arxiv: v1 [cs.lo] 4 Jun 2013

Transcription

1 Hennessy-Milner Logic with Gretest Fixed Points s Complete Behviourl Specifiction Theory rxiv: v1 [cs.lo] 4 Jun 2013 Nikol Beneš 1, Benoît Delhye 2, Uli Fhrenberg 2, Jn Křetínský 1,3, nd Axel Legy 2 1 Msryk University, Brno, Czech Republic 2 Iris / INRIA Rennes, Frnce 3 Technische Universität München, Germny Abstrct. There re two fundmentlly different pproches to specifying nd verifying properties of systems. The logicl pproch mkes use of specifictions given s formule of temporl or modl logics nd relies on efficient model checking lgorithms; the behviourl pproch exploits vrious equivlence or refinement checking methods, provided the specifictions re given in the sme formlism s implementtions. In this pper we provide trnsltions between the logicl formlism of Hennessy-Milner logic with gretest fixed points nd the behviourl formlism of disjunctive modl trnsition systems. We lso introduce new opertion of quotient for the bove equivlent formlisms, which is djoint to structurl composition nd llows synthesis of missing specifictions from prtil implementtions. This is substntil generlistion of the quotient for deterministic modl trnsition systems defined in erlier ppers. 1 Introduction There re two fundmentlly different pproches to specifying nd verifying properties of systems. Firstly, the logicl pproch mkes use of specifictions given s formule of temporl or modl logics nd relies on efficient model checking lgorithms. Secondly, the behviourl pproch exploits vrious equivlence or refinement checking methods, provided the specifictions re given in the sme formlism s implementtions. In this pper, we discuss different formlisms nd their reltionship. As n exmple, let us consider lbelled trnsition systems nd the property tht t ll time points fter executing request, no idle nor further requests but only work is llowed until grnt is executed. The property cn be written in e.g. CTL [14] s AG(request AX(work AW grnt)) The uthor hs been supported by the Czech Science Foundtion grnt No. GAP202/11/0312. The uthor is prtilly supported by the Czech Science Foundtion, project No. P202/10/1469.

2 2 Beneš, Delhye, Fhrenberg, Křetínský, Legy grnt, work, idle request request grnt request work grnt work idle idle Fig. 1. DMTS specifiction corresponding to AG(request AX(work AW grnt)), nd its implementtion or s recursive system of equtions in Hennessy-Milner logic [29] s X = [grnt, idle, work]x [request]y Y = ( work Y grnt X) [idle, request]ff where the solution is given by the gretest fixed point. As formule of modl logics cn be difficult to red, some people prefer utomt-bsed behviourl specifictions to logicl ones. One such behviourl specifiction formlism is the one of disjunctive modl trnsition systems(dmts) [26]. Fig. 1 (left) displys specifiction of our exmple property s DMTS. Here the dshed rrows indicte tht the trnsitions my or my not be present, while brnching of the solid rrow indictes tht t lest one of the brnches must be present. An exmple of lbelled trnsition system tht stisfies our logicl specifictions nd implements the behviourl one is lso given in Fig. 1. The lterntive between logicl nd behviourl specifictions is not only question of preference. Logicl specifiction formlisms put powerful logicl lnguge t the disposl of the user, nd the logicl pproch to model checking [14, 34] hs seen lot of success nd tool implementtions. Automt-bsed specifictions [12, 27], on the other hnd, hve focus on compositionl nd incrementl design in which logicl specifictions re somewht lcking, with the trde-off of generlly being less expressive thn logics. To be more precise, utomt-bsed specifictions re, by design, compositionl in the sense tht they support structurl composition of specifictions nd, in most cses, its djoint, quotient. This is useful, even necessry, in prcticl verifiction, s it mens tht (1) it is possible to infer properties of system from the specifictions of its components, nd (2) the problem of correctness for system cn be decomposed into verifiction problems for its components. We refer to [28] for detiled ccount on composition nd decomposition. It is thus desirble to be ble to trnslte specifictions from the logicl relm into behviourl formlisms, nd vice vers from behviourl formlisms to logic-bsed specifictions. This is, then, the first contribution of this pper: we show tht Hennessy-Milner logic with gretest fixed points (νhml) nd DMTS (with severl initil sttes) re eqully expressive, nd we provide trnsltions forth nd bck. For doing this, we introduce n uxiliry intermedite formlism NAA ( nondeterministic extension of cceptnce utomt [22, 35]) which is equivlent in expressiveness to both νhml nd DMTS.

3 Hennessy-Milner Logic with Gretest Fixed Points 3 We lso discuss other desirble fetures of specifiction formlisms, nmely structurl composition nd quotient. As n exmple, consider specifiction S of the finl system to be constructed nd T either n lredy implemented component or specifiction of service to be used. The tsk is to construct the most generl specifiction of the rest of the system to be implemented, in such wy tht when composed with ny implementtion of T, it conforms with the specifiction S. This specifiction is exctly the quotient S/T. Contribution Firstly, we show tht the formlisms of νhml, NAA nd DMTS hve the sme expressive power, nd provide the respective trnsltions. As result, the estblished connection llows for grphicl representtion of νhml s DMTS. This extends the grphicl representbility of HML without fixed points s modl trnsition systems [10,27]. In some sense this is optiml, s due to the lterntion of lest nd gretest fixed points, there seems to be no hope tht the whole µ-clculus could be drwn in similrly simple wy. Secondly, we show tht there re nturl opertions of conjunction nd disjunction for NAA which mimic the ones of νhml. As we work with multiple initil sttes, disjunction is redily defined, nd conjunction extends the one for DMTS [6]. Thirdly, we introduce structurl composition on NAA. For simplicity we ssume CSP-style synchronistion of lbels, but the construction cn esily be generlised to other types of lbel synchronistion. Finlly, we provide solution to the open problem of the generl quotient. We extend the quotient constructions for deterministic modl trnsition systems (MTS) nd cceptnce utomt [35] to define the quotient for the full clss of (possibly nondeterministic) NAA. We lso provide more efficient procedure for (possibly nondeterministic) MTS. These constructions re the techniclly most demnding prts of the pper. With the opertions of structurl composition nd quotient, NAA, nd hence lso DMTS nd νhml, re fully compositionl behviourl specifiction theories nd form commuttive residuted lttice [21, 39] up to equivlence. This mkes rich lgebric theory vilble for compositionl resoning bout specifictions. Most of the constructions we introduce re implemented in prototype tool [8]. Due to spce constrints, some of the proofs hd to be omitted from the pper. Relted work Hennessy-Milner logic with recursion [29] is populr logicl specifiction formlism which hs the sme expressive power s µ-clculus [25]. It is obtined from Hennessy-Milner logic (HML) [23] by introducing vribles nd gretest nd lest fixed points. Hennessy-Milner logic with gretest fixed points (νhml) is equivlent to ν-clculus, i.e. µ-clculus with gretest fixed points only. DMTS hve been proposed s solutions to lgebric process equtions in [26] nd further investigted lso s specifiction formlism [6, 28]. The DMTS formlism is member of the modl trnsition systems (MTS) fmily nd s such hs lso received ttention recently. The MTS formlisms hve proven to be useful in prctice. Industril pplictions strted s erly s [11] where MTS

4 4 Beneš, Delhye, Fhrenberg, Křetínský, Legy hve been used for n ir-trffic system t Hethrow irport. Besides, MTS clsses re dvocted s n pproprite bse for interfce theories in [36] nd for product line theories in [31]. Further, n MTS bsed softwre engineering methodology for design vi merging prtil descriptions of behviour hs been estblished in [38] nd methods for supervisory control of MTS shown in [15]. Tool support is quite extensive, e.g. [3,6,9,16]. Over the yers, mny extensions of MTS hve been proposed. While MTS cn only specify whether or not prticulr trnsition is required, some extensions equip MTS with more generl bilities to describe wht combintions of trnsitions re possible. These include DMTS [26], 1-MTS [17] llowing to express exclusive disjunction, OTS [4] cpble of expressing positive Boolen combintions, nd Boolen MTS [5] covering ll Boolen combintions. The lst one is closely relted to our NAA, the cceptnce utomt of [22,35], s well s hybrid modl logic [7,33]. Lrsen hs shown in [27] tht ny finite MTS is equivlent to HML formul (without recursion or fixed points), the chrcteristic formul of the given MTS. Conversely, Boudol nd Lrsen show in [10] tht ny consistent nd prime HML formul is equivlent to MTS. Here we extend these results to νhml formule, nd show tht ny such formul is equivlent to DMTS, solving problem left open in [26]. Hence νhml supports full compositionlity nd decomposition in the sense of [28]. This finishes some of the work strted in [10,27,28]. Quotients re relted to decomposition of processes nd properties, n issue which hs received considerble ttention through the yers. In [26], solution to bisimultion C(X) P for given process P nd context C is provided (s DMTS). This solves the quotienting problem P/C for the specil cse where both P nd C re processes. This is extended in [30] to the setting where the contextc cnhveseverlholesnd C(X 1,...,X n ) must stisfypropertyqof νhml. However, C remins to be process context, not specifiction context. Our specifiction context llows for rbitrry specifictions, representing infinite sets of processes nd process equtions. Another extension uses infinite conjunctions [19], but similrly to the other pproches, genertes prtil specifictions from n overll specifiction nd given set of processes. This is subsumed by generl quotient. Quotient opertors, or gurntee or multiplictive impliction s they re clled there, re lso well-known from vrious logicl formlisms. Indeed, the lgebric properties of our prllel composition nd quotient / resemble closely those of multiplictive conjunction & nd impliction in liner logic [20], nd of sptil conjunction nd impliction in sptil logic [13] nd seprtion logic [32, 37]. For these nd other logics, proof systems hve been developed which llow one to reson bout expressions contining these opertors. In sptil nd seprtion logic, & nd (or the opertors corresponding to these liner-logic symbols) re first-clss opertors on pr with the other logicl opertors, nd their semntics re defined s certin sets of processes. In contrst, for NAA nd hence, vi the trnsltions, lso for νhml, nd / re derived opertors, nd we provide constructions to reduce ny expression which contins

5 Hennessy-Milner Logic with Gretest Fixed Points 5 them, to one which does not. This is importnt from the perspective of reuse of components nd useful in industril pplictions. 2 Specifiction Formlisms In this section, we define the specifiction formlisms νhml, DMTS nd NAA nd show tht they re equivlent. Forthe rest ofthe pper, wefix finite lphbet Σ. In echofthe formlisms, the semntics of specifiction is set of implementtions, in our cse lwys set of lbelled trnsition systems (LTS) over Σ, i.e. structures (S,s 0, ) consisting of set S of sttes, n initil stte s 0 S, nd trnsition reltion S Σ S. We ssume tht the trnsition reltion of LTS is lwys imge-finite, i.e. tht for every Σ nd s S the set {s S s s } is finite. 2.1 Hennessy-Milner Logic with Gretest Fixed Points We recp the syntx nd semntics of HML with vribles developed in [29]. A HML formul φ over set X of vribles is given by the bstrct syntx φ ::= tt ff x φ φ φ φ φ []φ, where x rnges over X nd over Σ. The set of such formule is denoted H(X). Notice tht insted of including fixed point opertors in the logic, we choose to use declrtions with gretest fixed point semntics, s explined below. A declrtion is mpping : X H(X). We shll give gretest fixed point semntics to declrtions. Let (S,s 0, ) be n LTS, then n ssignment is mpping σ : X 2 S. The set of ssignments forms complete lttice with σ 1 σ 2 iff σ 1 (x) σ 2 (x) for ll x X nd ( i I σ ) i (x) = i I σ i(x). The semntics of formul is subset of S, given reltive to n ssignment σ, defined s follows: tt σ = S, ff σ =, x σ = σ(x), φ ψ σ = φ σ ψ σ, φ ψ σ = φ σ ψ σ, φ σ = {s S s s : s φ σ}, nd []φ σ = {s S s s : s φ σ}. The semntics of declrtion is then the ssignment defined by = {σ : X 2 S x X : σ(x) (x) σ}: the gretest (pre)fixed point of. An initilised HML declrtion, or νhml formul, is structure (X,X 0, ), with X 0 X finite sets of vribles nd : X H(X) declrtion. We sy tht n LTS (S,s 0, ) implements (or models) the formul, nd write S =, if it holds tht there is x 0 X 0 such tht s 0 (x 0 ). We write for the set of implementtions (models) of νhml formul. 2.2 Disjunctive Modl Trnsition Systems A DMTS is essentilly lbelled trnsition system (LTS) with two types of trnsitions, my trnsitions which indicte tht implementtions re permitted to implement the specified behviour, nd must trnsitions which proclim tht

6 6 Beneš, Delhye, Fhrenberg, Křetínský, Legy ny implementtion is required to implement the specified behviour. Additionlly, must trnsitions my be disjunctive, in the sense tht they cn require tht t lest one out of number of specified behviours must be implemented. We now recll the syntx nd semntics of DMTS s introduced in [26]. We modify the syntx slightly to permit multiple initil sttes nd, in the spirit of lter work [6, 18], ensure tht ll required behviour is lso llowed: A disjunctive modl trnsition system (DMTS) over the lphbet Σ is structure (S,S 0,, ) consisting of set of sttes S, finite subset S 0 S of initil sttes, my-trnsition reltion S Σ S, nd disjunctive musttrnsition reltion S 2 Σ S. It is ssumed tht for ll (s,n) nd ll (,t) N, (s,,t). We usully write s t insted of (s,,t) nd s N insted of (s,n). We lso ssume tht the my trnsition reltion is imge-finite. Note tht the two ssumptions imply tht S 2 Σ S Fin where 2 X Fin denotes the set of ll finite subsets of X. A DMTS (S,S 0,, ) is n implementtion if S 0 = {s 0 } is singleton nd = {(s,{(,t)} s t}, hence if N is singleton for ech s N nd there re no superfluous my-trnsitions. Thus DMTS implementtions re precisely LTS. We proceed to define the semntics of DMTS. First, reltion R S 1 S 2 is modl refinement between DMTS (S 1,S1, 0 1, 1 ) nd (S 2,S2, 0 2, 2 ) if it holds for ll (s 1,s 2 ) R tht for ll s 1 t 1 there is s 2 t 2 for some t 2 S 2 with (t 1,t 2 ) R, nd for ll s 2 N 2 there is s 1 N 1 such tht for ech (,t 1 ) N 1 there is (,t 2 ) N 2 with (t 1,t 2 ) R. Such modl refinement is initilised if it is the cse tht, for ech s 0 1 S0 1, there is s 0 2 S0 2 for which (s0 1,s0 2 ) R. In tht cse, we sy tht S 1 refines S 2 nd write S 1 m S 2. We write S 1 m S 2 if S 1 m S 2 nd S 2 m S 1. We sy tht n LTS I implements DMTS S if I m S nd write S for the set of implementtions of S. Notice tht the notions of implementtion nd modl refinement gree, cpturing the essence of DMTS s specifiction theory: A DMTS my be grdully refined, until n LTS, in which ll behviour is fully specified, is obtined. For DMTS S 1, S 2 we sy tht S 1 thoroughly refines S 2, nd write S 1 t S 2, if S 1 S 2. We write S 1 t S 2 if S 1 t S 2 nd S 2 t S 1. By trnsitivity, S 1 m S 2 implies S 1 t S 2. Exmple 1. Figs. 2 nd 3 show exmples of importnt bsic properties expressed both s νhml formule, NAA (see below) nd DMTS. For DMTS, my trnsitions re drwn s dshed rrows nd disjunctive must trnsitions s brnching rrows. Sttes with short incoming rrow re initil (the DMTS in Fig. 3 hs two initil sttes).

7 Hennessy-Milner Logic with Gretest Fixed Points 7 X = tt []X [b]x ({s 0},{s 0},Trn) Trn(s 0) = { {(,s 0)},{(,s 0),(b,s 0)} } b Fig. 2. νhml formul, NAA nd DMTS for the invrince property there is lwys n trnsition vilble, with Σ = {,b} X = b tt ( tt []X [b]x [c]x ) b,c ({s 0,s 1},{s 0},Trn) Trn(s 0) = { {(b,s 1)},{(b,s 1),(,s 1)},{(b,s 1),(c,s 1)}, {(b,s 1),(,s 1),(c,s 1))},{(,s 0)},{(,s 0),(c,s 0)} } Trn(s 1) = 2 {s 1 } {,b,c} b,c b,c,b,c Fig. 3. νhml formul, NAA nd DMTS for the ( wek until ) property there is lwys n trnsition vilble, until b trnsition becomes enbled, with Σ = {,b,c} Modl Trnsition Systems An interesting subclss of DMTS re modl trnsition systems (MTS) [27]. A DMTS (S,S 0,, ) is sid to be MTS if (1) b S 0 = {s 0 } is singleton, (2) for every s N, the set N is singleton. Hence, for ech trnsition, we specify whether it must, my, or must not be present; no disjunctions cn be expressed. It is esy to see tht MTS re less expressive thn DMTS, i.e. there re DMTS S for which no MTS S exists so tht S = S. One exmple is provided on the right. Here ny implementtion must hve n or b trnsition from the initil stte, but then ny MTS which permits ll such implementtions will lso llow implementtions without ny trnsition from the initil stte. 2.3 NAA We now define NAA, the nondeterministic extension to the formlism of cceptnce utomt [35]. We shll use this formlism to bridge the gp between νhml nd DMTS. A nondeterministic cceptnce utomton over the lphbet Σ is structure (S,S 0,Trn) where S nd S 0 re the sttes nd initil sttes s previously, nd Trn : S 2 2Σ S Fin ssigns dmissible trnsition sets. A NAA (S,S 0,Trn) is n implementtion if S 0 = {s 0 } is singleton nd Trn(s) = {M} is singleton for every s S; clerly, NAA implementtions re precisely LTS. We lso define the inconsistent NAA to be = (,, ) nd the universl NAA by = ({s},{s},2 2Σ {s} ). A reltion R S 1 S 2 is modl refinement between NAA (S 1,S1,Trn 0 1 ), (S 2,S2 0,Trn 2) if it holds for ll (s 1,s 2 ) R nd ll M 1 Trn 1 (s 1 ) tht there exists M 2 Trn 2 (s 2 ) such tht (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R,

8 8 Beneš, Delhye, Fhrenberg, Křetínský, Legy (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R. We define nd use the notions of initilised modl refinement, m, m, implementtion, t, nd t the sme wy s for DMTS. Proposition 2. The clss of NAA is preordered by modl refinement m, with bottom element nd top element. Note tht s implementtions of ll our three formlisms νhml, DMTS nd NAA re LTS, it mkes sense to use thorough refinement t nd equivlence t cross formlisms, so tht we e.g. cn write S t for NAA S nd νhml formul. 2.4 Equivlences We proceed to show tht νhml, DMTS nd NAA re eqully expressive: Theorem 3. For ny set S of LTS, the following re equivlent: 1. There exists νhml formul with = S. 2. There exists finite NAA S with S = S. 3. There exists finite DMTS S with S = S. Furthermore, the ltter two sttements re equivlent even if we drop the finiteness constrints. Note tht we could drop the finiteness ssumption bout the set of vribles of νhml formule, while retining the fct tht (x) is finite HML formul. The result of Theorem 3 could then be extended with the sttement tht these possibly infinite νhml formule re equivlent to generl DMTS/NAA. For DMTS S = (S,S 0,, ), let Trn(s) = {M Σ S N : s N,N M; (,t) M : s t} nd define the NAA dn(s) = (S,S 0,Trn). Conversely, for n NAA (S,S 0,Trn), define the DMTS nd(s) = (T,T 0,, ) s follows: T = {M Trn(s) s S}, T 0 = {M Trn(s 0 ) s 0 S 0 }, = {(M,{(,M ) M Trn(s )} (,s ) M}, = {(t,,t ) t T, (t,n) : (,t ) N}. Note tht both nd nd dn preserve finiteness. Both trnsltion re exponentil in their respective rguments. Lemm 4. For every DMTS S, S t dn(s). For every NAA S, S t nd(s). For set of pirs of ctions nd sttes M we use M to denote the set {s (,s) M}. Let (S,S 0,Trn) be finite NAA nd let s S, we then define ( Trn (s) = t [] ( M Trn(s) (,t) M Σ u M u )) We then define the νhml formul nh(s) = (S,S 0, Trn ). Notice tht vribles in nh(s) re sttes of S.

9 Hennessy-Milner Logic with Gretest Fixed Points 9 Lemm 5. For ll NAA S, S t nh(s). Our trnsltion from νhml to DMTS is bsed on the constructions in [10]. First, we need vrint of disjunctive norml form for HML formule: Lemm 6. For ny νhml formul (X 1,X1 0, 1), there exists nother formul (X 2,X2, 0 2 ) with 1 = 2 nd such tht ny formul 2 (x), for x X 2, is tt or of the form 2 (x) = ( i I j J i ij x ij Σ []y i,) for finite (possibly empty) index sets I nd J i, i I, nd ll x ij,y i, X 2. Additionlly we cn ssume tht for ll i I, j J i, Σ, ij = implies x ij y i,. Let now (X,X 0, ) be νhml formul in the form introduced bove, then we define DMTS hd( ) = (S,S 0,, ) s follows: S = {(x,k) x X, (x) = i I φ i,k I } {, }, S 0 = {(x 0,k) x 0 X 0 }. For ech (x,k) S with (x) = i I ( j J i ij x ij Σ []y i,) nd I, for ech j J i, let Must j (x,k) = {( ij,(x ij,i )) Σ S}, for ech Σ, let My (x,k) = {(x,i ) S x y i, }. Let = {(s,,s ) s S, Σ,s My (s)} {(,, ) Σ} nd = {(s,must j (s)) s = (x,i) S,j J i } {(, )}. Lemm 7. For ll νhml formule, t hd( ). Further, we remrk tht the overll trnsltion from DMTS to νhml is qudrtic nd in the other direction inevitbly exponentil. Exmple 8. Consider the νhml formul X = ( ( b X []ff) [b]ff) []ff. Chnging the formul into the norml form of Lemm 6 introduces new vrible Y s illustrted below; X remins the sole initil vrible. The trnsltion hd then gives DMTS with two initil sttes (the inconsistent stte nd redundnt my trnsitions such s x 1 x 2, x 2 x 1, etc. hve been b omitted): x 1 {}}{ X = ( Y []tt [b]ff) ([]ff [b]tt) }{{} x 2 Y = b X []ff [b]tt }{{} y 1 x 1 x 2 b b b y 1 b,b 3 Specifiction Theory In this section, we introduce opertions of conjunction, disjunction, structurl composition nd quotient for NAA, DMTS nd νhml. Together, these opertions yield complete specifiction theory in the sense of [1], which llows for

10 10 Beneš, Delhye, Fhrenberg, Křetínský, Legy compositionl design nd verifiction using both logicl nd structurl opertions. We remrk tht conjunction nd disjunction re strightforwrd for logicl formlisms such s νhml, wheres structurl composition is more redily defined on behviourl formlisms such s (D)MTS. For the mixed formlism of NAA, disjunction is trivil s we permit multiple initil sttes, but conjunction requires some work. Note tht our construction of conjunction works for nondeterministic systems in contrst to ll the work in this re except for [6,26]. 3.1 Disjunction The disjunction of NAA S 1 = (S 1,S 0 1,Trn 1 ) nd S 2 = (S 2,S 0 2,Trn 2 ) is S 1 S 2 = (S 1 S 2,S 0 1 S0 2,Trn 1 Trn 2 ). Similrly, the disjunction of two DMTS S 1 = (S 1,S 0 1, 1, 1 ) nd S 2 = (S 2,S 0 2, 2, 2 ) is S 1 S 2 = (S 1 S 2,S 0 1 S 0 2, 1 2, 1 2 ). It follows tht disjunction respects the trnsltion mppings dn nd nd from the previous section. Theorem 9. Let S 1, S 2, S 3 be NAA or DMTS. Then S 1 S 2 = S 1 S 2. Further, S 1 S 2 m S 3 iff S 1 m S 3 nd S 2 m S 3. We point out one importnt distinction between NAA nd DMTS: NAA with single s 0 1 s 0 2 b b initil stte re eqully expressive s generl NAA, while for DMTS, this is not the cse. The exmple on the right shows DMTS (S,S 0,, ), with S = S 0 = {s 0 1,s 0 2}, s 0 1 {(,s 0 1),(,s 0 2)} nd s 0 1 {(b,s 0 1),(b,s 0 2)} (nd the corresponding my-trnsitions). Two initil sttes re necessry for cpturing S. Lemm 10. For ny NAA S there is NAA T = (T,T 0,Ψ) with T 0 = {t 0 } singleton nd S m T. 3.2 Conjunction Conjunction for DMTS is n extension of the construction from [6] for multiple initil sttes. Given two DMTS (S 1,S 0 1, 1, 1 ), (S 2,S 0 2, 2, 2 ), we define S 1 S 2 = (S,S 0,, ) with S = S 1 S 2, S 0 = S 0 1 S0 2, nd (s 1,s 2 ) (t 1,t 2 ) iff s 1 1 t 1 nd s 2 2 t 2, for ll s 1 N 1, (s 1,s 2 ) {(,(t 1,t 2 )) (,t 1 ) N 1,(s 1,s 2 ) (t 1,t 2 )}, for ll s 2 N 2, (s 1,s 2 ) {(,(t 1,t 2 )) (,t 2 ) N 2,(s 1,s 2 ) (t 1,t 2 )}. To define conjunction for NAA, we need uxiliry projection functions π i : Σ S 1 S 2 Σ S i. These re defined by π 1 (M) ={(,s 1 ) s 2 S 2 : (,s 1,s 2 ) M} π 2 (M) ={(,s 2 ) s 1 S 1 : (,s 1,s 2 ) M} Given NAA (S 1,S 0 1,Trn 1), (S 2,S 0 2,Trn 2), define S 1 S 2 = (S,S 0,Trn), with S = S 1 S 2, S 0 = S 0 1 S 0 2 nd Trn((s 1,s 2 )) = {M Σ S 1 S 2 π 1 (M) Trn 1 (s 1 ),π 2 (M) Trn 2 (s 2 )}.

11 Hennessy-Milner Logic with Gretest Fixed Points 11 Lemm 11. For DMTS S 1, S 2, dn(s 1 S 2 ) = dn(s 1 ) dn(s 2 ). For the trnsltion from NAA to DMTS, nd(s 1 S 2 ) = nd(s 1 ) nd(s 2 ) does not necessrily hold, s the trnsltion chnges the stte spce. However, Theorem 12 below will ensure tht nd(s 1 S 2 ) t nd(s 1 ) nd(s 2 ). Theorem 12. Let S 1, S 2, S 3 be NAA or DMTS. Then S 1 S 2 = S 1 S 2. Further, S 1 m S 2 S 3 iff S 1 m S 2 nd S 1 m S 3. Theorem 13. With opertions nd, the sets of DMTS nd NAA form bounded distributive lttices up to m. 3.3 Structurl Composition We define structurl composition for NAA. For NAA S 1 = (S 1,S 0 1,Trn 1), S 2 = (S 2,S 0 2,Trn 2 ), we define S 1 S 2 = (S,S 0,Trn) with S = S 1 S 2, S 0 = S 0 1 S 0 2, nd for ll (s 1,s 2 ) S, Trn((s 1,s 2 )) = {M 1 M 2 M 1 Trn 1 (s 1 ),M 2 Trn 2 (s 2 )}, where M 1 M 2 = {(,(t 1,t 2 )) (,t 1 ) M 1,(,t 2 ) M 2 }. Lemm 14. Up to m, the opertor on NAA is ssocitive nd commuttive, distributes over, nd hs unit U, where U is the LTS ({s},s, ) with s s for ll Σ. Theorem 15. For ll NAA S 1, S 2, S 3, S 4, S 1 m S 3 nd S 2 m S 4 imply S 1 S 2 m S 3 S 4. We remrk tht structurl composition on MTS [27] coincides with our NAA composition, so tht for MTS S 1, S 2, dn(s 1 ) dn(s 2 ) = dn(s 1 S 2 ). On the other hnd, structurl composition for DMTS (with single initil sttes) s defined in [6] is weker thn NAA composition, i.e. for DMTS S 1, S 2, nd denoting by the composition from [6], only dn(s 1 ) dn(s 2 ) t dn(s 1 S 2 ) holds. Consider for exmple the DMTS S nd S in the figure below. When considering their NAA composition, the initil stte is the pir (s 0,t 0 ) with Trn((s 0,t 0 )) = {,{(,(s 2,t 1 )),(,(s 2,t 2 ))}. Since this constrint cnnot be represented s disjunctive must, there is no DMTS with single initil stte which cn represent the NAA composition precisely. s 2 s 0 s 1 b t 2 t 0 t 1 Hence the DMTS composition of [6] is DMTS over-pproximtion of the NAA composition, nd trnslting from DMTS to NAA before composing (nd bck gin) will generlly give tighter specifiction. However, s noted lredy in [24], MTS composition itself is n over-pproximtion, in the sense tht there willgenerllybeimplementtionsi S 1 S 2 whichcnnotbewritteni = I 1 I 2 for I 1 S 1 nd I 2 S 2 ; the sme is the cse for NAA nd DMTS.

12 12 Beneš, Delhye, Fhrenberg, Křetínský, Legy 3.4 Quotient We now present one of the centrl contributions of this pper, the construction of quotient. The quotient S/T is to be the most generl specifiction tht, when composed with T, refines S. In other words, it must stisfy the property tht for ll specifictions X, X m S/T iff X T m S. Quotient hs been defined for deterministic MTS nd for deterministic cceptnce utomt in [35]; here we extend it to the nondeterministic cse (i.e. NAA). The construction incurs n exponentil blow-up, which however is locl nd depends on the degree of nondeterminism. We lso provide quotient construction for nondeterministic MTS; this is useful becuse MTS encodings for NAA cn be very compct. Let(S,S 0,Trn S ),(T,T 0,Trn T )betwonaa.wedefinethequotients/t = (Q,{q 0 },Trn Q ). Let Q = 2 S T Fin nd q 0 = {(s 0,t 0 ) s 0 S 0,t 0 T 0 }. Sttes in Q will be written {s 1 /t 1,...,s n /t n } insted of {(s 1,t 1 ),...,(s n,t n )}. In the following, we use the nottion x z s shortcut for the fct tht there exists y with x y z. We first define Trn Q ( ) = 2 Σ { }. This mens thttheemptysetofpirsistheuniverslstte.nowletq = {s 1 /t 1,...,s n /t n } Q. We first define the uxiliry set of possible trnsitions pt(q) s follows. For x S T, let α(x) = { Σ y : (,y) Trn(x)} nd γ(q) = i( α(si ) (Σ \α(t i )) ). Let further π (X) = {x (,x) X}. Letnow γ(q).forlli {1,...,n},let{t i,1,...,t i,mi } = π ( Trn T (t i )) be the possible next sttes from t i fter n -trnsition, nd define pt (q) = { {s i,j /t i,j i {1,...,n},j {1,...,m i }} i {1,...,n} : j {1,...,m i } : (,s i,j ) Trn S (s i ) } nd pt(q) = Σ ({} pt (q)). Hence pt (q) contins sets of possible next quotient sttes fter n -trnsition, ech obtined by combining the t i,j with some permuttion of possible next -sttes in S. We then define Trn Q (q) = {X pt(q) i : Y Trn T (t i ) : X Y Trn S (s i )}, where the opertor is defined by {s 1 /t 1,...,s k /t k } t l = s l nd X Y = {(,x y) (,x) X,(,y) Y}. Hence Trn Q (q) contins ll sets of (possible) trnsitions which re comptible with ll t i in the sense tht (the projection of) their prllel composition with ny set Y Trn T (t i ) is in Trn S (s i ). Theorem 16. For ll NAA S, T nd X, X T m S iff X m S/T. Theorem 17. With opertions,, nd /, the set of NAA forms commuttive residuted lttice up to m. This theorem mkes cler the reltion of NAA to liner logic [20]: except for completeness of the lttice induced by nd (cf. Theorem 13), NAA form commuttive unitl Girrd quntle [40], the stndrd lgebric setting for liner logic. Completeness of the lttice cn be obtined by llowing infinite conjunctions nd disjunctions (nd infinite NAA).

13 Hennessy-Milner Logic with Gretest Fixed Points 13 t 1 t 0 t 2 s 1 s 0 s 2 b c s 0 /t 0 b {s 1/t 1,s 2/t 2} b,c {s 2/t 1,s 2/t 2} b,b,c 3.5 Quotient for MTS Fig. 4. Two nondeterministic MTS nd their quotient We now give quotient lgorithm for the importnt specil cse of MTS, which results in much more compct quotient thn the NAA construction in the previous section. However, MTS re not closed under quotient; cf. [28, Thm. 5.5]. We show tht the quotient of two MTS will generlly be DMTS. Let (S,s 0, S, S ) nd (T,t 0, T, T ) be nondeterministic MTS. We define the quotient S/T = (Q,{q 0 }, Q, Q ). We let Q = 2 S T Fin s before, nd q 0 = {(s 0,t 0 )}. The stte Q is gin universl, so we define for ll Σ. There re no must trnsitions from. Let α(s), γ(q) be s in the previous section. For convenience, we work with sets My (s), for Σ nd sttes s, insted of my trnsitions, i.e. we hve My (s) = {t s t}. Let q = {s 1 /t 1,...,s n /t n } Q nd Σ. First we define the my trnsitions. If γ(q) then for ech i {1,...,n}, write My (t i ) = {t i,1,...,t i,mi }, nd define My (q) = { {s i,j /t i,j i {1,...,n},j {1,...,m i }} i {1,...,n} : j {1,...,m i } : s i,j My (s i ) }. For the (disjunctive) must-trnsitions, we let, for every s i s, q {(,M) {} My (q) t : s /t M, t i t }. Exmple 18. We illustrte the construction on n exmple. Let S nd T be the MTS in the left prt of Fig. 4. We construct S/T; the end result is displyed in the right prt of the figure. First we construct the my-successors of s 0 /t 0. Under b nd c there re no constrints, hence we go to. For, we hve ll permuttions of ssignments of successors of s to successors of t, nmely {s 1 /t 1,s 1 /t 2 }, {s 1 /t 1,s 2 /t 2 }, {s 2 /t 1,s 1 /t 2 } nd {s 2 /t 1,s 2 /t 2 }. Since there is must-trnsition from s (to s 1 ), we crete disjunctive must-trnsition to ll successors tht cn be used to yield must-trnsition when composed with the must-trnsition from t to t 1. These re ll successors where t 1 is mpped to s 1, hence the first two. However, {s 1 /t 1,s 1 /t 2 } will turn out inconsistent, s it requires to refine s 1 by composition with t 2. As t 2 hs no must under b, the composition hs none either, hence the must of s 1 cn never be mtched. As result, fter pruning, the disjunctive

14 14 Beneš, Delhye, Fhrenberg, Křetínský, Legy must from {s 0 /t 0 } leds only to {s 1 /t 1,s 2 /t 2 }. Further, {s 2 /t 1,s 1 /t 2 } is inconsistent for the sme reson, so tht we only hve one other my-trnsition under from {s 0 /t 0 }. Now{s 1 /t 1,s 2 /t 2 }is obligedto hvemust under bsotht it refiness 1 when composed with t 1, but cnnot hve ny c in order to mtch s 2 when composed with t 2. Similrly, {s 2 /t 1,s 2 /t 2 } hs neither c nor b. One cn esily verify tht T (S/T) m S in this cse. Note tht the constructions my crete inconsistent sttes, which hve no implementtion. In order to get consistent system, it needs to be pruned. This is stndrd nd the detils cn be found in Appendix C. The pruning cn be done in polynomil time. Theorem 19. For ll MTS S, T nd X, X m S/T iff T X m S. 4 Conclusion nd Future Work In this pper we hve introduced generl specifiction frmework whose bsis consists of three different but eqully expressive formlisms: one of grphicl behviourl kind (DMTS), one logic-bsed (νhml) nd one n intermedite lnguge between the former two (NAA). We hve shown tht the frmework possesses rich lgebric structure tht includes logicl (conjunction, disjunction) nd structurl opertions (prllel composition nd quotient). Moreover, the construction of the quotient solves n open problem in the re of MTS. As for future work, we hope to estblish the exct complexity of the quotient constructions. We conjecture tht the exponentil blow-up of the construction is in generl unvoidble. References 1. S.S. Buer, A. Dvid, R. Hennicker, K.G. Lrsen, A. Legy, U. Nymn, nd A. Wsowski. Moving from specifictions to contrcts in component-bsed design. In FASE, pges 43 58, S.S. Buer, L. Juhl, K.G. Lrsen, A. Legy, nd J. Srb. Extending modl trnsition systems with structured lbels. Mth. Struct. Comput. Sci., 22(4): , S.S. Buer, P. Myer, nd A. Legy. MIO workbench: A tool for compositionl design with modl input/output interfces. In ATVA, pges , N. Beneš nd J. Křetínský. Process lgebr for modl trnsition systemses. In MEMICS, pges 9 18, N. Beneš, J. Křetínský, K. G. Lrsen, M. H. Møller, nd J. Srb. Prmetric modl trnsition systems. In ATVA, pges , N. Beneš, I. Černá, nd J. Křetínský. Modl trnsition systems: Composition nd LTL model checking. In ATVA, pges , P. Blckburn. Representtion, resoning, nd reltionl structures: hybrid logic mnifesto. Logic J. IGPL, 8(3): , BMoTrs.

15 Hennessy-Milner Logic with Gretest Fixed Points A. Børjesson, K.G. Lrsen, nd A. Skou. Generlity in design nd compositionl verifiction using TAV. Forml Meth. Syst. Design, 6(3): , G. Boudol nd K.G. Lrsen. Grphicl versus logicl specifictions. Theor. Comput. Sci., 106(1):3 20, G. Bruns. An industril ppliction of modl process logic. Sci. Comput. Progrm., 29(1-2):3 22, G. Bruns nd P. Godefroid. Model checking prtil stte spces with 3-vlued temporl logics. In CAV, pges , L. Cires nd L. Crdelli. A sptil logic for concurrency (prt I). Inf. Comput., 186(2): , E.M. Clrke nd E.A. Emerson. Design nd synthesis of synchroniztion skeletons using brnching-time temporl logic. In Logic of Progrms, pges 52 71, P. Drondeu, J. Dubreil, nd H. Mrchnd. Supervisory control for modl specifictions of services. In WODES, pges , N. D Ippolito, D. Fischbein, H. Foster, nd S. Uchitel. MTSA: Eclipse support for modl trnsition systems construction, nlysis nd elbortion. In ETX, pges 6 10, H. Fecher nd H. Schmidt. Compring disjunctive modl trnsition systems with n one-selecting vrint. J. Logic Algebr. Progrm., 77(1-2):20 39, H. Fecher nd M. Steffen. Chrcteristic mu-clculus formuls for underspecified trnsition systems. Electr. Notes Theor. Comput. Sci., 128(2): , W. Fokkink, R.J. vn Glbbeek, nd P. de Wind. Compositionlity of Hennessy- Milner logic by structurl opertionl semntics. Theor. Comput. Sci., 354(3): , Jen-Yves Girrd. Liner logic. Theor. Comput. Sci., 50:1 102, J.B. Hrt, L. Rfter, nd C. Tsinkis. The structure of commuttive residuted lttices. Internt. J. Algebr Comput., 12(4): , M. Hennessy. Acceptnce trees. J. ACM, 32(4): , M. Hennessy nd R. Milner. Algebric lws for nondeterminism nd concurrency. J. ACM, 32(1): , H. Hüttel nd K.G. Lrsen. The use of sttic constructs in modl process logic. In Logic t Botik, pges , D. Kozen. Results on the propositionl mu-clculus. Theor. Comput. Sci., 27: , K. G. Lrsen nd Liu X. Eqution solving using modl trnsition systems. In LICS, pges , K.G. Lrsen. Modl specifictions. In Automtic Verifiction Methods for Finite Stte Systems, pges , K.G. Lrsen. Idel specifiction formlism = expressivity + compositionlity + decidbility + testbility +... In CONCUR, pges 33 56, K.G. Lrsen. Proof systems for stisfibility in Hennessy-Milner logic with recursion. Theor. Comput. Sci., 72: , K.G. Lrsen nd Liu X. Compositionlity through n opertionl semntics of contexts. In ICALP, pges , U. Nymn. Modl Trnsition Systems s the Bsis for Interfce Theories nd Product Lines. PhD thesis, Institut for Dtlogi, Alborg Universitet, P.W. O Hern, J.C. Reynolds, nd H. Yng. Locl resoning bout progrms tht lter dt structures. In CSL, pges 1 19, A.N. Prior. Ppers on Time nd Tense. Oxford: Clrendon Press, J.-P. Queille nd J. Sifkis. Specifiction nd verifiction of concurrent systems in CESAR. In Symp. Progrm., pges , 1982.

16 16 Beneš, Delhye, Fhrenberg, Křetínský, Legy 35. J.-B. Rclet. Residul for component specifictions. Electr. Notes Theor. Comput. Sci., 215:93 110, J.-B. Rclet, E. Bdouel, A. Benveniste, B. Cillud, nd R. Psserone. Why re modlities good for interfce theories? In ACSD, pges , J.C. Reynolds. Seprtion logic: A logic for shred mutble dt structures. In LICS, pges 55 74, S. Uchitel nd M. Chechik. Merging prtil behviourl models. In SIGSOFT FSE, pges 43 52, M. Wrd nd R. P. Dilworth. Residuted lttices. Trns. AMS, 45(3): , Dvid N. Yetter. Quntles nd (noncommuttive) liner logic. J. Symb. Log., 55(1):41 64, 1990.

17 Hennessy-Milner Logic with Gretest Fixed Points 17 Appendix: Proofs A Proofs of Section 2 Proof (Proof of Proposition 2). For reflexivity of m, one only needs to see tht for ny NAA S, the identity reltion id S = {(s,s) s S} S S is modl refinement from S to S. To see tht m is trnsitive, let S 1, S 2, S 3 be NAA with S 1 m S 2 nd S 2 m S 3. Let R 1 nd R 2 be modl refinement reltions witnessing S 1 m S 2 nd S 2 m S 3, respectively, nd define the reltion R 3 S 1 S 3 by R 3 = {(s 1,s 3 ) s 2 S 2 : (s 1,s 2 ) R 1,(s 2,s 3 ) R 2 }. We show tht R 3 is modl refinement reltion witnessing S 1 m S 3. Remrk tht s (s 0 1,s 0 2) R 1 nd (s 0 2,s0 3 ) R 2, we hve (s 0 1,s0 3 ) R 3. Let (s 1,s 3 ) R 3, then we hve s 2 S 2 such tht (s 1,s 2 ) R 1 nd (s 2,s 3 ) R 2. Let M 1 Trn 1 (s 1 ). By R 1, there exists M 2 Trn 2 (s 2 ) such tht (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R 1, (1) (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R 1. (2) Using R 2, we now see tht there must be M 3 Trn 3 (s 3 ) for which (,t 2 ) M 2 : (,t 3 ) M 3 : (t 2,t 3 ) R 2, (3) (,t 3 ) M 3 : (,t 2 ) M 2 : (t 2,t 3 ) R 2. (4) Now let (,t 1 ) M 1. Using (1), we find (,t 2 ) M 2 such tht (t 1,t 2 ) R 1. By (3), there exists (,t 3 ) M 3 such tht (t 2,t 3 ) R 2, so tht lso (t 1,t 3 ) R 3. Conversely, let (,t 3 ) M 3. By (4), there must be (,t 2 ) M 2 such tht (t 2,t 3 ) R 2. Using (2), we hve (,t 1 ) M 1 such tht (t 1,t 2 ) R 1, nd then lso (t 1,t 3 ) R 3. To finish the proof, we must see tht for ll NAA S, m S m. The empty reltion provides witness for the former, nd the reltion {(s, ) s S} S one for the ltter. Proof (Proof of Theorem 3). This follows directly from Lemms 4, 5 nd 7. Proof (Proof of Lemm 4). The first prt of the proof is trivil, s ny DMTS S hs the sme stte-structure s its corresponding NAA dn(s) nd the trnsition reltion in dn(s) is just n enumertion of ll cceptble choices of trnsitions from S. For the second prt of the lemm, we need to show tht for ny NAA S nd ny LTS I, I m S (s NAA) iff I m nd(s) (s DMTS). Let S = (S,S 0,Trn) be NAA nd let nd(s) = (T,T 0,, ) be defined s bove. Let I = (I,{i 0 },Trn I ) (I,{i 0 }, I, I ).

18 18 Beneš, Delhye, Fhrenberg, Křetínský, Legy. We first prove tht I m S I m nd(s). Assume tht I m S with witnessing modl refinement reltion R I S. Given i I, let M i be the unique set of trnsitions such tht Trn I (i) = {M i }. By R, we know tht for ll (i,s) R, there exists M i,s Trn(s) such tht (,i ) M i : (,t) M i,s : (i,t) R (,t) M i,s : (,i ) M i : (i,t) R Given i I, we denote by M i,s the corresponding set in Trn(s), s given bove. Let R D I T be the reltion such tht (i,m) R D iff there is s S with (i,s) R nd M = M i,s. We show tht R D is modl refinement. Let (i,m i,s ) R D. Let (,i ) such tht i i, i.e. i i s I is n implementtion. By construction, we hve (,i ) M i. By R, there exists (,t) M i,s such tht (i,t) R. By construction of nd(s), there exists M i,s N such tht (,M) N for ll M Trn(t). Since (i,t) R, there exists M i,t Trn(t) such tht (i,m i,t ) R D. Thus, we hve s M i,t nd (i,m i,t ) R D. Let M i,s ) N. By construction of nd(s), N is of the form {(,M) M Trn(t)} for some (,t) M i,s. By R, there thus exists i i such tht (i,t) R. As consequence, we hve (i,m i,t ) R D nd (,M i,t ) N. We hve shown tht R D is modl refinement reltion (for DMTS). We proceed to prove tht it is initilised. We hve s 0 S 0 with (i 0,s 0 ) R. By definition of R D, this implies tht (i 0,M i0,s 0 ) R D, but M i0,s 0 Trn(s 0 ), hence M i0,s 0 T 0.. We now prove tht I m nd(s) I m S. Assume tht I m nd(s) with witnessing modl refinement reltion R D I T. Given i I, let M i be the unique set of trnsitions such tht Trn I (i) = {M i }. Let R I S be the reltion such tht (i,s) R iff there exists M Trn(s) such tht (i,m) R D. We show tht R is modl refinement. Let (i,s) R nd let M i,s Trn(s) be such tht (i,m i,s ) R D. Let (,i ) M i. By construction, we hve i i, so by R D, there exists M T such tht M i,s M. By construction of nd(s), there must exist M i,s N with (,M) N. As consequence, gin by construction of nd(s), we must hve t S with (,t) M i,s nd M Trn(t). Therefore, there exists (,t) M i,s such tht (i,t) R. Let (,t) M i,s. By construction, we hve M i,s N with N = {(,M) M Trn(t)}. By R D, there exists i i such tht (i,m) R D for some M. As consequence, there exists (,i ) M i such tht (i,t) R. Hence R is modl refinement reltion (for NAA). To show tht R is initilised, we hve N 0 T 0 with (i 0,N 0 ) R D. But then N 0 Trn(s 0 ) for some s 0 S 0, nd by definition of R, (i 0,s 0 ) R.

19 Hennessy-Milner Logic with Gretest Fixed Points 19 Proof (Proof of Lemm 5). Let (S,S 0,Trn) be NAA nd write nh(s) = (S,S 0, ). Let (I,i 0, ), with I Σ I, be n LTS; we need to show tht I S iff I. For sttes i I, s S, write i m s iff (I,i, ) (S,{s},Trn), i.e. if the LTS I with its initil stte replced by i implements the BFS S with initil stte s. Similrly, write i = s iff (I,i, ) (S,{s}, ). We show tht I S iff I. We strt with the only if prt. The proof is done by coinduction. We define the ssignment σ : S 2 I s follows: σ(t) = {j I j m t}. We need to show tht for every s S, σ(s) (x) σ. Let i σ(s). As i m s, we know tht there exists M Trn(s) stisfying the conditions of modl refinement. For every (,t) M there thus exists i j such tht j m t. This mens tht j σ(t) nd i t σ. As (,t) M is rbitrry, this lso mens tht i (,t) M t σ. Let now Σ be rbitrry. Due to the first condition of modl refinement, we know tht for every i j there hs to be t lest one (,u) M (i.e. u M ) such tht j m u. This mens tht for every such j, j σ(u) u M u σ nd thus i [] ( u M u ) σ. As ws rbitrry, this mens tht i Σ []( u M u ) σ. Together with the previous observtion, we hve i (,t) M t Σ []( u M u ) σ. Clerly, there is s 0 S 0 such tht i 0 σ(s 0 ). Therefore, I =. We now show the if prt. We define reltion R s follows: R = {(j,t) j I,t S,j = t} nd show tht R stisfies the conditions of modl refinement. Let (i,s) R. As i = s there hs to exist some M Trn(s) such tht i = (,t) M t Σ []( u M u ). Let i j. As i = [] ( u M u ), there hs to be some (,u) M such tht j = u. The first condition of modl refinement is thus met. Let further (,t) M. As i = t, this mens tht there is some i j such tht j = t. The second condition of modl refinement is thus lso met. Clerly, R lso stisfies the condition of n initilised refinement. Thus I m S. Proof (Proof of Lemm 6). Itisshownin[10]thtnyHMLformulisequivlent to one in strong norml form, i.e. either tt or of the form i I ( j J i ij φ ij Σ []ψ i,) for HML formuls φ ij, ψ i, which re lso in strong norml form. We only need to replce the φ ij, ψ i, by (new) vribles x ij, y i, nd dd declrtions 2 (x ij ) = φ ij, 2 (y i, ) = ψ i, to finish the proof. Proof (Proof of Lemm 7). Let (x,k) S, with (x) = i I ( j J i ij x ij Σ []y i,) nd I. By construction, the chrcteristic formul [27] of (x,k) is χ(x,k) = j J i ij ( i I j x ij ) Σ []( i I y i, ). Distributing the disjunctions over the conjunctions, we see tht (x) = k χ(x,k).

20 20 Beneš, Delhye, Fhrenberg, Křetínský, Legy Now let (I,i 0, ) be LTS. Then I = x 0 X 0 : i 0 = (x 0 ) x 0 X 0 : k : i 0 = χ(x 0,k) (x 0,k) S 0 : i 0 m (x 0,k) I m S, the next-to-lst biimpliction holds precisely becuse χ(x 0,k) is the chrcteristic formul of (x,k). B Proofs of Section 3 Proof (Proof of Theorem 9). Let S 1 nd S 2 be DMTS or NAA. Let I be n implementtion such tht I S 1 S 2, i.e. I m S 1 S 2. Let R be the initilised modl refinement witnessing I m S 1 S 2. By construction of S 1 S 2, R cn be split into two reltions R 1 = R S 1 nd R 2 = R S 2 such tht R = R 1 R 2. One cn then verify tht both R 1 nd R 2 re modl refinement reltions. Depending ontheequivlenceclssoftheinitilstteofi (eitherbelongingtor 1 orr 2 ),one cn verify tht either I m S 1 or I m S 2. As consequence, I S 1 S 2, thus S 1 S 2 S 1 S 2. Conversely, if I m S 1 (resp S 2 ) with modl refinement reltion R, one cn verify tht R lso witnesses I m S 1 S 2. Thus S 1 S 2 S 1 S 2. Proof (Proof of Lemm 10). Write S = (S,S 0,Trn). If S 0 =, we cn let T = {t 0 } nd Trn(t 0 ) = ; note tht S m T m. Otherwise, we let T = S {t 0 }, where t 0 is new stte, nd Trn(t 0 ) = s 0 S 0 Trn(s0 ). Let R = id S {(s 0,t 0 ) s 0 S 0 }, then R is n initilised refinement S m T nd the inverse reltion R 1 n initilised refinement T m S. Proof (Proof of Lemm 11). LetS 1 = (S 1,S 0 1, 1, 1 )nds 2 = (S 2,S 0 2, 2, 2 ) be DMTS. Let db(s 1 ) = (S 1,S 0 1,Trn 1) nd dn(s 2 ) = (S 2,S 0 2,Trn 2) be their corresponding NAA. Let S = dn(s 1 S 2 ) nd S = dn(s 1 ) dn(s 2 ). We show tht S nd S re syntcticlly equivlent. First, remrk tht S nd S hve precisely the sme stte-spce, which is S 1 S 2, nd initil sttes, which re S 0 1 S 0 2. We now show tht they hve the sme trnsition functions. Let Trn (resp. Trn ) be the trnsition function of S (resp. S ). Let (s 1,s 2 ) S 1 S 2 nd let M Σ S 1 S 2 be such tht M Trn ((s 1,s 2 )). ByconstructionofTrn,theremustbe M 1 Trn 1 (s 1 )ndm 2 Trn 2 (s 2 ) such tht M M 1 M 2, i.e. π 1 (M) = M 1 nd π 2 (M) = M 2. We show tht M Trn ((s 1,s 2 )).

21 Hennessy-Milner Logic with Gretest Fixed Points 21 Let (,(t 1,t 2 )) M). Sinceπ 1 (M) = M 1 ndπ 2 (M) = M 2,wehve(,t 1 ) M 1 nd (,t 2 ) M 2. As consequence, there re trnsitions s 1 t 1 nd s 2 t 2 in S 1 nd S 2 respectively. Thus, by construction of conjunction of DMTS, there is trnsition (s 1,s 2 ) (t 1,t 2 ) in S 1 S 2. Let N Σ S 1 S 2 such tht (s 1,s 2 ) N in S 1 S 2. By construction, N is such tht either (1) there exists N 1 such tht s 1 N 1 in S 1 nd N = {(,(t 1,t 2 )) (,t 1 ) N 1,(s 1,s 2 ) (t 1,t 2 )}, or (2) there exists N 2 such tht s 2 N 2 in S 2 nd N = {(,(t 1,t 2 )) (,t 2 ) N 2,(s 1,s 2 ) (t 1,t 2 )}. Assume tht (1) holds (cse (2) being symmetric). Since M 1 Trn 1 (s 1 ), there must be (,t 1 ) N 1 M 1. Since π 1 (M) = M 1, there must be t 2 S 2 such tht (,(t 1,t 2 )) M. As consequence, there is (,(t 1,t 2 )) M N. Finlly, M Trn ((s 1,s 2 )). Conversely, we cn show tht for ll M Trn ((s 1,s 2 )), we lso hve M Trn ((s 1,s 2 )) in similr wy. We cn thus conclude tht Trn = Trn nd thus tht S nd S re syntcticlly equivlent. To prove Theorem 12, we need the following lemm: Lemm 20. For NAA or DMTS S 1, S 2, S 3, S 1 m S 2 S 3 iff S 1 m S 2 nd S 1 m S 3. Proof. We prove the two implictions seprtely.. Let S 1,S 2,S 3 be NAA with S i = (S i,s 0 i,trn i) nd consider the conjunction S 2 S 3 = (S,s 0,Trn). Assume tht S 1 m S 2 with witnessing reltion R 2 S 1 S 2 nd tht S 1 m S 3 with witnessing reltion R 3 S 1 S 3. We prove tht S 1 m (S 2 S 3 ). Consider the reltion R S 1 (S 2 S 3 ) such tht (s 1,(s 2,s 3 )) R (s 1,s 2 ) R 2 (s 1,s 3 ) R 3. We prove tht R is modl refinement. Let (s 1,(s 2,s 3 )) R nd M 1 Trn 1 (s 1 ). By R 2, there exists M 2 Trn 2 (s 2 ) such tht (,t 1 ) M 1 : (,t 2 ) M 2 : (t 1,t 2 ) R 2 (5) (,t 2 ) M 2 : (,t 1 ) M 1 : (t 1,t 2 ) R 2. (6) Moreover, by R 3, there exists M 3 Trn 3 (s 3 ) such tht (,t 1 ) M 1 : (,t 3 ) M 3 : (t 1,t 3 ) R 3 (7) (,t 3 ) M 3 : (,t 1 ) M 1 : (t 1,t 3 ) R 3. (8) We construct the set M using the following principle: for ll (,t 2 ) M 2, we know by (6) tht there exists (,t 1 ) M 1 such tht (t 1,t 2 ) R 2. Given the stte t 1, we know by (7) tht there exists (,t 3 ) M 3 such tht (t 1,t 3 ) R 3. The set M is thus composed of the trnsitions obtined by combining (6) nd (7) nd (5) nd (8): M = {(,(t 2,t 3 )) (,t 2 ) M 2,(,t 3 ) M 3 : By construction, we know tht M Trn(s 2,s 3 ). (,t 1 ) M 1,(t 1,t 2 ) R 2 (t 1,t 3 ) R 3 }.

22 22 Beneš, Delhye, Fhrenberg, Křetínský, Legy Let (,t 1 ) M 1. Consider sttes t 2 nd t 3 given by (5) nd (7) respectively. Since (,t 2 ) M 2, (,t 3 ) M 3, (t 1,t 2 ) R 2 nd (t 1,t 3 ) R 3 we hve (,(t 2,t 3 )) M nd (t 1,(t 2,t 3 )) R. Let (,(t 2,t 3 )) M. By construction of M, there exists (,t 2 ) M 2, (,t 3 ) M 3 nd (,t 1 ) M 1 such tht (t 1,t 2 ) R 2 nd (t 1,t 3 ) R 3, thus (t 1,(t 2,t 3 )) R. By construction, we know tht (s 0 1,(s0 2,s0 3 )) R, thus R is modl refinement reltion nd S 1 m (S 2 S 3 ).. Let S 1,S 2,S 3 be NAA with S i = (S i,s 0 i,trn i) nd consider the conjunction S 2 S 3 = (S,s 0,Trn). Assume tht S 1 m (S 2 S 3 ) with witnessing reltion R. We show tht S 1 m S 2 (S 1 m S 3 is then obtined by symmetry). Let R 2 S 1 S 2 be the reltion such tht (s 1,s 2 ) R 2 s 3 S 3 s.t. (s 1,(s 2,s 3 )) R. We show tht R 2 is modl refinement reltion. Let (s 1,s 2 ) R 2 nd consider s 3 S 3 such tht (s 1,(s 2,s 3 )) R. Let M 1 Trn 1 (s 1 ). By R, we know tht there exists M Trn((s 2,s 3 )) such tht (,t 1 ) M 1 : (,(t 2,t 3 )) M : (t 1,(t 2,t 3 )) R (9) (,(t 2,t 3 )) M : (,t 1 ) M 1 : (t 1,(t 2,t 3 )) R. (10) ConsiderM 2 = π 2 (M). ByconstructionofTrn((s 2,s 3 )), weknowtht M 2 Trn 2 (s 2 ). Let(,t 1 ) M 1.By(9), thereexists(,(t 2,t 3 )) M suchtht(t 1,(t 2,t 3 )) R. As consequence, we hve (,t 2 ) M 2 = π 2 (M) nd (t 1,t 2 ) R 2. Let(,t 2 ) M 2.Byconstruction,thereexistst 3 S 3 suchtht(,(t 2,t 3 )) M. By (10), there exists (,t 1 ) M 1 such tht (t 1,(t 2,t 3 )) R, thus (t 1,t 2 ) R 2. Finlly, we know tht (s 0 1,(s0 2,s0 3 )) R, thus (s0 1,s0 2 ) R 2 nd R 2 is modl refinement reltion such tht S 1 m S 2. Proof (Proof of Theorem 12). The result directly follows from Lemm 20. Let S 1 nd S 2 be NAA or DMTS. Let I S 1 S 2, we thus hve I m S 1 S 2. By Lemm 20, we thus hve I m S 1 nd I m S 2, thus I S 1 S 2. Reversely, if I S 1 S 2, then we hve I m S 1 nd I m S 2. By Lemm 20, this implies tht I m S 1 S 2, nd thus I S 1 S 2. Proof (Proof of Theorem 13). The sets form bounded lttices by stndrd ordertheoretic rguments, so only the distributive lw remins to be verified. Let thus S 1, S 2, S 3 be DMTS (the rgument for NAA is similr); we wnt to show tht S 1 (S 2 S 3 ) m (S 1 S 2 ) (S 1 S 3 ). The stte spces of both sides re S 1 S 2 S 1 S 3, nd it is esily verified tht the identity reltion is two-sided modl refinement.