza = II~ ( z , ~Y. ~ ( z , v ) ) Uvt,,zo/z]
v Y ~176
= O
vY~ = II# ( z , Y) ]l(v[vgo/g])[vyoo/y]
vg 2 = IIr vY. #(Z, Y)) Hvt~zl/z]

vYl~ = IIvY. ~(z, Y) ~v[vzo/z]
vY 11 = II#(z, Y) II(vt,,zo/zl)t~,r-/Yl
~z~+l = II~(z, ~,Y.~(z, Y)) Ilvt,,z,/zl

vY ~+1~ = II~'Y.~(z, Y) Ilvt,,z,/z]
~ y i + U = II#(z, Y) II(vt,,zo/zDt,..r,+,o/r I
This observation can be extended to formulas with multiple embedded maximal

fixed points.
The situation is dual for least fixed points. Choosing the set E for #Z ~ when
0 C s C ]]/~Z. ~ ]] could be a better starting point than 0. In the case of a formula
whose shape is pZ. qb(Z,/zY. ~(Z, Y)), by monotonicity we know that
0 c_ ~ Y . ~ ( z , Y)Ilvt,,z,/z] c_ II~Y. ~ ( z , Y) llvt,,z,,/zl

and so the set II ~Y. ~(z, Y) Ilvt,.,z,/z] can be used as the initial approximant
izy i+1~
This insight is of no help for evaluating alternating fixed points, such as
v Z . 4~(Z, #Y. k~(Z, Y)). We cannot use the set []pY. !It(Z, Y)Ilvt~zo/z] as the initial
approximant for ][ laY. ~(Z, Y) ]]v[vzl/z] becaus.e the ordering is now reversed:
vZ ~ D.._vZ 1, and so ][laY. kh(Z, Y) ]]v[vzo/z] D_ ~laY. k~(Z, Y)]]v[vzl/z]. We do not
know how to approximant a least fixed point from above or a greatest fixed point
from below. The amount of alternation of fixed points in a formula has become
a crucial measure when developing algorithms for checking properties of finite
state systems, see [30, 47]9
3.7 Preservation of bisiraulation equivalence
Modal logic characterizes strong bisimulation equivalence, as was shown in sec-

tion 2.5. There are two halves to this result. First, two bisimilar processes have
the same modal properties (even when enriched with modalities of section 2.2).
Second, two image finite processes with the same modal properties are bisimilar.
As modal logic is merely a sublogic of modal mu-calculus the second of these
results remains true for this richer logic (and indeed for any extension of modal
201
logic). We may wonder if the restriction to image finite processes is still necessary
for this result given that fixed points are expressible using infinitary conjunction
and disjunction, and that infinitary modal logic Moo characterizes bisimulation
equivalence exactly. Recall the example of the two clocks in section 2.5 that
showed t h a t image finiteness is essential in the case of modal logic. The two
clocks have the same modal properties but they are not bisimilar. The presence
of fixed points allows us to distinguish them because one of the clocks has an in-
finite tick capability expressed by the formula uZ. (tick) which the other lacks.
The following more complex example due to Roope Kaivola shows the continu-
ing need for image finiteness (or a weakened version of it). Let {Qi : i E I} be
the set of all finite state processes whose actions belong to {a, b}, and assuming
n E N let P(n) def=an.b.P(n+ 1), R def=7~{a.Qi : i E I}, and pd_ef P(1) + R
(where a~ is E and a n + l . E is a'~.a.E). The behaviour of P(1) is:
P(1) - - ~ P(2) 2 ~ e ( 3 ) ~ t . . . ~"b P ( n + 1) a"+~b...
Consequently P and R are not bisimilar as this would require there to be a

finite state process Qj that is bisimilar to b.P(2), which is not possible (via the
pumping lemma for regular languages). On the other hand, P and R have the
same closed modal mu-calculus properties.
It also turns out that two bisimilar processes have the same modal mu-
calculus properties provided that they are expressed using closed formulas. Let
F be this set of closed formulas, and let - / , be as in section 2.5.
P r o p o s i t i o n 1 I r E ,~ F then E =-r F.
Notice the significance of this result. Bisimilar processes not only have the same
safety properties but also the same liveness, fairness, and cyclic properties when
expressed using closed formulas. There is an indirect proof of this Proposition
via Moo as the set F is a sublogic of it, and bisimulation equivalence preserves
properties expressible within it. However we shall show how it can be proved
directly, as we wish to expose some of the inductive structure of modal mu-
calculus.
Let 7) be a fixed transition closed set of processes. A subset E of P is bisim-
ulation closed if it obeys the condition: if E E E and F E P and E ,~ F then
F E E. Proposition 1 is equivalent to the claim that for any closed 9 and set 7~
the subset [[4} [[ is bisimulation closed.
L e m m a 1 If E and yr are bisimulation closed subsets of P then the sets C n y ,

E U ~-, ~[K] II7' C, and II(K)II ~' E are bisimulation closed.
Associated with any subset C of P are the following two subsets:
ca={EEC : if E N F and F E T) then F E C}

C~={EE7 ) : E..~FandFEE}
The set C a is the largest bisimulation closed subset of C, and E ~ is the smallest
bisimulation closed superset of s both with respect to P.
202
L e m m a 2 For any subsets S and yr of 79, the sets Sd and gu are bisimulation
closed and g d C g C Su. Moreover, if S is bisimulation closed then sd = S~,
and if g C_ 9~ then ~ C_.~d and gu C_ yrs.
A valuation 1) mapping variables to subsets of 7~ is bisimulation closed if for

each variable Z the set 12(Z) is bisimulation closed. Therefore we can associate
the two important bisimulation closed valuations 1)d and Vu with any valuation
V: for any variable Z the set ])d(Z) = (V(Z)) d and V~(Z) = (V(Z)) ~. Propos-
ition 1 is a corollary of the following result where 9 is an arbitrary formula of
modal mu-calculus which therefore may contain free variables.
P r o p o s i t i o n 2 / f i) is bisimulation closed then 11q~ [Iv is bisimulation closed.

The proof of Proposition 2 is by simultaneous induction on the structure of
with the following three propositions:
1. If ]2 is bisimulation closed then ~ IIv is bisimulation closed.

2: If ~r s then ~r s
3. I f g C_ ]]~[[v then g~ C__]]~][v*.
This result tells us more than that bisimilar processes have the same properties
when expressed using closed formulas. They also have the same properties when
expressed by open formulas provided that the meanings of the free variables are
bisimulation closed. The proof of this result also establishes that closed formulas
of observable modal mu-calculus (built using/he modal operators [ g ] , [ ], ((lC)),
and (())) are preserved by observable bisimulation equivalence.
3.8 Expressing properties

Modal mu-caleulus is a very powerful temporal logic which permits expression
of a very rich class of properties. In this section we examine how to express a
range of properties that pick out important features of processes.
Informally a safety property states that some bad feature is Mways precluded.
Safety can either be ascribed to states, that bad states can never be reached, or
to actions, that bad actions never happen. In the former case if the formula ~c
captures those bad states then vZ. 9 A [ - ] Z expresses safety.
E x a m p l e 1 The safety property for the crossing of figure 7 is that it is never
possible to reach a state where a train and a car are both able to cross: these
bad states can be captured by the formula ( [ t c r o s s ] f f V [ccross]ff)% Therefore
the required safety property is u Z . ( [ t c r o s s ] f f V [ccross]ff) A [-]Z. []
It is useful to allow the full freedom of the property notation by employing
open formulas with free variables and appropriate valuations which capture their
intended meaning. For instance i n the case of safety assume that S is the family
of bad states, and so the formula uZ. Q A [ - ] Z expresses safety relative to the
valuation 12 which assigns 7~ - E to Q. The variable Q has a definite intended
meaning as given by V.
203
E x a m p l e 2 A safety property for the slot machine in figure 10 is that it never

has a negative amount of money and therefore never pays out more than it
contains. To express this we appeal to the open formula uZ.QA[-]Z with the free
variable Q relative to the valuation 1) which assigns the set 7) - {SM i : j < 0}
to Q. Here a bad state is a slot machine with a negative amount of money. []
The idea is that free variables should only express immediate properties of pro-
cesses, as in example 2 (and not temporal features). When 12 is bisimulation
closed with respect to the free variables of ~, we say that the property expressed
by 9 relative to 1) is extensional: by Proposition 2 of the previous section this
implies that ~ r IIv is also bisimulation closed 2 of the previous section. The
safety formula in example 2 is extensional. If Q expresses a feature such as "has
at least three parallel components" then it is intensional.
Safety can also be ascribed to actions, that no action in K ever happens,
which is expressed by the formula uZ. [ K ] f f A [-]Z. However there is really no
distinction between safety in terms of bad states and in terms of bad actions. For
the action case is just equivalent to saying that a bad state obeying ([K]ff) c,
that is ( K ) t t , can not be reached.
A liveness property states that some good feature is eventually fulfilled. Again
it can either be ascribed to states, that a good state is eventually reached, or
to actions, that a good action eventually happens. If 4~ captures the good states
then pZ.4~ V ( ( - ) t t A [-]Z) expresses liveness with respect to state. Note the
presence of ( - ) g g to ensure that 9 does become true. In contrast that eventually
some action in K happens is expressed by the formula #Z. ( - ) t t A [-K]Z which
states that any performance of actions other than K is well-founded, and not
because the process terminates.
There is not a reformulation of liveness with respect to actions in terms of
liveness with respect to state, as a formula of the f o r m / z Z . ~ V ( ( - ) t t A [-]Z)
where 4~ does not contain fixed points. For instance it is not expressed by either
of the following pair:
(K)tt v (<-)it ^ [-]Z)

/zZ. ( ( - ) t t A [ - K ] f f ) V ( ( - ) t t A [-]Z)
The first is too weak as it merely states that eventually some action in K is
possible without any guarantee that it happens. The second is too strong as
it states that eventually only K actions are possible (and therefore must then
happen).
Weak liveness and safety properties may also be ascribed to states or actions.
However recall that weak liveness is the complement of safety and weak safety
is the complement of liveness. That 9 is eventually true in some run is given by
(vZ. 4~c A [-]Z) c which is the formula #Z. 9 V ( - ) Z . And that some action in K
happens in some run is expressed by (uZ. [ K ] f f A [-]Z) c which is the formula
#Z. ( K ) t t V ( - ) Z . Weak state safety, that q~ is true throughout some run, is
expressed by (/zZ. ~ V ( ( - ) t t A [-]Z)) c, which is the formula vZ. 4i A ( [ - ] f f V
(-}Z) and that there is a run where no action in K occurs is (#Z. ( - } t t A
204
[ - K ] Z ) c which is vZ. [ - ] f f V ( - K ) Z . So in the case of weak safety there is the

distinction between state and action.
Liveness and safety may relate to subsets of runs. For instance they may be
triggered by particular actions or states. A simple case is that if action a ever
happens then eventually b happens, so any run with an a action must contain a
later b action. This is expressed by the formula uZ. [al(ttY. ( - ) t t A [-b]Y)A [-I Z.
A safety example is that whenever ~P becomes true, 4~c is then always precluded,
expressed by uZ. (~Vc V (kv A uY. 9 A [-]Y)) A [ - ] Z .
More complex is the expression of liveness properties under fairness. An ex-
ample is the property that in any run if the actions b and c happen infinitely
often then so does a which is expressed as follows:
gZ. (~tX. [b](gV. [c](vVl. X A [-a]Vl) A [ - a ] V ) A [ - ] Z )
Here there is an essential fixed point dependency, as the occurrence of X is free

within the fixed point subformula prefaced with vY.
E x a m p l e 3 The desirable liveness property for the crossing of figure 7 is that

whenever a car approaches the crossing eventually it crosses is captured by the
formula
.z. <->tt ^ ^ [-]z

However this only holds if we assume that the signal is fair. Let Q and R be
variables and l) a valuation such that Q is true when the crossing is in any state
where Rail has the form green.tcross.red.Rail (the states E2, Ea, E6 and
El0 of figure 8) and R holds when it is in any state where Road has the form
up.~.down.Road (the states El, t33, /37 and E l l ) . The liveness property
is: for any run if Q~ is true infinitely often and R ~ is also true infinitely often
then whenever a car approaches eventually it crosses. This is expressed by the
following open formula relative to
vV.[car](#X.vVl .( Q V [ - - ~ I ( v V 2 . ( RV X ) A [ - - ~ ] Y 2 ) )A[--~]Y1)A[--]Y
The property expressed here is extensional. In this case we can view Q and R
as probes in the sense of [70]. []
Another class of properties is until properties' These are of the form # remains
true until # becomes true, or in terms of actions K actions happen until a J
action occurs (or a mixture of state and action). Again they can be viewed as
holding of all runs, or some runs, or of a particular family of runs which obey a
condition. The formula/~Y. ~P V (4~ A ( - - ) t t A [-]Y) expresses that 9 holds until
~P in every run. Note here the requirement that ~P does eventually become true.
This commitment can be removed by changing fixed points. The property that
in every run # remains true unless kV holds does not imply that ~P does become
true, and so is expressed as vY. ~PV (r A [-]Y).
Sometimes we are only interested in part of the behaviour of a process. There
are many ways to understand what part of a behaviour means. A simple case is
205
when attention is restricted to a subset of the actions that a process can perform.
Liveness, safety and until properties can therefore be relativized in this way. An
example is the property that 4~ is eventually true in any run consisting of K
actions.
Cyclic properties can also be described in the logic. A simple example is that
each even action is rock: if E0 a~ E1 a2 ... is a finite or infinite length run
then each action a2i is took. This is expressed as vZ. [ - ] ( [ - - r o c k i e r A [ - ] Z ) .
def
The clock Cll = t i c k . t o o k . Cll has this property. It also has the tighter cyclic
property that every run involves the repeated cycling of t i c k and r o c k actions,
expressed as vZ. [ - t i c k ] f f h [ t i c k ] ( [ - t o c k ] f f A [ - ] Z ) 2~ These properties can
also be weakened to some family of runs. Cyclic properties that allow other
actions to intervene within a cycle can also be expressed:
E x a m p l e 4 Recall the scheduler from section 1.4 which timetables a sequence

of tasks, and which must ensure that a task cannot be restarted until its previ-
ous performance has finished. Suppose that initiation of one of the tasks is given
by the action a and its termination by b. The scheduler therefore has to guar-
antee the cyclic behaviour a b when other actions may occur before and after
each occurrence of a and each occurrence of b. This property can be defined
inductively:
cycle(ab) = [b]ff A [a] cycle(ha) A [-a]cycle(ab)

cycle(ba) = [a]ff A [b] cycle(ab)/~ [-b] cycle(ba)
Here we have left open the possibility that runs have finite length: appropriate
occurrences of ( - - ) t t preclude it. An important issue is whether these recursive
definitions are to b e interpreted with least or greatest fixed points, or even with
a mixture of them. This depends upon whether intervening actions are allowed
to go on forever without the next a or b happening. If we prohibit this, the
property is expressed as follows:
pY. [b]ff A [a](~uZ. [a]ff A [b]Y A [-b]Z) A [-a]Y
The number of actions in the cycle can be extended. []

Another class of properties is given by counting. An instance is that in each
run there are exactly two a actions, given by:
/tX. [a](#Y. [a](vZ. [a]ff A [ - ] Z ) A ( - - ) t t A [-a]Y) A ( - - ) t t A [-a]X
Another example is that in each run a can only happen finitely often, I.tX. uY. [a]XA
I-elY.
However there are also many counting properties that are not expressible
in the logic. A notable case is the following property of a buffer (which is a
consequence of [62]): the number of out actions never exceeds the number of i n
actions.
s0 This formula leaves open the possibility that a run has finite length. To preclude it
one adds ( - ) t t at the outer and inner level.
206
4 Verifying Temporal Properties
A very rich temporal logic has been introduced which is able to describe useful
liveness, safety, cyclic and other properties of processes. The next step is to
provide techniques for verification, for showing when processes have, o r fail to
have, these features.
To show that a process has, or fails to have, a modal property we can ap-
peal to the inductive definition of satisfaction between individual processes and
formulas, and a proof of a modal property thereby reduces to proofs of sub-
properties, as stipulated by the inductive definition of satisfaction. Therefore
the transition graph of a process is not needed when proving modal properties.
However in the case of modal mu-calculus the satisfaction relation between
processes and formulas is defined indirectly. The primary semantics of a formula
is defined in terms of every process in a transition closed set which has the
property. One m e t h o d for determining whether E has r is to first present a
transition closed set of processes containing E, second to calculate ~~ IIv with
respect to this set, and then finally to check whether E belongs to it. When E
has a small transition graph this is a reasonable technique. A s a general method
it is cumbersome and not feasible for processes that determine enormous let
alone infinite state transition graphs. Moreover, picking out all processes in a
transition Closed set which have a weak liveness, safety or cyclic property may
involve considerable redundancy if the intention is to show that a particular
process has it.
An alternative approach to showing that processes satisfy formulas is to
appeal to their approximants as described in sections 3.5 and 3.6. A more direct
definition of satisfaction is then available. However proofs will now require the
use of induction over ordinals, and some care must be taken with limit ordinals.
In the presence of embedded fixed points this will require the use of embedded
induction. Moreover, we will then lose that simple idea that a proof of a property
reduces to proofs of subproperties.
Discovering fixed point Sets in general is not easy, and is therefore liable to
lead to errors. Instead we would like simpler, and consequently safer, methods
for checking whether temporal properties hold. Towards this end we first provide
a different characterization of the satisfaction relation between a pro~ess and a
formula in terms of games. It turns out that a process has a property just in
case player II has a winning strategy for the game associated with this pair.
Underpinning player II's successful strategy is the notion of a successful tableau.
We therefore also present tableau proof systems for property checking, which
were originally developed with David Walker [66] and Julian Bradfield [17].
4.1 Games and constants
In this section we present an alternative characterization of the satisfaction re-

lation between a process and a formula relative to a valuation in terms of game
playing. A property checking game is a pair, a process and a formula, (E, r
relative to a valuation N. As with equivalence games there are two players, I and
207
II. Player I a t t e m p t s to show t h a t E fails to have the property 4~ relative to

l) whereas player II wishes to establish that E does have ~. Unlike equivalence
games, players here do not necessarily move in turn 21.
A play of the property checking game (E0,~0) relative to V is a finite or
infinite length sequence of the form (E0, ~0). 99(En, 4i,) .... The next move in a
play, the step from (Ej, ~ j ) to ( E j + I , ~ + 1 ) and which player makes it is determ-
ined by the main connective of ~ i . An essential ingredient is the use of auxiliary
propositional constants, ranged over by U, which are introduced as fixed point
formulas are met. Suppose an initial part of a play is (E0, r (Ej, 4i/). The
next pair ( E j + ~ , ~ j + I ) is determined by one of the moves of figure 16, accord-
ing the main operator of 4i~ Note the duality between the rules for A and V,
if #~ = #1 A !P2 then player I chooses one of the conjuncts #~: the process Ej+I is
Ej and #j+l is #~.
i r e i = !/rl V k~2 then player II chooses one of the disjuncts k~i: the process Ej+I is
Ej and # j + l is ~i.
if Cj = [K]k~ then player I choosesa transition Ej --2-+Ej+I with a E K and #j+l
is ~.
if ~j = {K)k~ then player II chooses a transition Ej a Ej+I with a E K and
~j+~ is ~.
- if ~j = vZ. ~ then player I chooses a new constant U and sets U ~'~f vZ. k~: the
process Ej+I is Ej and ~j+l is U.
- if ~j = ~tZ. k~ then player II chooses a new constant U and sets U d=efttZ. k~: the
process Ej+I is Ej and ~j+l is U.
- if ~j = U and U ~f vZ. ~ then player I unfolds the fixed point so ~3+1 is k~{U/Z}
and Ej+I is Ej.
- if Cj = U and U d=_~f#Z. k~ then player II unfolds the fixed point so 4i+1 is ~{U/Z}
and Ej+I is Ej.
Fig. 16. Rules for the next move in a game play
[K] and (K), vZ. ~ and #Z. kP as they complement each other. Each time the
current game configuration is (E, a Z . ~ ) a new constant U is introduced as an
abbreviation for crZ.4~, and at the next step this fixed point is, in effect, unfolded
once as the formula becomes r 22. The point of constants is to provide a
mechanism for understanding when embedded fixed points recur.
The rules for a next move are backwards sound with respect to the inten-
tions of the players. If player I makes the move ( E j + I , O j + l ) from (Ej, Oj) and
21 It is straightforward to reformulate their definition so that players take turns.
22 The decision to make player I responsible for introducing and unfolding constants
for maximal fixed point formulas and player II responsible for least fixed points is
somewhat axbitrary, as these moves never provide real choice for either player. An
alternative exposition is to appeal to a third participant, a referee who makes these
moves.
208
Ej+l ~:v (~j-bl t h e n Ej ~ v 4~j. In contrast, if player II makes this move and
Ej+I ~ v 45j+1 then Ej ~ v ~bj. This is clear for the rules which govern boolean
and modal operators. In the case of a fixed point formula this follows provided we
understand the presence of a constant to be its defined equivalent. Formulas are
no longer "pure" as they may contain constants. However we can recover a pure
formula from an impure formula by replacing constants with their defined fixed
def def
points in reverse order of introduction: assuming that U1 - gzl ... Un = grn is
the sequence of declarations in order of introduction, the meaning of ~ is just
~P{g/n/Un}... {~Pl/U1}. Consequently the fixed point unfolding principle, that
E ~ v a Z . ~ iff E ~ v ~{crZ.r justifies the backwards soundness of the
moves determined by constants.
A player wins a play of a game in the circumstances depicted in figure 17.
If the configuration (E, t t ) or (E, Z) when E E ])(Z) is reached in a play
Player II wins Player I w i n s
1. The play is (Eo, 40)... (En, 4n) 1'. The play is (Eo, 4 0 ) . . . (E,,, 4, 0
and either 4 . = t t or and either 4 , = f f or
4 . = Z and E E I;(Z). 4 , = Z and E ti~ V(Z).
2. The play is (E0,4o)... (E,,,4~) 2'. The play is (Eo,4o)... (E~,4,)

and 4n = [K]~ and the set and 4 . = ( K ) ~ and the set
{F : E - - ~ F andaE K } = O . {F : E ~', F and a E K } =O.
3. The play is (Eo,4o)... (E,~,4.) 3'. The play is (Eo, 4 0 ) . . . (En, 4n)
and 4~ = U and U ~f uZ. 4 and and 4,~ = U and U d__~f/zZ.4 and
Ei=E~anddi=4~fori<n. Ei=En anddi=4~fori<n.
4. The play (E0,40)... (El, 4 i ) . . . 4'. The play (Eo,40)... ( E i , d i ) . . .

has infinite length and there is a has infinite length and there is a
constant U d___efvZ. 4 such that for constant U d__e~#Z. 4 such that for
infinitely many j, 4j = U. infinitely many j, 4j = U.
Fig. 17. Conditions for winning a game play
then player I cannot refute that E ~ v t t or E ~ v Z, and therefore player II

wins. Instead if the configuration reached is (E, ( K ) ~ ) and there are no available
transitions from E then player II is unable to establish that E ~ v (K)dL Similar
comments apply to the dual conditions 1~ and 2. The other circumstances when
a player is said to win a play concern repetition. If the configuration (E, U)
is repeated in a play when U abbreviates a maximal fixed point formula then
player II wins. Dually if U abbreviates a least fixed point it is player I that
209
wins 23. More generally as a play can have infinite length this repeat condition
for winning is generalized. Player I wins an infinite length play if there is a least
fixed point constant U which is traversed infinitely often, and player II wins if
there is a greatest fixed point constant U which occurs infinitely often, and only
one of these can happen.
L e m m a 1 If (Eo,~o)... (En, ~ n ) . . . is an infinite length game play then there
is exactly one constant U which for infinitely many j, ~1 = U.
This lemma shows the role of constants (as they provide an exact account of
when the same fixed point subformula is repeated).
As with equivalence games, a strategy for a player is a family of rules which
tells her how to move depending on what has happened earlier in the play. A
player uses the strategy Ir in a play if all her moves in the play obey the rules
in It. The strategy ~ is winning if the player wins every play in which she uses
lr. Every game (E, 4~) relative to l; is determined, that is either player I has a
winning strategy or player II has a winning strategy, and this strategy is history
free in that the rules do not need to appeal to moves that occurred earlier in the
play. So a strategy for player I tells her how to move in the game configurations
(E, ~1 A ~2), (E, [g]~), (E, vZ. ~) and (E, U) when U dej vZ. (~, and a strategy
for player II is similar, as it decides the next configuration when the current one
is ( E , ~ I V~2), (E, ( g ) r ( E , # Z . ~ ) and (E, U) when V dee ]AZ.~.
Player II has a winning strategy for (E, # ) relative to 13 just in case E has
the property 9 relative to 1).
T h e o r e m 1 E ~ v ~ iff player H has a winning strategy for the game (E,r
relative to l;.
Theorem 1 yields an alternative account of the satisfaction relation between pro-
cesses and formulas. Game playing does not require explicit calculation of fixed
points, nor does it depend on induction over approximant indices. Moreover it
does not require the construction of the transition graph of a process. Game
playing also maintains the principle that a proof of a property reduces to sub-
proofs of subproperties, provided that we view the unfolding of a fixed point
formula as a subformula. There is another feature which could be exploited, the
possibility of more sophisticated game playing where moves m a y also be guided
by the algebraic structure of a process expression.
As an infinite length game play must traverse a particular constant infinitely
often, it follows that when E is finite state a play of (E,q~) has finite length.
There is also an exponential upper bound on the number of different plays up to
renaming of constants of such a game. Property checking of finite state processes
via game playing is therefore decidable. However this is not a very time efficient
method as the length of a play may be exponential in the number of fixed point
operators in a formula. In section 4.3 we provide less costly techniques based on
games. For the remainder of this section we illustrate game playing.
23 These two conditions 3 and 3' are in fact redundant. We only include them because
they guarantee that any play of (E, ~) has finite length when E is finite state.
210
E x a m p l e 1 Player II has a winning strategy for the game (Cl, uZ. (tick)Z).
The only possible play is (Cl, ~Z. (tick)Z) (Cl, U) (Cl, (tick)U) (Cl, U) up to
renaming the constant: the winning strategy here is, in effect, the empty set
of rules, as player II has to make the move (Cl, U) from the configuration
(Cl, (tick)U), and choice of fixed point constants does not affect play. Player II
also has a winning strategy for (Cls, vZ. (tick)Z) with respect to the slightly
different clock Cl5 deg tick.C/5 + tick.0. A winning play is almost identical
to the previous game play, (Cls, uZ. (tick)Z) (Cls, U) (Cls, (tick)U) (Cls, U):
the important part of the winning strategy is the rule, if (Cls, (tick)U) is the
current configuration then choose (CI~, U) as the next move. []
E x a m p l e 2 Cat is a simple infinite state system, Cat def up.(Cnt I down.0). It
has the property that it may do up forever, as the single play of (Cat, ~,Z. (up/Z)
is won by player II. However this play has infinite length:
(c.t, <up>Z)(c.t, u)(c.t, <up>U)(c.t I do.n.0, u)...

Player II wins because the constant U recurs infinitely often. For a similar reason
player I wins the only play of (Cat, #Z. [up]Z) as then a least fixed point constant
occurs infinitely often. V3
E x a m p l e 3 Assume that D and D ~ are as in example 1 of section 3.4, with
D a , D ~,D, a , D a n d D ~ b~0, and let gr be the formula:
I.tY. uZ. [a](((b)tt V Y) A Z)

D' (and D) fails to have the property kP, and so player I has a winning strategy for
the game (D', ~). The important rules in this strategy are: if (D, ((b)ttVU1)AU2)
is the current configuration, for any [/1, 0"2, then choose (D, (b)tt V [/1) and if
it is (D', ((b)tt V U1) A [/2) then choose (D', U2). The play proceeds:
(D', ~P)(D', U) (D', uZ. [a](((b)tt V U) A Z)) (D', V)
(D', [al(((b)tt V U) A V))(D, ((b)tt V U) A V) (D, (b)tt V U)
At this last configuration player II has a choice. If she chooses the first disjunct
she then loses because there is not a b transition from D. So the play proceeds:
(D, U) (D, uZ. [al(((b)tt V U) A Z)) (D, W)
(D, [al(((b)tt V U) A W)) (D', ((b)tt V U) A W) (D', W)
(D', [a](((b)tt V U) h W)) (D, ((b)tt V U) h W) (D, (b)tt V U)
Again player II has a choice at (D, (b)tt V U), but both options lose: as D has no
b transition she can not choose the first disjunct, and the second disjunct gives
a repeat configuration. Note the essential requirement in game playing that a
new constant is introduced when a fixed point is met, and so both V and W are
introduced for the same fixed point formula. []
211
4.2 Tableaux
When processes are game equivalent, as developed in section 2, a bisimulation

relation expresses player II's winning strategy. We now develop a tableau proof
system for property checking so that a successful proof tree captures a winning
strategy for player II. Here we restrict ourselves to finitely branching processes.
The proof system here was first presented in [66]. It is guaranteed to show
properties of finite state processes, and is a precursor of a later property checker
Which can also establish temporal features of infinite state processes.
A proof is built from sequents of the form E ~-w ~ which are analogues of
the semantic notion E ~w 4 and of the game configuration (E, 4 ) relative to
1;. Usually the index l; is dropped from Fy 9 The proof system is goal directed,
similar in style to the rules we presented for transitions in section 1. Each proof
rule has the form
with n _> 1 and possibly with side conditions. The premise sequent E F 4~
is the goal to be achieved (that E has the temporal property 4 ) while the
consequents are the subgoals. The rules are presented in figure 18. Again we use
EF~A~
A
EF4~ EF~
EF~v~ EF~v~
V v
EF4~ EF@
E F [g]~ { f : E - - ~ F and a E K} = { E 1 , . . . , E , }
[K] E 1 F r ... E n F r
E F
(K/+ E - ~ F a n d a e K
(g) FFr
a'Z. E F aZ. + U d~--4~aZ. ~ and U is new
Et-U
U E~-U U =deaf Z . ~
E ~- + ( U / Z }
Fig. 18. Tableau rules
auxiliary propositional constants~ ranged over by U, as abbreviations of fixed

point formulas.
The rules are backwards sound in the sense that if all the consequents of any
rule are true then so is the premise goal. This is clear for fixed point formulas
provided we understand the presence of a constant to be its defined equivalent
as in the previous section.
212
To test whether E has the property 9 relative to V, one tries to achieve

the goal E Fv 9 by building a successful tableau, a finite proof tree whose root
is labelled with this initial sequent, and where all the leaves are labelled by
sequents that are true. Sequents labelling the i m m e d i a t e successors of a node
labelled F I- k~ are determined by an application of one of the rules, dependent
on the form of ~. As the rules are backwards sound, it follows that if the leaves
of a finite proof tree are true then so is the root. So we need to present conditions
for when a node in a proof tree counts as a leaf.
We assume t h a t the rules above only apply to nodes of a proof tree that are
not terminal. A node n labelled with the sequent F F !/+ is terminal if one of the
following conditions hold:
Successful terminal Unsuccessful terminal
1.~=tt or~=ZandFEV(Z) 1'. ~ = f f or ~' = Z and F ~ V(Z)

2. ~ = [K]O and the set 2 ' . ~ -- (K)O and the set
{E : F a,EandaEK}=O { E : F--~-+ E and a E K } =O
3. gr = U and U d__.efvZ. 9 and 3 / ~ = U and U d__ef#Z. q~
and there is a node above and there is a node above
n labelled F h n labelled F h
It is clear that nodes labelled with sequents which obey 1 or 2 are successful
as then F has the property ~ relative to 1), and similarly nodes labelled with
sequents fulfilling 1~ or 2 ~ are not true. The remaining two conditions are ana-
logues of termination of a finite length game play through repetition, and are
pictured in figure 19. It is at this point that we distinguish in the proof theory
9
U d=
ef
uZ.~ U de~
= #Z.~
F~-U FFU
:
FI-U FFU
Successful Unsuccessful
Fig. 19. Termination through repetition
between the two kinds of fixed points as they are not differentiated by the rules
earlier9
213
D e f i n i t i o n 1 A successful tableau for E by 4 is a finite proof tree whose root

is labelled with E t-v 4, and all other nodes are labelled with sequents which
are the result of an application of one of the rules to the sequent labelled at
the node immediately above them, and all of whose leaves are successful (obey
conditions 1, 2 or 3 above).
A path in a finite proof tree for E0 ~ 40 is a finite sequence of labelled nodes
E0 t- 4 0 . . . E n ~ 4n where each one lies directly beneath its predecessor, and
where the final node (labelled En ~ 4n) is a leaf. Associated with a path is
the game play (E0,40)... ( E , , 4 , ) . In the case of a successful tableau, player
II wins each of these plays. Moreover all the possible choices player I can make
are present in the proof tree (up to renaming of constants), A successful tableau
for E F r is a concrete expression of player II's winning strategy for the game
(E, 4), and is therefore a proof that E has the temporal property 4.
P r o p o s i t i o n 1 If E F'v 4 has a successful tableau then E ~ v 4.
E x a m p l e 1 A complete description of the clock Cl is that it perpetually ticks
and can do nothing else. This singular capability is expressed by the following
formula, vZ. ([--tick]ff A ( - / t t ) A [-]Z. Below is a proof that C! has this
property, where we omit the side conditions on the [K], (K/, #Z, and constant
9rules.
Cl k . z . ^ <-)it) ^ [ - ] z
Clk U
Cl e ^ <-)tt) ^ [-]u
cl [-tick] ^ (->it
ct F [-tick] Ct k (-)it CI~ U
Cl N tt
There are three kinds of successful leaf here. []
E x a m p l e 2 The vending machine Ven, from section 1.1, has the property that
whenever 2p is deposited eventually a big item is collected, which is expressed by
the formula ~P= uZ. [2p](#Y. ( - ) t t A [ - c o l l ectb]Y) A [-]Z. A successful tableau
is presented in two stages in figure 20 where 4 abbreviates the subformula
#Y. ( - ) t t A [--collectb]Y, and cb. Ven and ct. Ven abbreviate collectb. Ven
and coZlectl. Ven. Notice how similar the subtableaux T1 and T2 are. Later we
examine how to amalgamate their proof trees. []
E x a m p l e 3 Let D and 4 be as in example 1 of section 3.4. The resulting
successful tableau for D b 4 is presented in figure 21. Notice the important
requirement that a new constant is introduced when a fixed point is met. Both
V and W abbreviate the same fixed point formula. []
The tableau proof system presented here is complete for finite state processes.
This is a consequence of the game characterization of satisfaction.
214
Ven h ~P
Venh U
re. F [2p]~ ^ [ - ] u
Veil F- [2p]~ Ven I-- [-]U
Venb h T1 T2
Ven~, h V
Venb }- (--)it^ [--r

Venb [- (--)it Venb I- [ - c o l l e c t b ] V
r Veil 1"- tt cb. Ven I- V
cb. Veil ~- (-)it A [-r

cb. Veil }- ( - - ) t t c b . Ven ~- [-collec%]V
Ven ~- tt
T1
Venb h U
wil~ F- [2p]~ ^ [ - ] u
v~.~ ~- [2p]~ w . ~ ~- [ - ] u
Venb I- [-]U
cb. Ven F- U
cb. Wn b [2p]~ ^ [ - ] U
~ . Veil ~- [2p]~ cb. wil ~- [-]u
Ven h U
T2
Venl b- U
Wn, ~- [2d~ ^ [-]U

Vent I- [2p]~ Veto I- [-]U
Vent I- [-]U
c~. Ven I- U
~,. veil F [2p]~ ^ [ - ] v

ct. Veil I- [2p]~ cl. Ven I- [ - ] U
Ven I- U
Fig. 20. A successful tableau for Ven
215
DI-~
DFU
D F- I~Y.[a](((b)tt A U) V Y)
D~'V
D I- [a](((b}tt A U) V V)
D' I- ( ( b ) t t A U) V V
D' t- (b)tt A U
D' F"(b)tt D' F" U
OI-tt D' I- #Y. [al(((b)tt A U) V Y)
D'~-W
D' I- [a](((b)tt A U) V W)
D ~ ((b)tt^ u) v w
DFW
D F [a](((b)tt h U) V W)
D' F ((b)tt A u) v w
D' F (b)tt A U
D'l-(b}tt D'~-U
OI-tt
Fig. 21. A successful tableau for D t-
P r o p o s i t i o n 2 I f E is a finite state process and E ~ v ~ then E k v 9 has a

successful tableau:
4.3 Refinement of games and tableaux
In this section we refine the definition of game play to provide a more efficient
characterization of the satisfaction relation by reintroducing constants. We then
show how this refinement affects the construction of tableaux.
Figure 16 contains the rules for the next move in a play whose initial part is
(E0,4~0)... (Ej, 45j). We now change the rules for introducing constants for fixed
points, and divide each of them into two cases.
- if 4ij = vZ. ~ and player I has not previously introduced a constant V dej
216
uZ. ~P then player I chooses a new constant U and sets U ~ f uZ. ~P: the
process Ej+I is Ej and ~ j + l is U.
def
- if ~j = / ~ Z . ~ and player II has not previously introduced a constant V =
def
pZ. kV then player II chooses a new constant U and sets U = #Z. ~: the
process Ej+I is Ej and ~j-]-I is U.
- if 4 j = t,Z. kv and player I has previously introduced a constant V d__efvZ.
then Ej+I is Ej and ~ j + l is V.
- i f ~ j = #Z. ~ and player II has previously introduced a constant V d__cf#Z. ~P
then Ej+I is Ej and 4j+1 is V.
This change means t h a t constants are reintroduced as abbreviations for the same
fixed point formula. All the other moves and who is responsible for t h e m remain
unchanged.
9We also need to change the criteria for when a player wins a play. The
winning conditions for the earlier games are given in figure 17. We retain the
conditions 1, 2, 1~ and 2~: for instance if the configuration reached in a play is
(F, [K]kV) and the set {E : r a E and a e K } is e m p t y then player II wins.
The other conditions 3, 4, 3 ~ and 4' need to be redefined because constants are
reintroduced. An infinite length play m a y now contain more than one constant
that recurs infinitely often.
The following definition provides a useful notion t h a t will be used in the
reformulated termination conditions.
D e f i n i t i o n 1 The constant U is active in 9 iff either U occurs in q~, or some
def
constant V = erZ.~P occurs in 4, and U is active in ~Z.~P.
The discipline of introducing constants ensures t h a t being active is well defined.
If U1 def
: O'Zl.k[r ...Un def: ~rZn.kVn is the sequence of declarations of distinct
constants in order of their initial introduction then although Ui can be active in
Uj when i < j it is not possible for Uj to be active in Ui. Activity of a constant
can be extended to finite or infinite length sequences of formulas: we say t h a t U
is active throughout 4 0 . . . 4n . . . if it is active in each t i -
The following l e m m a governs the remaining Winning conditions.
L e m m a 1 i. / f ( E 0 , 4 0 ) . . . ( E n , 4 n ) is an initial part of a game play and
r = 4n for some i < n, then there is a unique constant U which is active
throughout r and which occurs there, ~j = U for some j : i <_j <_ n.
ii. If (Eo, 4 0 ) . . . (En, 4 n ) . . . is an infinite length game play then there
is a unique constant U which occurs infinitely often and is active throughout
r . . . 4 , , ... for some j >_ O.
A repeat configuration (E, ~P) when ~P is any formula, and not just a constant,
terminates play. W h o wins depends on the sequence of formulas between (and
including) the identical configurations. There is exactly one constant U which
is active throughout this cycle and which occurs within it: if it abbreviates a
m a x i m a l fixed point formula then player II wins and otherwise it abbreviates a
217
least fixed point formula and player I wins. This replaces conditions 3 and 3 ~ of
figure 17. In any infinite length play there is a unique constant which is traversed
infinitely often and which is active for all but a finite prefix: if this constant
abbreviates a maximal fixed point formula player II wins and otherwise player
I wins. This replaces conditions 4 and 4 ~ of figure 17. These revised termination
conditions are pictured in figure 22. Again the conditions 3 and 3 ~ are redundant,
and are only included because they guarantee that any play from a finite state
process has finite length.
Player I l w i n s Player I wins
: U~fvZ.# : U~fI~Z.#
(E,~) T (E,~I') T
: U active : U active
(F, U) (F, U)
: throughout : throughout
(E,~) I (E,~) I
Player II wins Player I wins
9 U de=fvZ. 9 " U %~ zZ.

9 o
(Ek, U) (Ek~,U)
:
(E3, U) T (Ej, U) T
U active . U active
(E~, U) (E,~, U)
throughout throughout
Fig. 22. Revised repeat winning conditions
A strategy is again a set of rules which dictates how a player should move,
and it is winning if the player wins every play in which she uses it. For each
218
game (E, ~) one of the players has a winning strategy, which is again history
free.
T h e o r e m 1 E ~ v ~ iff player II has a winning strategy for (E, ~) relative to
13.
When E is a finite state process let IEI be the number of processes in 7~(E),
and let I~1 be the size o f ~ (the number of symbols within it). There are at most
IEI • I~1 different configurations in any game play (up to renaming of constants).
This means that any play of ( E , r has length at most 1 + (IEI • I~1).
E x a m p l e 1 A case where game playing is shorter is example 3 of section 4.1.
Let D a D', D' a D and D' b_~ 0, and let ~ be I~Y. uZ.[a](((b)ttVY)AZ).
Player I's winning strategy for (D ~, ~) is the same as in that example. The play
proceeds:
(D', ~) (D', U) (D', uZ. [a](((b)tt V U) A Z)) (D', V)
(D', [a](((b)tt V U) A V)) (D, ((b)tt V U) A V) (D, (b)tt V U)
At this configuration player II has a choice. If she chooses the first disjunct
she then loses because there is not a b transition from D. Otherwise the play
proceeds:
(D, U) (D, uZ. [a](((b)tt V U) A Z)) (D, V)
(D, [a](((b)tt V U) A Y)) (D', ((b)tt V U) A V) (D', V)
There is now a repeat configuration (D ~, V). Consider the sequence of formulas

in this game cycle, between and including these identicM configurations:
Y [a](((b)tt V U) A V) ((b)tt V U) A V (b)tt V U U
uZ.[a](((b)ttVU)AZ) [a](((b)ttVU)AV) ((b)ttVU)AV V
The constant V is not active throughout this sequence (because it is not active
in the formula uZ. [a](((b)tt V U) A Z)). However V is active throughout and
also occurs there, and because it abbreviates a least fixed point formula player
I is the winner. []
A tableau proof system was introduced in section 4.2 in such a way that a
successful tableau concretely represents a winning strategy for player II (when
the game process is finite state). Given the refinements above to game playing
we now redefine this tableau proof system. The only change to the rules is that
when a fixed point formula is met again the same constant is reintroduced, new
constants are only introduced for fixed point formulas that have not been met
before.
To test whether E has the property ~ one tries to build a successful tableau
for E ~-v ~ which is a finite proof tree whose root is labelled with this sequent.
The leaves have to be successful as defined in section 4.2, except for the case of
termination because of repetition. The new conditions for terminating through
repetition are:
219
9 U~f~Z.r : U~fpZ.r
:
E~, T E~, T
: U active : U active
F~-U Ft-U
: throughout : throughout
Again it is at this point that we distinguish in the proof theory between the
two kinds of fixed points, as they are not differentiated by the rules earlier. As
before a successful tableau for E ~- 9 expresses player II's winning strategy for
the game (E, ~) and is therefore a proof that E has the property ~.
P r o p o s i t i o n 1 I f E t-v ~) has a successful tableau then E ~ v ~.
E x a m p l e 2 The tableau proof that D satisfies q~ = L,Z. pY. [a](((b)tt A Z) V Y)
w h e n D a ) D ~ a ) D a n d D ~ b) 0 is given in figure 23. This proof is shorter
than the previous proof in figure 21. As U, a maximal fixed point constant, is
active throughout the cycle from D ~- V to D ~- V and occurs within it the
tableau is successful. []
The tableau proof system presented here is again complete for finite state
processes. This is again a consequence of the game chaiacterization of satisfac-
tion.
P r o p o s i t i o n 2 I f E is a finite state process and E ~w ~ then E ~-v 4~ has a
successful tableau.
4.4 Game graphs and algorithms
Assume that E is a finite state process. The game graph for (E, 4~) relative
to ]) is the graph representing all possible plays of the game ( E , ~ ) , of the
previous section, modulo a canonical means of choosing constants. The vertices
are pairs (F, ~), configurations of a possible game play, and there is a directed
edge between two vertices vl ) v2 if a player can make as her next move v2
from vl. Let G ( E , ~ ) be the game graph for ( E , ~ ) , and let IG(E,~)I be its vertex
size which we know, from the previous section, is no more than IE[ x Ir The
complexity of property checking is NP N co-NP. This follows from the observation
that giyen a strategy for player II or player I it is straightforward to check in
polynomial time whether or not it is winning: the technique in [29] is easily
convertible into game playing.
220
Dt-~
DI--U
D I- #Y. [a](((b)tt A U) v Y)
D~-V
D I- [a](((b)tt h U) V V)
D' F ((b)tt A U) V V
D' F (b)tt A U
D' I- (b)tt D'FU
OFtt D' t- #Y. [a](((b)tt A U) V Y)

D'F V
D' F [a](((b)tt A U) V V)
D F ((b)tt A U) V V
DFV
Fig. 23. A successful tableau for D b- 4~
We can easily ensure that game playing must proceed to infinity by adding
extra moves when a player is stuck (and removing the redundant repeat ter-
mination conditions 3 and 31 of the previous section). The resulting game graph
is then an alternating automaton: the and-vertices are the configurations from
which player I proceeds and the or-vertices are those from which player II moves,
and the acceptance condition is given in terms of active constants. See [10] which
directly uses alternating automata for property checking.
An important open question is whether model checking modal mu-calculus
formulas can be done in polynomial time (with respect to IEI x 14~1).One direction
for research is to provide a finer analysis of successful strategies, and to be able
to describe optimizations of them. New insights may come from the relationship
between the games developed here and other graph games where there are such
descriptions.
The property checking game can be (easily) abstracted into the following
graph game. A game is a graph with vertices { 1 , . . . , n} where each vertex i has
two directed edges i ---. j l and i * J2. Each vertex is labelled I or II. A play is
an infinite path through the graph starting at vertex 1, and player I moves from
vertices labelled I and player II from vertices labelled II. The winner of a play is
determined by the label of the least vertex i which is traverse.d infinitely often:
if i is labelled I then player I wins, and if it is labelled II then player II wins. A
221
player wins the game if she has a winning strategy (which again is history free).
For each game one of the players has a winning strategy. Notice that this graph
game is described without mention of property checking.
Simple stochastic games [26] are graph games where the vertices are labelled
I, II or A (average), and where there are two special vertices I-sink and II-sink
(which have no outgoing edges). As above each I, II (and A) vertex has two
outgoing edges. At an average vertex during a game play a coin is tossed to
determine which of the two edges is traversed each having probability 89 More
generally one can assume that the two edges are labelled with probabilities of
the form a where {3 < p < q < 2"~ for some m, as long as their sum is 1. A game
play ends when a sink vertex is reached: player II wins if it is the II-sink, and
player I otherwise. The decision question is whether the probability that player
II wins is greater than 89 I t is not known whether this problem can be solved in
polynomial time, although in [26] it is shown that it does belong to to NPf3co-
NP. In [48] a "subexponential" (2 ~ algorithm is presented, which works by
refining optimal strategies. A polynomial time algorithm for simple stochastic
games would imply that extending space bounded alternating Turing machines
with randomness does not increase the class of languages that they accept.
Mark Jerrum noted that there is a reduction from the graph game to the
simple stochastic game. The idea is to add the two sink vertices, and an average
vertex il for each vertex i for which there is an edge j ~ i with j > i. Each
such edge j ~ i when j > i is changed to j ~ il. And the vertex il has an
edge to i, and to I-sink if i is labelled I or to II-sink otherwise. With suitable
rational probabilities on the edges, player II has a winning strategy for the graph
game iff she has one for the simple stochastic game.
4.5 Generalizing tableaux
We have presented characterizations of when a process has a temporal prop-

erty using games. We also developed tableau proof systems for verifying that
processes have properties. However, a successful proof is only guaranteed in the
case that a property holds of a finite state process. We would like a more gen-
eral proof technique that also allows us to show properties of processes that are
infinite state. Even in the finite state case a more general proof m e t h o d may be
useful, as a tableau proof may become too unwieldy because of its size.
There are various classes of infinite state system. Process definitions may
involve explicit parameterization: examples include the counter Cti and register
Reg~ of section 1.1, and the slot machine SMn of section 1.2. Each iristantiation
of these processes is itself infinite state and contains the other family members
within its transition graph. However the parameterization is very useful as it
reveals straightforward structural similarities within these families of processes.
Another class of processes that is infinite state is entirely due to the presence
of data values. The protocol of section 1.2 is a paradigm example. However there
are different degrees of involvement of data within these processes, depending
on the extent to which data determines future behaviour. At one extreme are
222
examples such as the Protocol which pass data items through the system ob-
livious of their particular values. A number of authors has identified classes of
processes which are in this sense data independent. At the other extreme are
systems such as T(i) of section 1.1 where future behaviour strongly depends on
the value i. In between are systems such as the register where particular values
are essential to change of state.
A third class of processes is infinite state independently of parameterization.
An instance is the counter Count of section 1.5. Here the system evolves its
structure as it performs actions. In certain cases processes that are infinite state
in that they determine an infinite state transition graph are in fact bisimulation
equivalent to a finite state process. A simple example is that C de f a.C I b.C is
bisimilar to C' ~ f a.C' + b.C'. Another interesting subclass of infinite state pro-
cesses are those for which bisimulation equivalence is decidable. Two examples
are the context free processes and the basic parallel processes [23, 22].
A final class of systems is also parameterized. However for each instance of
the parameter the system is finite state. Two paradigm examples are the buffer
B u f f , and the scheduler Sched,, both from section 1.4. Although the techniques
for verification of temporal properties apply to instances they do not apply to
the general families. In such cases we would like to prove properties generally, to
show for instance that for each n > 1 Sched, is free from deadlock: T h e proof
of this requires exposing structure that is common to this whole family.
In this section we present a simple generalization of satisfaction, and examine
how it can be used to provide a tableau proof system. The full story of this proof
system (presented with Julian Bradfield in [18]) continues into the next section.
A straightforward generalization of satisfaction is as a relation between a set
of processes and a formula. We use the same relation ~ v for this extension. If
79 is a transition closed set with g C 79 then
I s ~v r iff g C II4~ IIv

~ I
As before we write g ~ r when there is no valuation, or when the valuation can
be understood from the context.
E x a m p l e 1 The family of counters of figure 4, {Cti : i > 0}, has the prop-
erty [up]([round]ff A [up] (do,n)(down)tt). The following proof uses the expected
inductive definition of s ~ 4~ (which is discussed below):
{Ct.i : i > O} ~ [up]([round]ffA [up](do.n)(down)it)

iff {Cti : i > i} ~ [round]:ffA [up](down)(do.n)tt
iff { Cti : i > l} ~ [round]ffand {Ctl : i _> l) ~ [up](doun)(doun)tt
iff { Cti : i >_ 1} ~ [up](do.n>(down)tt
iff { Cti : i >__2} ~ (do.n)(down)tt
iff { Cti : i > 1} ~ (do.n)tt
iff { Cli : i > 0} ~ tt
This proof is more direct than appealing to induction on process indices. []
223
Example 1 utilizes some obvious properties of satisfaction between sets of

processes and formulas. Below are necessary and sufficient conditions for all the
connectives using a little notation which we shall explain.
E~v~IA~2iffE~vr andE~v~2
E ~V ~1 V ~2 iff 3El, E2. E1 U E2 = E and ~1 ~ r and E2 ~v 4~2
E ~ v (K)~ iff there is a choice function f : E , K(E) and f(E) ~ v

E ifr E
The case of conjunction is the most straightforward. Disjunction is more com-

plex. When E ~ v ~1 V ~2 the set C can be spit into two subsets E1 and E~ with
Ei ~ ~i: note that one of these sets could be empty 24. For the modal cases we
utilise notation. If E is a set of processes and K is a set of actions then K ( E ) is
the set { F : 3 E E E.3a E K. E ._L. F}, which is the set of processes reachable
by K transitions from members of E. In example 1 { u p } ( { C t l : i > 0}) = { C t i :
i > 1}. The set E has the property [K]~ iff K(E) satisfies 4~. For the diamond
modality we appeal to functions. A function f : E > K(E) is a choice function
provided that for each E E E there is an a E K with the feature that E a ~ f ( E ) .
When f is such a function we let f ( E ) = { f ( E ) : E e E}. The set E satisfies
(K)4~ just in case there is a choice function f : E , K ( E ) where f ( E ) satisfies
4~. In example 1 there is the function f : { C t i ; i > 2} , { d o w n } ( { C t i ; i > 2})
given by f ( C t i + l ) = Cti, which justifies one of the proof steps. This leaves the
difficult cases of the fixed points. We shall make use of the principles developed
in previous sections which appeal to games. Note however that the fixed point
unfolding principle holds for the generalized satisfaction relation.
We wish to extend the tableau proof system of section 4.2 to encompass sets
of processes having a property. Therefore we extend the basic sequent E [-v
to E t-v ~, and as usual we drop the index ]) wherever possible. Each proof rule
has one of two forms:
possibly with side conditions. As in section 4.2 the premise sequent E F- ~ is the
goal to be achieved (that every process in E has the property ~) while the con-
sequents are the subgoals. The tableau proof rules are presented in figure 24. As 9
we are generalizing the proof system of section 4.2 new constants are introduced
as fixed point formulas are met: this makes termination less complex than if
we generalized the proof system of section 4.3 where constants are reintroduced.
There is one new kind of rule, a structural rule Thin, which allows the set of
processes in a goal sequent to be expanded. Clearly, the rules are backwards
sound.
To show that all the processes in E have the property 4~ relative to 13, one tries
to achieve the goal E Fv r by building a successful tableau. As before a successful
24 By definition 0 ~ v ~ for any ~.
224
A v C=E~ u82
(K) Ef ( F-
E )(K)#
.P r~ f : E -~ K(E) is a choice function
[K] K ( e ) P
g l - aZ.q~
a'Z. U ~f aZ. ~ and U is new
EFU
U g F O{U/Z} o'Z. ~ Thin ~ e C -~"
Fig. 24. Tableaux rules
tableau is a finite proof tree whose root is labelled with this initial sequent,
and where all the leaves are labelled by sequents that are successful. Sequents
labelling the immediate successors of a node labelled :~ F ~ are determined
by an application of one of the rules, either by Thin or by the rule for the
main connective of k~. The crucial missing ingredient is when a node counts as
a terminal node.
The definition of a leaf in a tableau is, as we shall see in the next section,
underpinned by the game theoretic characterization of satisfaction. A tableau
now captures a whole family of games. For each process in the set of processes
on the left hand side of a sequent determines a play from it and the property
on the right hand side. A node n labelled by the sequent ~ F !P is terminal in
the circumstances described in figure 25. Clearly a node labelled with a sequent
Successful terminal Unsuccessful t e r m i n a l
I. ~ = tt or 1'. k ~ = f f o r
k~ = Z and Y C_ l;(Z) = Z and ?" ~ / 2 ( Z )
2. ~ ' = 0 2'. ~P = (K)~ and for some

F ~ 7 . K({F}) = 0
3. ~ = U and U ~ f vZ. ~ and 3.' k~ = U and U d___cf#Z. 9 and

there is a node above n there is a node above n
labelled 8 ~ U with E D ~r labelled s F U with ~" _.DE
Fig. 25. Tableau terminals
fulfilling 1 or 2 is successful, and similarly any node labelled with 1' or 2' is not
225
true. The other two conditions are generalizations of those for the proof system
def
: U~uZ.4 , : U = #Z.O
: C~_F : ~_C
EFU E.I--U
OrFU ~FU
Fig. 26. "Repeat" termination conditions
of section 4.2, and are pictured in figure 26. The justification for the success
of condition 3 can be seen by considering any infinite length game play from a
process in E with respect to the property U which cycles through the leaf ~" t- U.
As :T C ,~ the play continues from this companion node. Such an infinite play
must pass through U infinitely often, and is therefore a win for player II.
A successful tableau for E ~-v 4i is a finite proof tree all of whose leaves are
successful. A successful tableau only contains true leaves.
P r o p o s i t i o n 1 I f E b'v q~ has a successful tableau then E ~ v O.
However as the proof system stands, the converse is not true. A further termin-
ation condition is needed for least fixed point constants. However this condition
is a little complex and so we delay its discussion until the next section. Instead
we present various examples that can be proved without it. In the following we
write E ~- 4~ instead of {E} ~- q~.
E x a m p l e 2 It is not possible to show that Cnt has the property uZ. (up)Z using
the tableau proof system of section 4.2, when Cnt is the infinite state process,
Cnt ~ f u p . ( C n t [ down.0). There is a very simple proof within this more general
proof system. Let Cnto be Cnt and let Cnti+l be Cnti I down.0 for any i > 0.
Cnt F uZ. (up)Z

{Cnt : i _> 0} . z . (up)Z
{ Cnt~ : i > O} ~- U
{Cnt : i >_ 0} (up)U
{ Cnti : i >_ l } l- U
Notice here the essential use of the Thin rule, and the simple condition for
termination. The choice function which we have left implicit maps each Cntl to
Cnti§ l . []
226
E x a m p l e 3 The slot machine in figure 10 is infinite state. The safety property,

that the machine never pays out more than it has in its bank as described in
example 2 of section 3.8, has the following tableau where the falsity of Q indicates
that the slot machine owes money:
{ S M . : n >_ O} t- vZ.Q A [ - ] Z
c F ~,Z.Q ^ [-]z
~F-U
r QA[-]U
~Q ~ [-Iv
g~-u
Here the Thin rule is used to enlarge the set of slot machines to the set ~ which
is 7)( SM,~ ). []
The proof system is also applicable to finite state examples, providing a much
more succinct presentation of player II's winning strategy for a game.
E x a m p l e 4 Recall the level crossing of figure 7. Its safety property is expressed
as v Z . ( ~ f f V [cc--5~5~]ff) A [ - ] Z . Let 9 be this formula. We employ the
abbreviations in figure 8, and we let E be the full set { E 0 , . . . E l l } . Below is a
successful tableau showing that the crossing has this property:
Crossing t-
E~U
E F ([~]~ v [~]~f) ^ [-]u
~~ ~ v [~]~f c ~ [-]u
s - {Es, ET} e [ ~ - ~ - ~ ~ - {E4, E6} e [ ~ ] ~ ~ e U
0 ~ f~ 0F ~
Again notice the essential use of the Thin rule at the first step. []
E x a m p l e 5 In example 2 of section 4.2 we noted how similar the two subtableaux
T1 and T2 are. These can be amalgamated as follows (where the same abbrevi-
ations are used):
227
{ Venb, Vent} b U
{ venb, Vent} ~- [2fie ^ [-]u
{ Venb, Vent} t- [2p]~ (genb, genl} ~- [-IV
{ Venb, Yen,} ~- [-W
{cb. Ven, ct. Ven} ~- U
{r Yen, ~t. Ven} F [:p]~ ^ [-]U
{r Ven, r Ven} e [2p]r {r Ven, et. Ven} F [-]U
Ot"~ Venb U
The terminals have changed slightly. 0
4.6 Well f o u n d e d n e s s
The proof system of the previous section is not complete. An example for which
there is not a successful tableau is given by the following cell, C d=ef in(x).Bx
when x : N and Bn+l def down.Bn. This cell has the property of eventual ter-
mination, I-tZ. [-]Z, The only possible tableau for C b pZ. [ - ] Z up to renaming
the constant, and inessential applications of Thin is:
c ~- ~z. [-]z
CbU
c ~ [-]u
(1) {Bi : i _ > O } b U
(2) {Bi : i >_ O} I-- [-]U
(3) {Bi : i > 0 } [ - U
The final node (3) is terminal because of the node labelled (1) above it, and it
is unsuccessful because U is a least fixed point constant. However any play of
the game (C,/~Z. I-]Z) is won by player IL One solution to the problem is to
permit induction on top of the current proof system by showing that each Bi
has the property U. However we would like to avoid explicit induction principles.
Instead we shall present criteria for success which captures player II's winning
strategy. This requires one more condition for termination.
The additional circumstance for being a leaf node of a proof tree concerns
least fixed point constants. A node n labelled by the sequent 2" b U is also a
terminal if it obeys the (almost repeat) condition of figure 27. This circumstance
is very similar to condition 3 of the previous section except it is with respect
228
def
: U -- # Z . ~
~c_E
CFU
~'FU
Fig. 27. New terminal
to a least fixed point constant, and it is also similar to 3' except that the set
of processes ~" at the leaf is a subset of C. Not all nodes that obey this new
condition are successful. The definition of success (taken from [18]) is intricate,
and requires some notation.
A leaf which obeys condition 3 of being a terminal from the previous section
or the new terminal condition above is called a (r-terminal, where ~r m a y be
instantiated by a v or p depending on the kind of constant involved. Suppose
node n ' is an immediate successor of n, and n is labelled by E F ~ and n ~ is
labelled E ~ h ~ .
n: s
A game play proceeding through (E, ~) where E E E can have as its next
configuration (E~,~ ') where E ~ E C' provided the rule applied at n is not Thin.
Which possible processes E ~ E C~ can be in this next configuration depend on
the structure of ~. This motivates the following notion 9 We say that E ' E E' at
n ~ is a dependant of E E E at n if
- the rule applied to n is A, V, U, a Z , or Thin, and E - E ~, or

- the rule i s [ K ] a n d E a ) E ~ for some a E K, or
- the rule is (K), and E ' = f(E) where f is the choice function.
All the possibilities are covered here. An example is that each Bi at node (2) in
the tableau earlier is a dependant of the same Bi at node (1), and each Bi at
(1) is a dependant of C at the node directly above it.
Assume t h a t the companion of a cr-terminal is the most recent node above
it which makes it a terminal. (There may be more than one node above a a-
terminal which makes it a leaf, hence we take the lowest one.) Next we define
the notion of a trail.
D e f i n i t i o n 1 Assume that node nk is a p-terminal and node na is its compan-
ion. A trail from process E1 at n l to Ek at nk is a sequence of pairs of nodes
and processes (nl, E l ) . . . . , (nk, Ek) such that for all i with 1 _< i < k either
1. Ei+l at ni+l is a dependant of Ei at nl, or

229
2. ni is the immediate predecessor of a #-terminal node n ' (where n I ~ nk)

whose companion is nj for some j : 1 < j < i, and ni+l = nj and Ei+l at n ~
is a dependant of El at nl.
((1), B2)((2), B2) ((3), B1) is a simple trail from B~ at (1) to B1 at (3) in the
tableau earlier. In this case B2 at (2) is a dependant of B2 at (1), and B1
at (3) is a dependant of B2 at (2). Condition 2 of Definition 1 is needed to
take account of the possibility of embedded fixed points as pictured in figure 28.
A trail from (n~, E l ) to (nk, E~) may pass through node nj repeatedly before
9 nl EFU
n3 C~)-V
nk ~'t-U n' 2-1 t- V
Fig. 28. Embedded terminals: ~" C g and ~'1 C gl.
continuing to nk. In this case nk is a p-terminal but n ~ may be either a p or a

u-terminal. In fact node nj here could be na with nk and n ' both sharing the
same companion. This can be further iterated when there is another #-companion
along the path from nj to n| and a further leaf n ' , and so on. Note that there
is an intimate relationship between the sequence of processes in a trail and a
sequence of processes in part of a game play from from the companion node to
the terminal.
Each companion node n of a p-terminal induces a relation Dn:
D e f i n i t i o n 2 E t > n F if there is a trail from E at n to F at a p-terminal whose

companion is n.
We now come to the definition of a successful p-terminal.
D e f i n i t i o n 3 A p-terminal whose companion node is n is successful if there is

no infinite "descending" chain E0 Dn E1 I>n ....
Success means that the relation <ln induced by the companion of a p-terminal is
well-founded. This precludes the possibility of an infinite game play asssociated
with a tableau which cycles through the node n infinitely often.
A tableau is successful if it is finite and all its leaves obey one of the conditions
for being a successful terminal (either 1, 2 or 3 from the previous section, or
that of being a successful p-terminal). The tableau technique is both sound and
complete for arbitrary (infinite state) processes. Again the result is proved using
230
the game characterization of satisfaction.

T h e o r e m 1 g bv 9 has a successful tableau iff g ~ v ~.
E x a m p l e 1 The tableau at the start of this section is successful. The only
trail from S~+l at (1) to (3) is ((1), B~+I)((2), Bi+l)((3), Bi), and therefore
Bi+l l>(a) B~.
Suppose we amend the definition of Bi+l to Bi+l d_efdown.Bi +up.Bi+2. Each
Bi+l has the extra capability for performing up. An attempt to prove that C
eventually terminates yields the same tableau as at the beginning of the section.
However this tableau is now unsuccessful. There are two two trails from Bi+l at
(1) to (3): ((1), Bi+I) ((2), Bi+I) ((3), Bi) and ((1), Bi+I) ((2), Bi+l) ((3), Bi+2).
Hence, both Bi+l t>(a) Bi and Bi+l t>(a) Bi+2. Consequently there is a variety
of infinite decreasing sequences from Bi+l such as Bi+l t>(a) Bi+2 t>(a) Bi+l ....
[]
E x a m p l e 2 The liveness property of the crossing subject to the assumption of
fairness of the signal, as we saw in example 3 of section 3.8, is expressed by the
following open formula vY.[car]@l A [-]Y, where ~q is
I~X.vYl.(O V [-r162 V X) A [-r A [--r162
and where Q holds when the crossing is in any state where Rail can by itself
perform green and R holds in any state where Road can by itself perform up. We
employ the abbreviations in figure 8, and we let g be the full set {E0, ..., Ell}.
The states that Q holds at are E~, E3, E6 and El0 and R holds at El, Ea,
ET, and Ell. A proof that the crossing has this property is given in stages in
figure 29.
In this tableau there is one/~-terminal, labelled (1) whose companion is (c).
The relation E>r is well founded as we only have: E1 t>c E4, E4 t>r Es and
E3 I:>e E6. Therefore the tableau is successful. []
E x a m p l e 3 The verification that the slot machine has the weak liveness prop-
erty that a million pounds can be won infinitely often is given by the following
successful tableau:
{SMn : n >_O} b vY.I~Z.(~'~(IO6)}Y V ( - ) Z

g b vY.#Z.(~"~(IO6))Y Y ( - ) Z
s
g ~- #Z.(~-n(lO6)>V V ( - ) Z
(x) v
(2) s t- (w-~(lO6))U V ( - ) V
E1 F- (u-~(lO6))U (3) s b ( - ) V
el u (4) v
231
{ Cros~,,g} F ~Y.[r A FlY

g }- .Y.[car]~l ^ [-]Y
g'F U
E l- [r ^ [-iU
E F [car]~l c ~- [ - W
{EI,E3,ET,Ell } t- q/1 CI-U
T1
~1 "~ { E l , E 3 , E 4 , E 6 , E T , E l l }
T1
(e) E~ e v
C1 F ~,Y~.(Q v [-r162 v V) ^ [-r162 ^ [ - r162
~'1 I- U1
~r I- Q v [ - ~ ] ( l p Y 2 . ( R v V) A [ - ~ ] Y 2 ) A [-cc-"~ro'-~]Ui
E, F Q v [-~r v V) ^ [-r162 c~ e [ - ~ ] v ,
{E3,E~} F Q T2 E~ t- UI
T2
{El, E~, E~ , Ell} ~- [ - c c ~ ] ( v Y 2 . ( R v V) A [-cc--SVS-~]Y2)
{E,,E3,E4,E6,Ell} F .Y2.(R v V) ^ [ - ~ ] 8 9
{E,,E3,E4,E6,E~,E~I} ~- . 8 9 v V) ^ [ - ~ ] 8 9
{E1,E3,E~,E6,E~,E.} F U2
{E1,Ez,E,,E6,Er,E. } F ( R v V ) A [ - ~ ] U ~
{ EI, E3, E4, E6, ET , Ell } I- R V V { E~ , Ea, E4, E6, ET , E ~ } I- [ - ~ ] U 2
{E~,Ea,ET,EI~} I- R (1) {E4,E~} I- V {E~,Ez,E4, E6,ET,E~I} t- U2
Fig. 29. Liveness proof for the Crossing

232
E is the set of all derivatives. The vital rules in this tableau are the disjunction at
node (1), where El is exactly those processes capable of performing a ~in(106)
action, and E2 is the remainder; and the (K) rule at node (3), where J" is defined
to ensure that s is eventually reached: for a process with less than 10 s in the
bank, f chooses events leading towards loss, so as to increase the amount in the
bank; and for processes with more than 106, f chooses to release(106). The
formal proof requires partitioning s into several classes, each parametrized by
an integer n, and showing that while n < 106, n is strictly increasing over a cycle
through the classes; then when n = 106, f selects a successor that is not in E2,
and so a Chain from E0 through nodes (1), (2), (3), (4) terminates. []
E x a m p l e 4 Consider the following family of processes for i > i from section 1.1:
T(i) dej if even(i) then 5-~(i).T(i/2) else -6~(i):T((3i + 1)/2)
If T(i) for all i _> 1 stabilizes into the cycle T(2) *-'~'(~)T(1) ,-~(1)) T(2) then the
following tableau is successful, and otherwise it is not. But which of these holds
is not known!
{T(i) : i >_ 1} [-/tY. (o--ff[(2))tt V [-]Y

{T(i) : i > 1 } F U
{T(i) : i > 1} F (o---ff~(2))tt V [-]U
T(2) {T(i) : i > 1 ^ i # 2} e [ - ] u
T(1) [- tt {T(i) : i > l } [ - U
The problem is that we dont know if the relation induced by the companion of
this leaf is well-founded. []
5 Concluding Comments
In previous sections we used modal logic and modal mu-calculus for analysing
properties of processes. We also noted the close relationship between bisimilarity
and having the same properties. Some of the techniques mentioned, especially in
the case of finite state processes, are implemented in the Edinburgh Concurrency
Workbench 25. Another tool is the infinite state model checker for Petri nets based
on tableaux, described in [16].
An important topic which we have not discussed is to what extent verification
can be guided by the theory of processes. Game playing and the tableau proof
rules are directed by the logical structure of the property. A simple case of where
the theory of processes m a y impinge is the following proof rule that can be added
to the tableaux proof systems of sections 4.2 and 4.3 when r is a closed formula.
25 Which is freely available by emailing Perdita.Stevens@dcs.ed.ac.uk, or from the
WWW, http://www.dcs.ed.ac.uk/packages/cwb/index.html.
233
EF~
F,,,E Fh~
This is justified because as we saw in section 3.7 bisimulation equivalence pre-
serves temporal properties. Moreover if r belongs to weak modal mu-calculus
then we only need the subgoal F ~ E. Use of this rule could appeal to the
theory of bisimulation, and techniques for minimizing process descriptions. Al-
ternatively it could appeal to the equational theory of processes.
9Process behaviour is chronicled through transitions. But processes also have
structure, defined as they are from combinators. To what extent can process
properties be defined without appealing to transition behaviour, but instead to
this algebraic structure? The ascription of boolean combinations of properties to
processes does not directly depend on their behaviour: for instance, E satisfies
Y kP provided it satisfies one of the disjuncts. Consequently it is the modal
(and fixed point) operators that we need to concern ourselves with, how algebraic
structure relates to them. Some simple cases are captured in the following lemma.
L e m m a 1 i. if a ~ K then a.E ~ [K]4~ and a.E ~ <K)cP, ii. i f a E K then

a.E ~ [K]O iff E ~ ~, iii. i f a E K then a.E ~ (K)~ iff E ~ ~, iv.
E { E i : i E I} b [K]4~ iff for all j E I. Ej ~ [K]4~, v. E { E i : i E I} b (K)~
iff for some j E I. Ej ~ (K)4), vi. i f p d e = f E and E b q~ then P ~ ~.
Restriction \ J is dealt with by defining its effect on formulas ~ as ~ \ J
inductively as follows where J # is the set J U J:
(~n +)\J = ~\Jn+\J (~v~)\J :*\Jv ~\J

( [ K ] + ) \ J : [K - J # ] ( + \ J ) ( ( K ) + ) \ J : (K - J # ) ( + \ J )
~z.+\J = ~z.(v\J) ~z.+\J = ~z.(+\J)
and where + \ J - 9 when + is Z, tl:, or f f . The operator \ J on formulas is an

inverse of its application to processes, E \ J ~ + if[ E ~ r Similar inverse
operators on formulas can be defined for renaming [f] and hiding \ \ J . This forms
the basis for a notion of abstraction which can be used in some cases to simplify
verification, see [20].
Using these results we can extend the tableau proof rules (and game playing)
by adding rules such as:
E + F h [K]~ E \ \ J h ~)
,E }- [K]+ F ~- 4} E E +\\J
The harder question is how to deal with parallel, some proposals can be found
in [63, 45, 2, 3].
234
References
1. Abramsky, S., (1995). Interaction categories, This Volume.

2. Andersen, H., "and Winskel, G. (1992). Compositional checking of satisfaction.
Formal Methods in System Design, 1.
3. Andersen, H., Stirling, C., and Winskel, G. (1994)i A compositional proof system
for the modal mu-calculus. Procs 9th IEEE Symposium on Logic in Computer
Science, 144-153.
4. Austry, D., and Boudol, G. (1984). Algebra de processus et synchronisation. The-
oretical Computer Science, 30, 90-131.
5, Baeten, J., Bergstra, J., and Klop, J. (1987). Decidability of bisimulation equival-
ence for processes generating context-free languages. Lecture Notes in Computer
Science, 259, 94-113.
6. Baeten, J, and Weijland, W. (1990). Process Algebra. Cambridge University Press:
7. Baeten, J., Bergstra, J., I-Ioare, C., Milner, R., Parrow, J., and de Simone, R.
(1992). The variety of process ~lgebra. Manuscript.
8. De Bakker, J. (1980). Mathematical Theory of Program Correctness, Prentice-
Hall.
9. De Bakker, J., and De Roever, W. (1973). A calculus for recursive program
schemes. In Automata, Languages and Programming, ed. Nivat, M. 167-196,
North-Holland.
10. Bernholtz, O., Vardi, M. and Wolper, P. (1994). An automata-theoretic approach
to branching-time model checking. Lecture Notes in Computer Science, 818, 142-
155.
11. Bergstra, J. and Klop, J. (1989). Process theory based on bisimulation semantics.
Lecture Notes in Computer Science, 354, 50-122.
12. van Benthem, J. (1984). Correspondence theory. In Handbook of Philosophical
Logic, Vol. II, ed. Gabbay, D. and Guenthner, F., 167-248, Reidel.
13. Bloom, B., Istrail, S., and Meyer A. (1988). Bisimulation cant be traced. In 15th
Annual Symposium on the Principles of Programming Languages, 229-239.
14. Boudol, G. (1985). Notes on algebraic calculi of processes, in Logics and Models
of Concurrent Systems, Springer.
15. Bradfield, J. (1992). Verifying Temporal Properties of Systems. Birkhauser.
16. Bradfield, J. (1993). A proof assistant for symbolic model checking. Lecture Notes
in Computer Science, 663, 316-329.
17. Bradfield, J. and Stirling, C. (1990). Verifying temporal properties of processes.
18. Bradfield, J: and Stirling, C. (1992). Local model checking for infinite state spaces.
Theoretical Computer Science, 96, 157-174.
19. Browne, M., Clarke, E., and Grumberg, O. (1988). Characterizing finite Kripke
structures in propositional temporal logic. Theoretical Computer Science, 59, 115-
131.
20. Bruns, G. (1993). A practical technique for process abstraction. Lecture Notes in
Computer Science, 715, 37-49.
21. CamiUeri, J., and Winskel, G. (1991). CCS with priority. Procs 6th IEEE Sym-
posium on Logic in Computer Science, 246-255.
22. Christensen, S., Hirshfeld, Y., and Moiler, F. (1993). Bisimulation is decidable for
all basic parallel processes. Lecture Notes in Computer Science, 715, 143-157.
235
23. Christensen, S., Hfittel, H., and Stirling, C. (1992). Bisimulation equivalence is
decidable for all context-free processes. Lecture Notes in Computer Science, 630,
138-147.
24. Cleaveland, R., and Hennessy, M. (1988). Priorities in process algebra. Proe. 3rd
IEEE Symposium on Logic in Computer Science, 193-202.
25. Cleaveland, R, Parrow, J, and Steffen, B. (1989). The concurrency workbench.
26. Condon, A. (1992). The complexity of stochastic games. Information and Com-
putation, 96, 203-224.
27. De Nicola, R. and Vaandrager, V. (1990). Three logics for branching bisimulation.
Proc. 5th IEEE Symposium on Logic in Computer Science, 118-129.
28. Emerson, E, and Clarke, E. (1980). Characterizing correctness properties of par-
allel programs using fixpoints. Lecture Notes in Computer Science, 85, 169-181.
29. Emerson, E., and Jutla, C. (1991). Tree automata, mu-calculus and determinacy.
In Proc. 32rid 1EEE Foundations of Computer Science.
30. Emerson, E, and Lei, C. (1986). Efficient model checking in fragments of the
propositional mu-calculus. In Proc. 1st IEEE Symposium on Logic in Computer
Science, 267-278.
31. Emerson, E, and Srinivasan, J. (1989). Branching time temporal logic. Lecture
Notes in Computer Science, 354, 123-284.
32. van Glabbeek, J. (1990). The linear time-branching time spectrum. Lecture Notes
33. van Glabbeek, J. F., and Weijland, W.P. (1989). Branching time and abstraction
in bisimulation semantics. Information Processing Letters, 89, 613-618.
34. Groote, J. (1993). Transition system specifications with negative premises. The-
oretical Computer Science, 118, 263-299.
35. Groote, J. and Vaandrager, F. (1989), Structured operational semantics and
bisimulation as a congruence. Lecture Notes in Computer Science, 372, 423-438.
36. Hennessy, M. (1988). An Algebraic Theory of Processes. MIT Press.
37. Hennessy, M. and Ingolfsdottir. (1990). A theory of communicating processes with
value-passing. Lecture Notes in Computer Science, 443, 209-220.
38. Hennessy, M. and Milner, R. (1980). On observing nondeterminism and concur-
rency. Lecture Notes in Computer Science, 85, 295-309.
39. Hennessy, M. and Milner, R. (1985). Algebraic laws for nondeterminism and con-
currency. Journal of Association of Computer Machinery, 32, 137-162.
40. Hoare, C. (1985). Communicating Sequential Processes. Prentice Hall.
41. Kannellakis, P. and Smolka, S. (1990). CCS expressions, finite state processes,
and three problems of equivalence. Information and Computation, 86, 43-68.
42. Kozen, D. (1983). Results on the propositional mu-calculus. Theoretical Computer
Science, 27, 333-354.
43. Lamport, L. (1983) Specifying concurrent program modules. A C M Transactions
of Programming Language Systems, 6, 190-222.
44. Larsen, K. (1990). Proof systems for satisfiability in Hennessy-Milner logic with
recursion. Theoretical Computer Science, 72, 265-288.
45. Larsen, K. (1990). Ideal specification formalism; Lecture Notes in Computer Sci-
ence , 458, 33-56.
46. Larsen, K. and Skou. (1989). Bisimulation through probabilistic testing. In 16th
Annual A CM Symposium on Principles of Programming Languages.
236
47. Long, D., Browne, A., Clarke, E., Jha, S., and Marrero, W. (1994). An improved
algorithm for the evaluation of fixpoint expressions. Lecture Notes in Computer
Science, 818.
48. Ludwig, W. (1995). A subexponential randomized algorithm for the simple
stochastic game problem. Information and Computation, 117, 151-155.
49. Manna, Z, and Pnueli, A. (1991). The Temporal Logic of Reactive and Concurrent
Systems. Springer.
50. Milner, R. (1980). A Calculus of Communicating Systems. Lecture Notes in Com-
puter Science, 92.
51. Milner, R. (1983). Calculi for synchrony and azynchrony. Theoretical Computer
Science, 25, 267-310.
52. Milner, R. (1989). Communication and Concurrency. Prentice Hall.
53. Milner, R., Parrow, J., and Walker, D. (1992). A calculus of mobile processes,
Parts I and II, Information and Computation, 100, 1-77.
54. Moiler, F. and Tofts, C. (1990). A temporal calculus of communicating processes.
55. Nicollin, X. and Sifakis, J. (1992). An overview and synthesis on timed process
algebras. Lecture Notes in Computer Science, 575, 376-398.
56. Park, D. (1969). Fixpoint induction and proofs of program properties. Machine
Intelligence, 5, 59-78, Edinburgh University Press
57. Park, D. (1981). Concurrency and automata on infinite sequences. Lecture Notes
58. Parrow, J. (1988). Verifying a CSMA/CD-Protocol with CCS. In Protocol Spe-
cification, Testing, and Verification VIII, 373-384. North-Holland.
59. Plotkin, G. (1981). A structural approach to operational semantics. Technical
Report, DAIMI FN-19, Aarhus University.
60. Pratt, V. (1982). A decidable mu-calculus, 22nd1EEE Symposium on Foundations
of Computer Science, 421-427.
61. Simone, R. de (1985). Higher-level synchronizing devices in Meije-SCCS. Theor-
etical Computer Science, 37, 245-267.
62. Sistla, P., Clarke, E., Francez, N. and Meyer, A. (1984). Can message buffers be
axiomatized in linear temporal logic? Information and Control, 68, 88-112.
63. Stirling, C. (1987). Modal logics for communicating systems, Theoretical Com-
puter Science, 49, 311-347.
64. Stirling, C. (1992) Modal and temporal logics. In Handbook of Logic in Computer
Science Vol. 2, ed. Abramsky, S, Gabbay, D, and Ma~baum, T., 477-563, Oxford
University Press.
65. Stifling, C. (1995). Local model checking games. Lecture Notes in Computer Sci-
ence, 962, 1-11.
66. Stirling, C. and Walker, D. (1991). Local model checking in the modal mu-
calculus. Theoretical Computer Science, 89, 161-177.
67. Streett, R. and Emerson, E. (1989). An automata theoretic decision procedure
for the propositional mu-calculus. Information and Computation, 81,249-264.
68. Taubner, D. (19.89). Finite Representations of CCS and TCSP Programs by Auto-
mata and Petri Nets. Lecture Notes in Computer Science, 369.
69. Walker, D. (1987). Introduction to a calculus of communicating systems. Technical
Report ECS-LFCS-87-22, Dept. of Computer Science, Edinburgh University.
70. Walker, D. (1989). Automated analysis of mutual exclusion algorithms using CCS.
Formal Aspects of Computing, 1, 273-292.
237
71. Walker, D. (1990). Bisimulations and divergence. Information and Computation,

85, 202-241.
72. Winskel, G. (1988). A category of labelled Petri Nets and compositional proof
system. Procs 8rd 1EEE Symposium on Logic in Computer Science, 142-153.
73. Wolper, P. (1983). Temporal logic can be more expressive. Information and Con-
trol, 56, 72-99.
An Automata-Theoretic Approach
to Linear Temporal Logic
M o s h e Y. Vardi*
Rice University
Department of Computer Science
P.O. Box 1892
Houston, TX 77251-1892, U.S.A.
Email: vardi@ es.rice.edu
Abstract. The automata-theoretic approach to linear temporal logic uses the

theory of automata as a unifying paradigm for program specification, verification,
and synthesis. Both programs and specifications are in essence descriptions of
computations. These computations can be viewed as words over some alphabet.
Thus, programs and specifications can be viewed as descriptions of languages over
some alphabet. The automata-theoretic perspective considers the relationships
between programs and their specifications as relationships between languages. By
translating programs and specifications to automata, questions about programs and
their specifications can be reduced to questions about automata. More specifically,
questions such as satisfiability of specifications and correctness of programs with
respect to their specifications can be reduced to questions such as nonemptiness
and containment of automata.
Unlike classical automata theory, which focused on automata on finite words, the
applications to program specification, verification, and synthesis, use automata
on infinite words, since the computations in which we are interested are typically
infinite. This paper provides an introduction to the theory of automata on infinite
words and demonstrates its applications to program specification, verification,
and synthesis.
1 Introduction
While program verification was always a desirable, but never an easy task, the advent o f
concurrent programming has m a d e it significantly more necessary and difficult. Indeed,
the conceptual complexity o f concurrency increases the likelihood o f the program con-
raining errors. To quote from [OL82]: "There is a rather large b o d y o f sad experience to
indicate that a concurrent program can withstand very careful scrutiny without revealing
its errors"
The first step in program verification is to come up with aformal specification o f the
program. One o f the m o r e widely used specification languages for concurrent programs
is temporal logic [Pnu77, MP92]. Temporal logic comes in two varieties: linear time and
branching time ([EH86, Lain80]); we concentrate here on linear time. A linear temporal
specification describes the computations o f the program, s o a program satisfies the
* Part of this work was done at the IBM Almaden Research Center.
239
specification (is correct) if all its computations satisfy the specification. Of course, a
specification is of interest only if it is satisfiable. An unsatisfiable specification cannot
be satisfied by any program. An often advocated approach to program development is to
avoid the verification step altogether by using the specification to synthesize a program
that is guaranteed to be correct.
Our approach to specification, verification, and synthesis is based on an intimate
connection between linear temporal logic and automata theory, which was discussed
explicitly first in [WVS83] (see also [LPZ85, Pei85, Sis83, SVW87, VW94]). This
connection is based on the fact that a computation is essentially an infinite sequence
of states. In the applications that we consider here, every state is described by a finite
set of atomic propositions, so a computation can be viewed as an infinite word over
the alphabet of truth assignments to the atomic propositions. The basic result in this
area is the fact that temporal logic formulas can be viewed as finite-state acceptors.
More precisely, given any propositional temporal formula, one can construct a finite
automaton on infinite words that accepts precisely the computations satisfied by the
formula [VW94]. We will describe the applications of this basic result to satisfiability
testing, verification, and synthesis.
Unlike classical automata theory, which focused on automata on finite words, the
applications to specification, verification, and synthesis, use automata on infinite words,
since the computations in which we are interested are typically infinite. Before going
into the applications, w e give a basic introduction to the theory of automata on infinite
words. To help the readers build their intuition, we review the theory of automata on
finite words and contrast it with the theory of automata on infinite words. For a more
advanced introduction to the theory of automata on infinite objects, the readers are
referred to [Tho90].
2 Automata Theory
We are given a finite nonempty alphabet 22. A finite word is an element of S * , i.e., a
finite sequence at, ..., an of symbols from S . An infinite word is an element of S ~
i.e., an w-sequence 2 a0, a l , . . , of symbols from S . Automata on finite words define
(finitary) languages, i.e., sets of finite words, while automata on infinite words define
infinitary languages, i.e., sets of infinite words.
2.1 A u t o m a t a on Finite Words - Closure
A (nondeterministic finite) automaton A is a tuple ( S , S, S t, p, F ) , where 22 is a finite

nonempty alphabet, S is a finite nonempty set of states, S O C_ S is a nonempty set of
initial states, F C S is the set of accepting states, and p : S x 22 ~ 2 s is a transition
function. Intuitively, p(s, a) is the set of states that A can move into when it is in state
s and it reads the symbol a. Note that the automaton may be nondeterministic, since
it may have many initial states and the transition function may specify many possible
transitions for each state and symbol. The automaton A is deterministic if IS~ = 1 and
[p(s, a)l < 1 for all states s E S and symbols a E S. An automaton is essentially an
z w denotes the first infinite ordinal.
240
edge-labeled directed graph: the states of the automaton are the nodes, the edges are
labeled by symbols in S , a certain set of nodes is designated as initial, and a certain set
of nodes is designated as accepting. Thus, t E p(s, a) means that that there is edge from
s to t labeled with a. When A is deterministic, the transition function p can be viewed
as a partial mapping from S • S to S, and can then be extended to a partial mapping
from S x S* to S as follows: p(s, e) = s and p(s, xw) = p(p(s, x), w) for x E S and
wES*.
A run r of A on a finite word w = at, 9 an-1 E z~,* is a sequence so,.. :, sn of
n + 1 states in S such that so E S ~ and Si+l E p(si, ai) for 0 < i < n. Note that a
nondeterministic automaton can have many runs on a given input word. In contrast, a
deterministic automaton can have at most one run on a given input word. The run r is
accepting if s,, E F. One could picture the automaton as having a green light that is
switched on whenever the automaton is in an accepting state and switched off whenever
the automaton is in a non-accepting state. Thus, the run is accepting if the green light
is on at the end of the run. The word w is accepted by A if A has an accepting run on
w. When A is deterministic, w E L(A) if and only i f p ( s ~ w) E F, where S O = {so).
The (finitary) language of A, denoted L(A), is the set of finite words accepted by A.
An important property of automata is their closure under Boolean operations, We
start by considering closure under union and intersection.
Proposition 1. [RS59] Let A l, A2 be automata. Then there is an automaton A such that

L(A) = L(AI) U L(A2).
Proof: Let A| = (S, S1, S ~ Pl,/71) and A2 = ( S , $2, S ~ p2, F2). Without loss of
generality, we assume that S1 and $2 are disjoint. Intuitively, the automaton A nonde-
terministically chooses AI or A2 and runs it on the input word.
Let A = ( S , S, S O, p, F), where S = S1 U $2, S O = S O U S ~ F = FI U F2, and
p(s, a) = f p'(s' a) if s E $1
[p2(s,a) i f s E $2
It is easy to see that L( A ) = L( A1) U L( A2 ). |
We call A in the proof above the union of A1 and A2, denoted A1 U A2.
Proposition 2. [RS59] Let A I, A2 be automata. Then there is an automaton A such that

L(A) = L(A1) O L(A2).
Proof: Let A1 = (E, $1, S ~ pl, FI) and A2 = ( Z , $2, S ~ p2,/72). Intuitively, the
automaton A runs both A1 and A2 on the input word.
Let A = ( S , S, S ~ p, F ) , where S = $1 x $2, S O = $1~ x S ~ F = FI • and
p((s, t), a) = Pl (s, a) x p2(t, a). It is easy to see that L(A) = L(A1) N L(A2). |
We call A in the proof above the product of A1 and A:, denoted A1 x A2.
Note that both the union and the product constructions are effective and polynomial
in the size of the constituent automata.
Let us consider now the issue of complementation. Consider first deterministic
automata.
241
P r o p o s i t i o n 3. [RS59] Let A = ( S , S, S ~ p, F) be a deterministic automaton, and let

-A = ( S , S, S ~ p, S - F), then L(-A) = S* - L(A).
That is, it is easy to complement deterministic automata; we just have to complement
the acceptance condition. This will not work for nondeterministic automata, since a
nondeterministic automaton can have many runs on a given input word; it is not enough
that some of these runs reject (i.e., not accept) the input word, all runs should reject
the input word. Thus, it seems that to complement nondeterministic automaton we.first
have to determinize it.
Proposition4. [RS59] Let A be a nondeterministic automaton. Then there is a deter-

ministic automaton Aa such that L(Aa) = L(A).
Proof: Let A = (S, S, S t, p, F). Then Aa = ( S , 2 s, {so}, pa, Fd). The state set of
Aa consists of all sets of states in S and it has a single initial state. The set Fa =
{T [ T f3 F ~ 0} is the collection of sets of states that intersect F nontrivially. Finally,
pa(T, a) = { t i t E p(s, a) for some s E T}. 1
Intuitively, Aa collapses all possible runs of A on a given input word into one run
over a larger state set. This construction is called the subset construction. By combining
Propositions 4 and 3 we can complement a nondeterministic automata. The construction
is effective, but it involves an exponential blow-up, since determinization involves an
exponential blow-up (i.e., i f A has n states, then Aa has 2'* states). As shown in [MF71],
this exponential blow-up for determinization and complementation is unavoidable.
For example, fix some n > 1. The set of all finite words over the alphabet S =
{a, b} that have an a at the nth position from the right is accepted by the automaton
A = (S, {0, 1 , 2 , . . . , n}, {0}, p, {n}), where p(0, a) = {0, 1}, p(0, b) = {0}, and
p(i, a) = p(i, b) = {i + 1} f o r 0 < i < n. Intuitively, A guesses a position in the input
word, checks that it contains a, and then checks that it is at distance n from the right
end of the input.
Suppose that we have a deterministic automaton Aa = ( S , S, {so}, pa, F) with
fewer than 2 n states that accepts this same language. Recall that pa can be viewed as a
partial mapping from S x S* to S. Since ISI < 2-, there must be two words uavl and
ubv2 of length n for which pa(s ~ nay1) = pd(s ~ ubv2). But then we would have that
pa(s ~ uavlu) = pa(s ~ ubv2u); that is, either both uavtu and ubv2u are members of
L(Aa) or neither are, contradicting the assumption that L(Aa) consists of exactly the
words with an a at the nth position from the right, since lavxul = Ibv2ul = n.
2.2 Automata on Infinite Words - Closure
9 Suppose now that an automaton A = ( S , S, S o , p, F ) is given as input an infinite word

w = at, a l , . . , over S . A run r of A on w is a sequence so, sl, .... where so E S O and
Si+l E p(si, ai), for all i > 0. Since the run is infinite, we cannot define acceptance by
the type of the final state of the run. Instead we have to consider the limit behavior of
the run. We define lim(r) to be the set {s [ s = si for infinitely many i's}, i.e., the set of
states that occur in r infinitely often. Since S is finite, lim(r) is necessarily nonempty.
The run r is accepting if there is some accepting state that repeats in r infinitely often,
242
i.e., lim(r ) N F # 0. If we picture the automaton as having a green light that is switched
on precisely when the automaton is in an accepting state, then the run is accepting if the
green light is switched on infinitely many times. The infinite word w is accepted by A
if there is an accepting run of A on w. The intinitary language of A, denoted L,o (A), is
the set of infinite words accepted by A.
Thus, A can be viewed both as an automaton on finite words and as an automaton
on infinite words. When viewed as an automaton on infinite words it is called a Bfichi
automaton [Btic621.
Do automata on infinite words have closure properties similar to those of automata
on finite words? In most cases the answer is positive, but the proofs may be more
involved. We start by considering closure under union. Here the union construction does
the fight thing.
Proposition5. [Cho74] Let A1, A2 be Bachi automata. Then Lo~(AI U A2) = L~ (A1) U
L,~(A2).
One might be tempted to think that similarly we have that Lo~(AI x A2) = Lo~(A1) N
Lo~(A2), but this is not the case. The accepting set of A1 x A2 is the product of the
accepting sets of AI and A2. Thus, A1 x A2 accepts an infinite word w if there are
accepting runs rl and r2 of A1 and A2, respectively, on w, where both runs go infinitely
often and simultaneously through accepting states. This requirement is too strong. As a
result; Loj (A1 x A2 ) could be a strict subset of L,o (A~) n L~ (A2). For example, define the
two Btichi automata A1 = ({a}, {s, t}, {s}, p, {s}) and A2 = ({a}, {s, t}, {s}, p, {t})
with p(s, a) = {t} and p(t, a) = {s}. Clearly we have that L,o (A1) = L,o (A2) = {a ~~},
but L,o (AI x A2) = 0.
Nevertheless, closure under intersection does hold.
Proposition 6. [Cho74] Let A1, A2 be Bfichi automata. Then there is a Bachi automaton
A such that Lo~(A) = Lo~(A1) tq Lo~(A2).
Proof: LetA1 = (27, $1, S~1,pl, F1) andA2 = (27, $2, sO, p2, F2). LetA = (27, S, S t, p, F),
where S = S I X $2 X {1,2}, S ~ = S~I x S~ x {1}, F = F1 x $2 x {1}, and
(s',t',j) E p((s,t,i),a) i f s ' ~ pl(s,a), t' ~ p2(t,a), a n d i = j , unless i = 1 a n d
s E/;1, in which case j = 2, or i = 2 and t E F2, in which case j = 1.
Intuitively, the automaton A runs both A1 and A2 on the input word. Thus, the
automaton can be viewed has having two "tracks", one for each of A1 and A2. In
addition to remembering the state of each track, A also has a pointer that points to one
of the tracks (1 or 2). Whenever a track goes through an accepting state, the pointer
moves to the other track. The acceptance condition guarantees that both tracks visit
accepting states infinitely often, since a run accepts iff it goes infinitely often through
F1 x $2 x {1}. This means that the first track visits infinitely often an accepting state
with the pointer pointing to the first track. Whenever, however, the first track visits an
accepting state with the pointer pointing to the first track, the pointer is changed to point
to the second track. The pointer returns to point to the first track only if the second
track visits an accepting state. Thus, the second track must also visit an accepting state
infinitely often. |
243
Thus, B tichi automata are closed under both union and intersection, though the con-
struction for intersection is somewhat more involved than a simple product. The situation
is considerably more involved with respect to closure under complementation. First, as
we shall shortly see, Biichi automata are not closed under determinization, i.e., non-
deterministic Btichi automata are more expressive than deterministic Biichi automata.
Second, it is not even obvious how to complement deterministic Biichi automata. Con-
sider the deterministic Btichi automaton A = (S, S, S ~ p, F ) . One may think that it
suffices to complement the acceptance condition, i.e., to replace F by S - F and define
= (S, S, S ~ p, S - F). Not going infinitely often through F , however, is not the
same as going infinitely often through S - F. A run might go through both F and S - F
infinitely often. Thus, L~ (A) may be a strict superset of S ~ - L~o(A). For example,
Consider the Btichi automaton A = ({a}, {s,t}, {s},p, {s}) with p(s,a) = {t} and
p(t, a) = {s}. We have that Lo~(A) = L~(A) = {a~}.
Nevertheless, Biichi automata (deterministic as well as nondeterministic) are closed
under complementation.
Proposition 7. [Biic62] Let A be a Bfichi automaton over an alphabet 2~. Then there is
a (possibly nondeterministic) Bachi automaton-A such that Lo~(-A) = S ~ - L~ (A).
The construction in [Btic62] is doubly exponential. This is improved in [SVW87] to

a singly exponential construction with a quadratic exponent (i.e., ifA has n states then A
has c n2 states, for some constant c > 1). In contrast, the exponent in the construction of
Proposition 4 is linear. We will come back later to the complexity of complementation.
Let us return to the issue of detenninization. We now show that nondeterministic
B0chi automata are more expressive than deterministic Btichi automata. Consider the
infinitary language F = (0+ 1)* 1~ i.e., F consists of all infinite words in which 0 occurs
only finitely many times. It is easy to see that F can be defined by a nondeterministic
Biichi automaton. Let A0 = ({0, 1}, {s, t}, {s}, p, {t}), where p(s, O) = p(s, 1) =
{s, t}, p(t, 1) = {t} and p(t, 0) = 0. That is, the states are s and t with s the initial
state and t the accepting state, As long as it is in the state s, the automaton A0 can read
both inputs 0 and 1. At some point, however, A0 makes a nondeterministic transition
to the state t, and from that point on it can read only the input 1. It is easy to see that
F = Lo~(A0). In contrast, F cannot be defined by any deterministic Biichi automaton.
Proposition 8. Let F = (0 + 1)* 1'~ Then there is no deterministic Bfichi automaton A

such that F = Lo~(A),
Proof: Assume by way of contradiction that F = Lo~(A), where A = (S, S, {s ~}, p, F )

for S = {0, 1}, and A is deterministic. Recall that p can be viewed as a partial mapping
from S x S* to S.
Consider the infinite word w0 = 1`~ Clearly, w0 is accepted by A, so A has an
accepting run on wo. Thus, w0 has a finite prefix u0 such that p(s ~ uo) E F. Consider
now the infinite word wl = u001 ~ Clearly, Wl is also accepted by A, so A has an
accepting run on wl. Thus, wl has a finite prefix uoOul such that p(s ~ u00ul) E F. In a
similar fashion we can continue to find finite words ui such that p(s ~ u00Ul0... Oui) E
F. Since S is finite, there are i, j, where 0 < i < j, such that p(s ~ u00Ul0... Oui) =
244
p(8 O, uoOUlO...OuiO... OUj). It follows that A has an accepting run on
ztoOuiO...Oui(O...O•j) w .
But the latter word has infinitely many occurrences of O, so it is not in F. {
Note that the complementary language Z w - F = ( ( 0 + 1) *O)'~ (the set of infinite words
in which 0 occurs infinitely often) is acceptable by the deterministic Biichi automaton
A = ({0, 11, {s,t}, {s},p, {sl),wherep(s,O) = p(t,O) = {slandp(s, 1) = p(t, 1) =
{t}. That is, the automaton starts at the state s and then it simply remembers the
last symbol it read (s corresponds to 0 and t corresponds to 1). Thus, the use of
nondeterminism in Proposition 7 is essential.
To understand why the subset construction does not work for Btichi automata, con-
sider the following two automata over a singleton alphabet: AI = ({a}, {s, t}, {s}, Pl, {t})
and A2 = ({a}, {s, t}, {s}, P2, {t}), where pl(s, a) = {s, t}, pl(t, a) = O, p2(s, a) =
{s, t}, and p2(t, a) = {s}. It is easy to see that A1 does not accept any infinite word,
since no infinite run can visit the state t. In contrast, A2 accepts the infinite word a ~,
since the run (st) ~ is accepting. If we apply the subset construction to both automata,
then in both cases the initial state is {s}, pa({s}, a) = {s, t}, and pa({s, t}, a) = {s, t}.
Thus, the subset construction can not distinguish between A1 and A2.
To be able to determinize automata on finite words, we have to consider a more
general acceptance condition. Let S be a finite nonempty set of states. A Rabin condi-
tion is a subset G of 2 s • 2 s, i.e., it is a collection of pairs of sets of states, written
[(L1, U 1 ) , . , . , (Lk, Uk)] (we drop the external brackets when the condition consists of
a single pair). A Rabin automaton A is an automaton on infinite words where the accep-
tance condition is specified by a Rabin condition, i.e., it is of the form ( S , S, S ~ p, G).
A r u n r ofAisacceptingifforsome iwehavethatlim(r)flLi # 0 andlim(r)NUi = 0,
that is, there is a pair in G where the left set is visited infinitely often by r while the
right set is visited only finitely often by r.
Rabin automata are not more expressive than Btichi automata.
Proposltion9. [Cho741 Let A be a Rabin automaton, then there is a Bachi automaton

Ab such that L~(A) = Lo~(Ab).
Proof: Let A = (S, S, S ~ p, G), where G = [(L1, U1),..., (Lk, Uk)]. It is easy to
see that L~(A) = U~=IL~(Ai ), where Ai = (S, S, S ~ p, (Li, Ui)). Since Biichi au-
tomata are closed under union, by Proposition 5, it suffices to prove the claim for Rabin
conditions that consists of a single pair, say (L, U).
The idea of the construction is to take two copies of A, say Al and A2. The
Btichi automaton Ab starts in A~ and stays there as long as it "wants". At some point it
nondeterministically makes a transition into A2 and it stays there avoiding U and visiting
L infinitely often. Formally, Ab = (S, Sb, S ~ Pb, L), where Sb = S • {0} U (S - U),
S o = S O • {0}, pb(s,a) = p(s,a) -- U for s E S - U, mid pb((s,O), a) = p(s,a) X
{0} u (p(s, .) - i ) . !
Note that the construction in the proposition above is effective and polynomial in the
size of the given automaton.
245
If we restrict attention, however, to deterministic automata, then Rabin automata are

more expressive than Btichi automata. Recall the infinitary language F = (0 + 1)* 1W.
We showed earlier that it is not definable by a deterministic Btichi automaton. It is easily
definable, however, by a Rabin automaton. Let A = ({ 0, 1 }, {s, t }, { s }, p, ({ t }, {s })),
where p(s, O) = p(t, 0) = {s}, p(s, 1) = p(t, 1) = {t}. That is, the automaton starts at
the state s and then it simply remembers the last symbol it read (s corresponds to 0 and
t corresponds to 1). It is easy to see that F = Lo~(A).
The additional expressive power of Rabin automata is sufficient to provide closure
under determinization.
Proposition 10. [McN66] Let A be a Bachi automaton. There is a deterministic Rabin

automaton Ad such that L~ (Ad) = Lo~(A).
Proposition 10 was first proven in [McN66], where a doubly exponential construc-
9tion was provided. This was improved in [Saf88], where a singly exponential, with
an almost linear exponent, construction was provided (if A has n states, then Ad has
2o(,, log,) states and O(n) pairs). Furthermore, it was shown in [Saf88] (see also [EJ89])
how the determinization construction can be modified to yield a co-determinization
construction, i.e., a construction of a deterministic Rabin automaton A~ such that
L~ (Ad) = L-~ - L~ (A~), where S is the underlying alphabet. The co-determinization
construction is also singly exponential with an almost linear exponent (again, if A
has n states, then A~ has 2 ~ logn) states and O(n) pairs). Thus, combining the co-
determinization construction with the polynomial translation of Rabin automata to B tichi
automata (Proposition 9), we get a complementation construction whose complexity is
singly exponential with an almost linear exponent. This improves the previously men-
tioned bound on complementation (singly exponential with a quadratic exponent) and is
essentially optimal [Mic88]. In contrast, complementation for automata on finite words
involves an exponential blow-up with a linear exponent (Section 2.1). Thus, comple-
mentation for automata on infinite words is provably harder than complementation for
automata on finite words. Both constructions are exponential, but in the finite case the
exponent is linear, while in the infinite case the exponent is nonlinear.
2.3 A u t o m a t a on Finite W o r d s - A l g o r i t h m s
An automaton is "interesting" if it defines an "interesting" language, i.e., a language

that is neither empty nor contains all possible words. An automaton A is nonempty if
L(A) ~ 0; it is nonuniversal if L(A) ~ S*. One of the most fundamental algorithmic
issues in automata theory is testing whether a given automaton is "interesting", i.e.,
nonempty and nonuniversal. The nonemptinessproblem for automata is to decide, given
an automaton A, whether A is nonempty. The nonuniversalityproblem for automata is
to decide, given an automaton A, whether A is nonuniversal. It turns out that testing
nonemptiness is easy, while testing nonuniversality is hard.
Proposition 11. [RS59, Jon75]
1. The nonemptiness problem for auwmata is decidable in linear time.

2. The nonemptiness problem for automata is NLOGSPACE-complete.
246
Proof: Let A = (27, S, S ~ p, F ) be the given automaton. Let s, t be states of S. We say

that t is directly connected to s if there is a symbol a E E such that t E p(s;a). We
say that t is connected to s if there is a sequence s l , . . . , sin, rn > 1, Of States such that
sl = s, sn = t, and si+l is directly connected to sl for 1 < i < m. Essentially, t is
connected to s if there is a path in A from s to t, where A is viewed as an edge-labeled
directed graph. Note that the edge labels are ignored in this definition. It is easy to see
that L(A) is nonempty iff there are states s E S O and t E F such that t is connected
to s. Thus, automata nonemptiness is equivalent to graph reachability. The claims now
follow from the following observations:
1. A breadth-first-search algorithm can construct in linear time the set of all states
conncected to a state in S O [CLR90]. A is nonempty iff this set intersects F
nontriviaUy.
2. Graph reachability can be tested in nondeterministic logarithmic space. The al-
gorithm simply guesses a state so E S ~ then guesses a state sx that is directly
connected to so, then guesses a state s2 that is directly connected to sl, etc., until it
reaches a state t E F. (Recall that a nondeterministic algorithm accepts if there is a
sequence of guesses that leads to acceptance. We do not care here about sequences
of guesses that do not lead to acceptance [GJ79].) At each step the algorithm needs
to remember only the current state and the next state; thus, if there are n states the
algorithm needs to keep in memory O (log n) bits, since log n bits suffice to describe
one state. On the other hand, graph reachability is also NLOGSPACE-hard [Jon751.
II
Proposition 12. [MS72]
1. The nonuniversality problem for automata is decidable in exponential time.

2. The nonuniversality problem for automata is PSPACE-complete.
Proof: Note that L(A) ~ S* iff S* - L(A) ~ 0 iff L ( ~ ) ~ 0, where A is the

complementary automaton of A (see Section 2.1). Thus, to test A for nonuniversality,
it suffices to test A for nonemptiness. Recall that A is exponentially bigger than A.
Since nonemptiness can be tested in linear time, it follows that nonuniversality can be
tested in exponential time. Also, since nonemptiness can be tested in nondetenninistic
logarithmic space, nonuniversality can be tested in polynomial space,
The latter argument requires some care. We cannot simply construct_A and then test
it for nonemptiness, since A is exponentially big. Instead, we construct A "on-the-fly";
whenever the nonemptiness algorithm wants to move from a state tl of A to a state t2,
the algorithm guesses t2 and checks that it is directly connected to t 1. Once this has been
verified, the algorithm can discard_ tl. Thus, at each step the algorithm n_eeds to keep in
memory at most two states of A and there is no need to generate all of A at any single
step of the algorithm.
This yields a nondeterministic polynomial space algorithm. To eliminate nonde-
terminism, we appeal to a well-known theorem of Savitch [Say70] which states that
247
N S P A C E ( f ( n ) ) C_ D S P A C E ( I ( n ) 2 ) , for f ( n ) > log n; that is, any nondetermin-

istic algorithm that uses at least logarithmic space can be simulated b y a determin-
istic algorithm that uses at most quadratically larger amount of space. In particular,
any nondeterministic polynomial-space algorithm can be simulated by a deterministic
polynomial-space algorithm.
To prove PSPACE-hardness, it can be shown that any PSPACE-hard problem can be
reduced to the nonuniversality problem. That is, there is a logarithmic-space algorithm
that given a polynomial-space-bounded Turing machine M and a word w outputs an
automaton AM,,o such that M accepts w iff AM,~o is non-universal [MS72, HU79]. |
2.4 Automata on Infinite Words - Algorithms

The results for Bfichi automata are analogous to the results in Section 2.3.
Proposition13.
1. [EL85b, ELg5a] The nonemptiness problem for Bfichi automata is decidable in
linear time.
2. [VW94] The nonemptiness problem for Bfichi automata is NLOGSPACE-complete.
Proof: Let A = (S, S, S ~ p, F ) be the given automaton. We claim that Lo,(A) is

nonempty iff there are states so E SO and t E F such.that t is connected to so and t is
connected to itself. Suppose first that Lo, (A) is nonempty. Then there is an accepting
run r = s o , sl, 999 of A on some input word. Clearly, si+x is directly connected to si
for all i _> 0. Thus, sj is connected to si whenever i < j. Since r is accepting, some
t E F occurs in r infinitely often; in particular, there are i, j, where 0 < i < j, such that
t = si = sj. Thus, t is connected to so E S Oand t is also connected to itself. Conversely,
suppose that there are states so E S o and t E F such that t is connected to so and t is
connected to itself. Since t is connected to so, there are a sequence of states Sl, 9 sk and
a sequence of symbols a l , . . . , ak such that sk = t and si E p(si-1, ai) for I < i < k.
Similarly, since t is connected to itself, there are a sequence of states to,t1,... ,tt
and a sequence of symbols b l , . . . , bt such that to = tk = t and ti E p(ti-1, hi) for
1 < i _< I. Thus, ( s o , s l , . . . , s k _ l ) ( t o , t l , . . . , t t _ l ) ~ is an accepting run of A on
( a l , . 9 ak)(bt, 99 9 bl) ~ so A is nonempty.
Thus, Biichi automata nonemptiness is also reducible to graph reachability.
1. A depth-first-search algorittma can construct a decomposition of the graph into

strongly connected components [CLR90]. A is nonempty iff from a component that
intersects S Onontrivially it is possible to reach a nontrivial component that intersects
F nontrivially. (A strongly connected component is nontrivial if it contains an edge,
which means, since it is strongly connected, that it contains a cycle).
2. The algorithm simply guesses a state so E SO, then guesses a state s~ that is directly
connected to so, then guesses a state s2 that is directly connected to s~, etc., until it
reaches a state t E F. At that point the algorithm remembers t and it continues to
move nondeterministically from a state s to a state s' that is directly connected to
s until it reaches t again. Clearly, the algorithm needs only a logarithmic memory,
since it needs to remember at most a description of three states at each step.
248
NLOGSPACE-hardness follows from NLOGSPACE-hardness ofnonemptiness for

automata on finite words.
Proposition 14. [SVW87]
1. The nonuniversality problem for Bachi automata is decidable in exponential time.

2. The nonuniversality problem for Bfichi automata is PSPACE-complete.
P r o o f : Again L~ (A) # L-~ iff LT M - Lo~(A) # 0 iff Lo~(~) # 0, where A is the

complementary automaton of A (see Section 2,2). Thus, to test A for nonuniversality,
it suffices to test A for nonemptiness. Since A is exponentially bigger than A and
nonemptiness can be tested in linear time, it follows that nonuniversality can be tested in
exponential time. Also, since nonemptiness can be tested in nondeterministie logarithmic
space, nonuniversality can be tested in polynomial space. Again, the polynomial-space
algorithm constructs A "on-the-fly".
PSPACE-hardness follows easily from the PSPACE-hardness of the universality
problem for automata on finite words [Wo182]. I
2.5 Automata on Finite Words - Alternation
Nondeterminism gives a computing device the power of existential choice. Its dual gives
a computing device the power of universal choice. (Compare this to the complexity
classes NP and co-NP [GJ79]). It is therefore natural to consider computing devices that
have the power of both existential choice and universal choice. Such devices are called
alternating. Alternation was studied in [CKS81] in the context of Turing machines
and in [BL80, CKS81] for finite automata. The alternation formalisms in [BL80] and
[CKS81] are different, though equivalent. We follow here the formalism of [BL80].
For a given set X, let B + (X) be the set ofpositive Boolean formulas over X (i.e.,
Boolean formulas built from elements in X using A and V), where we also allow the
formulas true and false. Let Y C_ X. We say that Y satisfies a formula 0 E 13+(X)
if the truth assignment that assigns true to the members of Y and assigns false to the
members of X - Y satisfes 0. For example, the sets {Sl, s3} and {sl, s4} both satisfy
the formula (sl V s2) A (s3 V 84).
Consider a nondeterministic automaton A = (27, S, S ~ p, F). The transition func-
tion p maps a state s E S and an input symbol a E S to a set of states. Each dement
in this set is a possible nondeterministic choice for the automaton's next state. We
can represent p using B+(S); for example, p(s, a) = {sl, s2, s3} can be written as
p(s, a) = sl V s2 V s3. In alternating automata, p(s, a) can be an arbitrary formula from
B + (S). We can have, for instance, a transition
~(8, a) : (81 A 82) V (83 A .54) ,
meaning that the automaton accepts the word aw, where a is a symbol and w is a word,
when it is in the state s if it accepts the word w from both Sl and s2 or from both s3 and
249
s4. Thus, such a transition combines the features 'of existential choice (the disjunction
in the formula) and universal choice (the conjunctions in the formula).
Formally, an alternating automaton is a tuple A = ( S , S, s t, p, F ) , where S is
a finite nonempty alphabet, S is a finite nonempty set of states, s o E S is the initial
state (notice that we have a unique initial state), F is a set of accepting states, and
p : S x S ~ B + (S) is a transition function.
Because o f the universal choice in alternating transitions, a run o f an alternating
automaton is a tree rather than a sequence. A tree is a (finite or infinite) connected
directed graph, with one node designated as the root and denoted by e, and in which
every non-root node has a unique parent (s is theparent of t and t is a child of s if there
is an edge from s to t) and the root e has no parent. The level of a node x, denoted Iz I,
is its distance from the root e; in particular, lel = 0. A branch fl = x0, X h . . . of a tree
is a maximal sequence of nodes such that x0 is the root e and xi is the parent of Xi+l
for all i > 0. Note that fl can be finite or infinite. A E-labeled tree, for a finite alphabet
S , is a pair (r, T), where r is a tree and T is a mapping from nodes(r) to S that
assigns to every node of r a label in S . We often refer to T as the labeled tree. A branch
/3 = x0, X l , . . . of T defines an infinite word T(fl) = T(xo), T ( x l ) , . . . consisting o f
the sequence of labels along the branch.
Formally, a run of A on a finite word w = a0, al, 9 9 9 an- 1 is a finite S-labeled tree
r such that r(e) = s o and the following holds:
if Ixl = i <., r(x) = s, and p(s, ai) =/9, then x has k children Zl,... , Zk,
for some k < ISI, and { r ( x l ) , . . . , r ( x k ) } saUsfies 0.
For example, if p(s ~ at) is (sl V s2) A (s3 V s4), then the nodes of the run tree at level 1
include the label sl or the label s2 and also include the label s3 or the label s4. Note that
the depth of r (i.e., the maximal level o f a node in r) is at most n, but not all branches
need to reach such depth, since if p(r(x), ai) = true, then x does not need to have any
children. Note that if I~1 = i < n and r ( x ) = s, then we cannot have p(s, ai) = false,
since false is not satisfiable.
The run tree r is accepting if all nodes at depth n are labeled by states in F . Thus,
a branch in an accepting run has to hit the true transition or hit an accepting state after
reading all the input word.
What is the relationship between alternating automata and nondetenninistic au-
tomata? It turns out that just as nondeterministic automata have the same expressive
power as deterministic automata but they are exponentially more succinct, alternating
automata have the same expressive power as nondetenninistic automata but they are
exponentially more succinct.
We first show that alternating automata are at least as expressive and as succinct as
nondeterministic automata.
Proposition 15. [BL80, CKS81, Lei81] Let A be a nondeterministic automaton. Then

there is an alternating automaton A , such that L( Aa ) = L( A ).
Proof: Let A = (S, S, S ~ p, F). Then Aa = ( S , S U {sO}, s t, pa, F ) , where s o is a
new state, and p~ is defined as follows, for b E S and s E S:
- p.(s ~ b) = VtEso,~,ep(t,b) t',

250
- - p a ( 8 , b) = V t E p ( s , b ) t .
(We take an empty disjunction in the definition of pa to be equivalent to false.) Es-

sentially, the transitions of A are viewed as disjunctions in Aa. A special treatment is
needed for the initial slate, since we allow a set of initial states in nondeterministic
automata, but only a single initial state in alternating automata. |
Note that Aa has essentially the same size as A; that is, the descriptions of A~ and A
have the same length.
We now show that alternating automata are not more expressive than nondetermin-
istic automata.
Proposition 16. [BL80, CKS81, Lei81] Let A be an alternating automaton. Then there
is a nondeterministic automaton An such that L( An ) = L( A ).
Proof: Let A = (S, S, s t, p, F ) . Then A,~ = ( S , Sn, {{sO}}, Pn, Fn), where Sn = 2 s,
-fin : 2 F, and
pn(T, a) = { T ' I T ' satisfies A p(t, a)}.
tET
(We lake an empty conjunction in the definition of pn to be equivalent to true; thus,
0 E Pn (0, a).)
Intuitively, An guesses a run tree of A. At a given point of a run of An, it keeps in its
memory a whole level of the run tree of A. As it reads the next input symbol, it guesses
the next level of the run tree of A. |
The translation from alternating automata to nondeterministic automata involves an

exponential blow-up. As shown in [BL80, CKS81, Lei81], this blow-up is unavoidable.
For example, fix some n > 1, and let S = {a, b}. Let l'n be the set of all words that
have two different symbols at distance n from each other. That is,
1-'n = { u a v b w l u, w E S* and v E ~E'n~l} U { u b v a w I u, w E .~* a n d v E L'n-1}.
It is easy to see that Fn is accepted by the nondeterministic automaton A = (S, {p, q} U

{1,..., n} • {p}, p, {q}),wherep(p, a) = {p, (1, a)},p(p, b) = {p, (1, b)},p((a, i), =) =
{(a,i + 1)} andp({b,i),z) = {(b,i + 1)} forz e S a n d 0 < i < n,p((a,n),a) = ~,
p ( ( a , n ) , b ) = { q } , p ( ( b , n ) , b ) = @,p((b,n),a) = { q } , a n d p ( q , x ) = {q} f o r x 6 S .
Intuitively, A guesses a position in the input word, reads the input symbol at that position,
moves n positions to the right, and checks that it contains a different symbol. Note that A
has 2n + 2 states. By Propositions 15 and 17 (below), there is an alternating automaton
Aa with 2n + 3 states that accepts the complementary language ~ = S* - Fn.
Suppose that we have a nondeterministic automaton An d = ( S , S, S o , pn d, F ) with
fewer than 2 n states that accepts Fn. Thus, An accepts all words ww, where w E S " .
2n an accepting run of A , d on ww. Since ISI < 2 n, there are two distinct
Let s 0w , . . . , s w
wordu, v E S n suchthats~ = 8 vn . THUS,8 u~ 0 . . . ~ 8 u~
n s~+l, . . . ~ 8 v2n is an accepting rn n
of And on uv, but uv ~ Fn since it must have two different symbols at distance n from
each other.
One advantage of alternating automata is that it is easy to complement them. We
first need to define the dual operation on formulas in B + (X). Intuitively, the dual 0 of a
251
formula 0 is obtained from 0 by switching V and A, and by switching true and false. For
example, z v (y A z) = ~: A (y V z). (Note that we are considering formulas in B + (X),
so we cannot simply apply negation to these formulas.) Formally, we define the dual
operation as follows:
- ~ = ~:, f o r z E X ,
- true = false,
- false = true,
- (4 ^ = v Z__-),and
- (c~Vfl)=(6Afl).
Supp_ose now that we are given an alternating automaton A = (27, S, s ~ p, F).

Define A = (2?, S, s ~ ~, S - F), where ~(s, a) = p(s, a) for all s E S and a E 2?. That
is, p is the dualized transition function.
Pro__positionl7. [BL80, CKS81, Lei81] Let A be an alternating automaton. Then

L(A) = Z* - L(A).
By combining Propositions 11 and 16, we can obtain a nonemptiness test for alter-
nating automata,
Proposition 18. [CKS81]
1. The nonemptiness problem for alternating automata is decidable in exponential

time.
2. The nonemptiness problem for alternating automata is PSPACE-complete.
Proof: All that remains to be shown is the PSPACE-hardness of nonemptiness. Recall

that PSPACE-hardness of nonuniversality was shown in Proposition 12 by a generic
reduction. That is, there is a logarithmic-space algorithm that given a polynomial-space-
bounded Turing machine M and a word w outputs an automaton AM,w such that M
accepts w iffAM,w is nonuniversal. By Proposition 15, there is an alternating automaton
Aa such that L(Aa) = L(AM,w ) and A~ has the same size as AM,w. By Proposition 17,
L(-A-a~) = S* - L(Aa). Thus, AM,w is nonuniversal iff Taa is nonempty. I
2.6 Automata on Infinite Words - Alternation
We saw earlier that a nondetenninistic automaton can be viewed both as an automaton on

finite words and as an automaton on infinite words. Similarly, an alternating automaton
can also be viewed as an automaton on infinite words, in which case it is called an
alternating Bfichi automaton [MS87].
Let A = (S, S, s ~ p, F ) be an alternating Btichi automaton. A run of A on an
infinite word w = a0, a l , . . , is a (possibly infinite) S-labeled tree r such that r(r = s o
and the following holds:
if Ix[ = i, r(x) = s, and p(s, ai) = 0, then x has k children x l , . . . , x k , for

some k < ISI, and { r ( x l ) , . . . , r(xk)} satisfies 0.
252
The run r is accepting if every infinite branch in r includes infinitely many labels in F .
Note that the run can also have finite branches; if Ix[ = i, r(x) = s, andp(s, ai) = t r u e ,
then z does not need to have any children.
We with alternating automata, alternating Biichi automata are as expressive as non-
deterministic Btichi automata. We first show that alternating automata are at least as
expressive and as succinct as nondeterministic automata. The proof of the following
proposition is identical to the proof of Proposition 19.
Proposition ! 9. [MS87] Let A be a nondeterministic Bfichi automaton. Then there is

an alternating Bachi automaton An such that Lo~( Aa ) = L,, ( A ).
As the reader may expect by now, alternating B tichi automata are not more expressive
than nondeterministic B tichi automata. The proof of this fact, however, is more involved
than the proof in the finite-word case.
Proposition20. [MH84] Let A be an alternating Bachi automaton. Then there is a

nondeterministic Bachi automaton An such that Loj (An) = Lo~(A ).
Proof: As in the finite-word case, An guesses a run of A. At a given point of a run of

An, it keeps in its memory a whole level of the run of A (which is a tree). As it reads the
next input symbol, it guesses the next level of the run tree of A. The nondeterministic
automaton, however, also has to keep information about occurrences of accepting states
in order to make sure that every infinite branch hits accepting states infinitely often. To
that end, An partitions every level of the run of A into two sets to distinguish between
branches that hit F recently and branches that did not hit F recently.
Let A = ( S , S , s ~ Then A , = (S, Sn,S~ where S,~ = 2 s x 2 s
(i.e., each state is a pair of sets of states of A), S O = {({so}, 0)} (i.e., the single initial
state is pair consisting of the singleton set {s o) and the empty set), F , = {0} x 2 s, and
- foru ~ 0,
p,~((U, V), a) = {(U', W) [ there exist X, Y c_ S such t h a t
X satisfies A t ~ v p(t, a),
Y satisfies /~,~v p(t, a),
U'=X-F, andV'=YtO(XOF)},
pn((O, V), a) = {(U', V')I there exists r C_ S such that

Y satisfies At~v p(t, a),
U' = Y - F, and V' = Y f'l F}.
The proof that this construction is correct requires a careful analysis of accepting
runs of A, |
While complementation of alternating automata is easy (Proposition 17), this is not
the case for alternating B tichi automata. Here we run into the same difficulty that we ran
into in Section 2.2: not going infinitely often through accepting states is not the same as
going infinitely often through non-accepting states. >From Propositions 7, 19 and 20.
253
it follows that alternating Biichi automata are closed under complement, but the precise
complexity of complementation in this case is not known.
Finally, by combining Propositions 13 and 20, we can obtain a nonemptiness test
for alternating Biichi automata.
Proposition 21.
1. The nonemptiness problem for alternating Bachi automata is decidable in exponen-
tial time.
2. The nonemptiness problem for alternating Bachi automata is PSPACE-complete.
Proof: All that remains to be shown is the PSPACE-hardness of nonemptiness. We show

that the nonemptiness problem for alternating automata is reducible to the nonemptiness
problem for alternating Biichi automata. Let A = ( S , S, s ~ p, F ) be an alternating
automaton. Consider the alternating Biichi automaton A' = ( S , S, s ~ p', 0), where
p'(s, a) = p(s, a) for s E S - F and a E S , and p'(s, a) = true for s E F and a E S .
We claim that L ( A ) # 0 iff Lw(A') # 0. Suppose first that w E L ( A ) for some
w E S*. Then there is an accepting run r of A on w. But then r is also an accepting
run of A' on wu for all u E LTM,because p~(s,a) = true for s E F and a E S , so
wu E Lw(A'). Suppose, on the other hand, that w E Lo~(A) for some w E L~ . Then
there is an accepting run r of A' on w. Since A' has no accepting state, r cannot have
infinite branches, so by K6nig's Lemma it must be finite. Thus, there is a finite prefix u
of w such that r is an accepting run of A on u, so u E L(A). 1
3 Linear Temporal Logic and Automata on Infinite Words

Formulas of linear-time propositional temporal logic (LTL) are b u t t from a set Prop
of atomic propositions and are closed under the application of Boolean connectives,
the unary temporal connective X (next), and the binary temporal connective U (until)
[Pnu77, GPSS80]. LTL is interpreted over computations. A computation is a function ~
7r : N --~ 2 Pr~ which assigns truth values to the elements of Prop at each time instant
(natural number). For a computation ~r and a point i E ~v, we have that:
- ~r, i ~ p for p E Prop i f f p E ~r(i).

- ~r,i~Ar162
- ~r,i ~ -~9 iffnot 7r, i ~ 9
- ~r,i~X~iff~r,i+l~9.
- ~r, i ~ ~ U r ifffor some j _> i, wehave ~r,j ~ ~ and for allk, i < k < j, we have
Thus, the formula t r u e U 9, abbreviated as F g , says that 9 holds eventually, and

the formula -~F~9, abbreviated G 9, says that 9 holds henceforth. For example, the
formula G(~request V (requestUgrant)) says that whenever a request is made it holds
continuously until it is eventually granted. We will say that 7r satisfies a formula 9,
denoted 7r ~ 9, iff ~', 0 ~ 9.
Computations can also be viewed as infinite words over the alphabet 2 pr~ . We shall
see that the set of computations satisfying a given formula are exactly those accepted
254
by some finite automaton on infinite words. This fact was proven first in [SPH84]. The
proof there is by induction on structure of formulas, Unfortunately, certain inductive
steps involve an exponential blow-up (e.g., negation corresponds to complementation,
which we have seen to be exponential). As a result, the complexity of that translation
is nonelementary, i.e., it may involve an unbounded stack of exponentials (that is, the
complexity bound is of the form
2n
"" 1
where the height of the stack is n.)

The following theorem establishes a very simple translation between LTL and alter-
nating Btichi automata.
Theorem22. [MSS88, Var94] Given an LTL formula T, one can build an alternating
Bachi automaton A~ = ( S, S, s ~ p, F), where Z = 2 Pr~ at/z/IS[ is in O([TI), such
that L~ ( A~ ) is exactly the set of computations satisfying the formula T.
Proof.- The set S of states consists of all subformulas o f t and their negation (we identify
the formula -~mb with r The initial state s o is T itself. The set F of accepting states
consists of all formulas in S of the form --,(~Ur It remains to define the transition
function p.
In this construction, we use a variation of the notion of dual that we used in Sec-
tion 2.5. Here, the dual 0 of a formula is obtained from 0 by switching V and A,
by switching true and false, and, in addition, by negating subformulas in S, e.g.,
-~p V (q A Xq) is p A (-~q V -~Xq). More formally,.
- ~ = --,~, for ~ E S,
- true = false,
- false = true,
- (,~ A ~) = (~ v ~), and
- ( ~ v/~) = ( ~ ^ ~).
We can now define p:
- p(p, a) = true ifp E a,

- p(p, a) = false ifp ~ a,
- ,o(,~ A r a) = p(,~, a) ^ ,o(r a),
- p(-~r a) = p(r ~),
- p(Xe, a ) ---- r
- p(~Ur a) : p ( r a) V (p(~, a) A ~ U r
Note that p(r a) is defined by induction on the structure of r

Consider now a run r of A~. It is easy to see that r can have two types of infinite
branches. Each infinite branch is labeled from some point on by a formula of the form
~Vr or by a formula o f th e form --,(~Ur Since p(-~(~Vr a) = p(r a) A (p(~, a) V
--,(~Ur an infinite branch labeled from some point by --,(~Ur ensures that ~Ur
indeed falls at that point, since r fails from that point on. On the other hand, an infinite
branch labeled from some point by ~Ur does not ensure that ~Ur holds at that point,
since it does not ensure that r eventually holds. Thus, while we should allow infinite
255
branches labeled by --,((U~b), we should not allow infinite branches labeled by (UV.
This is why we defined F to consists of all formulas in S of the form --,(~U!b). |
Example1. Consider the formula ~ = (X-,p)Uq. The alternating Biichi automaton

associated with ~ is A~, = (20',q}, {~, -,to, X-,p, -,X-,p, -~p,p, q, -,q}, ~o, p, {--,~o}),
where p is described in the following table.
s liP(s, {p,q})[p(s, {p})[p(s, {q})lp(s,r

true --,p A ~o true --,p A 9a
-~ false p V ",la false p V "!a
X~p ~p ~p --,p ~p
-,X-,pl p p p p
--,p false false true true
p true true false false
9 q true false true false
-~q false true false true
In the state ~o, if q does not hold in the present state, then A~ requires both X-~p to
be satisfied in the present state (that is, --,p has to be satisfied in next state), and it to be
satisfied in the next state. As ~ ~ F, A~, should eventually reach a state that satisfies q.
Note that many of the states, e.g., the subformulas X - , p and q, are not reachable; i.e.,
they do not appear in any run of A~,. |
By applying Proposition 20, we now get:
Coronary23. [VW941 Given an LTL formula ~, one can build a Bachi automaton
A~, = (S, S, S ~ p, F), where S = 2 P~~ and ISI is in 2 ~ such that L~(A~,) is
exactly the set of computations satisfying the formula ~.
The proof of Corollary 23 in [VW94] is direct and does not go through alternating
Btichi automata. The advantage of the proof here is that it separates the logic from
the combinatorics. Theorem 22 handles the logic, while Proposition 20 handles the
combinatorics.
Example2. Consider the formula to = FGp, which requires p to hold from some point
on. The Biichi automaton associated with ~ is A~o = (2 {p) , {0, 1}, {0}, p, { 1}), where
p is described inthe following table.
slip(s, {p})lp(s, 0)1

90 {0,1} ~0}
1 {1} [
The automaton A~, can stay forever in the state 0. Upon reading p, however, A~, can
choose to go to the state 1. Once A~, has made that transition, it has to keep reading p,
otherwise it rejects. Note that A~, has to make the transition to the state 1 at some point,
since the state 0 is not accepting. Thus, A~o accepts precisely when p holds from some
point on. |
256
4 Applications
4.1 Satisfiability
An LTL formula ~ is satisfiable if there is some computation ~r such that 7r ~ ~. An
unsatisfiable formula is uninteresting as a specification, so unsatisfiability most likely
indicates an erroneous specification. The satisfiability problem for LTL is to decide,
given an LTL formula ~, whether ~ is satisfiable.
Theorem24. [SC85] The satisfiability problem for LTL is PSPACE-complete.
Proof: By Corollary 23, given an LTL formula ~, we can construct a Btichi automaton
A~,, whose size is exponential in the length of ~, that accepts precisely the computations
that satisfy ~. Thus, ~ is satisfiable iff A~ is nonempty. This reduces the satisfiability
problem to the nonemptiness problem. Since nonempljness of Btichi automata can
be tested in nondeterministic logarithmic space (Proposition 13) and since A~ is of
exponential size, we get a polynomial-space algorithm (again, the algorithm constructs
A~ "on-the-fly").
To prove PSPACE-hardness, it can be shown that any PSPACE-hard problem can be
reduc~l to the satisfiability problem. That is, there is a logarithmic-space algorithm that
given a polynomial-space-bounded Turing machine M and a word w outputs an LTL
formula ~g,w such that M accepts w iff ~M,w is satisfiable. 1
An LTL formula ~ is valid if for every computation 7r we have that 7r ~ ~. A
valid formula is also uninteresting as a specification. The validity problem for LTL is to
decide, given an LTL formula ~, whether ~ is valid. It is easy to see that ~o is valid iff
- ~ is not satisfiable. Thus, the validity problem for LTL is also PSPACE-complete.
4.2 Verification
We focus here onfinite-state programs, i.e., programs in which the variables range over
finite domains. The significance of this class follows from the fact that a significant
number of the communication and synchronization protocols studied in the literature
are in essence finite-state programs [Liu89, Rud87]. Since each state is characterized
by a finite amount of information, this information can be described by certain atomic
propositions. This means that a finite-state program can be specified using propositional
temporal logic. Thus, we assume that we are given a finite-state program and an LTL
formula that specifies the legal computations of the program. The problem is to check
whether all computations of the program are legal. Before going further, let us define
these notions more precisely.
A finite-state program over a set Prop of atomic propositions is a structure of the
form P = (IV, w0, R, V), where W is a finite set of states, w0 E W is the initial state,
R C_ W 2 is a total accessibility relation, and V : W ~ 2 Pr~ assigns truth values
to propositions in Prop for each state in W. The intuition is that W describes all the
states that the program could be in (where a state includes the content of the memory,
registers, buffers, location counter, etc.), R describes all the possible transitions between
states (allowing for nondeterminism), and V relates the states to the propositions (e.g.,
it tells us in what states the proposition request is true). The assumption that R is total
257
(i.e., that every state has a child) is for technical convenience. We can view a terminated
execution as repeating forever its last state.
Let u be an infinite sequence u0, u l . . . of states in W such that u0 = w0, and
uiRui+l for all i > 0. Then the sequence V(uo), V ( u l ) . . . is a computation of P. We
say that P satisfies an LTL formula 9 if all computations of P satisfy 9. The verification
problem is to check whether P satisfies 9.
The complexity of the verification problem can be measured in three different
ways. First, one can fix the specification 9 and measure the complexity with respect to
the size of the program. We call this measure the program-complexity measure. More
precisely, the program complexity of the verification problem is the complexity of the
sets {P [ P satisfies 9} for a fixed 9. Secondly, one can fix the program P and measure
the complexity with respect to the size of the specification. We call this measure the
specification-complexity measure. More precisely, the specification complexity of the
verification problem is the complexity of the sets {9 [ P satisfies 9} for a fixed P.
Finally, the complexity in the combined size of the program and the specification is the
combined complexity.
Let C be a complexity class. We say that the'program complexity of the verification
problem is in C if {P [ P satisfies 9} E C for any formula 9. We say that the program
complexity of the verification problem is hard for C if {P I P satisfies 9} is hard for
C for some formula 9. We say that the program complexity of the verification problem
is complete for C if it is in C and is hard for C. Similarly, we say that the specification
complexity of the verification problem is in C if {9 1P satisfies 9} E C for any program
P, we say that the specification complexity of the verification problem is hard for C if
{9 1P satisfies 9} is hard for C for some program P, and we say that the specification
complexity of the verification problem is complete for C if it is in C and is hard for C.
We now describe the automata-theoretic approach to the verification problem. A
finite-state program P = (W, w0, R, V) can be viewed as a Biichi automaton A p =
(S, W, {w0}, p, W), where 2? = 2 P~~ and s' E p( s , a) iff ( s , s' ) E R and a = V ( s ) .
As this automaton has a set of accepting states equal to the whole set of states, any
infinite run of the automaton is accepting. Thus, Lo~(Ap) is the set of computations of
P.
Hence, for a finite-state program P and an LTL formula 9, the verification problem
is to verify that all infinite words accepted by the automaton Ap satisfy the formula 9.
By Corollary 23, we know that we can build a Btichi automaton A~ that accepts exactly
the computations satisfying the formula 9. The verification problem thus reduces to the
automata-theoretic problem of checking that all computations accepted by the automaton
Ap are also accepted by the automaton A~, that is L~ (Ap) C__Lo~(A~). Equivalently,
we need to check that the automaton that accepts Lo~ ( A p ) N L~ (A~) is empty, where
L,~('A-7) = L ~ ( A ~ ) = L ~ - Lo~(A~).
First, note that, b y Corollary 23, Lo~(A~) = Lo~(A-,~) and the automaton A-~ has
2~ states. (A straightforward approach, starting with the automaton A~ and then
using Proposition 7 to complement it, would result in a doubly exponential blow-up,)
To get the intersection of the two automata, we use Proposition 6. Consequently, we
can build an automaton for L,~ ( A p ) CI L , z ( A . ~ ) having I W I , 2 ~ states. We need to
check this automaton for emptiness. Using Proposition 13, we get the following results.
258
Theorem25. [LP85, SC85, VW861
1. The program complexity of the verification problem is complete for NLOGSPACE.

2. The specification complexity of the verification problem is complete for PSPACE.
3. Checking whether a finite-state program P satisfies an LTL formula ~ocan be done
in time O(IPI 92 ~ or in space 0((1~,[ + log IpD2).
We note that a time upper bound that is polynomial in the size of the program and
exponential in the size of the specification is considered here to be reasonable, since the
specification is usually rather short [LP85]. For a practical verification algorithm that is
based on the automata-theoretic approach see [CVWY92].
4.3 Synthesis
In the previous section we dealt with verification: we are given a finite-state program
and an LTL specification and we have to verify that the program meets the specification.
A frequent criticism against this approach, however, is that verification is done after sig-
nificant resources have already been invested in the development of the program. Since
programs invariably contain errors, verification simply becomes part of the debugging
process. The critics argue that the desired goal is to use the specification in the program
development process in order to guarantee the design of correct programs. This is called
program synthesis. It turns out that to solve the program-synthesis problem we need to
use automata on infinite trees.
Rabin Tree Automata Rabin tree automatarun on infinitelabeled trees with a uniform
branching degree (recall the definition of labeled trees in Section 2.5). The (infinite) k-
ary tree ~-k is the set { 1 , . . . , k}*, i.e., the set of all finite sequences over { 1 , . . . , k}.
The elements of rk are the nodes of the tree. If x and xi are nodes of rk, then there is an
edge from x to xi, i.e., z is the parent of zi and xi is the child of z. The empty sequence
e is the root o f r k . A branch/3 = x0, z l , . . , of rk is an infinite sequence of nodes such
that z0 = e, and xi is the parent of zi+l for all i _> 0. A S-labeled k-ary tree T , for a
finite alphabet S , is a mapping 7 : 7-k ~ Z that assigns to every node a label. We often
refer to labeled trees as trees; the intention will be clear from the context. A branch
/3 = a:0, z l , . . , of T defines an infinite word 7(/3) = T(z0), 7-(Xl),... consisting of
the sequence of labels along the branch.
A k-ary Rabin tree automaton A is a tuple ( S , S, S ~ p, G), where 2 is a finite
alphabet, S is a finite set of states, SO C_ S is a set of initial states, G C_ 2 s x 2 s
is a Rabin condition, and p : S x S -~ 2 sk is a transition function. The automaton
A takes as input Z-labeled k-ary trees. Note that p(s, a) is a set of k-tuples for each
state s and symbol a. Intuitively, when the automaton is in state s and it is reading a
node x, it nondeterministically chooses a k-tuple ( s l , . . . , sk) in p(s, T ( x ) ) and then
makes k copies of itself and moves to the node zi in the state si for i = 1 , . . . , k. A
run r : "ok ~ S of A on a Z-labeled k-ary tree 7- is an S-labeled k-ary tree such that
the root is labeled by an initial state and the transitions obey the transition function p;
that is, r(e) E S ~ and for each node x we have ( r ( x l ) , . . . , r ( z k ) ) E p(r(z), 7-(x)).
The run is accepting if r(/3) satisfies G for every branch/3 = z0, x l , . . , of ~-k. That is,
259
for every branch/~ = ~0, xl, .... there is some pair (L, U) E G such that r(xi) E L
for infinitely many i's, but r(xi) E U for only finitely many i's. Note that different
branches might be satisfied by different pairs in G. The language of A, denoted Lo~(A),
is the set of trees accepted by A. It is easy to see that Rabin automata on infinite words
are essentially 1-ary Rabin tree automata.
The nonemptiness problem for Rabin tree automata is to decide, given a Rabin
tree automaton A, whether Lw (A) is nonempty. Unlike the nonemptiness problem for
automata on finite and infinite words, the nonemptiness problem for tree automata is
highly nontrivial. It was shown to be decidable in [Rab69], but the algorithm there had
nonelementary time complexity; i.e., its time complexity could not be bounded by any
fixed stack of exponential functions. Later on, elementary algorithms were described
in [HR72, Rab72]. The algorithm in [HR72] runs in doubly exponential time and the
algorithm in [Rab72] runs in exponential time. Several years later, in [Eme85, VS85],
it was shown that the nonemptiness problem for Rabin tree automata is in NP. Finally,
in [EJ88], it was shown that the problem is NP-complete.
There are two relevant size parameters for Rabin tree automata. The first is the
transition size, which is size of the transition function (i.e., the sum of the sizes of the
sets Ip(s, a)] for s E S and a E S); the transition size clearly takes into account the the
number of states in S. The second is the number of pairs in the acceptance condition G.
For our application here we need a complexity analysis of the nonemptiness problem
that takes into account separately the two parameters.
Proposition 26. [EJ88, PR89] For Rabin tree automata with transition size m and n
pairs, the nonemptiness problem can be solved in time (ran) ~
In other words, the nonemptiness problem for Rabin tree automata can be solved in time
that is exponential in the number of pairs but polynomial in the transition size. As we
will see, this distinction is quite significant.
Realizability The classical approach to program synthesis is to extract a program from

a proof that the specification is satisfiable. In [EC82, MW841, it is shown how to extract
programs from (finite representations of) models of the specification. In the late 1980s,
several researchers realized that the classical approach is well suited to closed systems,
but not to open systems [Di189, PR89, ALW89]. In open systems the program interacts
with the environment; such programs are called reactive programs [HP85]. A correct
reactive program should be able to handle arbitrary actions of the environment. If one
applies the techniques of [EC82, MW84] to reactive programs, one obtains programs
that can handle only certain actions of the environment. In [PR89, ALW89, Di189], it is
argued that the fight way to approach synthesis of reactive programs is to consider the
situation as an infinite game between the environment and the program.
We are given a finite set W of states and a valuation V : W ~ 2 P r ~ . The intuition
is that W describes all the observable states that the system can be in. (We will see
later why the emphasis here on observability.) A behavior r over W is an infinite word
over the alphabet W. The intended meaning is that the behavior w0, w l , . . , describes a
sequence of states that the system goes through, where the transition from wi_ l to wi
was caused by the environment when i is odd and by the program when i is even. That is,
260
the program makes the first move (into the first state), the environment responds with the
second move, the program counters with the third move, and so on. We associate with
r the computation V(r) = V(wo), V(wl), ., and say that r satisfies an LTL formula
if V(r) satisfies 9. The goal of the program is to satisfy the specification 9 in the
face of every possible move by the environment. The program has no control over the
environment moves; it only controls its own moves. Thus, the situation can be viewed
as an infinite game between the environment and the program, where the goal of the
program is to satisfy the specification 9. Infinite games were introduced in [GS53] and
they are of fundamental importance in descriptive set theory [Mos80].
Histories are finite words in W*. The history of a run r = w0, w l , . . , at the even
point i > 0, denoted hist(r, i), is the finite word wl, w 3 , . . . , wi-1 consisting of all
states moved to by the environment; the history is the empty sequence e for i = 0.
A program is a function f : W* ~ W from histories to states. The idea is that if
the program is scheduled at a point at which the history is h, then the program will
cause a change into the state f(h). This captures the intuition that the program acts in
reaction to the environment's actions. A behavior r over W is a run of the program f if
si = f(hist(r, i)) for all even i. That is, all the state transitions caused by the program
are consistent with the program f . A program f satisfies the specification ~ if every
run of f over W satisfies 9. Thus, a correct program can be then viewed as a winning
strategy in the game against the environment. We say that ~ is realizable with respect
to W and V if there is a program f that satisfies 9, in which case we say that f realizes
9. (In the sequel, we often omit explicit mention of W and V when it is clear from the
context.) It turns out that satisfiability of 9 is not sufficient to guarantee realizability of
9.
Example3. Consider the case where Prop = {p}, W = {0, 1}, V(0) = 0, and
V(1) = {p}. Consider the formula Gp. This formula requires that p always be true,
and it is clearly satisfiable. There is no way, however, for the program to enforce this
requirement, since the environment can always moves to the state 0, making p false.
Thus, Gp is not realizable. On the other hand, the formula GFp, which requires p to
hold infinitely often, is realizable; in fact, it is realized by the simple program that maps
every history to the state 1. This shows that realizability is a stronger requirement than
satisfiability. |
Consider now the specification 9. By Corollary 23, we can build a Btichi automaton
A~ = (S, S, S ~ p, F), where S = 2Pr~ and ISI is in 2 ~ such that L~(A~) is
exactly the set of computations satisfying the formula ~o. Thus, given a state set W
and a valuation V : W ~ 2 Pr~ we can also construct a Biichi automaton A~ =
(W, S, S O, p', F ) such that L~ (A~) is exactly the set of behaviors satisfying the formula
9, by simply taking p~(s, w) = p(s, V(w)). It follows that we can assume without loss
of generality that the winning condition for the game between the environment and the
program is expressed by a Btichi automaton A: the program f wins the game if every
run of f is accepted by A. We thus say that the program f realizes a Btichi automaton
A if all its runs are accepted by A . We also say then that A is realizable.
It turns out that the realizability problem for Btichi automata is essentially the solv-
ability problem described in [Chu63]. (The winning condition in [Chu63] is expressed
261
in S1S, the monadic second-order theory of one successor function, but it is known
[Btic62] that S 1S sentences can be translated to Biichi automata.) The solvability prob-
lem was studied in [BL69, Rab72]. It is shown in [Rab721 that this problem can be
solved by using Rabin tree automata.
Consider a program f : W* ---. W. Suppose without loss of generality that W =
{ 1 , . . . , k}, for some k > 0. The program f can be represented by a W-labeled k-ary
tree 7-I. Consider a node z = ioil ... i,,~, where 1 < ii < k for j = 0 . . . . , m. We note
that x is a history in W*, and define T / ( x ) = f ( z ) . Conversely, a W-labeled k-ary
tree 7- defines a program fT-. Consider a history h = ioil . . . ira, where 1 < ii < k
for j = 0 , . . . , m. We note that h is a node of rk, and define fT-(h) = 7-(h). Thus,
W-labeled k-ary trees can b e viewed as programs.
It is not hard to see that the runs of f correspond to the branches of Ty. Let
/~ = z0, 2:1,... be a branch, where x0 = e and ~:j = ~ j - l i j - 1 for j > 0. Then
r = 7-(z0), i0, 7-(zl), il, 7-(x2), 999 is a run of f , denoted r(/~). Conversely, if r =
i0, i l , . . , is a run of f , then 7-I contains a branch/~(r) = z0, ~:1, 99-, where z0 = e,
:ej = xi_li2j+l, and 7-(xj) = i2j f o r j >__0. O n e w a y to visualize thisis to thinkof the
edge from the parent z to its child xi as labeled by i. Thus, the run r(fl) is the sequence
of edge and node labels along ft.
We thus refer to the behaviors r(fl) for branches j3 of a W-labeled k-ary tree 7- as
the runs o f T , and we say that 7" realizes a Biichi automaton A if all the runs of 7" are
accepted by A. We have thus obtained the following:
Proposition27. A program f realizes a Bachi automaton A iff the tree 7-f realizes A.
We have thus reduced the realizability problem for LTL specifications to an automata-
theoretic problem: given a Biichi automaton A, decide if there is a tree 7- that realizes
A. Our next step is to reduce this problem to the nonemptiness problem for Rabin tree
automata. We will construct a Rabin automaton/3 that accepts precisely the trees that
realize A. Thus, Lo~(/3) ~ 0 iffthere is atree that realizes A.
Theorem28. Given a Bfichi automaton A with n states over an alphabet W =

{ 1 , . . . , k}, we can construct a k-ary Rabin tree automaton B with transition size
k 2O( n logn) and O ( n ) pairs such that Loj ( B ) is precisely the set of trees that realize A.
Proof: Consider an input tree T . The Rabin tree automaton B needs to verify that for
every branch/3 of T we have that r(/~) E L~ (A). Thus, B needs to "run A in parallel"
on all branches of 7-. We first need to deal with the fact that the labels in 7- contain
information only about the actions of f (while the information on the actions of the
environment is implicit in the edges). Suppose that A = (W, S, S o , p, F ). We first define
a Btichi automaton A' that emulates A by reading pairs of input symbols at a time. Let
A' = (W 2, S x {0, 1}, S O x {0}, p', S x {1}), where
p'(s, (a, b)) = {(t, O) It ~ p(s', b) F for some s' E p(s, a) - F } U

{ (t, 1) It ~ p(s', b) for some s' e p(s, a) n F } U
{(t, 1) It E p ( J , b) O F for some s' E p(s, a)}.
262
Intuitively, p' applies two transitions of A while remembering whether either transition
visited F. Note that this construction doubles the number of states. It is easy to prove
the following claim:
Claim: A' accepts the infinite word (w0, wl), (w2, w3), 999over the alphabet W 2 iffA
accepts the infinite word w0, wl, w2, w3,.., over W.
In order to be able to run A' in parallel on all branches, we apply Proposition 10
to A' and obtain a deterministic Rabin automaton Ad such that Lo~(Ad) = L~(A').
As commented in Section 2.2, Ad has 2~ log,~) states and O(n) pairs. Let Aa =
(W 2, Q, {q0}, 6, G).
We can now construct a Rabin tree automaton that "runs Ad in parallel" on all
branches o f T . Let B = (W, Q, {q0}, 6~, G), where 6~is defined as follows:
6'(q,a) - 6(q, (a, 1)) x . - - 6 ( q , (a,k)).
Intuitively, B emulates Ad by feeding it pairs consisting of a node label and an edge

label. Note that if 6(q, (a, i)) = 0 for some 1 < i < k, then 6~(q, a) = O.
Claim: L~,(B) is precisely the set of trees that realize A.
It remains to analyze the size of A. It is clear that it has 2 ~ logn)states and O(n)
pairs. Since it is deterministic, its transition size is k2 ~ logn). 1
We can now apply Proposition 25 to solve the realizability problem.
Theorem29. [ALW89, PR89] The realizability problem for Bfichi automata can be
solved in exponential time.
Proof: By Theorem 28, given a Btichi automaton A with n states over an alphabet
W = { 1 , . . . , k}, we can construct a k-ary Rabin tree automaton B with transition size
k2O(n logn) and and O(n) pairs such that L,~(B) is precisely the set of trees that realize
A. By Proposition 26, we can test the nonemptiness of B in time k~176 "=loan). 1
Corollary 30. [PR89] The realizability problem for LTL can be solved in doubly expo-
nential time.
Proof: By Corollary 23, given an LTL formula 9, one can build a Biichi automaton A~
with 20(1~1) states such that L~(A~) is exactly the set of computations satisfying the
formula 9. By combining this with the bound of Theorem 29, we get a time bound of
k 2~(!~'I). 1
In [PR89], it is shown that the doubly exponential time bound of Corollary 30 is essen-
tially optimal. Thus, while the realizability problem for LTL is decidable, in the worst
case it can be highly intractable.
Example4. Consider again the situation where Prop = {p}, W = {0, 1}, V(0) = 0,
and V(1) = {p}. Let ~ be the formula Gp. We have A~ = (W, {1}, {1}, p, W), where
p(1, 1) = {1}, and all other transitions are empty (e.g., p(1,0) = 0, etc.). Note that
A~ is deterministic. We can emulate A~, by an automaton that reads pairs of symbols:
A~ = (W 2, W x {0, 1}, {(1,0)},p', W x {1}), where p((1,0), (1, 1)) = {(1, 1)},
and all other transitions are empty. Finally, we construct the Rabin tree automaton
263
B = (W, W x {0, 1 }, (1, 0), 6', (L, U)), where 6' (s, a) is empty for all states s and
symbol a. Clearly, L~ (B) = 0, which implies that Gp is not realizable. |
We note that Corollary 30 only tells us how to decide whether an LTL formula is
realizable or not. It is shown in [PR89], however, that the algorithm of Proposition 26 can
provide more than just a "yes/no" answer. When the Rabin automaton B is nonempty,
the algorithm returns a finite representation of an infinite tree accepted by B. It turns out
that this representation can be converted into a program f that realizes the specification.
It even turns out that this program is afinite-state program. This means that there are
a finite set N , a function g : W* ~ N, a function a l : N x W --~ N, and a function
c~2 : N ---, W such that for all h E W* and w E W we have:
- f ( h ) = c~2(g(h))
- g(hw) = cq(g(h), w)
Thus, instead of remembering the history h (which requires an unbounded memory),

the program needs only to remember g(h). It performs its action a l ( h ) and, when it
sees the environment's action w, it updates its memory to a2(g(h), w). Note that this
"memory" is internal to the program and is not pertinent to the specification. This is in
contrast to the observable states in W that are pertinent to the specification.
Acknowledgements
I am grateful to Oystein Haugen, Orna Kupferman, and Faron Moiler for their many
comments on earlier drafts of this paper.
References
IALW891 M. Abadi, L. Lamport, and P. Wolper. Realizable and unrealizable concurrent pro-
gram specifications. In Proc. 16th Int. Colloquium on Automata, Languages and Pro-
gramming, volume 372, pages 1-17. Lecture Notes in Computer Science, Springer-
Verlag, July 1989.
[BL69] J.R. B~lchi and L.HG. Landweber. Solving sequentialconditions by finite-state strate-
gies. Trans. AMS, 138:295-311, 1969.
[BL80I J.A. Brzozowski and E. Leiss. Finite automata, and sequential networks. Theoretical
Computer Science, 10:19-35, 1980.
lBilc62] J.R. Btlchi. On a decision method in restricted second order arithmetic. In Proc.
Internat. Congr. Logic, Method and Philos. Sci. 1960, pages 1-12, Stanford, 1962.
Stanford University Press.
[Cho74] Y. Choueka. Theories of automata on w-tapes: A simplified approach. J. Computer
and System Sciences, 8:117-141, 1974.
[Chu63] A. Church. Logic, arithmetics, and automata, In Proc. International Congress of
Mathematicians, 1962, pages 23-35. institut Mittag-Leffler, 1963.
[CKS811 A.K. Chandra, D.C. Kozen, and L.J. Stockmeyer. Alternation. Journal of the Asso-
ciation for Computing Machinery, 28(1):114-133, January 1981.
[CLR90] T.H. Cormen, C.E. Leiserson, and R.L. Rivest. Introduction to Algorithms. Mrr
Press, 1990.
264
[cvwv92] C. Courcoubetis, M.Y. Vardi, P. Wolper, and M. Yannakakis. Memory 'efficient

algorithms for the verification of temporal properties. Formal Methods in System
Design, 1:275-288, 1992.
[Di1891 D.L. Dill. Trace theory for automatic hierarchical verification of speed independent
circuits. MIT Press, 1989.
[EC82] E.A. Emerson and E.M. Clarke. Using branching time logic to synthesize synchro-
nization skeletons. Science of Computer Programming, 2:241-266, 1982.
[EH86] E.A. Emerson and J.Y. Halpem. Sometimes and not never revisited: On branching
versus linear time. Journal of the ACM, 33(1):151-178, 1986.
[EJ88] E.A. Emerson and C. Jufla. The complexity of tree automata and logics of programs.
In Proceedings of the 29th IEEE Symposium on Foundations of ComputerScience,
White Plains, October 1988.
[EJ89] E.A. Emerson and C. Jufla. On simultaneously determinizing and complementing to-
automata. In Proceedings of the 4th IEEE Symposium on Logic in Computer Science,
pages 333-342, 1989.
[EL85a] E.A. Emerson and C.-L. Lei. Modalities for model checking: Branching time logic
strikes back. In Proceedings of the Twelfth ACM Symposium on Principles of Pro-
gramming Languages, pages 84-96, New Orleans, Janhary 1985.
[EL85b] E.A. Emerson and C.-L. Lei. Temporal model checking under gene~:alized fairness
constraints. In Prec. 18th Hawaii International Conference on System Sciences,
Hawaii, 1985.
[Eme85] E.A. Emerson. Automata, tableaux, and temporal logics. In Prec. Workshop on
Logic of Programs, volume 193 of Lecture Notes in Computer Science, pages 79-87.
[GJ79] M. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory
ofNP-completeness. W. Freeman and Co., San Francisco, 1979.
[GPSS80] D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis of fairness.
In Proceedings ofthe 7th ACM Symposiumon Principles of Programming Languages,
pages 163-173, January 1980.
[GS53] D. Gale and F. M. Stewart. Infinite games ofperfectinformation. Ann. Math. Studies,
28:245-266, 1953.
[HP85] D. Harel and A. Pnueli. On the development of reactive systems. In K. Apt, editor,
Logics and Models of Concurrent Systems, volume F-13 of NATO AdvancedSummer
Institutes, pages 477-498. Springer-Verlag, 1985.
[HR72] R. Hossley and C.W. Rackoff. The emptiness problem for automata on infinite trees.
In Prec. 13th IEEE Symp. on Switching and Automata Theory, pages 121-124, 1972.
[HU79] J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Languages and
Computation. Addison-Wesley, New York, 1979.
[Jon75] N.D. Jones. Space-bounded reducibility among combinatorial problems. Journal of
Computer and System Sciences, 11:68-75, 1975.
[Lam80] L. Lamport. Sometimes is sometimes "not never" - on the temporal logic ofprograms.
In Proceedings ofthe 7thACM Symposiumon Principles of Programming Languages,
pages 174-185, January 1980.
[Lei81l Leiss. Succinctrepresentation of regular languages by boolean automata. Theoretical
[Liu89] M.T. Liu. Protocol engineering. Advances in Computing, 29:79-195, 1989.
[LP851 O. Lichtenstein and A. Pnueli. Checking that finite state concurrentprograms satisfy
their linear specification. In Proceedings of the TwelfthA CM Symposium on Principles
of Programming Languages, pages 97-107, New Orleans, January 1985.
265
[LPZ851 O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In Logics of Pro-
grams, volume 193, pages 196-218,Brooklyn, June 1985. Lecture Notes in Computer
Science, Springer-Verlag.
[MEN66] R. McNaughton. Testing and generating infinite sequences by a finite automaton.
Information and Control, 9:521-530, 1966.
[MF71] A.R. Meyer and i . J . Fischer. Economy of description by automata, grammars, and
formal systems. In Prec. 12th IEEE Syrup. on Switching andAutomata Theory, pages
188-i91, 1971.
[MH84] S. Miyano and T. Hayashi. Alternating finite automata on w-words. Theoretical
[Mic88] M. Michel. Complementation is more difficult with automata on infinite words.
CNET, Paris, 1988.
[Mos80] Y.N. Moschovakis. Descriptive Set Theory. North Holland, 1980.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems:
Specification. Springer-Verlag, Berlin, January 1992.
[MS72] A.R. Meyer and L.J. Stockmeyer. The equivalence problem for regular expressions
with squaring requires exponential time. In Proc. 13th IEEE Symp. on Switching and
Automata Theory, pages 125-129, 1972.
[MS87] D.E. Muller and EE. Schupp. Alternating automata on infinite trees. Theoretical
Computer Science, 54,:267-276, 1987.
[MSS88] D. E. Muller, A. Saoudi, and E E. Schupp. Weak alternating automata give a simple
explanation of why most temporal and dynamic logics are decidable in exponential
time. In Proceedings 3rd IEEE Symposium on Logic in Computer Science, pages
422-427, Edinburgh, July 1988.
[MW84] Z. Manna and E Wolper. Synthesis of communicating processes from temporal
logic specifications. ACM Transactions on Programming Languages and Systems,
6(1):68-93, January 1984.
[OL82] S. Owicki and L. Lamport. Proving liveness properties ofconcurrentprograms. ACM
Transactions on Programming Languages and Systems, 4(3):455-495, July 1982.
[Pei85] R. Peikert. o~-regular languages and propositional temporal logic. Technical Report
85-01, ETH, 1985.
[Pnu77] A. Pnueli. The temporal logic of programs. In Proc. 18th IEEE Symposium on
Foundation of Computer Science, pages 46-57, 1977.
[PR89] A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Proceedings of
the Sixteenth ACM Symposium on Principles of Programming Languages, Austin,
Januery 1989.
[Rab69] M.O. Rabin. Decidability of second order theories and automata on infinite trees.
Transaction of the AMS, 141:1-35, 1969.
[Rab721 M.O. Rabin. Automata on infinite objects and Church's problem. In Regional Conf.
Set Math., 13, Providence, Rhode Island, 1972. AMS.
[RS59] M.O. Rabin and D. Scott. Finite automata and their decision problems. IBM J. of
Research and Development, 3:115-125, 1959.
[Rud87] H. Rudin. Network protocols and tools to help produce them. Annual Review of
[Saf88] S. Safra. On the complexity of omega-automata. In Proceedings of the 29th IEEE
Symposium on Foundations of Computer Science, White Plains, October 1988.
[Sav70] W.J. Savitch. Relationship between nondeterministic and deterministic tape com-
plexities. J. on Computer and System Sciences, 4:177-192, 1970.
[sc85] A.E Sisfla and E.M. Clarke. The complexity of propositional linear temporal logic.
J. ACM, 32:733-749, 1985.
266
ISis83] A.E Sistla. Theoretical issues in the design and analysis of distributed systems. PhD
thesis, Harvard University, 1983.
[SPH84] R. Sherman, A. Pnueli, and D. Harel. Is the interesting part of process logic un-
interesting: a translation from PL to PDL. SlAM J. on Computing; 13(4):825-839,
1984.
[SV3V87] A.P. Sistla, M.Y. Vardi, and P. Wolper. The complementation problem for Btlchi
automata with applications to temporallogic. Theoretical ComputerScience , 49:217-
237, 1987.
[The90] W. Thomas. Automata on infinite objects. Handbook of theoretical computerscience,
pages 165-191, 1990.
pCax94] M.Y. Vardi. Nontraditional applications of automata theory. In Prec. Int'l Syrup.
on Theoretical Aspects of Computer Software, volume 789, pages 575-597. Lecture
Notes in Computer Science, Springer-Verlag, 1994.
Ws851 M.Y. Vardi and L. Stockmeyer. Improved upper and lower bounds for modal logics
of programs. In Proc 17th ACM Symp. on Theory of Computing, pages 240-251,
1985.
[VW861 M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program
verification. In Proceedings of the First Symposium on Logic in Computer Science,
pages 322-331, Cambridge, June 1986.
[VW941 M.Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and
Computation, 115(1):1-37, November 1994.
[Vr P. Wolper. Synthesis of Communicating Processes from Temporal Logic Specifica-
t/ons. PhD thesis, Stanford University, 1982.
[WVS83] P. Wolper, M.Y. Vardi, and A.P. Sistla. Reasoning about infinite computation paths.
In Prec. 24th IEEE Symposium on Foundations of Computer Science, pages 185-194,
Tucson, 1983.
Lecture Notes in Computer Science
For information about Vols. 1-975
please contact your bookseller or Springer-Verlag
Vol. 976: U. Montanari, F. Rossi (Eds.), Principles and Vol. 993: T.C. Fogarty (Ed.), Evolutionary Computing.
Practice of Constraint Programming - - CP '95. Proceedings, 1995. VIII, 264 pages. 1995.
Proceedings, 1995. XIII, 651 pages. 1995. Vol. 994: M. Hebert, J. Ponce, T. Boult, A. Gross (Eds.),
Vol. 977: H. Beilner, F. Bause (Eds.), Quantitative Object Representation in Computer Vision.
Evaluation of Computing and Communication Systems. Proceedings, 1994. VIII, 359 pages. 1995.
Proceedings, 1995. X, 415 pages. 1995. Vol. 995: S.M. Mailer, W.J. Paul, The Complexity of
Vol. 978: N. Revell, A M. Tjoa (Eds.), Database and Simple Computer Architectures. XII, 270 pages. 1995.
9 Expert Systems Applications. Proceedings, 1995. XV, Vol. 996: P. Dybjer, B. NordstrOm, J. Smith (Eds.),
654 pages. 1995. Types for Proofs and Programs9 Proceedings, 1994. X,
Vol. 979: P. Spirakis (Ed,), Algorithms - - ESA '95. 202 pages. 1995.
Proceedings, 1995. XII, 598 pages. 1995. Vol. 997: K.P. Jantke, T. Shinohara, T. Zeugmann
Vol. 980: A. Ferreira, J. Rolim (Eds.), Parallel (Eds.), Algorithmic Learning Theory. Proceedings,
Algorithms for Irregularly Structured Problems. 1995. XV, 319 pages. 1995.
Proceedings, 1995. IX, 409 pages. 1995. Vol. 998: A. Clarke, M. Campolargo, N. Karatzas
Vol. 981: I. Wachsmuth, C.-R. Rollinger, W. Brauer (Eds.), Bringing Telecommunication Services to the
(Eds.), KI-95: Advances in Artificial Intelligence. People - IS&N '95. Proceedings, 1995. XII, 510 pages.
Proceedings, 1995. XII, 269 pages. (Subseries LNAI). 1995.
Vol. 982: S. Doaitse Swierstra, M. Hermenegildo Vol. 999: P. Antsaklis, W. Kohn, A. Nerode, S. Sastry
(Eds.), Programming Languages: Implementations, (Eds.), Hybrid Systems II. VIII, 569 pages. 1995.
Logics and Programs. Proceedings, 1995. XI, 467 Vol. 1000: J. van Leeuwen (Ed.), Computer Science
pages. 1995. Today. XIV, 643 pages. 1995.
Vol. 983: A. Mycroft (Ed.), Static Analysis. Vol. 1001: M. Sudan, Efficient Checking of Polynomials
Proceedings, 1995. VIII, 423 pages. 1995. and Proofs and the Hardness of Approximation Problems9
Vol. 984: J.-M. Haton, M. Keane, M. Manago (Eds.), XIV, 87 pages. 1995.
Advances in Case-Based Reasoning. Proceedings, 1994. Vol. 1002: J.J. Kistler, Disconnected Operation in a
VIII, 307 pages. 1995. Distributed File System. XIX, 249 pages. 1995.
Vol. 985: T. Sellis (Ed.), Rules in Database Systems. VOL. 1003: P. Pandurang Nayak, Automated Modeling
Proceedings, 1995. VIII, 373 pages. 1995. of Physical Systems. XXI, 232 pages. 1995. (Subseries
Vol. 986: Henry G. Baker (Ed.), Memory I~anagement. LNAI).
Proceedings, 1995. XII, 417 pages. 1995. Vol. 1004: J. Staples, P. Eades, N. Katoh, A. Moffat
Vol. 987: P.E. Camnrati, H. Eveking (Eds.), Correct (Eds.), Algorithms and Computation9 Proceedings,
Hardware Design and Verification Methods. 1995. XV, 440 pages. 1995.
Proceedings, 1995. VIII, 342 pages. 1995. Vol. 1005! J. Estublier (Ed.), Software Configuration
Vol. 988: A.U. Frank, W. Kuhn (Eds.), Spatial Management. Proceedings, 1995. IX, 311 pages. 1995.
Information Theory. Proceedings, 1995. XIII, 571 Vol. 1006: S. Bhalla (Ed,), Information Systems and
pages. 1995. Data Management. Proceedings, 1995. IX, 321 pages.
Vol. 989: W. Sch~ifer, P. Botella (Eds.), Software 1995.
Engineering - - ESEC '95. Proceedings, 1995. XII, 519 Vol. 1007: A. Bosselaers, B. Preneel (Eds.), Integrity
pages. 1995. Primitives for Secure Information Systems. VII, 239
Vol. 990: C. Pinto-Ferreira, N.J. Mamede (Eds.), pages. 1995.
Progress in Artificial Intelligence. Proceedings, 1995. Vol. 1008: B. Preneel (Ed.), Fast Software Encryption.
XIV, 487 pages. 1995. (Subseries LNAI). Proceedings, 1994. VIII, 367 pages. 1995.
Vol. 991: J. Wainer, A. Carvalho (Eds.), Advances in Vol. 1009: M. Broy, S. J~ihnichen (Eds.), KORSO:
Artificial Intelligence. Proceedings, 1995. XII, 342 Methods, Languages, and Toolsfor the Construction
pages. 1995. (Subseries LNAI). of Correct Software. X, 449 pages. 1995. Vol.
Vol. 992: M. Gori, G. Soda (Eds.), Topics in Artificial Vol. 1010: M. Veloso, A. Aamodt (Eds.), Case-Based
Intelligence. Proceedings, 1995. XII, 451 pages. 1995. Reasoning Research and Development. Proceedings,
(Subseries LNAI). 1995. X, 576 pages. 1995. (Subseries LNAI).
Vol. 1011: T. Furuhashi (Ed.), Advances in Fuzzy Vol. 1032: P. Godefroid, Partial-Order Methods for the
Logic, Neural Networks and Genetic Algorithms. Pro- Verification of Concurrent Systems. IV, 143 pages. 1996.
ceedings, 1994. (Subseries LNAI). Vol. 1033: C.-H. Huang, P. Sadayappan, U. Banerjee, D.
Vol. 1012: M. Bartogek, J. Staudek, J. Wiedermann Gelernter, A. Nicolau, D. Padua (Eds.), Languages and
(Eds.), SOFSEM '95: Theory and Practice of Compilers for Parallel Computing. Proceedings, 1995.
Informatics. Proceedings, 1995. XI, 499 pages. 1995. XIII, 597 pages. 1996.
Vol. 1013: T.W. Ling, A.O. Mendelzon, L. Vieille Vol. 1034: G. Kuper, M. Wallace (Eds.), Constraint
(Eds.), Deductive and Object-Oriented Databases. Databases and Applications. Proceedings, 1995. VII, 185
Proceedings, 1995. XIV, 557 pages. 1995. pages. 1996.
Vol. 1014: A.P. d e l Pobil, M.A. Serna, Spatial Vol. 1035: S.Z. Li, D.P. Mital, E.K. Teoh, H. Wang (Eds.),
Representation and Motion Planning. XII, 242 pages. Recent Developments in Computer Vision. Proceedings,
1995. 1995. XI, 604 pages. 1996.
Vol. 1015: B. Blumenthal, J. Gornostaev, C. Unger Vol. 1036: G. Adorni, M. Zock (Eds.), Trends in Natural
(Eds.), Human-Computer Interaction. Proceedings, Language Generation - An Artificial Intelligence
1995. VIII, 203 pages. 1995. Perspective. Proceedings, 1993. IX, 382 pages. 1996.
(Subseries LNAI).
VOL. 1016: R. Cipolla, Active Visual Inference of Surface
Shape. XII, 194 pages. 1995. Vol. 1037: M. Wooldridge, J.P. MiJller, M. Tambe (Eds.),
Vol. 1017: M. Nagl (Ed.), Graph-Theoretic Concepts IntelligentAgents II. Proceedings, 1995. XVI, 437 pages.
1996. (Subseries LNAI).
in Computer Science. Proceedings, 1995. XI, 406 pages.
1995. Vol. 1038: W: Van de Velde, J.W. Perram (Eds.), Agents
Vol. 1018: T.D.C. Little, R. Gusella {Eds.), Network and Breaking Away. Proceedings, 1996. XIV, 232 pages.
Operating Systems Support for Digital Audio and Video. 1996. (Subseries LNAI).
Proceedings, 1995. XI, 357 pages. 1995. Vol. 1039: D. Gollmann (Ed.), Fast Software Encryption.
Proceedings, 1996. X, 219 pages. 1996.
Vol. 1019: E. Brinksma, W.R. Cleaveland, K.G. Larsen,
T. Margaria, B. Steffen (Eds.), Tools and Algorithms Vol. 1040: S. Wermter, E. Riloff, G. Scheler (Eds.),
for the Construction and Analysis of Systems. Selected Connectionist, Statistical, and Symbolic Approaches to
Papers, 1995. VII, 291 pages. 1995. Learning for Natural Language Processing. Proceedings,
1995. IX, 468 pages. 1996. (Subseries LNAI).
Vol. 1020: I.D. Watson (Ed.), Progress in Case-Based
Reasoning. Proceedings, 1995. VIII, 209 pages. 1995. Vol. 1041: J. Dongarra, K. Madsen, J. Wa~niewski (Eds.),
(Subseries LNAI). Applied Parallel Computing. Proceedings, 1995. XII, 562
pages. 1996.
Vol. 1021: M.P. Papazoglou (Ed.), OOER '95: Object-
Oriented and Entity-Relationship Modeling. Proceedings, Vol. 1042: G. WeiB, S. Sen (Eds.), Adaption and Learning
1995. XVII, 451 pages. 1995. in Multi-Agent Systems. Proceedings, 1995. X, 238 pages.
1996. (Subseries LNAI).
Vol. 1022: P.H. Hartel, R. Plasmeijer (Eds.), Functional
Programming Languages in Education. Proceedings, 1995. Vol. 1043: F. Muller, G. Birtwistle (Eds.), Logics for
X, 309 pages. 1995. Copcurrency. XI, 266 pages. 1996.
Vol. 1023: K. Kanchanasut, J.-J. L6vy (Eds.), Algorithms, Vol. 1044: B. Plattner (Ed.), Broadband Communications.
Concurrency and Knowlwdge. Proceedings, 1995. X, 410 Proceedings, 1996. XIV, 359 pages. 1996.
pages. 1995. Vol. 1045: B. Butscher, E. Moeller, H. Pusch (Eds.),
Vol. 1024: R.T. Chin, H.H.S. Ip, A.C. Naiman, T.-C. Pong Interactive Distributed Multimedia Systems and Services.
(Eds.), Image Analysis Applications and Computer Proceedings, 1996. XI, 333 pages. 1996.
Graphics. Proceedings, 1995. XVI, 533 pages. 1995. Vol. 1046: C. Puech, R. Reischuk (Eds.), STACS 96.
Vol. 1025: C. Boyd (Ed.), Cryptography and Coding. Proceedings, 1996. XII, 690 pages. 1996.
Proceedings, 1995. IX, 291 pages. 1995. Vol. 1047: E. Hajnicz, Time Structures. IX, 244 pages.
Vol. 1026: P.S. Thiagarajan (Ed.), Foundations of 1996. (Subseries LNAI).
Software Technology and Theoretical Computer Science. .Vol. 1048: M. Proietti (Ed.), Logic Program Syynthesis
Proceedings, 1995. XII, 515 pages. 1995. and Transformation. Proceedings, 1995. X, 267 pages.
Vol. 1027: F.J. Brandenburg (Ed.), Graph Drawing. 1996.
Proceedings, 1995. XII, 526 pages. 1996. Vol. 1049: K. Futatsugi, S. Matsuoka (Eds.), Object
Vol. 1028: N.R. Adam, Y. Yesha (Eds.), Electronic Technologies for Advanced Software. Proceedings, 1996.
Commerce. X, 155 pages. 1996. X, 309 pages. 1996.
Vol. 1029: E. Dawson, J. Goli6 (Eds.), Cryptography: Vol. 1050: R. Dyckhoff, H. Herre, P. Schroeder-Heister
Policy and Algorithms. Proceedings, 1995. XI, 327 pages. (Eds.), Extensions of Logic Programming. Proceedings,
1996. 1996. VII, 318 pages. 1996. (Subseries LNAI).
Vol. 1030: F. Pichler, R. Moreno-Dfaz, R. Albrecht (Eds.), Vol. 1051: M.-C. Gaudel, J. Woodcock (Eds.), FME '96:
Computer Aided Systems Theory - EUROCAST '95. Industrial Benefit of Formal Methods. Proceedings, 1996.
Proceedings, 1995. XII, 539 pages. 1996. XII, 704 pages. 1996.
Vol.1031: M. Toussaint (Ed.), Ada in Europe.
Proceedings, 1995. XI, 455 pages. 1996.

Lecture Notes in Computer Science: Edited by G. Goos, J. Hartmanis and J. Van Leeuwen

Uploaded by

Copyright:

Available Formats

You might also like

Lecture Notes in Computer Science: Edited by G. Goos, J. Hartmanis and J. Van Leeuwen

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lecture Notes in Computer Science: Edited by G. Goos, J. Hartmanis and J. Van Leeuwen

Uploaded by

Copyright:

Available Formats

Lecture Notes in Computer Science 1043

Edited by G. Goos, J. Hartmanis and J. van Leeuwen

Advisory Board: W. Brauer D. Gries J. Stoer

Logics for Concurrency

Cataloging-in-Publication data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme

Logics for concurrency : s t r u c t u r e versus a u t o m a t a / F a r o n

CR Subject Classification (1991): F.3, F.4, E l , F.2

ISBN 3-540-60915-6 Springer-Verlag Berlin Heidelberg New York

A c k n o w l e d g e m e n t s . The workshop from which this volume emerged was

December 1995 Faron Moller, Stockholm

SAMSON ABRAMSKY is currently Professor of Computer Science at Imperial Col-

E. ALLEN EMERSON is a Bruton Centennial Professor in the Computer Sciences

SIMON GAY is a Lecturer in Computer Science at Royal Holloway, University

YORAM HIRSHFELD received an MSc in Mathematics (non-standard analysis)

FAI:tON MOLLER is currently Vikariat Professor of Distributed Systems in the

RAJAGOPAL NAGARAJAN is currently completing his PhD degree at Imperial

COLIN STIR.LING is Professor of Computer Science at the University of Edin-

MosIJ~. Y. VAaDI is a Noah Harding Professor and Chair of Computer Science

Specification Structures and Propositions-as-Types for Concurrency

A u t o m a t e d Temporal Reasoning about Reactive Systems

Decidability Results in Automata and P r o c e s s T h e o r y

Modal and Temporal Logics for Processes

2.3 Process equivalences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

In this volume are to be found five tutorial-style presentations of various ap-

- What are suitable formalisms for expressing system properties?

Three of the five presentations concentrate on linear- and branching-time tem-

Samson A b r a m s k y Simon Gay Rajagopal Nagarajan

Abstract. Many different notions of "property of interest" and methods

- Even in the most basic form of sequential programming, it has proved

- In the field of static analysis, and particularly in the systematic frame-

- In concurrency, it is standard to separate out classes of properties such

The upshot of this observation is that no one monolithic type system

Co ~"~Cl +-"~Cq +-~-"~"~Ck.

The notion of specification structure, at least in its most basic form, is

- a relation RA,B C_ P A • C(A, B) x P B for each pair of objects A, B

satisfying the s t a n d a r d coherence equations [26]. A specification s t r u c t u r e

qo{f)r qo'{f')r ==~ ~o @ ~o'{f | f ' } r @ r

Writing A ( f ) : A ~ B --o C for the m o r p h i s m corresponding to f :

(A, 7~) | (B, r = (A | B, ~p| r

All the constructions on morphisms in Cs work exactly as t h e y do in C,

- models of Classical (or I n t u i t i o n i s t i c ) L i n e a r Logic including the ad-

- cartesian closed categories [15]

- models of polymorphism [15].

2.1 Examples of Specification Structures

CS is the category of coherence spaces and linear maps [20].

where ~,~ is the n t h partial recursive function in some acceptable

6. C = games and partial strategies, as in [9], PA = all sets of infinite

Such a tower arises by progressively refining Co by specification structures

Each such step adds propositional information to the underlying "raw"

f : (A, ~ 1 , - . . , ~k) ~ (B, •1,..., ~)k)

Interaction Categories [1, 3, 4, 6] are a new paradigm for the semantics of

as the equivalence. We will usually define processes by means of labelled

alltraces(P) aef {e} U {aa I P ~' Q, a E alltraces(Q)}

The fact that P is a process of type A is expressed by the notation P : A.

The duality is trivial on objects: A • a cf A. This means that at the level

A morphism p : A --+ B of ,gl~oc is a process p of type A --r B (so p

then p ; q is this tree.

monA,B ((')"2 idA|

If f : A --~ B then O f : OA -~ OB is defined by the transition O f ('! f .