arxiv: v2 [cs.lo] 10 Jun 2014

Transcription

1 Structurl Refinement for the Modl nu-clculus Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez Inri / IRISA, Cmpus de Beulieu, Rennes CEDEX, Frnce rxiv: v2 [cs.lo] 10 Jun 2014 Abstrct. We introduce new notion of structurl refinement, sound bstrction of logicl impliction, for the modl nu-clculus. Using new trnsltions between the modl nu-clculus nd disjunctive modl trnsition systems, we show tht these two specifiction formlisms re structurlly equivlent. Using our trnsltions, we lso trnsfer the structurl opertions of composition nd quotient from disjunctive modl trnsition systems to the modl nu-clculus. This shows tht the modl nu-clculus supports composition nd decomposition of specifictions. 1 Introduction There re two conceptully different pproches for the specifiction nd verifiction of properties of forml models. Logicl pproches mke use of logicl formule for expressing properties nd then rely on efficient model checking lgorithms for verifying whether or not model stisfies formul. Automt-bsed pproches, on the other hnd, exploit equivlence or refinement checking for verifying properties, given tht models nd properties re specified using the sme (or closely relted) formlism. The logicl pproches hve been quite successful, with plethor of logicl formlisms vilble nd number of successful model checking tools. One prticulrly interesting such formlism is the modl µ-clculus [21], which is universl in the sense tht it generlizes most other temporl logics, yet mthemticlly simple nd menble to nlysis. One centrl problem in the verifiction of forml properties is stte spce explosion: when model is composed of mny components, the stte spce of the combined system quickly grows too big to be nlyzed. To combt this problem, one pproch is to employ compositionlity. When model consists of severl components, ech component would be model checked by itself, nd then the components properties would be composed to yield property which utomticlly is stisfied by the combined model. Similrly, given globl property of model nd component of the model tht is lredy known to stisfy locl property, one would be ble to decompose utomticlly, from the globl property nd the locl property, new property which the rest of the model must stisfy. We refer to [23] for good ccount of these nd other fetures which one would wish specifictions to hve. As n lterntive to logicl specifiction formlisms nd with n eye to compositionlity nd decomposition, utomt-bsed behviorl specifictions were

2 2 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez AG(req AX(work AW grnt)) νx. ( [grnt,idle,work]x [req]νy.( work Y grnt X) [idle,req]ff ) X ν = [grnt,idle,work]x [req]y Y ν = ( work Y grnt X) [idle,req]ff grnt, work, idle grnt req work Fig. 1. An exmple property specified in CTL (top left), in the modl µ-clculus (below left), s modl eqution system (third left), nd s DMTS (right). introduced in [22]. Here the specifiction formlism is generliztion of the modeling formlism, nd the stisfction reltion between models nd specifictions is generlized to refinement reltion between specifictions, which resembles simultion nd bisimultion nd cn be checked with similr lgorithms. For n exmple, we refer to Fig. 1 which shows the property informlly specified s fter req(uest), no idle(ing) is llowed, but only work, until grnt is executed using the logicl formlisms of CTL [15] nd the modl µ-clculus [21] nd the behviorl formlism of disjunctive modl trnsition systems [26]. The precise reltionship between logicl nd behviorl specifiction formlisms hs been subject to some investigtion. In [22], Lrsen shows tht ny modl trnsition system cn be trnslted to formul in Hennessy-Milner logic which is equivlent in the sense of dmitting the sme models. Conversely, Boudol nd Lrsen show in [11] tht ny formul in Hennessy-Milner logic is equivlent to finite disjunction of modl trnsition systems. We hve picked up this work in [6], where we show tht ny disjunctive modl trnsition system (DMTS) is equivlent to formul in the modl ν-clculus, the sfety frgment of the modl µ-clculus which uses only mximl fixed points, nd vice vers. (Note tht the modl ν-clculus is equivlent to Hennessy-Milner logic with recursion nd mximl fixed points.) Moreover, we show in [6] tht DMTS re s expressive s (non-deterministic) cceptnce utomt [30, 31]. Together with the inclusions of [7], this settles the expressivity question for behviorl specifictions: they re t most s expressive s the modl ν-clculus. In this pper, we show tht not only re DMTS s expressive s the modl ν-clculus, but the two formlisms re structurlly equivlent. Introducing new notion of structurl refinement for the modl ν-clculus ( sound bstrction of logicl impliction), we show tht one cn freely trnslte between the modl ν-clculus nd DMTS, while preserving structurl refinement. DMTS form complete specifiction theory [2] in tht they both dmit logicl opertions of conjunction nd disjunction nd structurl opertions of composition nd quotient [6]. Hence they support full compositionlity nd decomposition in the sense of [23]. Using our trnsltions, we cn trnsport these notions

3 Structurl Refinement for the Modl nu-clculus 3 to the modl ν-clculus, thus lso turning the modl ν-clculus into complete specifiction theory. In order to rrive t our trnsltions, we first recll DMTS nd (non-deterministic) cceptnce utomt in Section 2. We lso introduce new hybrid modl logic, which cn serve s compct representtion for cceptnce utomt nd should be of interest in itself. Afterwrds we show, using the trnsltions introduced in [6], tht these formlisms re structurlly equivlent. In Section 3 we recll the modl ν-clculus nd review the trnsltions between DMTS nd the modl ν-clculus which were introduced in [6]. These in turn re bsed on work by Boudol nd Lrsen in [11, 22], hence firly stndrd. We show tht, though semnticlly correct, the two trnsltions re structurlly mismtched in tht they relte DMTS refinement to two different notions of ν-clculus refinement. To fix the mismtch, we introduce new trnsltion from the modl ν-clculus to DMTS nd show tht using this trnsltion, the two formlisms re structurlly equivlent. In Section 4, we use our trnsltions to turn the modl ν-clculus into complete specifiction theory. We remrk tht ll our trnsltions nd constructions re bsed on new norml form for ν-clculus expressions, nd tht turning ν-clculus expression into norml form my incur n exponentil blow-up. However, the trnsltions nd constructions preserve the norml form, so tht this trnsltion only need be pplied once in the beginning. We lso note tht composition nd quotient opertors re used in other logics such s e.g. sptil [14] or seprtion logics [32, 28]. However, in these logics they re treted s first-clss opertors, i.e. s prt of the forml syntx. In our pproch, on the other hnd, they re defined s opertions on logicl expressions which s results gin yield logicl expressions (without compositions or quotients). Note tht some proofs hve been relegted to seprte ppendix. 2 Structurl Specifiction Formlisms Let Σ be finite set of lbels. A lbeled trnsition system (LTS) is structure I = (S,S 0, ) consisting of finite set of sttes S, subset S 0 S of initil sttes nd trnsition reltion S Σ S. Disjunctive modl trnsition systems. A disjunctive modl trnsition system (DMTS) is structure D = (S,S 0,, ) consisting of finite sets S S 0 of sttes nd initil sttes, my-trnsition reltion S Σ S, nd disjunctive must-trnsition reltion S 2 Σ S. It is ssumed tht for ll (s,n) nd ll (,t) N, (s,,t). As customry, we write s t insted of (s,,t), s N insted of (s,n), s if there exists t for which s t, nd s if there does not. The intuition is tht my-trnsitions s t specify which trnsitions re permitted in n implementtion, wheres must-trnsitions s N stipultes disjunctive requirement: t lest one of the choices (,t) N must be imple-

4 4 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez mented. A DMTS (S,S 0,, ) is n implementtion if = {(s,{(,t)}) s t}; DMTS implementtions re precisely LTS. DMTS were introduced in [26] in the context of eqution solving, or quotient, for specifictions nd re used e.g. in [5] for LTL model checking. They re nturl closure of modl trnsition systems (MTS) [22] in which ll disjunctive must-trnsitions s N led to singletons N = {(, t)}. LetD 1 = (S 1,S1 0, 1, 1 ),D 2 = (S 2,S2 0, 2, 2 ) be DMTS. A reltion R S 1 S 2 is modl refinement if it holds for ll (s 1,s 2 ) R tht for ll s 1 t 1 there is t 2 S 2 with s 2 t 2 nd (t 1,t 2 ) R, nd for ll s 2 N 2 there is s 1 N 1 such tht for ech (,t 1 ) N 1 there is (,t 2 ) N 2 with (t 1,t 2 ) R. We sy tht D 1 modlly refines D 2, denoted D 1 m D 2, whenever there exists modl refinement R such tht for ll s 0 1 S1, 0 there exists s 0 2 S2 0 for which (s 0 1,s0 2 ) R. We write D 1 m D 2 if D 1 m D 2 nd D 2 m D 1. For sttes s 1 S 1, s 2 S 2, we write s 1 m s 2 if the DMTS (S 1,{s 1 }, 1, 1 ) m (S 2,{s 2 }, 2, 2 ). Note tht modl refinement is reflexive nd trnsitive, i.e. preorder on DMTS. Also, the reltion on sttes m S 1 S 2 defined bove is itself modl refinement, indeed the mximl modl refinement under the subset ordering. The set of implementtions of n DMTS D is D = {I m D I implementtion}. This is, thus, the set of ll LTS which stisfy the specifiction given by the DMTS D. We sy tht D 1 thoroughly refines D 2, nd write D 1 th D 2, if D 1 D 2. We write D 1 th D 2 if D 1 th D 2 nd D 2 th D 1. For sttes s 1 S 1, s 2 S 2, we write s 1 = (S 1,{s 1 }, 1, 1 ) nd s 1 th s 2 if s 1 s 2. The below proposition, which follows directly from trnsitivity of modl refinement, shows tht modl refinement is sound with respect to thorough refinement; in the context of specifiction theories, this is wht one would expect, nd we only include it for completeness of presenttion. It cn be shown tht modl refinement is lso complete for deterministic DMTS [8], but we will not need this here. Proposition 1. For ll DMTS D 1, D 2, D 1 m D 2 implies D 1 th D 2. We introduce new construction on DMTS which will be of interest for us; intuitively, it dds ll possible my-trnsitions without chnging the implementtion semntics. The my-completion of DMTS D = (S,S 0,, ) is mc(d) = (S,S 0, mc, ) with mc = {(s,,t ) S Σ S (s,,t) : t th t}. Note tht to compute the my-completion of DMTS, one hs to decide thorough refinements, hence this computtion (or, more precisely, deciding whether given DMTS is my-complete) is EXPTIME-complete [9]. We show n exmple of my-completion in Fig. 2. Proposition 2. For ny DMTS D, D m mc(d) nd D th mc(d).

5 Structurl Refinement for the Modl nu-clculus 5 D u 1 v 1 b,c mc(d) u 1 v 1 b,c s t 1 t 3 u 2 u 3 d v 3 b s t 1 th t 3 u 2 u 3 d th v 3 b,c b Fig.2. A MTS D (left) nd its my-completion mc(d) (right). In mc(d), the semntic inclusions which led to extr my-trnsitions re depicted with dotted rrows. Proof. It is lwys the cse thtd m D, nd dding my trnsitions on the right side preserves modl refinement. Therefore it is immedite tht D m mc(d), hence lso D th mc(d). To prove tht mc(d) th D, we consider n implementtion I m mc(d); we must prove tht I m D. Write D = (S,S 0,, ), I = (I,I 0, I, I ) nd mc(d) = (S,S 0, mc, ). Let R I S be the lrgest modl refinement between I nd mc(d). We now prove tht R is lso modl refinement between I nd D. For ll (i,d) R: For ll i I i, there exists d S such tht d mc d nd (i,d ) R. Then by definition of mc, there exists d S such tht d d nd d d. (i,d ) R implies i d, which implies i d. This mens tht i m d, nd since R is the lrgest refinement reltion in I S it must be the cse tht (i,d ) R. The cse of must trnsitions follows immeditely, since must trnsitions re exctly the sme in D nd mc(d). Exmple 3. The exmple in Fig. 2 shows tht generlly, mc(d) m D. First, t 3 th t 1 : For n implementtion I = (I,I 0, ) t 3 with modl refinement R I {t 3,u 3,v 3 }, define R I {t 1,u 1,u 2,v 1 } by R = {(i,t 1 ) (i,t 3 ) R} {(i,v 1 ) (i,v 3 ) R} {(i,u 1 ) (i,u 3 ) R,i {(i,u 2 ) (i,u 3 ) R,i } }, then R is modl refinement I m t 1. Similrly, t 3 th t 1 in mc(d). On the other hnd, t 3 m t 1 (nd similrly, t 3 m t 1 ), becuse neither u 3 m u 1 nor u 3 m u 2. Now in the modl refinement gme between mc(d) nd D, the my-trnsitions t 3 hs to be mtched by s t 1, but then t 3 m t 1, hence mc(d) m D. Also, the my-completion does not necessrily preserve modl refinement: Consider the DMTS D from Fig. 2 nd D 1 from Fig. 3, nd note first tht mc(d 1 ) = D 1. It is esy to see tht D m D 1 (just mtch sttes in D with their

6 6 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez D 1 s t 1 u 1 u 2 d v 1 b,c D 2 s t u v b Fig.3. DMTS D 1, D 2 from Exmple 3. double-prime cousins in D 1 ), but mc(d) m mc(d 1 ) = D 1 : the my-trnsition s t 3 hs to be mtched by s t 1 nd t 3 m t 1. Lstly, the my-completion cn lso crete modl refinement: Considering the DMTS D 2 from Fig. 3, we see tht D 2 m D, but mc(d 2 ) = D 2 m mc(d). Acceptnce utomt. A (non-deterministic) cceptnce utomton (AA) is structure A = (S,S 0, Trn), with S S 0 finite sets of sttes nd initil sttes nd Trn : S 2 2Σ S n ssignment of trnsition constrints. We ssume tht for ll s 0 S 0, Trn(s 0 ). An AA is n implementtion if it holds for ll s S tht Trn(s) = {M} is singleton; hence lso AA implementtions re precisely LTS. Acceptnce utomt were first introduced in [30] (see lso [31], where slightly different lnguge-bsed pproch is tken), bsed on the notion of cceptnce trees in [20]; however, there they re restricted to be deterministic. We employ no such restriction here. The following notion of modl refinement for AA ws lso introduced in [30]. Let A 1 = (S 1,S 0 1, Trn 1 ) nd A 2 = (S 2,S 0 2, Trn 2 ) be AA. A reltion R S 1 S 2 is modl refinement if it holds for ll(s 1,s 2 ) R nd llm 1 Trn 1 (s 1 ) tht there exists M 2 Trn 2 (s 2 ) such tht (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R, (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R. As for DMTS, we write A 1 m A 2 whenever there exists modl refinement R such tht for ll s 0 1 S 0 1, there exists s 0 2 S 0 2 for which (s 0 1,s 0 2) R. Sets of implementtions nd thorough refinement re defined s for DMTS. Note tht s both AA nd DMTS implementtions re LTS, it mkes sense to use thorough refinement nd equivlence cross formlisms, writing e.g. A th D for n AA A nd DMTS D. Hybrid modl logic. We introduce hybrid modl logic which cn serve s compct representtion of AA. This logic is closely relted to the Boolen modl trnsition systems of [7] nd hybrid in the sense of [29, 10]: it contins nominls, nd the semntics of nominl is given s ll sets which contin the nominl. For finite set X of nominls, let L(X) be the set of formule generted by the bstrct syntx L(X) φ := tt ff x φ φ φ, for Σ nd x X. The semntics of formul is set of subsets of Σ X, given s follows: tt = 2 Σ X, ff =, φ = 2 Σ X \ φ, x = {M Σ X (,x) M}, nd φ ψ = φ ψ. We lso define disjunction φ 1 φ 2 = (φ 1 φ 2 ).

7 Structurl Refinement for the Modl nu-clculus 7 An L-expression is structure E = (X,X 0,Φ) consisting of finite sets X 0 X of vribles nd mpping Φ : X L(X). Such n expression is n implementtion if Φ(x) = {M} is singleton for ech x X. It cn esily be shown tht L-implementtions precisely correspond to LTS. Let E 1 = (X 1,X 0 1,Φ 1 ) nd E 2 = (X 2,X 0 2,Φ 2 ) be L-expressions. A reltion R X 1 X 2 is modl refinement if it holds for ll (x 1,x 2 ) R nd ll M 1 Φ 1 (x 1 ) tht there exists M 2 Φ 2 (x 2 ) such tht (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R, (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R. Agin, we write E 1 m E 2 whenever there exists such modl refinement R such tht for ll x 0 1 X 0 1, there exists x 0 2 X 0 2 for which (x 0 1,x 0 2) R. Sets of implementtions nd thorough refinement re defined s for DMTS. Structurl equivlence. We proceed to show tht the three formlisms introduced in this section re structurlly equivlent. Using the trnsltions between AA nd DMTS discovered in [6] nd new trnsltions between AA nd hybrid logic, we show tht these respect modl refinement. The trnsltions l, l between AA nd our hybrid logic re strightforwrd: For n AA A = (S,S 0, Trn) nd ll s S, let ( Φ(s) = t ) b u M Trn(s) (,t) M (b,u)/ M nd define the L-expression l(a) = (S,S 0,Φ). For n L-expression E = (X,X 0,Φ) nd ll x X, let Trn(x) = Φ(x) nd define the AA l(e) = (X,X 0, Trn). The trnsltions d, d between DMTS nd AA were discovered in [6]. For DMTS D = (S,S 0,, ) nd ll s S, let Trn(s) = {M Σ S (,t) M : s t, s N : N M } nd define the AA d(d) = (S,S 0, Trn). 1 For n AA A = (S,S 0, Trn), define the DMTS d(a) = (D,D 0,, ) s follows: D = {M Trn(s) s S} D 0 = {M 0 Trn(s 0 ) s 0 S 0 } = {( M,{(,M ) M Trn(t)} ) (,t) M } = {(M,,M ) M N : (,M ) N} Note tht the stte spces of A nd d(a) re not the sme; the one of d(a) my be exponentilly lrger. The following lemm shows tht this explosion is unvoidble: Lemm 4. There exists one-stte AA A for which ny DMTS D th A hs t lest 2 n 1 sttes, where n is the size of the lphbet Σ. 1 Note tht there is n error in the corresponding formul in [6].

8 8 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez We notice tht LTS re preserved by ll trnsltions: for ny LTS I, l(i) = l(i) = d(i) = d(i) = I. In [6] it is shown tht the trnsltions between AA nd DMTS respect sets of implementtions, i.e. tht d(d) th D nd d(a) th A for ll DMTS D nd ll AA A. The next theorem shows tht these nd the other presented trnsltions respect modl refinement, hence these formlisms re not only semnticlly equivlent, but structurlly equivlent. Theorem 5. For ll AA A 1, A 2, DMTS D 1,D 2 nd L-expressions E 1, E 2 : 1. A 1 m A 2 iff l(a 1 ) m l(a 2 ), 2. E 1 m E 2 iff l(e 1 ) m l(e 2 ), 3. D 1 m D 2 iff d(d 1 ) m d(d 2 ), nd 4. A 1 m A 2 iff d(a 1 ) m d(a 2 ). Proof (sketch). We give few hints bout the proofs of the equivlences; the detils cn be found in ppendix. The first two equivlences follow esily from the definitions, once one notices tht for both trnsltions, Φ(x) = Trn(x) for ll x X. For the third equivlence, we cn show tht DMTS modl refinement D 1 m D 2 is lso n AA modl refinement d(d 1 ) m d(d 2 ) nd vice vers. The fourth equivlence is slightly more tricky, s the stte spce chnges. If R S 1 S 2 is n AA modl refinement reltion witnessing A 1 m A 2, then we cn construct DMTS modl refinement R D 1 D 2, which witnesses d(a 1 ) m d(a 2 ), by R = {(M 1,M 2 ) (s 1,s 2 ) R : M 1 Trn 1 (s 1 ),M 2 Trn(s 2 ), (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R, (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R}. Conversely, if R D 1 D 2 is DMTS modl refinement witnessing d(a 1 ) m d(a 2 ), then R S 1 S 2 given by R = {(s 1,s 2 ) M 1 Trn 1 (s 1 ) : M 2 Trn 2 (s 2 ) : (M 1,M 2 ) R} is n AA modl refinement. The result on thorough equivlence from [6] now esily follows: Corollry 6. For ll AA A, DMTS D nd L-expressions E, l(a) th A, l(e) th E, d(d) th D, nd d(a) th A. Also soundness of modl refinement for AA nd hybrid logic follows directly from Theorem 5: Corollry 7. For ll AA A 1 nd A 2, A 1 m A 2 implies A 1 th A 2. For ll L-expressions E 1 nd E 2, E 1 m E 2 implies E 1 th E 2.

9 3 The Modl ν-clculus Structurl Refinement for the Modl nu-clculus 9 We wish to extend the structurl equivlences of the previous section to the modl ν-clculus. Using trnsltions between AA, DMTS nd ν-clculus bsed on work in [22, 11], it hs been shown in [6] tht ν-clculus nd DMTS/AA re semnticlly equivlent. We will see below tht there is mismtch between the trnsltions from [6] (nd hence between the trnsltions in [22, 11]) which precludes structurl equivlence nd then proceed to propose new trnsltion which fixes the mismtch. Syntx nd semntics. We first recll the syntx nd semntics of the modl ν-clculus, the frgment of the modl µ-clculus [33, 21] with only mximl fixed points. Insted of n explicit mximl fixed point opertor, we use the representtion by eqution systems in Hennessy-Milner logic developed in [24]. For finite set X of vribles, let H(X) be the set of Hennessy-Milner formule, generted by the bstrct syntx H(X) φ ::= tt ff x φ []φ φ φ φ φ, for Σ nd x X. A declrtion is mpping : X H(X); we recll the mximl fixed point semntics of declrtions from [24]. Let (S,S 0, ) be n LTS, then n ssignment is mpping σ : X 2 S. The set of ssignments forms complete lttice with order σ 1 σ 2 iff σ 1 (x) σ 2 (x) for ll x X nd lowest upper ) (x) = i I σ i(x). bound ( i I σ i The semntics of formul is subset of S, given reltive to n ssignmentσ, defined s follows: tt σ = S, ff σ =, x σ = σ(x), φ ψ σ = φ σ ψ σ, φ ψ σ = φ σ ψ σ, nd φ σ = {s S s s : s φ σ}, []φ σ = {s S s s : s φ σ}. The semntics of declrtion is then the ssignment defined by = {σ : X 2 S x X : σ(x) (x) σ}; the mximl (pre)fixed point of. A ν-clculus expression is structure N = (X,X 0, ), with X 0 X sets of vribles nd : X H(X) declrtion. We sy tht n LTS I = (S,S 0, ) implements (or models) the expression, nd write I = N, if it holds tht for ll s 0 S 0, there is x 0 X 0 such tht s 0 (x 0 ). We write N for the set of implementtions (models) of ν-clculus expression N. As for DMTS, we write x = (X,{x}, ) for x X, nd thorough refinement of expressions nd sttes is defined ccordingly. The following lemm introduces norml form for ν-clculus expressions: Lemm 8. For ny ν-clculus expression N 1 = (X 1,X1 0, 1), there exists nother expression N 2 = (X 2,X2 0, 2) with N 1 = N 2 nd such tht for ny x X, 2 (x) is of the form 2 (x) = ( ij x ij ) ( ) [] (1) i I j J i Σ j J y,j

10 10 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez for finite (possibly empty) index sets I, J i, J, for i I nd Σ, nd ll x ij,y,j X 2. Additionlly, for ll i I nd j J i, there exists j J ij for which x ij th y ij,j. As this is type of conjunctive norml form, it is cler tht trnslting ν-clculus expression into norml form my incur n exponentil blow-up. We introduce some nottion for ν-clculus expressions in norml form which will mke our life esier lter. LetN = (X,X 0, ) be such n expression nd x X, with (x) = ) i I ( j J i ij x ij Σ []( ) j J y,j s in the lemm. Define (x) = {{( ij,x ij ) j J i } i I} nd, for ech Σ, (x) = {y,j j J }. Note tht now (x) = ( N (x) (,y) N y) Σ []( y (x) y). Refinement. In order to expose our structurl equivlence, we need to introduce notion of modl refinement for the modl ν-clculus. For resons which will become pprent lter, we define two different such notions: Let N 1 = (X 1,X 0 1, 1), N 2 = (X 2,X 0 2, 2) be ν-clculus expressions in norml form nd R X 1 X 2. The reltion R is modl refinement if it holds for ll (x 1,x 2 ) R tht 1. for ll Σ nd every y 1 1 (x 1), there is y 2 2 (x 2) for which (y 1,y 2 ) R, nd 2. for ll N 2 2 (x 2 ) there is N 1 1 (x 1 ) such tht for ech (,y 1 ) N 1, there exists (,y 2 ) N 2 with (y 1,y 2 ) R. R is modl-thorough refinement if, insted of 1., it holds tht 1. for ll Σ, ll y 1 1 (x 1) nd every y 1 X 1 with y 1 th y 1, there is y 2 2 (x 2) nd y 2 X 2 such tht y 2 th y 2 nd (y 1,y 2 ) R. We sy tht N 1 refines N 2 whenever there exists such refinement R such tht for every x 0 1 X0 1 there exists x0 2 X0 2 for which (x0 1,x0 2 ) R. We write N 1 m N 2 in cse of modl nd N 1 mt N 2 in cse of modl-thorough refinement. We remrk tht wheres modl refinement for ν-clculus expressions is simple nd entirely syntctic notion, modl-thorough refinement involves semntic inclusions of sttes. Using results in [9], this implies tht modl refinement cn be decided in time polynomil in the size of the (norml-form) expressions, wheres deciding modl-thorough refinement is EXPTIME-complete. Trnsltion from DMTS to ν-clculus. Our trnsltion from DMTS to ν- clculus is new, but similr to the trnsltion from AA to ν-clculus given in [6]. This in turn is bsed on the chrcteristic formule of [22] (see lso [1]). For DMTS D = (S,S 0,, ) nd ll s S, we define (s) = {N s N} nd, for ech Σ, (s) = {t s t}. Then, let (s) = ( t ) ( ) [] t N (s) (,t) N Σ t (s) nd define the (norml-form) ν-clculus expression dh(d) = (S,S 0, ).

11 Structurl Refinement for the Modl nu-clculus 11 Note how the formul precisely expresses tht we demnd t lest one of every choice of disjunctive must-trnsitions (first prt) nd permit ll my-trnsitions (second prt); this is lso the intuition of the chrcteristic formule of [22]. Using results of [6] (which introduces very similr trnsltion from AA to ν-clculus expressions), we see tht dh(d) th D for ll DMTS D. Theorem 9. For ll DMTS D 1 nd D 2, D 1 m D 2 iff dh(d 1 ) m dh(d 2 ). Proof. For the forwrd direction, let R S 1 S 2 be modl refinement between D 1 = (S 1,S1 0, 1, 1 ) nd D 2 = (S 2,S2 0, 2, 2 ); we show tht R is lso modl refinement between dh(d 1 ) = (S 1,S1, 0 1 ) nd dh(d 2 ) = (S 2,S2, 0 2 ). Let (s 1,s 2 ) R. Let Σ nd t 1 1 (s 1), then s 1 1 t 1, which implies tht there is t 2 S 2 for whichs 2 2 t 2 nd(t 1,t 2 ) R. By definition of 2, t 2 2 (s 2). LetN 2 2 (s 2 ), then s 2 2 N 2, which implies tht there existss 1 1 N 1 such tht (,t 1 ) N 1 : (,t 2 ) N 2 : (t 1,t 2 ) R. By definition of 1, N 1 1 (s 1). For the other direction, let R S 1 S 2 be modl refinement between dh(d 1 ) nd dh(d 2 ), we show tht R is lso modl refinement between D 1 nd D 2. Let (s 1,s 2 ) R. For ll s 1 1 t 1, t 1 1(s 1 ), which implies tht there is t 2 2(s 2 ) with (t 1,t 2 ) R, nd by definition of 2, s 2 2 t 2. For ll s 2 2 N 2, N 2 2 (s 2 ), which implies tht there is N 1 1 (s 1 ) such tht (,t 1 ) N 1 : (,t 2 ) N 2 : (t 1,t 2 ) R, nd by definition of 1, s 1 1 N 1. Old trnsltion from ν-clculus to DMTS. We recll the trnsltion from ν-clculus to DMTS given in [6], which is bsed on trnsltion from Hennessy- Milner formule (without recursion nd fixed points) to sets of cyclic MTS in [11]. For ν-clculus expression N = (X,X 0, ) in norml form, let = {(x,,y ) X Σ X y (x) : y th y}, = {(x,n) x X,N (x)}. nd define the DMTS hd t (N) = (X,X 0,, ). Note how this trnsltes dimonds to disjunctive must-trnsitions directly, but for boxes tkes semntic inclusions into ccount: for subformul []y, mytrnsitions re creted to ll vribles which re semnticlly below y. This is consistent with the interprettion of formule-s-properties: []y mens for ny -trnsition, (y) must hold ; but (y) holds for ll vribles which re semnticlly below y. It follows from results in [6] (which uses slightly different norml form for ν-clculus expressions) tht hd t (N) th N for ll ν-clculus expressions N. Theorem 10. For ll ν-clculus expressions, N 1 mt N 2 iff hd t (N 1 ) m hd t (N 2 ).

12 12 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez Proof. For the forwrd direction, let R X 1 X 2 be modl-thorough refinement between N 1 = (X 1,X 0 1, 1) nd N 2 = (X 2,X 0 2, 2). We show tht R is lso modl refinement between hd t (N 1 ) = (X 1,X 0 1, 1, 2 ) nd hd t (N 2 ) = (X 2,X 0 2, 2, 2 ). Let (x 1,x 2 ) R. Let x 1 1 y 1. By definition of 1, there is y 1 1(x 1 ) for which y 1 th y 1. Then by modl-thorough refinement, this implies tht there exists y 2 2 (x 2) nd y 2 X 2 such tht y 2 th y 2 nd (y 1,y 2 ) R. By definition of 2 we hve x 2 2 y 2. Let x 2 2 N 2, then we hve N 2 2 (x 2 ). By modl-thorough refinement, this implies tht there is N 1 1 (x 1 ) such tht (,y 1 ) N 1 : (,y 2 ) N 2 : (y 1,y 2 ) R. By definition of 1, x 1 1 N 1. Now to the proof tht hd t (N 1 ) m hd t (N 2 ) implies N 1 mt N 2. We hve modl refinement (in the DMTS sense) R X 1 X 2. We must show tht R is lso modl-thorough refinement. Let (x 1,x 2 ) R. Let Σ, y 1 1(x 1 ) nd y 1 X 1 such tht y 1 th y 1. Then by definition of 1, x 1 x 2 1 y 1. By modl refinement, this implies tht there exists 2 y 2 with (y 1,y 2) R. Finlly, by definition of 2, there exists y 2 2 (x 2) such tht y 2 th y 2. Let N 2 2 (x 2 ), then by definition of 2, x 2 2 N 2. Then, by modl refinement, this implies tht there exists x 1 1 N 1 such tht (,y 1 ) N 1 : (,y 2 ) N 2 : (y 1,y 2 ) R. By definition of 1, N 1 1 (x 1). Discussion. Notice how Theorems 9 nd 10 expose mismtch between the trnsltions: dh reltes DMTS refinement to ν-clculus modl refinement, wheres hd t reltes it to modl-thorough refinement. Both trnsltions re well-grounded in the literture nd well-understood, cf. [6, 11, 22], but this mismtch hs not been discovered up to now. Given tht the bove theorems cn be understood s universl properties of the trnsltions, it mens tht there is no notion of refinement for ν-clculus which is consistent with them both. The following lemm, esily shown by inspection, shows tht this discrepncy is relted to the my-completion for DMTS: Lemm 11. For ny DMTS D, mc(d) = hd t (dh(d)). As corollry, we see tht modl refinement nd modl-thorough refinement for ν-clculus re incomprble: Referring bck to Exmple 3, we hve D m D 1, hence by Theorem 9, dh(d) m dh(d 1 ). On the other hnd, we know tht mc(d) m mc(d 1 ), i.e. by Lemm 11, hd t (dh(d)) m hd t (dh(d 1 )), nd then by Theorem 10, dh(d) mt dh(d 1 ). To expose n exmple where modl-thorough refinement holds, but modl refinement does not, we note tht mc(d 2 ) m mc(d) implies, gin using Lemm 11 nd Theorem 10, tht dh(d 2 ) mt dh(d). On the other hnd, we know tht D 2 m D, so by Theorem 9, dh(d 2 ) m dh(d). New trnsltion from ν-clculus to DMTS. We now show tht the mismtch between DMTS nd ν-clculus expressions cn be fixed by introducing new, simpler trnsltion from ν-clculus to DMTS.

13 Structurl Refinement for the Modl nu-clculus 13 For ν-clculus expression N = (X,X 0, ) in norml form, let = {(x,,y) X Σ X y (x)}, = {(x,n) x X,N (x)}. nd define the DMTS hd(n) = (X,X 0,, ). This is simple syntctic trnsltion: boxes re trnslted to disjunctive must-trnsitions nd dimonds to my-trnsitions. Theorem 12. For ll ν-clculus expressions, N 1 m N 2 iff hd(n 1 ) m hd(n 2 ). Proof. Let R X 1 X 2 be modl refinement between N 1 = (X 1,X 0 1, 1) nd N 2 = (X 2,X 0 2, 2); we show tht R is lso modl refinement between hd(n 1 ) = (S 1,S 0 1, 1, 1 ) nd hd(n 2 ) = (S 2,S 0 2, 2, 2 ). Let (x 1,x 2 ) R. Letx 1 1 y 1, then y 1 1 (x 1), which implies tht there existsy 2 2 (x 2) for which (y 1,y 2 ) R, nd by definition of 2, x 2 2 y 2. Let x 2 2 N 2, then N 2 2 (x 2 ), hence there is N 1 1 (x 1 ) such tht (,y 1 ) N 1 : (,y 2 ) N 2 : (y 1,y 2 ) R, nd by definition of 1, x 1 1 N 1. Now let R X 1 X 2 be modl refinement between hd(n 1 ) nd hd(n 2 ), we show tht R is lso modl refinement between N 1 nd N 2. Let (x 1,x 2 ) R, Let Σ nd y 1 1(x 1 ). Then x 1 1 y 1, which implies tht there is y 2 X 2 for which x 2 2 y 2 nd (y 1,y 2 ) R, nd by definition of 2, t 2 2(s 2 ). Let N 2 2 (x 2 ), then x 2 2 N 2, so there is x 1 1 N 1 such tht (,y 1 ) N 1 : (,y 2 ) N 2 : (y 1,y 2 ) R. By definition of 1, N 1 1(x 1 ). We finish the section by proving tht lso for the syntctic trnsltion hd(n) th N for ll ν-clculus expressions; this shows tht our trnsltion cn serve s replcement for the prtly-semntic hd t trnsltion from [6, 11]. First we remrk tht dh nd hd re inverses to ech other: Proposition 13. For ny ν-clculus expression N, dh(hd(n)) = N; for ny DMTS D, hd(dh(d)) = D. Corollry 14. For ll ν-clculus expressions N, hd(n) th N. 4 The Modl ν-clculus s Specifiction Theory Now tht we hve exposed close structurl correspondence between the modl ν-clculus nd DMTS, we cn trnsfer the opertions which mke DMTS complete specifiction theory to the ν-clculus.

14 14 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez Refinement nd implementtions. As for DMTS nd AA, we cn define n embedding of LTS into the modl ν-clculus so tht implementtion = nd refinement m coincide. We sy tht ν-clculus expression (X,X 0, ) in norml form is n implementtion if (x) = {{(,y)} y (x), Σ} for ll x X. The ν-clculus trnsltion of LTS (S,S 0, ) is the expression (S,S 0, ) in norml form with (s) = {{(,t)} s t} nd (s) = {t s t}. This defines bijection between LTS nd ν-clculus implementtions. Theorem 15. For ny LTS I nd ny ν-clculus expression N, I = N iff I m N. Proof. I = N is the sme s I N, which by Corollry 14 is equivlent to I hd(n). By definition, this is the sme s I m hd(n), which using Theorem 12 is equivlent to I m N. Using trnsitivity, this implies tht modl refinement for ν-clculus is sound: Corollry 16. For ll ν-clculus expressions, N 1 m N 2 implies N 1 th N 2. Disjunction nd conjunction. As for DMTS, disjunction of ν-clculus expressions is stright-forwrd. Given ν-clculus expressions N 1 = (X 1,X 0 1, 1 ), N 2 = (X 2,X 0 2, 2) in norml form, their disjunction isn 1 N 2 = (X 1 X 2,X 0 1 X0 2, ) with (x 1 ) = 1 (x 1 ) for x 1 X 1 nd (x 2 ) = 2 (x 2 ) for x 2 X 2. The conjunction of ν-clculus expressions like bove is N 1 N 2 = (X,X 0, ) defined by X = X 1 X 2, X 0 = X 0 1 X0 2, (x 1,x 2 ) = 1 (x 1) 2 (x 2) for ech (x 1,x 2 ) X, Σ, nd for ech (x 1,x 2 ) X, (x 1,x 2 ) = { {(,(y 1,y 2 )) (,y 1 ) N 1,(y 1,y 2 ) (x 1,x 2 )} N1 1 (x 1 ) } { {(,(y 1,y 2 )) (,y 2 ) N 2,(y 1,y 2 ) (x 1,x 2 )} N2 2 (x 2 ) }. Note tht both N 1 N 2 nd N 1 N 2 re gin ν-clculus expressions in norml form. Theorem 17. For ll ν-clculus expressions N 1, N 2, N 3 in norml form, N 1 N 2 m N 3 iff N 1 m N 3 nd N 2 m N 3, N 1 m N 2 N 3 iff N 1 m N 2 nd N 1 m N 3, N 1 N 2 = N 1 N 2, nd N 1 N 2 = N 1 N 2. Theorem 18. With opertions nd, the clss of ν-clculus expressions forms bounded distributive lttice up to m. The bottom element (up to m ) in the lttice is the empty ν-clculus expression = (,, ), nd the top element (up to m ) is = ({s},{s}, ) with (s) = tt.

15 Structurl Refinement for the Modl nu-clculus 15 Structurl composition. The structurl composition opertor for specifiction theory is to mimic, t specifiction level, the structurl composition of implementtions. Tht is to sy, if is composition opertor for implementtions (LTS), then the gol is to extend to specifictions such tht for ll specifictions S 1, S 2, S 1 S 2 = { I 1 I 2 I 1 S 1,I 2 S 2 }. (2) For simplicity, we use CSP-style synchroniztion for structurl composition of LTS, however, our results redily crry over to other types of composition. Anlogously to the sitution for MTS [8], we hve the following negtive result: Theorem 19. There is no opertor for the ν-clculus which stisfies (2). Proof. We first note tht due to Theorem 17, it is the cse tht implementtion sets of ν-clculus expressions re closed under disjunction: for ny ν-clculus expression N nd I 1,I 2 N, lso I 1 I 2 N. Now ssume there were n opertor s in the theorem, then becuse of the trnsltions, (2) would lso hold for DMTS. Hence for ll DMTSD 1,D 2,{I 1 I 2 I 1 D 1,I 2 D 2 } would be closed under disjunction. But Exmple 7.8 in [8] exhibits two DMTS (ctully, MTS) for which this is not the cse, contrdiction. Given tht we cnnot hve (2), the revised gol is to hve sound composition opertor for which the right-to-left inclusion holds in (2). We cn obtin one such from the structurl composition of AA introduced in [6]. We hence define, for ν-clculus expressions N 1 = (X 1,X 0 1, 1), N 2 = (X 2,X 0 2, 2) in norml form, N 1 N 2 = h(h(n 1 ) A h(n 2 )), where A is AA composition nd we write h = dh d nd h = d hd for the composed trnsltions. Notice tht the involved trnsltion from AA to DMTS my led to n exponentil blow-up. Unrveling the definition gives us the following explicit expression for N 1 N 2 = (X,X 0, ): X = { {(,(y 1,y 2 )) i {1,2} : (,y i ) M i } i {1,2} : Mi Σ X i, x i X i : (,y i ) M i : y i i (x i), N i i (x i ) : N i M i }, X 0 = { {(,(y 1,y 2 )) i {1,2} : (,y i ) M i } i {1,2} : Mi Σ X i, x i X 0 i : (,y i ) M i : y i i (x i), N i i (x i ) : N i M i }, (x) = { {(,{(b,(z 1,z 2 )) i {1,2} : (b,z i ) M i } i {1,2} : M i Σ X i, (,z i ) M i : z i b i (y i), N i i (y i ) : N i M i } (,(y 1,y 2 )) x } for ech x X, nd (x) = {y N (x) : (,y) N}. Theorem 20. For ll ν-clculus expressions N 1, N 2, N 3, N 4 in norml form, N 1 m N 3 nd N 2 m N 4 imply N 1 N 2 m N 3 N 4. Proof. This follows directly from the nlogous property for AA [6] nd the trnsltion theorems 5, 9 nd 12.

16 16 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez D 1 t 1 s 1 D 2 s 2 t 2 D 1 D 2 s t b u 1 u 2 u Fig.4. DMTS D 1, D 2 nd the rechble prts of their structurl composition D 1 D 2. Here, s = {(,(t 1,t 2)),(,(t 1,u 2))}, t = {(,(t 1,t 2))} nd u =. Note tht D 1 D 2 hs two initil sttes. This implies the right-to-left inclusion in (2), i.e. { I 1 I 2 I 1 N 1,I 2 N 2 } N 1 N 2. It lso entils independent implementbility, in tht the structurl composition of the two refined specifictions N 1, N 2 is refinement of the composition of the originl specifictions N 3, N 4. Fig. 4 shows n exmple of the DMTS nlogue of this structurl composition. Quotient. The quotient opertor / for specifiction theory is used to synthesize specifictions for components of structurl composition. Hence it is to hve the property, for ll specifictions S, S 1 nd ll implementtions I 1, I 2, tht I 1 S 1 nd I 2 S / S 1 imply I 1 I 2 S. (3) Furthermore, S / S 1 is to be s permissive s possible. We cn gin obtin such quotient opertor for ν-clculus from the one for AA introduced in [6]. Hence we define, for ν-clculus expressions N 1, N 2 in norml form, N 1 / N 2 = h(h(n 1 ) / A h(n 2 )), where / A is AA quotient. We recll the construction of / A from [6]: Let A 1 = (S 1,S1 0, Trn 1), A 2 = (S 2,S2 0, Trn 2) be AA nd define A 1 / A A 2 = (S,{s 0 }, Trn), with S = 2 S1 S2, s 0 = {(s 0 1,s0 2 ) s0 1 S0 1,s0 2 S0 2 }, nd Trn given s follows: Let Trn( ) = 2 Σ { }. For s = {(s 1 1,s1 2 ),...,(sn 1,sn 2 )} S, sy tht Σ is permissible from s if it holds for ll i = 1,...,n tht there is M 1 Trn 1 (s i 1 ) nd t 1 S 1 for which (,t 1 ) M 1, or else there is no M 2 Trn 2 (s i 2) nd no t 2 S 2 for which (,t 2 ) M 2. For permissible from s nd i {1,...,n}, let {t i,1 2,...,ti,mi 2 } = {t 2 S 2 M 2 Trn 2 (s i 2) : (,t 2 ) M 2 } be n enumertion of the possible sttes in S 2 fter n -trnsition nd define pt (s) = { {(t i,j 1,ti,j 2 ) i = 1,...,n,j = 1,...,m i } i : j : M1 Trn 1 (s i 1 ) : (,ti,j 1 ) M 1}, the set of ll sets of possible ssignments of next- sttes from s i 1 to next- sttes from s i 2. Now let pt(s) = {(,t) t pt (s), dmissible from s} nd define Trn(s) = {M pt(s) i = 1,...,n : M 2 Trn 2 (s i 2 ) : M M 2 Trn 1 (s i 1 )}. Here is the composition-projection opertor defined by M M 2 = {(,t t 2 ) (,t) M,(,t 2 ) M 2 } nd t t 2 = {(t 1 1,t1 2 ),...,(tk 1,tk 2 )} ti 2 = ti 1 (note tht by construction, there is precisely one pir in t whose second component is t i 2 ).

17 Structurl Refinement for the Modl nu-clculus 17 Theorem 21. For ll ν-clculus expressions N, N 1, N 2 in norml form, N 2 m N / N 1 iff N 1 N 2 m N. Proof. From the nlogous property for AA [6] nd Theorems 5, 9 nd 12. As corollry, we get (3): IfI 2 N/N 1, i.e. I 2 m N/N 1, thenn 1 I 2 m N, which using I 1 m N 1 nd Theorem 20 implies I 1 I 2 m N 1 I 2 m N. The reverse impliction in Theorem 21 implies tht N / N 1 is s permissive s possible. Theorem 22. With opertions,, nd /, the clss of ν-clculus expressions forms commuttive residuted lttice up to m. The unit of (up to m ) is the ν-clculus expression corresponding to the LTS U = ({u},{u},{(u,,u) Σ}). We refer to [19] for good reference on commuttive residuted lttices. 5 Conclusion nd Further Work Using new trnsltions between the modl ν-clculus nd DMTS, we hve exposed structurl equivlence between these two specifiction formlisms. This mens tht both types of specifictions cn be freely mixed; there is no more ny need to decide, whether due to personl preference or for technicl resons, between one nd the other. Of course, the modl ν-clculus cn only express sfety properties; for more expressivity, one hs to turn to more expressive logics, nd no behviorl nlogue to these stronger logics is known (neither is it likely to exist, we believe). Our constructions of composition nd quotient for the modl ν-clculus expect (nd return) ν-clculus expressions in norml form, nd it is n interesting question whether they cn be defined for generl ν-clculus expressions. (For disjunction nd conjunction this is of course trivil.) Lrsen s [23] hs composition nd quotient opertors for Hennessy-Milner logic (restricted to deterministic context systems ), but we know of no extension (other thn ours) to more generl logics. We lso note tht our hybrid modl logic ppers relted to the Boolen eqution systems [27, 25] which re used in some µ-clculus model checking lgorithms. The precise reltion between the modl ν-clculus, our L-expressions nd Boolen eqution systems should be worked out. Similrly, cceptnce utomt ber some similrity to the modl utomt of [12]. Lstly, we should note tht we hve in [4, 3] introduced quntittive specifiction theories for weighted modl trnsition systems. These re well-suited for specifiction nd nlysis of systems with quntittive informtion, in tht they replce the stndrd Boolen notion of refinement with robust distncebsed notion. We re working on n extension of these quntittive formlisms to DMTS, nd hence to the modl ν-clculus, which should relte our work to other pproches t quntittive model checking such s e.g. [17, 16, 18].

18 18 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez References 1. L. Aceto, A. Ingólfsdóttir, K. G. Lrsen, nd J. Srb. Rective Systems. Cmbridge Univ. Press, S. S. Buer, A. Dvid, R. Hennicker, K. G. Lrsen, A. Legy, U. Nymn, nd A. Wąsowski. Moving from specifictions to contrcts in component-bsed design. In FASE, vol of LNCS. Springer, S. S. Buer, U. Fhrenberg, L. Juhl, K. G. Lrsen, A. Legy, nd C. Thrne. Quntittive refinement for weighted modl trnsition systems. In MFCS, vol of LNCS. Springer, S. S. Buer, U. Fhrenberg, A. Legy, nd C. Thrne. Generl quntittive specifiction theories with modlities. In CSR, vol of LNCS. Springer, N. Beneš, I. Černá, nd J. Křetínský. Modl trnsition systems: Composition nd LTL model checking. In [13]. 6. N. Beneš, B. Delhye, U. Fhrenberg, J. Křetínský, nd A. Legy. Hennessy- Milner logic with gretest fixed points. In CONCUR, vol of LNCS. Springer, N. Beneš, J. Křetínský, K. G. Lrsen, M. H. Møller, nd J. Srb. Prmetric modl trnsition systems. In [13]. 8. N. Beneš, J. Křetínský, K. G. Lrsen, nd J. Srb. On determinism in modl trnsition systems. Th. Comp. Sci., 410(41): , N. Beneš, J. Křetínský, K. G. Lrsen, nd J. Srb. EXPTIME-completeness of thorough refinement on modl trnsition systems. Inf. Comp., 218:54 68, P. Blckburn. Representtion, resoning, nd reltionl structures: hybrid logic mnifesto. Log. J. IGPL, 8(3): , G. Boudol nd K. G. Lrsen. Grphicl versus logicl specifictions. Th. Comp. Sci., 106(1):3 20, J. Brdfield nd C. Stirling. Modl mu-clculi. In The Hndbook of Modl Logic. Elsevier, T. Bultn nd P.-A. Hsiung, eds. Automted Technology for Verifiction nd Anlysis, 9th Int. Symp., ATVA 2011, vol of LNCS. Springer, L. Cires nd L. Crdelli. A sptil logic for concurrency. Inf. Comp., 186(2), E. M. Clrke nd E. A. Emerson. Design nd synthesis of synchroniztion skeletons using brnching-time temporl logic. In Logic of Progrms, vol. 131 of LNCS. Springer, L. de Alfro. Quntittive verifiction nd control vi the mu-clculus. In CON- CUR, vol of LNCS. Springer, L. de Alfro, T. A. Henzinger, nd R. Mjumdr. Discounting the future in systems theory. In ICALP, vol of LNCS. Springer, D. Gebler nd W. Fokkink. Compositionlity of probbilistic Hennessy-Milner logic through structurl opertionl semntics. In CONCUR, vol of LNCS. Springer, J. B. Hrt, L. Rfter, nd C. Tsinkis. The structure of commuttive residuted lttices. Internt. J. Algebr Comput., 12(4): , M. Hennessy. Acceptnce trees. J. ACM, 32(4): , D. Kozen. Results on the propositionl µ-clculus. Th. Comp. Sci., 27, K. G. Lrsen. Modl specifictions. In Automtic Verifiction Methods for Finite Stte Systems, vol. 407 of LNCS. Springer, K. G. Lrsen. Idel specifiction formlism = expressivity + compositionlity + decidbility + testbility +... In CONCUR, vol. 458 of LNCS. Springer, 1990.

19 Structurl Refinement for the Modl nu-clculus K. G. Lrsen. Proof systems for stisfibility in Hennessy-Milner logic with recursion. Th. Comp. Sci., 72(2&3): , K. G. Lrsen. Efficient locl correctness checking. In CAV, vol. 663 of LNCS. Springer, K. G. Lrsen nd L. Xinxin. Eqution solving using modl trnsition systems. In LICS. IEEE Computer Society, A. Mder. Verifiction of Modl Properties Using Boolen Eqution Systems. PhD thesis, Technische Universität München, P. W. O Hern, J. C. Reynolds, nd H. Yng. Locl resoning bout progrms tht lter dt structures. In CSL, vol of LNCS. Springer, A. N. Prior. Ppers on Time nd Tense. Oxford: Clrendon Press, J.-B. Rclet. Residul for component specifictions. Publiction interne 1843, IRISA, Rennes, J.-B. Rclet. Residul for component specifictions. Electr. Notes Theor. Comput. Sci., 215:93 110, J. C. Reynolds. Seprtion logic: A logic for shred mutble dt structures. In LICS. IEEE Computer Society, D. Scott nd J. W. de Bkker. A theory of progrms. Unpublished mnuscript, IBM, Vienn, 1969.

20 20 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez Appendix: Extr Lemms nd Proofs Lemm 23. Let D = (S,S 0,, ) be DMTS nd s S. For ll M 1,M 2 Trn(s) nd ll M Σ S with M 1 M M 1 M 2, lso M Trn(s). Proof. For i = 1,2, since M i Trn(s), we know tht for ll (,t) M i, (s,,t), nd for ll (s,n), there is (,t) M i N. Now s M M 1 M 2, it directly follows tht for ll (,t) M, we hve (s,,t). Moreover, since M 1 M, we lso hve tht for ll (s,n), there exists (,t) M N. As consequence, M Trn(s). Proof (of Lemm 4). Let Σ = { 1,..., n } nd A = ({s 0 },{s 0 }, Trn) the AA with Trn(s 0 ) = {M Σ {s 0 } k : M = 2k} the trnsition constrint contining ll disjunctive choices of even crdinlity. Let D = (T,T 0,, ) be DMTS with cd th A; we clim tht D must hve t lest 2 n 1 initil sttes. Assume, for the purpose of contrdiction, tht T 0 = {t 0 1,...,t 0 m} with m < 2 n 1. We must hve m i=1 Trn T(t 0 i ) = {M Σ T k : M = 2k}, so tht there is n index j {1,...,m} for which Trn T (t 0 j ) = {M 1,M 2 } contins two different disjunctive choices from Trn S (s 0 ). By Lemm 23, lso M Trn T (t 0 j ) for ny M with M 1 M M 1 M 2. But M 1 M 2 hs greter crdinlity thn M 1, so tht there will be n M Trn T (t 0 j ) with odd crdinlity. Proof (of Theorem 5). The first two equivlences in the theorem follow directly from the definitions. Indeed, for the trnsltion from L-expressions to AA, we hve Φ(x) = Trn(x) by definition, hence M Φ(x) iff M Trn(x). For the other trnsltion, we compute Φ(x) = = = = = M Trn(x) M Trn(x) M Trn(x) M Trn(x) M Trn(x) ( (,t) M ( (,t) M t (b,u)/ M b u ) {M (,t) M } (b,u)/ M {M (b,u) / M } ) ( {M (,t) M : (,t) M } {M (b,u) / M : (b,u) / M } ) ( {M M M } {M M M} ) M = Trn(x). D 1 m D 2 implies d(d 1 ) m d(d 2 ):

21 Structurl Refinement for the Modl nu-clculus 21 Let D 1 = (S 1,S 0 1, 1, 1 ), D 2 = (S 2,S 0 2, 2, 2 ) be DMTS nd ssume D 1 m D 2. Then we hve modl refinement reltion (in the DMTS sense) R S 1 S 2. Now let (s 1,s 2 ) R nd M 1 Trn 1 (s 1 ), nd define M 2 = {(,t 2 ) s 2 2 t 2, (,t 1 ) M 1 : (t 1,t 2 ) R}. The condition (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R in the definition of AA refinement is stisfied by construction. For the inverse condition, let (,t 1 ) M 1, then s 1 1 t 1, so by DMTS refinement, there is t 2 S 2 with s 2 2 t 2 nd (t 1,t 2 ) R, whence (,t 2 ) M 2 by construction. We re left with showing tht M 2 Trn 2 (s 2 ). First we notice tht by construction, indeed s 2 2 t 2 for ll (,t 2 ) M 2. Now let s 2 N 2 ; we need to show tht N 2 M 2. By DMTS refinement, we hve s 1 N 1 such tht (,t 1 ) N 1 : (,t 2 ) N 2 : (t 1,t 2 ) R. We know tht N 1 M 1, so let (,t 1 ) N 1 M 1. Then there lso is (,t 2 ) N 2 with (t 1,t 2 ) R. But (,t 2 ) N 2 implies s 2 2 t 2, hence (,t 2 ) M 2. d(d 1 ) m d(d 2 ) implies D 1 m D 2 : Let D 1 = (S 1,S1 0, 1, 1 ), D 2 = (S 2,S2 0, 2, 2 ) be DMTS nd ssume d(d 1 ) m d(d 2 ). Then we hve modl refinement reltion (in the AA sense) R S 1 S 2. Let (s 1,s 2 ) R. Let s 1 1 t 1, then we cnnot hve s 1. Let M 1 = {(,t 1 )} {N 1 s 1 N 1 }, then M 1 Trn 1 (s 1 ) by construction. This implies tht there is M 2 Trn 2 (s 2 ) nd (,t 2 ) M 2 with (t 1,t 2 ) R, but then lso s 2 t 2 s ws to be shown. Let s 2 N 2 nd ssume, for the ske of contrdiction, tht there is no s 1 N 1 for which (,t 1 ) N 1 : (,t 2 ) N 2 : (t 1,t 2 ) R holds. Then for ech s 1 N 1, there is n element ( N1,t N1 ) N 1 for which there is no ( N1,t 2 ) N 2 with (t N1,t 2 ) R. Let M 1 = {( N1,t N1 ) s 1 N 1 }, then M 1 Trn 1 (s 1 ) by construction. Hence we hve M 2 Trn 2 (s 2 ) stisfying the conditions in the definition of AA refinement. By construction of Trn 2 (s 2 ), N 2 M 2, so let (,t 2 ) N 2 M 2. Then there exists (,t 1 ) M 1 for which (t 1,t 2 ) R, in contrdiction to the definition of M 1. A 1 m A 2 implies d(a 1 ) m d(a 2 ): Let A 1 = (S 1,S 0 1, Trn 1), A 2 = (S 2,S 0 2, Trn 2) be AA, with DMTS trnsltions (D 1,D 0 1, 1, 1 ), (D 2,D 0 2, 2, 2 ), nd ssume A 1 m A 2. Then we hve modl refinement reltion (in the AA sense) R S 1 S 2. Define

22 22 Uli Fhrenberg, Axel Legy, nd Louis-Mrie Tronouez R D 1 D 2 by R = {(M 1,M 2 ) (s 1,s 2 ) R : M 1 Trn 1 (s 1 ),M 2 Trn(s 2 ), (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R, (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R}. We show tht R is modl refinement in the DMTS sense. Let (M 1,M 2 ) R. Let M 2 2 N 2. By construction of, there is (,t 2 ) M 2 such tht N 2 = {(,M 2) M 2 Trn 2 (t 2 )}. Then (M 1,M 2 ) R implies tht there must be (,t 1 ) M 1 for which (t 1,t 2 ) R, nd we cn define N 1 = {(,M 1) M 1 Trn 1 (t 1 )}, whence M 1 1 N 1. We show tht (,M 1) N 1 : (,M 2) N 2 : (M 1,M 2) R : Let (,M 1) N 1, then M 1 Trn 1(t 1 ). From (t 1,t 2 ) R we hence get M 2 Trn 2(t 2 ), nd then (,M 2 ) N 2 by construction of N 2 nd (M 1,M 2 ) R due to the conditions of AA refinement (pplied to (t 1,t 2 ) R). Let M 1 1 M 1, then we hve M 1 1 N 1 for which (,M 1 ) N 1 by construction of. This in turn implies tht there must be (,t 1 ) M 1 such tht N 1 = {(,M 1 ) M 1 Trn 1(t 1 )}, nd then by (M 1,M 2 ) R, we get (,t 2 ) M 2 for which (t 1,t 2 ) R. Let N 2 = {(,M 2 ) M 2 Trn 2(t 2 )}, then M 2 2 N 2 nd hence M 2 2 M 2 for ll (,M 2) N 2. On the other hnd, the rgument in the previous prgrph shows tht there is (,M 2 ) N 2 for which (M 1,M 2) R. We miss to show tht R is initilized. Let M1 0 D0 1, then we hve s0 1 S0 1 with M1 0 Trn 1(s 0 1 ). As R is initilized, this entils tht there is s0 2 S0 2 with (s 0 1,s 0 2) R, which gives us M2 0 Trn 2 (s 0 2) which stisfies the AA refinement conditions, whence (M1 0,M0 2 ) R. d(a 1 ) m d(a 2 ) implies A 1 m A 2 : Let A 1 = (S 1,S 0 1, Trn 1), A 2 = (S 2,S 0 2, Trn 2) be AA, with DMTS trnsltions (D 1,D 0 1, 1, 1 ), (D 2,D 0 2, 2, 2 ), nd ssume d(a 1 ) m d(a 2 ). Then we hve modl refinement reltion (in the DMTS sense) R D 1 D 2. Define R S 1 S 2 by R = {(s 1,s 2 ) M 1 Trn 1 (s 1 ) : M 2 Trn 2 (s 2 ) : (M 1,M 2 ) R}; we will show tht R is n AA modl refinement. Let (s 1,s 2 ) R nd M 1 Trn 1 (s 1 ), then by construction of R, we hve M 2 Trn 2 (s 2 ) with (M 1,M 2 ) R. Let (,t 2 ) M 2 nd define N 2 = {(,M 2 ) M 2 Trn 2(t 2 )}, then M 2 2 N 2. Now (M 1,M 2 ) R implies tht there must be M 1 1 N 1 stisfying (,M 1 ) N 1 : (,M 2 ) N 2 : (M 1,M 2 ) R. We hve (,t 1) M 1 such tht N 1 = {(,M 1 ) M 1 Trn 1(t 1 )}; we only miss to show tht (t 1,t 2 ) R. Let M 1 Trn 1 (t 1 ), then (,M 1) N 1, hence there is (,M 2) N 2 with (M 1,M 2 ) R, but (,M 2 ) N 2 lso entils M 2 Trn 2(t 2 ). Let (,t 1 ) M 1 nd define N 1 = {(,M 1) M 1 Trn 1 (t 1 )}, then M 1 1 N 1. Now let (,M 1 ) N 1, then M 1 1 M 1, hence we hve M 2 2 M 2 for