The Power of the Future Perfect in Program Logics

Transcription

1 INFORMATION AND CONTROL 67, (1985) The Power of the Future Perfect in Progrm Logics MATTHEW HENNESSY AND COLIN STIRLING University of Edinburgh, Edinburgh, United Kingdom The expressiveness of brnching time tense (temporl) logics whose eventully opertors re reltivised to generl pths into the future is investigted. These logics re interpreted in models obtined by generlising the usul notion of trnsition system to llow infinite trnsitions. It is shown tht the presence of formule expressing the future perfect enbles one to prove tht the expressiveness of the logic cn be chreterised by notion of bisimultion on the generlised trnsition systems. The future perfect is obtined by dding pst tense opertor to the lnguge. Finlly the power of vrious tense lnguges from the literture re investigted in this frmework Acdemic Press, Inc. 1. INTRODUCTION Mny vrieties of tense (temporl) logics hve been suggested for describing properties of progrms (Gbby, Pnueli, Shelh, nd Stvi, 1980; Clrke, Emerson, nd Sistl, 1983; Emerson nd Hlpern, 1983; Ben- Ari, Mnn, nd Pnueli, 1981; Pnueli, 1979; Mnn nd Pnueli, 1983; Hrel, Kozen, nd Prikh, 1982; Abrhmson, 1979). This prolifertion suggests tht there is no simple criterion for judging the dequcy of such lnguges. They should be ble to describe ll properties which re commonly greed to be of interest. However this clss of properties is difficult to delinete nd the most tht one cn hope for is to prove tht lnguge A is more expressive thn lnguge B in the sense tht there is n interesting property expressible in A which is not expressible in B. There re of course other criteri for compring these logics, such s the simplicity of their relted proof systems. This pper will exmine only their descriptive powers, i.e., their expressiveness. One interesting question posed of such logics is whether they re dequte for expressing the vrious formultions of firness (Gbby et l., 1980; Lmport, 1980; Emerson nd Hlpern, 1983). Since this inevitbly involves considertion of infinite sequences the models for these lnguges should stte which infinite sequences re dmissible. Most often these models re some form of trnsition system together with some criteri for dmissible infinite sequences through the trnsition system. This is the /85 $3.00 Copyright 1985 by Acdemic Press, Inc. All rights of reproduction in ny form reserved.

2 24 HENNESSY AND STIRLING pproch tken, for exmple, in (Queille nd Sifkis, 1983; Lehmnn, Pnueli, nd Stvi, 1981; Milner, 1982). However much of the discussion is independent of the ctul set of infinite sequences llowed. In Section 2 we introduce generlistion of trnsition systems, clled generl trnsition systems, which re nturl generlistion of these models. They consist of set of progrms (or progrm points), or processes, nd ny collection of computtions through these points stisfying simple criteri. We will use these s models throughout the pper. In Section 3 we pose the problem of finding tense logic which is dequte for expressing properties of generl trnsition systems. We offer nturl cndidte L r which is generlistion of the logic HML of (Hennessy nd Milner, 1980; Brookes nd Rounds, 1983; Hennessy nd Milner, 1985). Lr is lso reltivized brnching time tense logic in the sense tht the eventully opertors re reltivized to prticulr generl pths into the future: insted of hving n opertor ( ) mening in some future it will be the cse tht... we hve n opertor (u) mening in some u-future it will be the cse tht... We show tht Lr is not sufficiently expressive. We do this by exmple; by exhibiting two generl trnsition systems which intuitively hve different computtionl behviour but which cnnot be distinguished by the lnguge Lr. One my increse the power of L r by dding new opertors nd thereby enble the lnguge to express the intuitive difference between the two trnsition systems of this exmple. There re two dngers in this pproch. By dding more nd more opertors to cope with different exmples the lnguge becomes incresingly complicted. This criticism might be levelled t CTL* in (Emerson nd Hlpern, 1983). Moreover, by simply dding new opertor one cnnot be sure tht the new lnguge is sufficiently expressive to cpture ll the interesting phenomen of generl trnsition system. Criteri, independent of progrm logics, re required. A simple criterion lredy exists for trnsition systems, nmely bisimultion equivlence. Informlly two progrms in trnsition system re bisimultion equivlent if no mount of experimenttion will ever discover difference between them. One my experiment on progrm using the ctions or trnsitions defined in the trnsition systems. This equivlence hs been studied for vrious specific trnsition systems in (Sifkis, 1982b; Prk, 1981; Milner, 1980, 1981). It is of interest to us becuse it serves s simple chrcteristion of the expressive power of the lnguge HML; in finite brnching trnsition system two progrms enjoy the sme properties expressible in HML if nd only if they re bisimultion equivlent. In other words they cn be distinguished by HML if nd only if they re not bisimultion equivlent. We sy tht HML is expressive complete reltive to bisimultion equivlence. Bisimultion equivlence is not of much interest for generl trnsition

3 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 25 systems since it is formulted in terms of experiments which only use finite trnsitions or computtions. However by llowing experiments to consist of infinite computtions one my define the notion of extended bisimultion equivlence on generl trnsition systems. This, we clim, is nturl yrdstick for the expressiveness of generlistions of HML. In Section 4 we give very simple extension of LT, Jr, which is expressive complete reltive to extended bisimultion equivlence. The extr opertor required is reltivised pst tense the is true of progrm if it hs just executed the ction nd immeditely previous to its execution the property A is true. The expressive power of Jr stems from its bility to express the future perfect: it will hve been the cse tht... In the finl section we show tht Jr is very stble: the ddition of wide vriety of new opertors does not increse its expressiveness. Finlly we show tht modifiction of CTL*, clled Kr, is s powerful s Jr. The disdvntge of KT is tht both its syntx nd semntics re quite complicted since the lnguge llows rbitrry nesting of two kinds of formule, one deling with progrms, the other with computtion pths. 2. GENERAL TRANSITION SYSTEMS Trnsition systems hve long been recognised s useful for modelling discrete systems (Keller, 1975; Sifkis, 1982; Prk, 1981). We use s bsis trnsition systems whose trnsitions re lbelled. DEFINITION 2.1. (i) (ii) A trnsition system is triple (P, A, --, ), where P is set of process nmes A is set of ction nmes (iii) ~ is mpping which ssocites with ech ea reltion ~_PxP. This is essentilly the definition used in (Queille nd Sifkis, 1983). When firness is considered, trnsition systems re no longer sufficient simply becuse definitions of firness ppel to infinite sequences of trnsitions. A common expedient is to tret infinite sequences seprtely by dding to trnsition system criteri for their dmissibility (Queille nd Sifkis, 1983; Lehmnn, Pnueli, nd Stvi, 1981; Milner, 1982). Here we propose, s n lterntive, extended trnsition systems. First, we need some nottion. For ny set X let X* be the set of finite sequences nd X ~ the set of infinite sequences over X, nd let X t = X*u X% For u z X ~ let u(n) be the

4 26 HENNESSY AND STIRLING prefix of length n of u, if it exists nd u[n] be the nth element of u, if it exists, nd let ]u] be the length of u (which my be infinite). Reltive to given set P of process nmes nd set A of ction nmes,, computtion is ny non-empty finite or infinite sequence of the form: We often bbrevite this to oo ~ ~. (1) Po ~ Pl, Pl ~ P2,..., Pn ~ Pn l 2 Po... ~ Pl ~" P2 '"" (2) This computtion is clled u-computtion from Po whenever u E A* nd u[n] =n for ll n. It will sometimes be useful to llow computtions of length zero from p which we write s p ~ p. We use c to rnge over C(A, P), the set of computtions reltive to P nd A. If c is the cornputtion (1 then Icl lnit(c) term(c) A(n, c) P(n, c) A(c) =lul = P0 =-Pn ~ n =Pn =u6a ~ if Icl =n such tht u[n] =, for ll n ~< Icl c(n) = c if A(n, c) is not defined nd o l n PO ) Pl ~" "" ' Pn+l otherwise. Composition of computtions, cl. c2, is defined in the obvious wy: if c I is infinite then c~c2 is cl; if Cl is finite then c~c2 is only defined when term(c~) = init(c2) nd is then the conctention of the two computtions. We re now ble to define generl trnsition system. DEFINITION 2.2. where A generl trnsition system, gts, is triple (P, A, C), (i) (ii) (iii) () (b) P is set of process nmes A is set of ction nmes C ~ C(A, P) is set of computtions stisfying c1" c2 ~ C whenever defined nd cl, c2 s C cl, c2~ C whenever c 1 c2e C nd cl is finite.

5 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 27 Condition () which sttes tht C is closed under composition is very intuitive requirement. Condition (b) which sttes tht C is both prefix nd suffic closed lso ppers to be nturl lthough it does fil to hold in the systems discussed in (Cost nd Stifling, 1984). An immedite consequence of (b) is the condition: (c) c(n) ~ C for every n > 0 whenever c ~ C. The converse need not hold. When it does we sy tht gts (P, A, C) is stndrd (or limit closed): c~c whenever c(n)ec for every n>0. Moreover, we sy tht gts (P, A, C) is finite brnching if for every p e P nd ea the set S(, p)= {p':p ~p'ec} is finite. In contrst to trnsition systems generl trnsition systems del with infinite computtions directly, s prt of their definition. When firness is not n issue, infinite computtions of trnsition systems re defined s the limits of sequences of finite computtions: there is, then, 1-1 correspondence between stndrd gtss nd trnsition systems. Non-stndrd gtss hve been used in (Queille nd Sifkis, 1983; Lehmnn, Pnueli, nd Stvi, 1981), nd (Cost nd Stirling, 1984; Hennessy, 1983) contin finite brnching instnces. In the sequel we lwys ssume tht S(, p), for ny nd p, is countble. Lbelled directed grphs cn be used to represent stndrd gtss. For ny such grph g let gts(g) be the gts defined by (i) (ii) P is the set of nodes A is the lbels on the rcs of g (iii) C is the set of pths through g. It is esy to check tht gts(g) is stndrd gts. Moreover we hve LEMMA 2.3. For every stndrd gts T= ( P, A, C) there exists grph g such tht gts(g)= T. Proof (i) (ii) The required grph g is defined by nodes--p rc lbels--a (iii) p is connected to p' by n rc lbelled if p ~ p, e C. I This representtion cn be extended to rbitrry gtss. Let g be lbelled directed grph nd I set of infinite pths through g stisfying the condition tht for every finite pth c through g nd finite pth c' through g if c. e' is defined then c' e 1 iff c. c' e/. Then gts(g, I) is the gts defined by (i) (ii) P is the set of nodes A is the set of lbels on the rcs of g (iii) C is I together with the set of finite pths through g.

6 28 HENNESSY AND STIRLING LEMMA 2.4. For every gts T= (P, A, C) there exists pir g, I such tht T = gts( g, I). Proof Let g be the grph defined s in the previous lemm. Note tht p, p, e C if nd only if p ~ p, ppers in some computtion in C. Let I be the set of infinite pths through the grph g which correspond to the infinite computtions of C. Becuse T stisfies (c) nd (b) bove it is esy to check tht gts(g, I) coincides with T. We use this representtion of gtss throughout the pper when giving exmples. The indequcy of trnsition systems when firness is ssumed is illustrted by the following exmple (Prk, 1980). EXAMPLE 2.5. p=x:= 1; y:=0; (while x>0 do y:= y+l od LI x := 0). A simplified trnsition system representtion of p is while x.o do y:=y+l IIx:= 0 empty X:=O When firness is ssumed, p lwys termintes. But the loop lbelled by y := y + 1 hides this. We need to know when loop cn or cnnot give to n infinite pth through the trnsition system. The generl trnsition system representtion of p will include this informtion. 3. RELATIVIZED BRANCHING TIME TENSE LOGICS There is vriety of progrm logics for describing progrm properties. Tense (temporl) logics hve become especilly populr in recent yers. They view progrm essentilly s kind of trnsition system. Ech formul of the logic expresses property tht the trnsition system my or my not prossess. Mny people hve worried bout the exct form these logics should hve if they re to cpture interesting progrmming properties such s firness (Gbby et l., 1980; Lmport, 1980; Emerson nd Hlpern, 1983; Pnueli, 1979; Owicki nd Lmport, 1982). Here, we ddress the question of which progrm logics re suitble for expressing properties of generl trnsition systems nd when these logics my be sid to be sufficiently expressive.

7 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 29 In (Hennessy nd Milner, 1980, 1985) simple logic, HML, ws introduced for expressing properties of finite brnching trnsition systems. HML ws further exmined in (Brookes nd Rounds, 1983; Stirling, 1985). The first lnguge we consider is nturl extension of HML to del with generl trnsition systems. When T= (P, A, C) is gts L~- is the lnguge defined by ~b ::= Tr [7~bl V{~bi: iei} ](u)~b I [u]~b where I is non-empty set of indexes (which my be infinite) nd where u rnges over non-empty members of A t. Intuitively, the formuls hve the following mening: Tr mens true 7~b mens not ~b V{~bi: i e I} mens ~b h or ~bi2 or'-" or ~b~, or'. ", where I= {il, i2... i... } (u >~b mens ~b t some point during some u-computtion [u]~b mens ~b t some point during every u-computtion. Note tht the only tomic formul is Tr: the reson being tht our interest is in expressing properties in terms of the trnsitions of computtion pths. These intuitions re formlized by defining stisfction reltion _c p x L'r where P is in T: p ~ ~b is to be understood s process p stisfies (the property expressed by) the formul ~b. is defined by structurl induction on L~.: p~yr p~v{oi:iei} for ny p e P iffnot (p~b) iff p ~ ~bj for some j e I iff for some u-computtion c from p nd for some n, 0 < n <~ IcJ, P(n, c)~q} iff for every u-computtion c from p there is n n, 0<n~< Ic], such tht P(n, c)~b. Note tht < u > nd [u] re not duls of ech other. L} extends HML in two wys: first, by llowing infinitry nd not just finitry disjunction nd second by llowing u to rnge over A t nd not just A. (For different but finitry extensions of HML see Brookes nd Rounds, 1983.) Let HMLr, therefore, be the sublnguge of L), where u is restricted to rnge over A only nd where disjunction is finitry nd let HML~ be the result of extending HML r by llowing infinitry disjunction. The opertors (u) nd l-u] re lso bsed on the two eventulity

8 30 HENNESSY AND STIRLING opertors of brnching time: in some future it will be the cse tht nd in every future it will be the cse tht (Prior, 1867; Bull, 1970). They re, however, reltivized eventulity opertors, reltivized to prticulr pths into the future nd when u is finite these pths re lso bounded. Except when uea, (u> nd [u] re not duls of ech other: 7(u>7 mens "in every u-future it will lwys be tht" or more precisely, "t every point in every u-computtion" wheres 7[u] 7 mens "in some u-future it will lwys be tht" or "t every point in some u-computtion." Thus, L} is reltivized brnching time tense logic (nd HMLT nd HML~ re reltivized next logics, brnching time logics whose only tense opertors re the reltivized correltes of "t some next moment," nd "t every next moment"). These logics hve virtues which, we hope, come out in subsequent sections. One point, however, is worth mentioning. It is not cler how one cn give semntics for the unreltivized eventulity opertor "in every future it will be tht" with respect to generl trnsition systems becuse computtions need not be limit closed--futures cnnot be defined s mximl computtions. To see the powers of L) consider the following exmple gts. EXAMPLE 3.1. Let Ii be the set of infinite pths through this grph Pl P2 b P3 P4 P5 b P6.. which lmost lwys pss through Pi. So, for exmple, pth through the grph pl I p2 2 is in I 1 if nd only if there is k ~> 0 such tht for every n t> k, pn is Pl nd n is. Let I be/2 w 14 w 15. Then the bove grph, together with I determine gts. With respect to this gts, pl~[ ~](b>tr unlike P4: ll ~computtions from Pl eventully pss through P2 wheres there is n ~- computtion from P4 which does not pss through Ps. It is esy to show tht no formul of HML distinguishes between Pl nd P4- In defining prticulr gts such s tht in Exmple 3.1 it is more convenient to specify I in terms of subset J which genertes it by virtue of the

9 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 31 closure properties of pths, given in Definition 2.2(iii). In Exmple 3.1, I is completely specified by the three pths P2 ~ P2 ~"" P4 ~ P4 ~ "'" P5 ' P5 ~"" In future exmples we will lwys specify the set of infinite pths in this wy. We now turn our ttention to the expressibility of L~-. Idelly, one wnts L~ to express ll the interesting properties of T without, t the sme time, being overly discrimintory. Formuls of L~. my be used to distinguish processes in T. This bility to distinguish cn be formlized by ssociting with L~ n equivlence reltion on P ~ T: P "~LT' P' if V~ELT,' p~q~iffp'~ob. Thus, p ~ L~ P' holds just in cse p nd p' re indistinguishble by ny formulk of L'r. In Exmple 3.1, Pz ~L'~P5 nd P3 ~L~P6 but not (Pl "~ L~ P4). Our logic will be too discrimintory if there is gts T nd two processes in T which enjoy the sme interesting properties but re distinguishble by L~. On the other hnd, it will not be rich enough if there is T nd two processes which differ in their interesting properties but re indistinguishble by L~. Before tking on these issues we exmine more trctble expressiveness question. We my wonder if L~ contins redundnt constructions: in other words, is there subset Mr of L~., for ny gts T, such tht p ~ MT P' iff p "~ L~ P'? MT would then express ll the properties expressed by L~-. Let LT, for ny T, be the sublnguge of L~-without the opertor (u). LEMMA 3.2. p "~ LT p' iff p ~ LT P' for ny T. Proof. (~) Clerly holds becuse Lr~_L ~. (~) Suppose not (p ~ L~ P'). The only interesting cse is when p~ (u)~b nd not (p'~ (u)~b). We show not (p ~LTP') by nlysis of u: (i) u= nd ~A. Then p~(u)q) iffp=~[u] ~b. (ii) u=o..'n (u is finite). Then p~(u)~b iffp~(o)(~b A ( 1)... (.)Tr) v (o)(l)(~b A (2)"" (n)tr) v -.. v (o) "'" (n)~b. Ech (j) is eliminble by i. 643/67/i-3-3

10 32 HENNESSY AND STIRLING (iii) u=ol...then p~(u)~) iff p~(o)"'" (n)(q~/x ][,+l ""7 ] Tr) for some n. This interesting result shows tht the weker reltivized eventully opertor, "in some u-future it will be tht" is redundnt in the presence of the stronger, "in every u-future it will be tht." The converse does not hold. Let Mr be the sublnguge of Lr without the opertor [u], then it is strightforwrd to show tht Pl nd P4 of Exmple 3.1 re indistinguishble by Mr: tht is, Pl ~ Mr P4 wheres not (Pl ~ c~ P4)- We let () bbrevite -][]] nd Flse bbrevite -] Tr in LT. LEMMA 3.3. () If T is stndrd then p ~ LT P' iff p ~ HML~ p'. (b) If T is stndrd nd finite brnching then P~LTP' iff p~hmlrp'. This result, which follows immeditely from the results of the next section, shows tht if T is stndrd then infinitry computtions cn be distinguished without using the opertor [u] for u ~ A. This is not suprising given the limit closedness condition; if two processes differ on their infinite computtions then they differ on their finite computtions. It suffices, therefore, to hve the opertor [u], u is finite. But by resoning similr to (ii) of the proof of Lemm 3.2, [u] is definble in terms of [], e A. If in ddition T is finite brnching then we need only finitely disjunction. It is strightforwrd to show tht ech of the opertors, ], V, [] (or insted ()), ea, in these sublnguges re necessry: by omitting ny one of them, expressive power is lost. Exmples for the lnguge HMLT cn be found in Hennessy nd Milner (1985). We return now to the more diffiult expressiveness issues. Evidence tht L r is not too disciminting cn be given by showing tht if we remove distinguishing powers from Lr then processes which pper to enjoy different interesting properties become indistinguishble. As remrked, Exmple 3.1 brought out the need for the infinitry opertor l-u], u ~ A% A much simpler exmple is the following: EXAMPLE 3.4. I is generted by the pth: Pl-'P2--*Pt--*... Pl "~---~-~"~ P2 P3 ~ P4 Clerly, Pl nd P3 do not differ in their finite computtions. However, P3~ [ -o)] Flse unlike Pl.

11 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 33 The following exmple tken from Milner (1983) shows the need for infinitry disjunction. EXAMPLE 3.5. o? P o o Pio Pil Pii-1 p, Vn:t<_n<W Vi_>l :i=. except when i=j. i ] et Vm:l<m<_OJ i=q~. Pl P2 Pn oo o,,o, P1 P2 Pm The importnt distinction here is tht unlike p, p' ~ Po~. When the ction i represents y : = i then Po~ is trnsition system representtion of rndom ssignment, y :=? (Prk, 1980). P represents progrm with finite brnching structure wheres p' is infinite brnching, which could rise, for instnce, from Exmple 2.5. However, if LT is restricted to finitry disjunction then p nd p' re indistinguishble. But there is n -computtion from p' to Po~ which differs from every -computtion from p: p ~ Pn for n < co nd ech such Pn fils some m computtion (just tke m to be n). The two processes p nd p' re distinguishble using infinitry disjunction: p=[](v{[i]tt:l<<.i<co}) unlike p'. This exmple lso shows the need for the negtion opertor. The following exmple shows tht Lr even though it contins infinitry disjunction is not rich enough to express ll interesting properties. EXAMPLE 3.6. I is generted by {p2"-~p2"-*... ; q2 +q2 ~... ; P2 "--rp3 --'~ p2 ~... }. 92..~---.~ p qlo~ q2 "% Let T be the gts described in Exmple 3.6. Then

12 34 HENNESSY AND STIRLING LEMMA 3.7. p~ ~Lrqgfor i= 1, 2, nd 3. Proof Clerly, Pl ~L~q~. The equivlences of the other pir re proved simultneously by structurl induction on ~b. There is only one interesting cse: ~b = [u]o, where u is prefix of ~, () Suppose Pz~[U]O (i) if u= then becuse P2 --+~ Pi i= 1, 2 nd 3, Pi~O. Hence by inductive hypothesis qe~t) i = 1, 2 nd 3. Therefore q2~ [u]~9. (ii) u=", n>~2, then P2~O, t lest, becuse P2 ~ P2 ~... e C. Consider ny computtion of t lest length 2 from q2: Such computtion must hve the form q2--,q2~... or q2 ~ q3 ~ q2 ~... i.e. q2 must lwys pper fter its initil occurrence. By inductive hypothesis q2 ~ 0" Hence q2 ~ [-U']~t. (b) Suppose q2~ [u]o. The rgument is similr to (). (c) Suppose p3~[u]o. Then P2~O becuse p3--~p2~p2--* " e C. By induction hypothesis q2~o- But ny computtion from q3 psses through q2- Hence q3~ [u]0. (d) Suppose q3~[-u]o- The rgument is similr to (c). The lnguge Lr, therefore, does not distinguish between P2 nd q2. However they do pper to hve different interesting properties: ll o- computtions from q2 pss through q2 lmost lwys wheres ll ~computtions from P2 only pss through P2 infinitely often nd t P2 nd q2 (unlike P3 nd q3) there is the possibility of termintion by moving to Pl nd ql. This difference is bound up with distinctions between wek-fir nd strong-fir computtions (Lehmnn, Pnueli, nd Stvi, 1981; Prk, 1981b). If we wnt logicl lnguge to express such subtle distinctions then LT needs to be extended. Anlogous expressibility problems exist for brnching time future tense logics with unreltivized eventully opertors: see, for instnce, Lmport (1980) nd, in prticulr, Emerson nd Hlpern (1983) which offers extensions which re more expressive. Such problems re not overcome by simply dding infinitry disjunction. Finding suitble extension of LT which distinguishes P2 from q2 of Exmple 3.6, will not gurntee sufficient expressibility. There is lwys the dnger tht new exmple will be found showing it is still not expressive enough (or it is overly expressive). Indeed, in Section 5 we offer n extension of LT which distinguishes the processes of Exmple 3.6 but which is still not expressive enough. The min problem is, of course, tht we wnt logic which precisely cptures the interesting properties of gts. But we do not hve forml criterion for wht n interesting property is: nor is it

13 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 35 cler tht we could ever hve one, given the open-ended nture of wht counts s interesting. The wy out of this impsse is to Offer reltive expressibility results. We need yrdstick, independent of the logic, for mesuring expressibility. This independent criterion should be justifible. For exmple, there is Kmp's result tht liner time sententil tense logic with the two dydic opertors, "since" nd "until" is completely expressive with respect to complete first-order liner orders (Kmp, 1968). (This is not the lst word; see Kmp, 1971; Wolper, 1981, for instnce.) In the next section we offer expressive completeness results reltive to more progrmming-oriented criterion, criterion which rose independently of considertions of progrm logics. 4. BISIMULATIONS AND RELATIVE EXPRESSIBILITY Let T= (P, A,--.) be trnsition system. A bisimultion on T is reltion R P x P stisfying: if ( p, p' ) e R then for every e A, (i) if p ~ Pl then p' --, p] for some p] such tht (p~, P'I) e R (ii) if p', P'I then p --*~ Pl for some Pl such tht (pl, p'~ ) ~ R. (1) This requirement on R ppers circulr. However it is not definition but rther property tht reltion my or my not hve. If it does then the reltion is bisimultion. These give rise to nturl equivlence on P in T: P ~ r P' if there exists bisimultion R such tht (p, p') ~ R. It is strightforwrd to check tht ~ r is indeed n equivlence nd tht it is lso the mximl bisimultion (under inclusion). If p "~r P' then their computtionl potentils re very similr. In fct the definition of ~ r is one ttempt t formlising the ide tht processes re equivlent if no mount of experimenttion will ever discover difference between them. In trnsition system one experiments on process by sking it to perform prticulr ctions. The reltions ~ formlise the effect tht this hs on processes. Our formultion of this ide (nd vritions thereof) hve been investigted for prticulr trnsition systems in (Prk, 1981; Milner, 1980, 1982), for exmple. In Sifkis (1982) it is discussed with respect to trnsition systems in generl. A somewht different formultion hs been used in Moore (1956) nd pplied to finite utomt.

14 36 HENNESSY AND STIRLING EXAMPLE 4.1. Consider the trnsition system given by: b b b 1 3 Then the reltion {(Pl, ql), (P2, q2), (P2, q3)} is bisimultion. To prove this one merely checks tht it stisfies the requirement (1) bove. Consequently, Pl ~Tql, P2 ~rq2, nd P2 "~rq3. In generl it is strightforwrd to show tht p,-- v q; one merely exhibits bisimultion which contins the pir ( p, q). Of course it my be difficult to find one, but hving found cndidte one cn esily check it. On the other hnd to show p 4, r q my be more difficult since one hs to show tht (p, q) is not in ny bisimultion. EXAMPLE 4.2. Consider the trnsition system given by: b c Then Pl~rql. This cn be proved by contrdiction. Suppose (Pl, ql)~r for some bisimultion R. Then since R stisfies the property (1) either (P2, q2)~r or (P2, q3)er. However neither is possible. For exmple, if ( P2, q2) e R then there must be some q' such tht (i) (ii) q2 ~Cq, nd (p~,q')er. However, no such q' cn exist for the simple reson tht q2 cnnot perform the ction c. In this exmple Pl is intuitively different from ql becuse ql cn fil the experiment "perform then perform c" wheres pl cnnot. The equivlence ~T is nturl yrdstick for mesuring the expressibility of progrm logics. If A is fmily of (generl) trnsition systems then we sy tht progrm logic M r is expressive complete with respect to A nd with respect to n equivlence ET on processes in T whenever VTeA, Vp, p'epin T, petp' iffp ~MTP" The import of this stipultion is tht the distinguishing powers of M r coincide with ET. The notion of expressive complete is different from the more

15 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 37 stndrd logicl "just s expressive s" s used in (Emenson nd Hlpern, 1983; Kmp, 1968; Gbby et l., 1980). We exmine the difference in the Appendix. The following theorem, generliztion of Hennessy nd Milner (1980), is n expressive completeness result reltive to trnsition systems. THEOREM 4.1. () For ny trnsition system T, P ~ 7- P' iff P ~ HML~ P" (b) For ny finite brneing trnsition system T, p ~ T P' iff P ~ nmlt P" Proof () Suppose p,,, rp' nd p~b where ~behmlt. A simple induction on the structure of ~b estblishes p'~b. For the other hlf we show tht,--hml7 is bisimultion on T. Suppose not. Then p,-~ HML~ P' nd w.l.o.g, p~pl for some nd p~ s.t. Vp~, if p'~"p'~ then not (Pl ~ HML7 P')" Let S(, p')= {ql,.-., G,---}. (Recll S(, p')= {p'~:p' ~ p'~} is ssumed to be countble.) Let IS(, p')[ be crdility of S(, p'). If IS(, P')I =0 then p'~ [] Flse unlike p. But this contrdicts p ~nml7 P" Otherwise there exists formuls {(~e:l<~i<<.[s(, p')[} s.t. qi~b~ nd not(plumb1). Hence p' = [-]{V~bi:l <<. i <,G IS(, p')[} unlike p. This gin contrdicts hypothesis p ~ HML7 P'- (b) The proof is very similr except tht in the second hlf the set S(, p') must be finite nd hence, finitely disjunction suffices. As previously noted, stndrd generl trnsition system re essentilly trnsition systems. Consequently, Theorem4.1 lso sttes tht HML~ (HMLT) is expressive complete reltive to stndrd (finite brnching) gtss nd,-~ T" Moreover, LT is lso expressive complete: this is in fct rewording of Lemm 3.3 which follows immeditely from the following: LEMMA 4.2. If T is stndrd gts then p ~ T P' implies p ~ LT P'" Proof Suppose p "~TP' nd p~b for some ~belr. We show by induction on ~b tht p'~b. There is only one non-trivil cse: ~b is [u]~ nd u is infinite ol"" ". Suppose p' ~ ]~b. Then there is u-computtion from p', p' --* 0 P'I ~ l..., such tht p;~]o for ll i>~l. But, by hypothesis P~rP'. Hence 3Po,..., Pi,.-- s.t. pi ~,p~+l nd Po=P nd Pi ~TP; for i~> 1. By induction hypothesis pi~o iff p;~o for i~> 1. By the stndrdness condition p ~0 Pl,i... is u-computtion from p. But then not (p~ [u]o). We now develop nturl extension of ~r for generl trnsition

16 38 HENNESSY AND STIRLING systems. Let T= (P, A, C) be gts. A reltion R ~ P x P is n extended bisimultion on T if it stisfies: if (p,p')er then for every u-computtion c (i) if c strts from p then there is u-computtion c' from p' s.t. for ll n >0, (P(n, c), P(n, c')) er. (ii) if c strts from p' then there is u-computtion c' from p s.t. for ll n>0, (P(n, c'), P(n, c))er. As with bisimultions, extended bisimultions give rise to nturl equivlence on processes in T: "~ p' if there is n extended bisimultion R on T s.t. ( p, p' ) ~ R. P~r It is esy to show tht ~ r is n equivlence reltion nd enjoys mny of the properties of ~r: for instnce, ~ris the mximl extended bisimultion on T. Moreover, it is the nturl counterprt of the reltion "prtil extended bisimultion" defined in Hennessy (1984). It is lso very nturl extension of ~ r: ~ r becomes ~ r when computtions re restricted to be of length one. Furthermore, the following lemm holds. LEMMA 4.3. If T is stndrd gts then P ~ r P' iff p ~ r P'. Proof Clerly right to left holds. The difficult cse is to show tht "~r--- ~r. Let c be u-computtion from p: p.0 Pl ~~... +N Pn+l,o+~... We must show tht there is u-comput~ition from p', p, ~0p~ _ ~ p,+l,,+~... such tht Pi ~ rp; for ll i, 1 ~<i~< lul. Becuse p ~TP' it follows tht for every n>~l, if lul>~n there exist p],..., p', such tht p' ~ ~0 P'I ~~ "'" ~, ~ p, nd p~ ~ r P~. If u is finite the result is proved. Otherwise the result follows from the stndrdness condition. This lemm gives us further expressibility results: Lr nd HML~ re expressive complete reltive to stndrd gtss nd ~r. However, the interesting issue is to find logic which is complete reltive to ~r nd rbitrry gtss. L r is not such logic. Exmple 3.6 which we reproduce here is the counterexmple. EXAMPLE 3.6. I is generted by {pz--~p ; q2~q2-~... ; Pl P 2 ~ P3 ql - q 2 ~ q 3 O

17 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 39 p2~p3 p2 ~... }. Recll tht by Lemm3.7 P2 ~r~q2. On the other hnd, not (P2 ~ v q2) becuse of the following '-computtion from P2: P2 ~ P3 ~ P2 ~ P3 ~ P2 ~ P3"" ". This cnnot be mtched by n %computtion from q2- All o- computtions from q2 lmost lwys contin q2; they re of the form q2 ) "" ~ q2 ~ q2 ~ "' Thus, P2 ~ r q2 would hold just in cse P3 ~ r q2 which clerly fils. In the previous section we remrked tht similr expressiveness problems occur for stndrd brnching time future tense logic. We cited Emerson nd Hlpern (1983), where more expressive logic is offered. Rther thn extend Lr in the wy these uthors would suggest--n extension which not only complictes the semntics but lso the syntx--we offer n lterntive which is more in keeping with stndrd brnching time tense logics. We tke up the issue of lterntive extensions in the next section. We extend LT by dding reltivized pst tense e A, with intended mening: it ws the cse t the lst moment, just before, tht. (Thus, it is pst nlogue of reltivized next opertor.) The ddition of this opertor llows us to express reltivized future perfect tense; in every u4uture it will hve been the cse just before s, where s is non-empty member of A*. (E.g., if s = 0,..., ~ then expresses this tense.) Consider gin Exmple 3.6 nd let ~b be the Lr formul ()[] Flse: ~b is true only of P2 nd q2. The process q2 stisfies: in every %future it will be tht (~b nd t the lst moment, just before, ~b). The ~-computtion P2 ~ P3 + P2 ~... shows tht P2 does not stisfy this formul. Where T= (P, A, C) is gts then Jr is the lnguge: ~b ::= Tr 17~1 v {@,: iei} where u is non-empty member of A t nd e A. The presence in Jr complictes its semntics. The stisfction reltion~is defined between finite computtions in C nd Jr. Let d rnge over finite computtions in T. Recll tht term(d) is the finl process of d nd tht c(n) is the prefix of length n + 1 (or c if its length is less thn n + 1). ~ is defined by structurl induction: d~tr for every d d~ 7~b iffnot (d~b) d~v{q~i:iei} iffd~ojforsomejei

18 40 HENNESSY AND STIRLING d~ [u]~b iff for every u-computtion c from term(d) there exists n ~> 0 such tht d" c(n)~(~ iffdis d"p ~, p' nd d'~b. Jr induces n equivlence reltion on finite computtions in T: d Jr d' iffvo~jr.d~oiffd'~q~. Our concern is expressive completeness reltive to "~r which is n equivlence on processes nd not computtions in T. Clerly, however process p my be sid to stisfy Jr formul just in cse the empty computtion p --+~ p stisfies it. Thus, we extend ~ j~ to processes in T: P~J~P' iff p ~P,,~ s~ p' ~ p,. It is esy to check tht q2~ [~](~ b ~b) unlike P2 in Exmple 3.6 where ~b is (}[]Flse. The reminder of this section is devoted to the proof of the following theorem tht Jr is expressive complete. THEOREM 4.4. If T is gts then p ~ JT P! iff p ~ T Pt We define further bisimultion between finite computtions on T. Recll tht if d=po ~,Op~ ~~... ~~Pn+~ then A(d) is o'"n nd term(d) = Pn + 1 nd d(m) is d if m > n nd otherwise Po ~o p~ ~<... ~ Pro+l: we lso use the convention tht d(-1) is the empty computtion P0 --'~ Po nd tht term(p0 ~ P0) is P0- A reltion R on finite computtions in C is clled computtion bisimultion (c.b. for short) on T if it stisfies: if (d, d')~r then A(d)=A(d') nd for every u- computtion c: (i) if c is from term(d(n-1)), n>0, then there exists u- computtion c' from term(d'(n - 1)) s.t. ( (d(n - 1). c)(m), (d'(n - 1 ). c')(m) ) ~ R Vm >>- O. (ii) if c is from term(d'(n-1)), n>0, then there exists u- computtion c' from term(d(n- 1)) s.t. ((d(n- 1). c')(m), (d'(n - 1)" c)(m)) ~ R Vm >~ O. We let d=--rd ' just in cse there is c.b. R on T such tht (d,d')~r. Note tht if d = Td' then d(n) =- r d'(n) for ny n nd hence the length of d is equl to the length of d'. LEMMA 4.5. Proof If T is gts then p ~ T p' iff p ~ ~ p -- T p' ~ ' p '. (~) It suffices to show tht R= {(d, d'): A(d)=A(d')/x for ll

19 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 41 n P(n,d) grp(n,d')} is c.b. Let (d,d')er with init(d)=q nd init(d') = q'. W.l.o.g. suppose c is u-computtion from d(n- 1) for some n. Then there exists u-computtion c' from d'(n- 1) such tht P(m,d(n-1).e) ~rp(m,d'(n-1)'c') for ll m. Hence, ( (d(n - 1). c)(k), (d'(n - 1)" c')(k) ) ~ R for every n, k. (,--) It suffices to show tht R= {(q'q'): for some d, d' s.t. d =- rd' nd q = term(d), q' = term(d')} is n extended bisimultion. Let (q, q') e R, where q=term(d), q'=term(d') nd d--rdd'. Let c be u-computtion from q. Then becuse d- r d', there exists u-computtion c' from q' such tht (d. c)(m) =- r (d" c')(m) for every m i> 0. We show tht for every n >~ O, (P(c, n), P(c', n)) e R. If ]d[ = k then P(c, n) = term((d" c)(n + k)), P(c', n) = term((d" c')(n + k)) nd (d. c)(n + k) -= T (d'" c')(n + k). Theorem 4.4 follows directly from the previous lemm nd the following expressive completeness result. THEOREM 4.6. If T is gts then d = v d' iff d ~ Jr d'. Proof Suppose d -= T d' nd d~ q~, 0 ~ Jv. We show d' ~ ~b by induction on ~b. There re two non-trivil cses: (i) ~b Result follows becuse A(d)=A(d') nd clerly, d(n - 1 ) -= r d'(n - 1 ) for ll n. (ii) ~b is [u]0. Then for ll u-computtions c from term(d) there exists n s.t.d, c(n)~o. Suppose there is u-computtion c' from term(d') s.t. for ll nd'. c'(n)~-]o. Then by induction hypothesis nd from d =- rd' there is corresponding u-computtion from term(d) which contrdicts hypothesis. For the other direction we show tht ~ Jr is c.b. on T. Suppose not. Then for some d, d', d' --~ Jr d'. W.l.o.g. either (i) A(d) A(d') or (ii) for some n there is u-computtion c from term(d(n-1)) such tht for every u-computtion c' from term(d'(n- 1)) there exists m s.t. not ((d(n- 1). c)(m) ~Jr (d'(n- 1)- c)(m)). Suppose (i): let A(d)= o"' n nd A(d')= bo"" bin. Then Tr nd d' does not Tr nd d does not.

20 42 HENNESSY AND STIRLING Suppose (ii): let c be the u-computtion from term(d(n-1)). Let A be the set of u-computtions from term(d'(n - 1)). Then A = {ci: A(c i) = u nd init(c i) = term(d'(n- 1)) nd i~ I}, for some index set. Then for ll i there is n mi- 1 s.t. not((d'(n - 1)' d)(m~- 1) ~JT (d(n - 1)- c)(mi- 1)). Hence there exist distinguishing formuls ~bi for ech i E I s.t. (d'(n-1)'d)(mi-1)~q)~ nd (d(n-1)'c)(mf-1) ~ 0~. Two cses rise: () if for some i, m~<~n. Let m denote such m~. Then d'(m- 1)~bi nd not (d(m - 1)~bi). Let A(d') = A(d'(m-- 1)). 0'", for some n t> -1. If n=-1 then d'~b~ unlike d which contrdicts hypothesis. Otherwise ~b~ gin unlike d. (b) for every i, mi>n, let c~ be the formul -](V{@Tr:~A}). (Note ~ is only true of empty computtions.) Let ~ be the formul... where o...n=a((d'(n-1).ci)(m~ - 1)); n must be >~0. And let ~ be V{O~: i6i}. Let A(d')=A(d'(n- 1))'bo"bn for some n>~ -1. If n= -1 then d'~[u]o unlike d which contrdicts hypothesis. Otherwise unliked. 5. MORE PROGRAM LOGICS In this section we offer some more progrm logics including n lterntive logic bsed on Emerson nd Hlpern (1983) which is expressive complete with respect to ~ r" Let us bcktrck nd reconsider the rgument of Section 3. We there proposed logic L} which is equivlent in expressive power to LT. Recll tht if T= (P,A, C) then L r is the lnguge: ~b ::= Tr 13@1V{q~,: iei}[ [u]~b where u is non-empty member of A t nd [u]~b hs the mening: in every u-future it will be tht. We then offered n exmple--the infmous 3.6--which we climed shows tht L r is not expressive enough. It does not distinguish processes which hve different interesting properties. In Section 4 we gve lnguge JT which extends LT by the ddition of bckwrd ( reltivized pst-tense) opertor nd showed tht it mkes the

21 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 43 required distinctions. But there is lso n lterntive extension to Lr with this feture. Let Mr be Lr extended by the two opertors (~) nd [~] whenever u ea% These hve the intended mening: in some u-future (in every u- future) it will infinitely often be tht. More formlly, p~ ( ~ )qt iff ~ u-computtion c from p such tht Vm ~> 0, 3n > m, P(n, c)~o p ~ [ ~ ] ~b iff V u-computtions c from p V m >i O, 3 n > m, P(n, c) ~ ~. The duls of these opertors 7(~)q nd -][~]-] hve the mening: In every u-future (in some u-future) it will lmost lwys be tht. For instnce, ~P = 7( ~ )q~b iff Vu-computtions from p 3m ~> O, Vn > m, P(n, c)~(~. Recll Exmple 3.6. It is strightforwrd to check tht q2~7(~)-]()[]flse unlike P2- This exmple cn therefore be hndled just by dding (~) to Lr. But we now show tht, despite this, Mr is not expressive complete reltive to ~ r. EXAMPLE 5.1. I is generted by {P2 --*" P ; q2 ~" q2 ~... ; P3 ~ P3 --*... ; q3 ~ q3 ~... ; P2. P3._. P2 ~... }" Pl"~~~ " ql P2~ p q2 ~q3 o! Here, every ~-computtion from q either lmost lwys psses through q2 or lmost lwys psses through q3. This is not true of P2 becuse of the computtion P2 ~ 1)3 --*.... Mr, however, does not distinguish them. LEMMA 5.2. Pi "~ MT qi, i = 1, 2, nd 3. Proof Clerly Pl ~ Mr ql" The other pir we prove simultneously by structurl induction on ~b. The only interesting cses re ~b = [u]~, (~)4, [~]~. The cse ~b = [u]0 is given in Lemm 3.7: (i) ~b=(~)ff nd u=% Suppose p2~b, then either p2~0 or

22 44 HENNESSY AND STIRLING Suppose P2~ then by induction hypothesis q2~o. And becuse q2 --',q , q2 ~ ~. Suppose P3D~ then q3~. And becuse q2--+q3--+q , q2~q}. The other cses re similr. (ii) q~=[~]~ nd u=% Suppose p2d~b then p2d~b nd P3>~. The result follows strightforwrdly. similr rgument for the rest of the cses. However, not(p 2 ~Tq2 ). This is becuse of the ~-computtion P2 _.+. P3 _..+ P2 _+ P3 ~ which cnnot be mtched by n '- computtion from q2 unless P2 ~ J q3 or q2 ~T P3; clerly, neither hold. Jr distinguishes between P2 nd q2 in the following wy: q2~ [~](( ~) V unlike P2 where ~b is ()[]Flse. We now show, somewht indirectly, tht Mr is strictly less expressive thn Jr in the sense tht if Mr distinguishes processes then so does Jr. We do this by showing tht if we dd the opertors < ~) nd [ ~ ] to Jr then the new lnguge is no more expressive thn Jr. Let J} be Jr plus the two infinitely often opertors. The semntic cluses of Jr re extended s follows: co d~(u>(b d#[~]~ iff for some u-computtion c from term(d) gm>lo, 3n>m, d'c(n)d 0 iff for every u-computtion c from term(d) gm >~O, 3n > m, d" c(n)~o. LEMMA 5.3. If T is gts then p,~ T P' implies p,~ j~ p'. Proof. It suffices to extend the first hlf of Theorem 4.6. We show tht supposing d -=r d' nd d~b, ~b ~ J~ then d' ~b by induction on ~b. The only new cses to consider re the two infinitely often opertors: (i) ~b is (~>~ u is infinite. Then for some u-computtion c from term(d) V m <~ O, 3n > m, d" c(n)~t~. Clerly, there is u-computtion c' from term(d') s.t. Vm>~0, d.c(m)~ iff d'.c'(m)~p by induction hypothesis. Hence the result follows. (ii) ~b is [~]~, u is infinite. Then for every u-computtion c from term(d) Vm >1 O, 3n > m, d" c(n)~. Clerly, if there is u-computtion c' from term(d') filing this condition then this contrdicts the ssumption d=rd '. 1

23 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 45 This lemm together with the expressive completeness of JT shows tht J) is lso expressive complete reltive to ~ r. (Indeed, we cn go further nd dd more opertors: mening it ws the cse tht O mening in some future it will be mening in every infinite future it will be mening in some infinite future it will infinitely often be mening in every infinite future it will infinitely often be without incresing expressibility.) We now offer n lterntive expressive completeness result bsed on lnguges in Emerson nd Hlpern (1983). Consider the opertor [u]. Semnticlly, this involves double quntifiction: for ll u-futures there is future time tht. Suppose we redesign our opertors to bring out explicitly these quntifiers: VuF, where F is the liner time eventully opertor it will be tht. Similrly 7 [u] 7 cn be redesigned s 3 ug, where G is the liner time future lwys opertor. If we llow ourselves even more complex opertors such s VuFG then the resulting lnguge is richer thn LT. VuFG~b mens: in ny u-future there will be point s.t. ~b will lwys be true from then on in tht future. If u is infinite V ufg is none other thn 7<~)7 which cn be used to distinguish the processes in Exmple 3.6. If we lso llow ourselves the liner time next opertor then Exmple 5.1 cn lso be distinguished. This splitting of the implicit double quntifiction, s remrked, we tke from Emerson nd Hlpern (1983), where the uthors do this for unreltivized tense logics. (Their im is to mrry liner nd brnching time tense logic in the sme frmework.) These uthors introduce fmily of logics with incresing expressibility contining ll the stndrd liner time tense opertors. Unfortuntely, however, even their richest lnguge (when the futures re reltivized) is not expressive complete reltive to ~ 7- becuse they only contin finitry disjunction (nd so cnnot distinguish between progrms whose differences re due to rndom ssignment s in Exmple 3.5). And the ddition of infinitry disjunction mens tht ll the other liner time opertors re expressible in terms of next. The splitting of the double quntifiction results in lnguge which hs much more complex syntx thn Jr nd this explins why we propose the ltter insted. The resulting lnguge hs two kinds of formuls, process nd computtion formuls (clled stte nd pth formuls in loc cit. Where T= (P,A, C), let KT be the lnguge which is defined simultneously s the union of the t~vo lnguges CKr nd PKT, where c~ determines CKr nd ql PKT:

24 46 HENNESSY AND STIRLING c~ ::= Tr 17~1 r(c~i: iei} IX~I X~ ~b ::= Tr 17~1 g{~: iei} IVuc~. Process formuls (members of PKr) re true of processes in T wheres computtion formuls (members of CKr) re true of computtions in T. We define stisfction reltion ~ q (PxPKr)w (Cx CKr) s follows, where d is the ith suffix of c if defined: p~tr VpeP p~ 7~b iffnot (p~b) p~v{~bi: iei} iff p~bj for some j~i p ~ V uc~ iff V u-computtion c from pc ~ c~ c~tr for ll ce C c~7e iffnot (c~c~) c~v{c~i:iei } iffc~;forsomej~i c~ Xct iffcl~ c~xo~ iff P(1, c)~. Besides X Emerson nd Hlpern (1983) offer other opertors F, G, U (until), F, nd G on CKr giving their most generl lnguge. These cn, however, ll be defined using X nd infinitry disjunction. F, for instnce, is definble s Fy ~ V{XiT: 1 ~<i< co} where 7 is q~ or nd where X i + 1 = XX i, i >/1, nd X 1 = X. And U s ywy' ~ V{Xiy' A A{XJT:O<j<i}:O<~i<o~} where X y--7 nd A{ } = Tr. (The others re strightforwrd: G~ = 7F7c~, oo co Fc~ = GFe, nd G~ =F(GXTr /x FGct)). PKr cn distinguish the processes of Exmples 3.6 nd 5.1: in Exmple 3.6 q2~v ~F(XO A XX~)) unlike P2 nd in Exmple 5.1, q2~v~f((xo /x XXO) v (X(~ A xxo)) unlike P2

25 THE POWER OF THE FUTURE PERFECT IN PROGRAM LOGICS 47 where ~b is 3XVXFlse (i.e., ()[]Flse in LT). This lso brings out tht the redibility of Jr formuls is simpler thn KT formuls. We show tht KT is expressive complete reltive to ~ 7-. To do this we require ~ T to be lso n equivlence on computtions. This we do s expected: c ~TC' iffa(c)=a(c')/x Vn~>0, P(n,c) ~rp(n,c'). KT induces two nturl equivlences: P ~pinup' iffv(~epkr, p~(j c ~ CK~ c' iff g ~ E CK r, c ~ ct iff p'~b iff e'~. We let "~Kr be ~ez(rw~ckr nd let y rnge over PwC in T. Then the expressive completeness of KT is given by the following theorem. THEOREM 5.4. If T is gts y,,~ r Y' iff y,,~ KT Y'" Proof Suppose y "~TY' nd Y~7 where y~k T. We show tht y'~ by mutul recursion on CKTvoPKT. The only nontrivil cses:?=vu~;? = X~b, 7 = Xc~: (i) V = Vu. Then y nd y' must be processes, tke y = p nd y' = p'; p~vuc~ iff for ll u-computtions c from p, e~. Suppose not (p'~vu~). Then there is u-computtion c' from p' such tht not (c'~). By induction hypothesis not (c' gvc) for ll u-computtions e from p. Tht is, for every such c there is n n such tht not (P(n, c) ~ TP(n, C')). But then not (p ~ TP') contrdicting supposition. (ii) 7 = Xq~. Then y nd y' re computtions; tke y = c nd y'--c', e~x~ iff P(l, c)~. However c' ~ rc nd so P(1, c')~q~ by induction hypothesis. (iii)? = X~. Then y nd y' re computtions; tke y = c nd y'--c', c~x~ iff CI~. But c ~ rc' hence c 1 ~ rc '1 nd so the result follows. For the other hlf we show tht ~KT_C ~ T- Suppose not. Two cses rise: (i) c '~KTC' nd not (P(n,c)~KrP(n,c')) for some n. Therefore w.l.o.g. P(n, c)~ unlike P(n, c'). But then c~x~ unlike c'. 643/67/1-3-4

26 48 HENNESSY AND STIRLING (ii) p ~p' nd w.l.o.g, there is u-computtion from p, c, such tht for every u-computtion c' from p' there is n n s.t. not (P(n, c) ~ KrP(n, c')). Let {c~: iel} be the set of u-computtions from p'. If this set is empty then p'~vu Flse unlike p, which contrdicts the hypothesis. Otherwise, for ech i there is n ni>0 such tht not (P(nic;) ~KTP(ni, C)). Let ~bi be the distinguishing formuls 1 ~< i. Let c~ be X~'~b~. Then p'~vu v {X~bi: iei} unlike p. 6. CONCLUSION We hve presented reltivised tense logic JT nd shown tht it is expressively complete with respect to the independent notion of extended bisimultion. There re two min innovtions in the lnguge Jr; in plce of the usul tense opertors, such s [], we hve opertors, such s [u], reltivised to computtions u of the underlying trnsition system. In ddition we hve reltivised pst tense (Pst tense opertors hve lso been used in Koymns, Vytopil, nd de Roever (1983) to define properties of progrms, but they re stndrd prt of tense logic.) We hve rgued tht the ddition of this opertor llows us to distinguish between generl trnsition systems which intuitively hve different behviour. Moreover this opertor gives the lnguge more expressive power thn mny of the lnguges suggested in the literture. Theorem 4.4, connecting extended bisimultion with the lnguge, gives n independent chrcteristion of its expressive power. This independent chrcteristion is very useful. For exmple we use it to give very simple proof (in Lemm 5.3) tht dding vrious opertors to JT does not increse its expressive power. It lso llows us to show in very strightforwrd fshion, in Theorem 5.4, tht the lnguge KT, derived from CTL* of Emerson nd Hlpern (1983), is eqully expressive s JT. Extended bisimultion is nturl extension of the notion of bisimultion to our models, generl trnsition systems. Other extensions hve been suggested. For exmple, Milner hs suggested fortifictions in (Milner, 1982). The lnguge Jr cn be modified, mking it less powerful, so tht the resulting lnguge is once more expressively complete with respect to fortifictions. We hve yet to consider the extensions in Hennessy (1984), which involve convergence predictes in the underlying models.