Calder, M. and Maharaj, S. and Shankland, C. (2001) An adequate logic
for full LOTOS. Lecture Notes in Computer Science 2021:pp. 384-395.
http://eprints.gla.ac.uk/2873/
Glasgow ePrints Service
http://eprints.gla.ac.uk
An Adequate Logic for Full LOTOS
Muffy Calder (1), Savi Maharaj (2), and Carron Shankland (2)
(1) Department of Computing Science, University of Glasgow, Glasgow G12 8QQ, UK
muffy@dcs.gla.ac.uk
(2) Department of Computing Science and Mathematics, University of Stirling, Stirling FK9 4LA, UK
{savi,carron}@cs.stir.ac.uk
Abstract. We present a novel result for a logic for symbolic transition systems based on LOTOS processes. The logic is adequate with respect to bisimulation defined on symbolic transition systems.
1 Introduction
LOTOS [12] is a popular process description language that has been in use for well over a decade. With the aid of a number of mature verification tools, it has been successfully applied in a number of domains, including protocols and services [17], distributed systems [23, 16], and as a semantics for higher level languages such as feature descriptions [22] and use-case maps [1].

A particularly distinctive feature of LOTOS is that it includes a rich set of operators for describing both process control and data, which may in turn affect control. However, much of the foundational work, and subsequently the verification tools, has ignored all, or parts, of the data aspect of the language. Specifically, there is no logic for reasoning about LOTOS processes with unconstrained data. This is a serious drawback since it has long been recognised that a more abstract, temporal logic is essential for describing and checking desired (or undesired) properties of processes [11]. Indeed, experience with case studies [21, 19, 20, 17] has shown the benefits of having data in the process description language and the need to express properties of a system in terms of data, as well as actions. Often the properties refer to data, but symbolically, rather than mentioning particular instances. For example, in the classical comparator one such property is: if process Comp inputs x and y on channel in, and x and y are equivalent, then eventually it will output true on channel out.

There has been a good reason to avoid dealing with data properly: in LOTOS, data introduces infinite branching into the underlying state transition systems. For example, the simple process g?x:Nat; exit results in an infinite choice, one for each member of Nat. This presents a serious obstacle to reasoning, particularly to approaches based on (finite) model-checking. Therefore existing approaches have been restricted to Basic LOTOS [13], or LOTOS with only finite data types [6].

Our aim is to provide a complete approach to data. In order to do so, we base our logic on a new semantics for LOTOS which is finitely branching. This is achieved by having a symbolic treatment of data; the underlying state transition systems are therefore called symbolic state transition systems (STSs). Our work is heavily influenced by the symbolic transition systems and logic developed by Hennessy, Lin and Liu for CCS [9, 10]. However, it is significantly different because of the special characteristics of the STSs that result from LOTOS. These derive from the three (related) features that distinguish LOTOS from most other process algebras: multi-way (broadcast) synchronisation, value negotiation, and selection predicates. Together, these features make the definition of the similar concepts of symbolic transition, bisimulation and logic, non-trivial.
1.1 Related Work
A symbolic approach to message passing CCS is presented in [9] and a related logic in [10]. We adopt the theory of symbolic transition systems here, but the logic is not so useful for our applications. The logic of Hennessy and Liu is based on a late semantics, whereas we adopt an early semantics because the standard definition of LOTOS [12] is also early. (The late and early classification relates to binding time of variables to values.) In addition, the modal operators defined rely on the classical CCS distinction between ! and ? data offers (i.e. as corresponding to output and input events). In LOTOS the distinction between these two kinds of data offers is not so clear cut. The logic does have the advantage that it is based on symbolic transition systems, and therefore places no artificial restrictions on data values.

µCRL [8] is, like LOTOS, a process algebra with data. In [7] an extension of the modal mu-calculus [14] is presented which includes quantification over data in the modal operators. The semantics of the logic is over labelled transition systems and therefore is subject to the usual problems of state explosion. The focus of their research is on proof rules for the logic rather than adequacy with respect to some equivalence over µCRL processes.

The CADP toolkit [6] provides a number of tools to analyse Full LOTOS specifications, two of which use logic to provide an abstract description of system properties. The tool evaluator takes an alternation free modal mu-calculus [14] formula and assesses its truth with respect to a LOTOS expression. The modal operators are extended to allow more flexibility in dealing with actions with data; for example, precise actions or Unix regular expressions can be matched. However, it is not possible to state general predicates on data, such as "input a value which is less than 42 but more than 3". The action formulae of this logic treat the values as syntactic entities only, whereas we provide the ability to reason about their semantics too.

Also part of the CADP toolkit is XTL [15]. This is an executable temporal language which describes computations over transitions. XTL allows a more general treatment of data actions than the evaluator. For example, variables over data can be declared and matched with actions, and operations over data in the LOTOS source can also be used in the logic. Various logics can be encoded in XTL; in fact, we have encoded a restricted form of the logic presented in this paper in XTL and carried out some limited examples.

Two important disadvantages of XTL are that the underlying semantics of labelled transition systems is concrete (i.e. fully instantiated) and that CADP must impose finiteness restrictions on the data types of the language to obtain tractability. So, any logic encoded by XTL cannot handle Full LOTOS effectively or accurately.
1.2 Structure of the Paper
The structure of the rest of this paper is as follows. In Section 2 we introduce the idea of a symbolic transition system, describe how this has had to be adapted for LOTOS, and explain the problem of defining substitution and how this is solved. In Section 3 we present the syntax and semantics of a modal logic called FULL. In Section 4 we give an alternative characterisation of the equivalence induced by the logic by showing that it coincides with bisimulation on symbolic transition systems. Finally, we discuss further work and conclude in Section 5.
2 Symbolic Transition Systems
The standard semantics of LOTOS [12] (labelled transition systems) hard codes concrete data values into the transitions. For example, g!0; P offers the single transition labelled g[0], while g?x:Nat; P offers the transitions labelled by g[0], g[succ(0)], g[succ(succ(0))], ... (Fig. 1). Thus, event offers of more than one value (i.e. ? offers) correspond to a (possibly infinite) choice over all values of the data type. While this makes the semantics of certain language features easier to describe (particularly multiway synchronisation), it makes reasoning about specifications more difficult since transition systems are typically infinite. Existing tools such as CADP [6] deal with this problem by imposing finiteness restrictions on data types, limiting the natural numbers, for example, to a maximum of 256.

[Fig. 1. Standard semantics of g?x:Nat event offer: from the state g?x:Nat;P there is one transition for each value, labelled g0, g1, g2, ..., gn, ...]
An alternative solution is to restate the semantics of the language in a form which exposes the commonalities of actions and the finitary nature of the process specification. This can be done by basing the semantics on symbolic transition systems (STSs). These are essentially transition systems whose transitions can have free variables in the data label and are additionally labelled with a transition condition representing the conditions under which that transition is available. This approach was first introduced in [9] which gave a symbolic semantics for value passing CCS. In our research [4, 3], we have been adapting this theory for use with LOTOS. There are significant differences between LOTOS and value passing CCS which mean that this adaptation is not straightforward.

One difference is that input events in CCS are always unconstrained and there is no analogue of the selection predicates which can be used in LOTOS to restrict the values passed in a ? event. For example, LOTOS allows events such as g?x [x > 3], meaning: input an x which is bigger than 3. This means that the transition conditions in the LOTOS semantics need to be able to talk about the data associated with the current transition, whereas in CCS these are concerned only with previous transitions.

Another difference is that in order to implement multi-way synchronisation LOTOS permits synchronisation between any combination of ? and ! events, whereas in CCS an input event (?) can synchronise only with an output action (!). This means that the distinction between ? and ! is much less significant in LOTOS than it is in CCS. Essentially, a ! event is associated with an expression using constants and "known" variables while a ? event introduces a new variable. We have found it convenient to remove the !/? distinction from the syntax of data expressions in STSs. We shall still need to be able to tell when a transition introduces a new variable, but this will be determined by comparing the transition's data expression with the free variables of the source of the transition.

We shall assume that we have a countable set of variables, Var, ranged over by $x$, $y$, etc., and a (possibly infinite) set of values, Val, ranged over by $v$. We also assume a set of data expressions, Exp, which includes Var and Val and is ranged over by $E$, and a set of boolean expressions, BoolExp, ranged over by $b$. We also assume that we have a set of gates, G, ranged over by $g$. The set of simple events, SimpleEv, ranged over by $a$, is defined as $G \cup \{i, \delta\}$. (Recall that in LOTOS $i$ is the internal event and $\delta$ is the special event which takes place when a process is exited.) The set of structured events, StructEv, contains all gate-expression combinations $gE$, as well as all combinations $\delta E$. Since the two kinds of structured events are handled exactly the same, we shall generally ignore $\delta$ in this paper, treating it as if it were a member of G. For simplicity, we do not allow structured events consisting of multiple data expressions; only singleton data offers are allowed. It is possible, but tedious, to extend our analysis to the case of multiple data offers.
Basically, an STS is a directed graph whose nodes are tagged with sets of free variables, and whose branches are labelled with a boolean condition and an event. Formally, the definition of STS is as follows:

Definition 1. (Symbolic Transition Systems) A symbolic transition system consists of:
- a set of states, containing a distinguished initial state, $T_0$, with each state $T$ tagged with a set of free variables, denoted $fv(T)$;
- a set of transitions written as $T \xrightarrow{b\;\alpha} T'$, where $\alpha \in \mathit{SimpleEv} \cup \mathit{StructEv}$ and $b$ is a Boolean expression and $fv(T') \subseteq fv(T) \cup fv(\alpha)$ and $fv(b) \subseteq fv(T) \cup fv(\alpha)$ and $\#(fv(\alpha) \setminus fv(T)) \le 1$.

Following convention, we shall often identify an STS with its initial state. For example, the set of free variables of an STS $S$, $fv(S)$, is defined as the set of free variables of the initial state of $S$.

A set of rules presented in [4] defines how a symbolic transition system may be constructed from a LOTOS process expression. The resulting transition system is typically a cyclic graph (if recursive processes are involved) and is always of finite width (since only a finite number of branches may be described in a LOTOS process). This paper is concerned with STSs rather than LOTOS processes, though we shall use LOTOS syntax to describe examples.
2.1 Substitution
In the following section we present a logic on symbolic transition systems. Before we can do this, however, we must consider the question of how to define substitution on STSs. It is not possible to define a straightforward syntactic substitution on STSs because of the presence of cycles (such as might arise from recursive processes).

Consider, for example, the simple buffer Buff = input?x:Nat; output!x; Buff. The STS which corresponds to Buff is shown in Figure 2. If the first action taken by this process is to input the value 3, then the x at the output gate must also be tied to that value. Since Buff is recursive, we expect that the next time round the loop a different value may be input, and therefore a different substitution must be applied. However, if we simply substitute 3 for x in the STS, as shown in Figure 2, we fail to capture this possibility.

[Fig. 2. Failed substitution on Buff STS. Left: the STS of Buff, the cycle $Buff \xrightarrow{tt\;input\,x} Buff' \xrightarrow{tt\;output\,x} Buff$. Right: the result of substituting 3 for $x$ throughout, the cycle $Buff'[3/x] \xrightarrow{tt\;output\,x[3/x]} Buff \xrightarrow{tt\;input\,x[3/x]} Buff'[3/x]$.]

In [9], this problem is solved by introducing the concept of a "term": a node in a symbolic transition system paired with a substitution. The same solution can be adapted for LOTOS. Formally, a substitution $\sigma$ is a partial function from Var to Var $\cup$ Val and a term consists of an STS, $T$, paired with a substitution, $\sigma$, such that $domain(\sigma) \subseteq fv(T)$. We use $t$ and $u$ to range over terms. For example, since Buff is closed, it can be paired only with the empty substitution to form the term $Buff[\,]$. The substitution is applied step by step, when necessary, as explained in the rules for transitions between terms (Figure 2). For example, below are some possible transitions starting from the term $Buff[\,]$. The substitutions capture the fact that the variable $x$ is discarded and then bound afresh upon each pass through the loop, making it possible to process a different value during each pass.

$Buff[\,] \xrightarrow{tt\;input\,z_1} Buff'[z_1/x]$
$Buff'[z_1/x] \xrightarrow{tt\;output\,z_1} Buff[\,]$
$Buff[\,] \xrightarrow{tt\;input\,z_2} Buff'[z_2/x]$
$Buff'[z_2/x] \xrightarrow{tt\;output\,z_2} Buff[\,]$

and so on.
The definition of free variables is extended to terms in the obvious way. Terms, rather than STSs, are used as the basis for defining the logic and bisimulation.

Definition 2. (Transitions on Terms)
- $T \xrightarrow{b\;a} T'$ implies $T[\sigma] \xrightarrow{b\sigma\;a} T'[\sigma']$
- $T \xrightarrow{b\;gE} T'$ implies $T[\sigma] \xrightarrow{b\sigma\;gE\sigma} T'[\sigma']$, where $fv(E) \subseteq fv(T)$
- $T \xrightarrow{b\;gx} T'$ implies $T[\sigma] \xrightarrow{b\sigma[z/x]\;gz} T'[\sigma'[z/x]]$, where $x \notin fv(T)$ and $z \notin fv(T[\sigma])$

In all cases, $\sigma' = fv(T') \lhd \sigma$, that is, the restriction of $\sigma$ to include only domain elements in the set $fv(T')$.
3 The Modal Logic FULL
In this section we present the syntax and semantics of a modal logic defined over symbolic transition systems. The logic is called Full LOTOS Logic (FULL) and is inspired by the HML presented in [18] and the data extended logic presented in [10]. The logic and the design considerations driving the choice of operators are described fully in [3]; here we simply give the syntax and semantics without discussion.

FULL is made up of two parts. The first set of formulae, ranged over by $\Phi$, applies to closed terms. The second set, ranged over by $\Psi$, is to be used for terms with a single free variable, as would arise from a LOTOS process with a single parameter. (The extension to multiple free variables is straightforward but tedious and is therefore omitted.)

Definition 3. (Syntax of FULL)
$\Phi ::= b \mid \Phi_1 \wedge \Phi_2 \mid \Phi_1 \vee \Phi_2 \mid [a]\Phi \mid \langle a \rangle \Phi \mid \langle \exists x\, g \rangle \Phi \mid \langle \forall x\, g \rangle \Phi \mid [\exists x\, g]\Phi \mid [\forall x\, g]\Phi$
$\Psi ::= \exists x.\Phi \mid \forall x.\Phi$
Definition 4. (Semantics of FULL) Given any closed term $t$, the semantics of $t \models \Phi$ is given by:

$t \models b$ = $b \equiv tt$
$t \models \Phi_1 \wedge \Phi_2$ = $t \models \Phi_1$ and $t \models \Phi_2$
$t \models \Phi_1 \vee \Phi_2$ = $t \models \Phi_1$ or $t \models \Phi_2$
$t \models \langle a \rangle \Phi$ = there is a $t'$ s.t. $t \xrightarrow{tt\;a} t'$ and $t' \models \Phi$
$t \models [a]\Phi$ = whenever $t \xrightarrow{tt\;a} t'$ then $t' \models \Phi$
$t \models \langle \exists x\, g \rangle \Phi$ = for some value $v$, either for some $t'$, $t \xrightarrow{tt\;gv} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\;gz} t'$ and $b[v/z] \equiv tt$ and $t'[v/z] \models \Phi[v/x]$
$t \models \langle \forall x\, g \rangle \Phi$ = for all values $v$, either for some $t'$, $t \xrightarrow{tt\;gv} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\;gz} t'$ and $b[v/z] \equiv tt$ and $t'[v/z] \models \Phi[v/x]$
$t \models [\exists x\, g]\Phi$ = for some value $v$, whenever $t \xrightarrow{tt\;gv} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\;gz} t'$ and $b[v/z] \equiv tt$ then $t'[v/z] \models \Phi[v/x]$
$t \models [\forall x\, g]\Phi$ = for all values $v$, whenever $t \xrightarrow{tt\;gv} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\;gz} t'$ and $b[v/z] \equiv tt$ then $t'[v/z] \models \Phi[v/x]$

Given any term $t$ with one free variable $z$, the semantics of $t \models \Psi$ is given by:

$t \models \exists x.\Phi$ = there is some value $v$ such that $t[v/z] \models \Phi[v/x]$
$t \models \forall x.\Phi$ = for all values $v$, $t[v/z] \models \Phi[v/x]$

A property of FULL is that for every formula it is possible to construct the negation, $neg(\Phi)$, of that formula. (We assume that negation is available in the underlying language of boolean expressions.) For example, $neg([\forall x\, g]\Phi)$ is $\langle \exists x\, g \rangle neg(\Phi)$.

To each formula in FULL is associated a depth, $n$, which is defined in the obvious inductive way.
4 Bisimulation and Adequacy of FULL
In developing the logic FULL we were motivated by two goals. The first was to develop a logic which allowed properties concerning data to be expressed in a natural way. The second was to ensure that the logic was adequate with respect to other notions of equivalence between processes, in the sense that equivalent processes should satisfy the same set of logical formulae. One important relationship between processes is that of bisimulation. In this section we show how bisimulation is defined upon terms and prove that FULL is adequate with respect to bisimulation.

We shall assume we have a function $new(t, u)$ which, given two terms $t$ and $u$, returns a variable which is not among the free variables of either $t$ or $u$.

Definition 5. (Bisimulation on terms) Given two closed terms $t$ and $u$,
1. $t \sim_0 u$;
2. for all $n > 0$, $t \sim_n u$ provided that:
(a) (simple event) whenever $t \xrightarrow{tt\;a} t'$, then for some $u'$, $u \xrightarrow{tt\;a} u'$ and $t' \sim_{n-1} u'$;
(b) (structured event, no new variable) whenever $t \xrightarrow{tt\;gv} t'$, then either for some $u'$, $u \xrightarrow{tt\;gv} u'$ and $t' \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\;gz} u'$ and $b_u[v/z] \equiv tt$ and $t' \sim_{n-1} u'[v/z]$, where $z = new(t, u)$;
(c) (structured event, new variable) whenever $t \xrightarrow{b_t\;gz} t'$, where $z = new(t, u)$, then, for all $v$ s.t. $b_t[v/z] \equiv tt$, either for some $u'$, $u \xrightarrow{tt\;gv} u'$ and $t'[v/z] \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\;gz} u'$ and $b_u[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'[v/z]$;
(d), (e), (f) symmetrically, the transitions of $u$ must be matched by $t$.

Given two terms $t$ and $u$ with free variables $\{x\}$ and $\{y\}$, respectively, $t \sim_n u$ provided that for all values $v$, $t[v/x] \sim_n u[v/y]$.
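As an added worked example (not code from the paper), the following Python encodes Definitions 2, 4 and 5 for the Buff process of Section 2.1 beside a constructed variant GBuff carrying the selection predicate [x > 3] from Section 2, evaluates FULL formulae on both, and runs the bounded bisimulation between them. It assumes Nat data, a finite sample domain DOM standing in for Val, closed conditions evaluated to decide whether they count as tt, and constructed state names (Buff1 for Buff') and formula encodings.

```python
# Added example, not the paper's code.  Assumptions: data is Nat, the finite
# sample DOM stands in for Val, and a closed condition that evaluates to true
# is treated as the literal tt required by Definitions 4 and 5.
DOM = range(6)

def buffer(cond):
    """STS for input?x:Nat [cond]; output!x; loop.  A state maps to transitions
    (cond, gate, expr, target): cond is b as a function of the variable
    environment; expr is None for a simple event, a variable or value for gE."""
    return {
        "fv": {"Buff": set(), "Buff1": {"x"}},               # fv(T) per state
        "Buff": [(cond, "input", "x", "Buff1")],             # x is a new variable
        "Buff1": [(lambda e: True, "output", "x", "Buff")],  # x is known here
    }

BUFF = buffer(lambda e: True)         # Buff  = input?x:Nat; output!x; Buff
GBUFF = buffer(lambda e: e["x"] > 3)  # GBuff = input?x:Nat [x > 3]; output!x; GBuff

def term(sts, state, sigma):
    """A closed term T[sigma]: sigma maps every free variable of T to a value."""
    assert sts["fv"][state] <= set(sigma), "term must be closed"
    return (sts, state, dict(sigma))

def restrict(sts, target, sigma):
    # sigma' = fv(T') <| sigma: keep only the variables of the target state.
    return {v: sigma[v] for v in sts["fv"][target] if v in sigma}

def successors(t, gate, value=None):
    """Definition 2 on a closed term.  value None: targets of tt-transitions on
    simple event gate; otherwise targets reachable on gate<value>, via gE with
    closed E sigma == value or g?x with its fresh z bound to value (t'[v/z])."""
    sts, state, sigma = t
    out = []
    for cond, g, expr, target in sts[state]:
        if g != gate or (expr is None) != (value is None):
            continue
        if expr is None:                                     # simple event
            if cond(sigma):
                out.append(term(sts, target, restrict(sts, target, sigma)))
        elif not isinstance(expr, str) or expr in sts["fv"][state]:
            e = sigma[expr] if isinstance(expr, str) else expr  # E sigma
            if e == value and cond(sigma):
                out.append(term(sts, target, restrict(sts, target, sigma)))
        else:                                                # new variable x
            env = dict(sigma, **{expr: value})               # z := value
            if cond(env):
                out.append(term(sts, target, restrict(sts, target, env)))
    return out

def sat(t, phi, env=None):
    """Definition 4 on closed terms.  Formulae: ("b", f), f a function of the
    formula environment; ("and"/"or", p, q); ("dia"/"box", a, p) for <a>p, [a]p;
    ("diaE"/"diaA"/"boxE"/"boxA", x, g, p) for the data modalities; p[v/x] extends env."""
    env = env or {}
    k = phi[0]
    if k == "b":
        return phi[1](env)
    if k in ("and", "or"):
        return (all if k == "and" else any)(sat(t, q, env) for q in phi[1:])
    if k in ("dia", "box"):
        return (any if k == "dia" else all)(
            sat(s, phi[2], env) for s in successors(t, phi[1]))
    _, x, g, body = phi
    outer = any if k in ("diaE", "boxE") else all    # some / every value v
    inner = any if k.startswith("dia") else all      # some / every successor
    return outer(inner(sat(s, body, dict(env, **{x: v}))
                       for s in successors(t, g, v)) for v in DOM)

def bisim(t, u, n):
    """Definition 5 (closed terms) over DOM: rules (b) and (c) both reduce to
    "each successor of t on g<v> is matched by a successor of u on g<v> at
    level n-1"; rules (d)-(f) are the symmetric check."""
    if n == 0:
        return True
    def matched(a, b):
        for _cond, g, expr, _target in a[0][a[1]]:
            for v in ([None] if expr is None else DOM):
                for a1 in successors(a, g, v):
                    if not any(bisim(a1, b1, n - 1) for b1 in successors(b, g, v)):
                        return False
        return True
    return matched(t, u) and matched(u, t)

TT, FF = ("b", lambda e: True), ("b", lambda e: False)
CAN_INPUT_ANY = ("diaA", "x", "input", TT)       # <forall x input> tt
SOME_INPUT_REFUSED = ("boxE", "x", "input", FF)  # neg(CAN_INPUT_ANY) = [exists x input] ff
ECHOES_INPUT = ("boxA", "x", "input",            # [forall x input]<exists y output>(y = x)
                ("diaE", "y", "output", ("b", lambda e: e["y"] == e["x"])))

def demo():
    t, u = term(BUFF, "Buff", {}), term(GBUFF, "Buff", {})
    return {
        "buff_can_input_any": sat(t, CAN_INPUT_ANY),        # True
        "gbuff_can_input_any": sat(u, CAN_INPUT_ANY),       # False: 0..3 are refused
        "gbuff_some_refused": sat(u, SOME_INPUT_REFUSED),   # True: the negation holds
        "both_echo": sat(t, ECHOES_INPUT) and sat(u, ECHOES_INPUT),  # True
        "bisimilar_2": bisim(t, u, 2),                      # False, as Theorem 1 predicts
        "buff_self_3": bisim(t, t, 3),                      # True
    }
```

Since FULL formulae have finite depth, `sat` terminates on the cyclic Buff STS without any fixpoint machinery; the finite DOM is what keeps the value quantifiers and `bisim` finite.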
The four theorems which follow show that FULL is adequate with respect
to bisimulation. Theorems 1 and 2 give the result for closed terms, and are then
used to prove the result for terms of one free variable (Theorems 3 and 4).
Theorem 1. (FULL distinguishes non-bisimilar closed terms) For all $n$, for all closed terms $t$ and $u$, if $t \not\sim_n u$ then there is a formula $\Phi$ such that $t \models \Phi$ and $u \not\models \Phi$.

Proof. The proof is by induction on $n$. If $n = 0$ then the result is vacuously true. In the case where $n > 0$, we examine all the ways in which bisimulation can fail and, in each case, construct a formula which is satisfied by $t$ but not by $u$. We shall illustrate the construction by showing the case where rule (c) of Definition 5 fails. The other cases are simpler and are omitted.

If rule (c) fails, then there is a transition $t \xrightarrow{b_t\;gz} t'$, where $z = new(t, u)$, but there is some value $v$ such that $b_t[v/z] \equiv tt$ and for all transitions of the form $u \xrightarrow{tt\;gv} u'$, $t'[v/z] \not\sim_{n-1} u'$, and for all transitions of the form $u \xrightarrow{b_u\;gz} u'$ where $b_u[v/z] \equiv tt$, $t'[v/z] \not\sim_{n-1} u'[v/z]$. Suppose that there are $k$ of the first kind of transition and $m$ of the second kind, where $k$ and $m$ are natural numbers. Then, by the induction hypothesis, each of the $u'_i$ of the first kind can be distinguished from $t'[v/z]$ by some formula $\Phi_i$, and for each of the $u'_i$ of the second kind, there is a formula $\Phi'_i$ which distinguishes $t'[v/z]$ from $u'_i[v/z]$. Then $t$ and $u$ can be distinguished by the formula $[\exists x\, g]\,((x = v) \wedge \bigwedge\{\Phi_1, \ldots, \Phi_k\} \wedge \bigwedge\{\Phi'_1, \ldots, \Phi'_m\})$.
Theorem 2. (Bisimilar closed terms satisfy the same formulae) For all $n$, for all closed terms $t$ and $u$, if $t \sim_n u$ then, for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$.

Proof. The proof is by induction on $n$. If $n = 0$, then the formula must be of depth $0$, and must therefore be a simple boolean $b$. By the semantics of FULL, it is clear that for any $t$ and $u$, $t \models b$ iff $u \models b$.

In the case where $n > 0$, we take any $t$ and $u$ and assume that $t \sim_n u$. We must show that for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$. This is done by induction on the structure of $\Phi$. There are 9 cases to consider. We illustrate the arguments used by showing one of the most complex cases:

Consider the case where $\Phi$ is of the form $[\forall x\, g]\Phi'$. Suppose that $t \models \Phi$. Then, by the semantics of FULL, for all values $v$, whenever there is a $t'$ such that $t \xrightarrow{tt\;gv} t'$ then $t' \models \Phi'[v/x]$, and whenever there is a $t'$ such that $t \xrightarrow{b_t\;gz} t'$ (for some new variable $z$) and $b_t[v/z] \equiv tt$ then $t'[v/z] \models \Phi'[v/x]$. We must show that $u \models \Phi$. Take any value $v$. We must consider all $u$ transitions on $v$. These can be of two kinds:

Case (1) Suppose there is a transition of the form $u \xrightarrow{tt\;gv} u'$. By bisimilarity, this is matched by a $t$ transition. There are two possibilities.

The matching transition may be of the form $t \xrightarrow{tt\;gv} t'$, where $t' \sim_{n-1} u'$. Then, we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$.

The matching transition may be of the form $t \xrightarrow{b_t\;gz} t'$, where $z = new(t, u)$ and $b_t[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'$. Then, we know that $t'[v/z] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$.

Case (2) Suppose there is a transition of the form $u \xrightarrow{b_u\;gz} u'$ (for some fresh $z$) and $b_u[v/z] \equiv tt$. We wish to show that $u'[v/z] \models \Phi'[v/x]$. Now, since $z$ is fresh, we can replace $z$ by $z'$ where $z' = new(t, u)$. In other words, we are looking instead at the transition $u \xrightarrow{b_u[z'/z]\;gz'} u'[z'/z]$. For this transition, we get that $b_u[z'/z][v/z'] \equiv tt$. And, we need to show that $u'[z'/z][v/z'] \models \Phi'[v/x]$. (Below we write $u'[v/z']$ for the renamed target $u'[z'/z][v/z']$.)

By bisimilarity, this transition is matched by a $t$ transition. There are two possibilities.

The matching transition may be of the form $t \xrightarrow{tt\;gv} t'$, where $t' \sim_{n-1} u'[v/z']$. Then, we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[v/z'] \models \Phi'[v/x]$.

The matching transition may be of the form $t \xrightarrow{b_t\;gz'} t'$, where $b_t[v/z'] \equiv tt$ and $t'[v/z'] \sim_{n-1} u'[v/z']$. Then, we know that $t'[v/z'] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[v/z'] \models \Phi'[v/x]$.
Theorem 3. (FULL distinguishes non-bisimilar open terms) For all $n$, for all terms $t$ and $u$ with one free variable, if $t \not\sim_n u$ then there is a formula $\Psi$ such that $t \models \Psi$ and $u \not\models \Psi$.

Proof. Suppose that the free variables of $t$ and $u$ are $z_1$ and $z_2$, respectively. Since $t \not\sim_n u$, there is some value $v$ such that $t[v/z_1] \not\sim_n u[v/z_2]$. By Theorem 1 there is then a formula $\Phi$ such that $t[v/z_1] \models \Phi$ but $u[v/z_2] \not\models \Phi$. We construct the formula $\Psi = \forall x.\,((x \neq v) \vee \Phi)$. Then, $t \models \Psi$ but $u \not\models \Psi$.

Theorem 4. (Bisimilar open terms satisfy the same formulae) For all $n$, for all terms $t$ and $u$ with one free variable, if $t \sim_n u$ then, for all $\Psi$ such that $depth(\Psi) \le n$, $t \models \Psi$ if and only if $u \models \Psi$.

Proof. This is a straightforward consequence of Theorem 2.

5 Further Work
The results presented in this paper provide a foundation upon which to build a system for verifying properties of specifications in Full LOTOS. In this section we discuss the further work, both theoretical and practical, which needs to be done to realise this goal.

Extensions of the Logic. The logic we have developed is relatively sparse, and there are several useful ways in which it could be extended and made more expressive. However, care must be taken to ensure that this is not done at the expense of adequacy. Two important features which we intend to focus upon are ways of handling multi-sorted data, and fixpoint operators to handle recursion.

User-defined algebraic datatypes are an important and heavily used feature of LOTOS so it is essential to extend FULL to deal in some way with multiple data types. One obvious way of doing this is to encode types as predicates over values. The details of this need to be worked out and alternative solutions explored.

Recursion is another heavily-used feature of LOTOS, and the usefulness of FULL would be significantly enhanced by the addition of fixpoint operators for reasoning about recursive or infinitary behaviour. This is a topic which has been much studied in the theory of concurrency and we hope to be able to adapt existing solutions to the needs of LOTOS.

Further Theoretical Analysis. Some areas of the theory underlying symbolic transition systems for LOTOS are as yet incomplete. For example, the relationship between our symbolic semantics and the standard semantics of LOTOS has not yet been fully analyzed. We conjecture that the two semantics coincide for closed terms, in the sense that bisimilar terms in the symbolic semantics correspond to bisimilar processes in the standard semantics. The details of this remain to be checked.

Another interesting area of study is symbolic bisimulation. The bisimulation presented in this paper is of limited practical use because it requires a possibly infinite number of values to be examined (cf. rules 2(c) and 2(f) of Definition 5). This problem can be solved by turning to symbolic bisimulation, as introduced in [9]. Symbolic bisimulation solves the problem of infinite values by dividing the value space that must be examined into a finite number of partitions described by boolean expressions. We have defined symbolic bisimulation for LOTOS [4] and are working on its theoretical underpinnings and the development of a bisimulation-checking tool to support it.

Algorithms and Tools. The eventual goal of this research is the development of tools to support reasoning about specifications in Full LOTOS. Work is in progress on the development of algorithms for reasoning within FULL. In tandem with this, there is also work on the implementation of tools to support reasoning in FULL. At the present time, a restricted version of the logic has been implemented in CADP. The logic is also being implemented in the Ergo theorem prover [2] and in the Maude system [5].

Acknowledgement. The authors would like to thank the Engineering and Physical Sciences Research Council and the Nuffield Foundation Newly Appointed Lecturer scheme for supporting this research.
References
1. D. Amyot, L. Charfi et al. Feature Description and Feature Interaction Analysis with Use Case Maps and LOTOS. In M. Calder and E. Magill, editors, Feature Interactions in Telecommunications and Software Systems VI. IOS Press, May 2000.
2. H. Becht, A. Bloesch et al. Ergo 4.1 Reference Manual. Technical Report 9631, Software Verification Research Centre, University of Queensland, Australia, November 1996.
3. M. Calder, S. Maharaj, and C. Shankland. A Modal Logic for Early Symbolic Transition Systems. The Computer Journal, 2001. To appear.
4. M. Calder and C. Shankland. A Symbolic Semantics and Bisimulation for Full LOTOS. To appear as a University of Stirling Technical Report, 2000.
5. M. Clavel, F. Duran et al. Maude: Specification and Programming in Rewriting Logic. Maude System documentation. Computer Science Laboratory, SRI, Menlo Park, California, March 1999.
6. J-C. Fernandez, H. Garavel et al. CADP (CAESAR/ALDEBARAN Development Package): A Protocol Validation and Verification Toolbox. In R. Alur and T.A. Henzinger, editors, Proceedings of CAV'96, number 1102 in Lecture Notes in Computer Science, pages 437-440. Springer-Verlag, 1996.
7. J.F. Groote and R. Mateescu. Verification of Temporal Properties of Processes in a Setting with Data. In Proceedings of the 7th International Conference on Algebraic Methodology and Software Technology AMAST'98, Amazonia, Brazil, volume 1548 of Lecture Notes in Computer Science, pages 74-90, 1999.
8. J.F. Groote and A. Ponse. The Syntax and Semantics of µCRL. In Proceedings of Algebra of Communicating Processes, Utrecht 1994, Workshops in Computing. Springer-Verlag, 1995.
9. M. Hennessy and H. Lin. Symbolic Bisimulations. Theoretical Computer Science, 138:353-389, 1995.
10. M. Hennessy and X. Liu. A Modal Logic for Message Passing Processes. Acta Informatica, 32:375-393, 1995.
11. M. Hennessy and R. Milner. Algebraic Laws for Nondeterminism and Concurrency. Journal of the Association for Computing Machinery, 32(1):137-161, 1985.
12. International Organisation for Standardisation. Information Processing Systems - Open Systems Interconnection - LOTOS - A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour, 1988.
13. C. Kirkwood. Specifying Properties of Basic LOTOS Processes Using Temporal Logic. In G. v Bochmann, R. Dssouli, and O. Rafiq, editors, Formal Description Techniques, VIII, IFIP. Chapman Hall, April 1996.
14. D. Kozen. Results on the Propositional µ-Calculus. Theoretical Computer Science, 27:333-354, 1983.
15. R. Mateescu and H. Garavel. XTL: A Meta-Language and Tool for Temporal Logic Model-Checking. In Proceedings of the International Workshop on Software Tools for Technology Transfer STTT'98 (Aalborg, Denmark), 1998.
16. C. Pecheur. Using LOTOS for specifying the CHORUS distributed operating system kernel. Computer Communications, 15(2):93-102, March 1992.
17. M. Sighireanu and R. Mateescu. Verification of the Link Layer Protocol of the IEEE-1394 Serial Bus (FireWire): an Experiment with E-LOTOS. Springer International Journal on Software Tools for Technology Transfer (STTT), 2(1):68-88, Dec. 1998.
18. C. Stirling. Temporal Logics for CCS. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, LNCS 354, pages 660-672. Springer-Verlag, 1989. REX School/Workshop, Noordwijkerhout, The Netherlands, May/June 1988.
19. M. Thomas. The Story of the Therac-25 in LOTOS. High Integrity Systems Journal, 1(1):3-15, 1994.
20. M. Thomas. Modelling and Analysing User Views of Telecommunications Services. In Feature Interactions in Telecommunications Systems, pages 168-183. IOS Press, 1997.
21. M. Thomas and B. Ormsby. On the Design of Side-Stick Controllers in Fly-by-Wire Aircraft. A.C.M. Applied Computing Review, 2(1):15-20, Spring 1994.
22. Kenneth J. Turner. An architectural description of intelligent network features and their interactions. Computer Networks, 30(15):1389-1419, September 1998.
23. A. Vogel. On ODP's architectural semantics using LOTOS. In J. de Meer, B. Mahr, and O. Spaniol, editors, Proc. Int. Conf. on Open Distributed Processing, pages 340-345, September 1993.
Calder, M. and Maharaj, S. and Shankland, C. (2001) An adequate logic
for full LOTOS. Lecture Notes in Computer Science 2021:pp. 384-395.
http://eprints.gla.ac.uk/2873/
Glasgow ePrints Service
http://eprints.gla.ac.uk
An Adequate Logic for Full LOTOS
Muy Calder1, Savi Maharaj2, and Carron Shankland2
Department of Computing Science,
University of Glasgow, Glasgow G12 8QQ, UK
1
2
muffy@dcs.gla.ac.uk
Department of Computing Science and Mathematics,
University of Stirling, Stirling FK9 4LA, UK
fsavi,carrong@cs.stir.ac.uk
Abstract. We present a novel result for a logic for symbolic transition
systems based on LOTOS processes. The logic is adequate with respect
to bisimulation de ned on symbolic transition systems.
1 Introduction
LOTOS [12] is a popular process description language that has been in use for well over a decade. With the aid of a number of mature verification tools, it has been successfully applied in a number of domains, including protocols and services [17], distributed systems [23, 16], and as a semantics for higher level languages such as feature descriptions [22] and use-case maps [1].
A particularly distinctive feature of LOTOS is that it includes a rich set of operators for describing both process control and data, which may in turn affect control. However, much of the foundational work, and subsequently the verification tools, has ignored all, or parts, of the data aspect of the language. Specifically, there is no logic for reasoning about LOTOS processes with unconstrained data. This is a serious drawback since it has long been recognised that a more abstract, temporal logic is essential for describing and checking desired (or undesired) properties of processes [11]. Indeed, experience with case studies [21, 19, 20, 17] has shown the benefits of having data in the process description language and the need to express properties of a system in terms of data, as well as actions. Often the properties refer to data, but symbolically, rather than mentioning particular instances. For example, in the classical comparator one such property is: if process Comp inputs x and y on channel in, and x and y are equivalent, then eventually it will output true on channel out.
There has been a good reason to avoid dealing with data properly: in LOTOS, data introduces infinite branching into the underlying state transition systems. For example, the simple process g?x:Nat; exit results in an infinite choice, one for each member of Nat. This presents a serious obstacle to reasoning, particularly to approaches based on (finite) model-checking. Therefore existing approaches have been restricted to Basic LOTOS [13], or LOTOS with only finite data types [6].
Our aim is to provide a complete approach to data. In order to do so, we base our logic on a new semantics for LOTOS which is finitely branching. This is achieved by having a symbolic treatment of data; the underlying state transition systems are therefore called symbolic state transition systems (STSs). Our work is heavily influenced by the symbolic transition systems and logic developed by Hennessy, Lin and Liu for CCS [9, 10]. However, it is significantly different because of the special characteristics of the STSs that result from LOTOS. These derive from the three (related) features that distinguish LOTOS from most other process algebras: multi-way (broadcast) synchronisation, value negotiation, and selection predicates. Together, these features make the definition of the similar concepts of symbolic transition, bisimulation and logic, non-trivial.
1.1 Related Work
A symbolic approach to message passing CCS is presented in [9] and a related logic in [10]. We adopt the theory of symbolic transition systems here, but the logic is not so useful for our applications. The logic of Hennessy and Liu is based on a late semantics, whereas we adopt an early semantics because the standard definition of LOTOS [12] is also early. (The late and early classification relates to the binding time of variables to values.) In addition, the modal operators defined rely on the classical CCS distinction between ! and ? data offers (i.e. as corresponding to output and input events). In LOTOS the distinction between these two kinds of data offers is not so clear cut. The logic does have the advantage that it is based on symbolic transition systems, and therefore places no artificial restrictions on data values.
μCRL [8] is, like LOTOS, a process algebra with data. In [7] an extension of the modal mu-calculus [14] is presented which includes quantification over data in the modal operators. The semantics of the logic is over labelled transition systems and therefore is subject to the usual problems of state explosion. The focus of their research is on proof rules for the logic rather than adequacy with respect to some equivalence over μCRL processes.
The CADP toolkit [6] provides a number of tools to analyse Full LOTOS specifications, two of which use logic to provide an abstract description of system properties. The tool evaluator takes an alternation free modal mu-calculus [14] formula and assesses its truth with respect to a LOTOS expression. The modal operators are extended to allow more flexibility in dealing with actions with data; for example, precise actions or Unix regular expressions can be matched. However, it is not possible to state general predicates on data, such as "input a value which is less than 42 but more than 3". The action formulae of this logic treat the values as syntactic entities only, whereas we provide the ability to reason about their semantics too.
Also part of the CADP toolkit is XTL [15]. This is an executable temporal language which describes computations over transitions. XTL allows a more general treatment of data actions than the evaluator. For example, variables over data can be declared and matched with actions, and operations over data in the LOTOS source can also be used in the logic. Various logics can be encoded in XTL; in fact, we have encoded a restricted form of the logic presented in this paper in XTL and carried out some limited examples.
Two important disadvantages of XTL are that the underlying semantics of labelled transition systems is concrete (i.e. fully instantiated) and that CADP must impose finiteness restrictions on the data types of the language to obtain tractability. So, any logic encoded by XTL cannot handle Full LOTOS effectively or accurately.
1.2 Structure of the Paper
The structure of the rest of this paper is as follows. In Section 2 we introduce the idea of a symbolic transition system, describe how this has had to be adapted for LOTOS, and explain the problem of defining substitution and how this is solved. In Section 3 we present the syntax and semantics of a modal logic called FULL. In Section 4 we give an alternative characterisation of the equivalence induced by the logic by showing that it coincides with bisimulation on symbolic transition systems. Finally, we discuss further work and conclude in Section 5.
2 Symbolic Transition Systems
The standard semantics of LOTOS [12] (labelled transition systems) hard codes concrete data values into the transitions. For example, g!0; P offers the single transition labelled $g\,0$, while g?x:Nat; P offers the transitions labelled by $g\,0$, $g\,\mathit{succ}(0)$, $g\,\mathit{succ}(\mathit{succ}(0))$, ... (Fig. 1). Thus, event offers of more than one value (i.e. ? offers) correspond to a (possibly infinite) choice over all values of the data type. While this makes the semantics of certain language features easier to describe (particularly multiway synchronisation), it makes reasoning about specifications more difficult since transition systems are typically infinite. Existing tools such as CADP [6] deal with this problem by imposing finiteness restrictions on data types, limiting the natural numbers, for example, to a maximum of 256.
[Fig. 1. Standard semantics of the g?x:Nat event offer: from g?x:Nat;P there is one transition for each value, labelled g 0, g 1, g 2, ..., g n, ...]
An alternative solution is to restate the semantics of the language in a form which exposes the commonalities of actions and the finitary nature of the process specification. This can be done by basing the semantics on symbolic transition systems (STSs). These are essentially transition systems whose transitions can have free variables in the data label and are additionally labelled with a transition condition representing the conditions under which that transition is available. This approach was first introduced in [9], which gave a symbolic semantics for value passing CCS. In our research [4, 3], we have been adapting this theory for use with LOTOS. There are significant differences between LOTOS and value passing CCS which mean that this adaptation is not straightforward.
One difference is that input events in CCS are always unconstrained and there is no analogue of the selection predicates which can be used in LOTOS to restrict the values passed in a ? event. For example, LOTOS allows events such as g?x [x > 3], meaning: input an x which is bigger than 3. This means that the transition conditions in the LOTOS semantics need to be able to talk about the data associated with the current transition, whereas in CCS these are concerned only with previous transitions.
Another difference is that in order to implement multi-way synchronisation LOTOS permits synchronisation between any combination of ? and ! events, whereas in CCS an input event (?) can synchronise only with an output action (!). This means that the distinction between ? and ! is much less significant in LOTOS than it is in CCS. Essentially, a ! event is associated with an expression using constants and "known" variables while a ? event introduces a new variable. We have found it convenient to remove the !/? distinction from the syntax of data expressions in STSs. We shall still need to be able to tell when a transition introduces a new variable, but this will be determined by comparing the transition's data expression with the free variables of the source of the transition.
We shall assume that we have a countable set of variables, Var, ranged over by x, y, etc., and a (possibly infinite) set of values, Val, ranged over by v. We also assume a set of data expressions, Exp, which includes Var and Val and is ranged over by E, and a set of boolean expressions, BoolExp, ranged over by b. We also assume that we have a set of gates, G, ranged over by g. The set of simple events, SimpleEv, ranged over by a, is defined as $G \cup \{i, \delta\}$. (Recall that in LOTOS i is the internal event and $\delta$ is the special event which takes place when a process is exited.) The set of structured events, StructEv, contains all gate-expression combinations $g\,E$, as well as all combinations $\delta\,E$. Since the two kinds of structured events are handled exactly the same, we shall generally ignore $\delta$ in this paper, treating it as if it were a member of G. For simplicity, we do not allow structured events consisting of multiple data expressions; only singleton data offers are allowed. It is possible, but tedious, to extend our analysis to the case of multiple data offers.
Basically, an STS is a directed graph whose nodes are tagged with sets of free variables, and whose branches are labelled with a boolean condition and an event. Formally, the definition of STS is as follows:
Definition 1. (Symbolic Transition Systems) A symbolic transition system consists of:
- a set of states, containing a distinguished initial state, $T_0$, with each state $T$ tagged with a set of free variables, denoted $fv(T)$;
- a set of transitions written as $T \xrightarrow{b\;\alpha} T'$, where $\alpha \in SimpleEv \cup StructEv$ and $b$ is a Boolean expression, and $fv(T') \subseteq fv(T) \cup fv(\alpha)$ and $fv(b) \subseteq fv(T) \cup fv(\alpha)$ and $\#(fv(\alpha) \setminus fv(T)) \le 1$.
Following convention, we shall often identify an STS with its initial state. For example, the set of free variables of an STS $S$, $fv(S)$, is defined as the set of free variables of the initial state of $S$.
A set of rules presented in [4] defines how a symbolic transition system may be constructed from a LOTOS process expression. The resulting transition system is typically a cyclic graph (if recursive processes are involved) and is always of finite width (since only a finite number of branches may be described in a LOTOS process). This paper is concerned with STSs rather than LOTOS processes, though we shall use LOTOS syntax to describe examples.
2.1 Substitution
In the following section we present a logic on symbolic transition systems. Before we can do this, however, we must consider the question of how to define substitution on STSs. It is not possible to define a straightforward syntactic substitution on STSs because of the presence of cycles (such as might arise from recursive processes).
[Fig. 2. Failed substitution on the Buff STS. Left: the STS of Buff, with transitions $Buff \xrightarrow{tt\;\mathit{input}\,x} Buff'$ and $Buff' \xrightarrow{tt\;\mathit{output}\,x} Buff$. Right: the result of substituting 3 for x throughout, $Buff \xrightarrow{tt\;\mathit{input}\,x[3/x]} Buff'[3/x] \xrightarrow{tt\;\mathit{output}\,x[3/x]} Buff$.]
Consider, for example, the simple buffer Buff = input?x:Nat; output!x; Buff. The STS which corresponds to Buff is shown in Figure 2. If the first action taken by this process is to input the value 3, then the x at the output gate must also be tied to that value. Since Buff is recursive, we expect that the next time round the loop a different value may be input, and therefore a different substitution must be applied. However, if we simply substitute 3 for x in the STS, as shown in Figure 2, we fail to capture this possibility.
In [9], this problem is solved by introducing the concept of a "term": a node in a symbolic transition system paired with a substitution. The same solution can be adapted for LOTOS. Formally, a substitution is a partial function from Var to $Var \cup Val$, and a term consists of an STS, $T$, paired with a substitution, $\sigma$, such that $domain(\sigma) \subseteq fv(T)$; the term is written $T[\sigma]$. We use t and u to range over terms. For example, since Buff is closed, it can be paired only with the empty substitution to form the term $Buff[\,]$. The substitution is applied step by step, when necessary, as explained in the rules for transitions between terms (Definition 2 below). For example, below are some possible transitions starting from the term $Buff[\,]$. The substitutions capture the fact that the variable x is discarded and then bound afresh upon each pass through the loop, making it possible to process a different value during each pass.
$Buff[\,] \xrightarrow{tt\;\mathit{input}\,z_1} Buff'[z_1/x] \xrightarrow{tt\;\mathit{output}\,z_1} Buff[\,] \xrightarrow{tt\;\mathit{input}\,z_2} Buff'[z_2/x] \xrightarrow{tt\;\mathit{output}\,z_2} Buff[\,]$ and so on.
The definition of free variables is extended to terms in the obvious way. Terms, rather than STSs, are used as the basis for defining the logic and bisimulation.
Definition 2. (Transitions on Terms)
$T \xrightarrow{b\;a} T'$ implies $T[\sigma] \xrightarrow{b\sigma\;a} T'[\sigma']$
$T \xrightarrow{b\;g\,E} T'$ implies $T[\sigma] \xrightarrow{b\sigma\;g\,E\sigma} T'[\sigma']$, where $fv(E) \subseteq fv(T)$
$T \xrightarrow{b\;g\,x} T'$ implies $T[\sigma] \xrightarrow{b\sigma[z/x]\;g\,z} T'[\sigma' \cup \{z/x\}]$, where $x \notin fv(T)$ and $z \notin fv(T)$
In all cases, $\sigma' = fv(T') \lhd \sigma$, that is, the restriction of $\sigma$ to include only domain elements in the set $fv(T')$.
3 The Modal Logic FULL
In this section we present the syntax and semantics of a modal logic defined over symbolic transition systems. The logic is called Full LOTOS Logic (FULL) and is inspired by the HML presented in [18] and the data extended logic presented in [10]. The logic and the design considerations driving the choice of operators are described fully in [3]; here we simply give the syntax and semantics without discussion.
FULL is made up of two parts. The first set of formulae, ranged over by $\Phi$, applies to closed terms. The second set, ranged over by $\Psi$, is to be used for terms with a single free variable, as would arise from a LOTOS process with a single parameter. (The extension to multiple free variables is straightforward but tedious and is therefore omitted.)
Definition 3. (Syntax of FULL)
$\Phi ::= b \mid \Phi_1 \wedge \Phi_2 \mid \Phi_1 \vee \Phi_2 \mid [a]\Phi \mid \langle a \rangle\Phi \mid \langle \exists x\, g \rangle\Phi \mid \langle \forall x\, g \rangle\Phi \mid [\exists x\, g]\Phi \mid [\forall x\, g]\Phi$
$\Psi ::= \exists x . \Phi \mid \forall x . \Phi$
Definition 4. (Semantics of FULL) Given any closed term t, the semantics of $t \models \Phi$ is given by:
$t \models b$ iff $b \equiv tt$
$t \models \Phi_1 \wedge \Phi_2$ iff $t \models \Phi_1$ and $t \models \Phi_2$
$t \models \Phi_1 \vee \Phi_2$ iff $t \models \Phi_1$ or $t \models \Phi_2$
$t \models \langle a \rangle\Phi$ iff there is a $t'$ s.t. $t \xrightarrow{tt\;a} t'$ and $t' \models \Phi$
$t \models [a]\Phi$ iff whenever $t \xrightarrow{tt\;a} t'$ then $t' \models \Phi$
$t \models \langle \exists x\, g \rangle\Phi$ iff for some value v, either for some $t'$, $t \xrightarrow{tt\;g\,v} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\;g\,z} t'$ and $b[v/z] \equiv tt$ and $t'[v/z] \models \Phi[v/x]$
$t \models \langle \forall x\, g \rangle\Phi$ iff for all values v, either for some $t'$, $t \xrightarrow{tt\;g\,v} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\;g\,z} t'$ and $b[v/z] \equiv tt$ and $t'[v/z] \models \Phi[v/x]$
$t \models [\exists x\, g]\Phi$ iff for some value v, whenever $t \xrightarrow{tt\;g\,v} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\;g\,z} t'$ and $b[v/z] \equiv tt$ then $t'[v/z] \models \Phi[v/x]$
$t \models [\forall x\, g]\Phi$ iff for all values v, whenever $t \xrightarrow{tt\;g\,v} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\;g\,z} t'$ and $b[v/z] \equiv tt$ then $t'[v/z] \models \Phi[v/x]$
Given any term t with one free variable z, the semantics of $t \models \Psi$ is given by:
$t \models \exists x . \Phi$ iff there is some value v such that $t[v/z] \models \Phi[v/x]$
$t \models \forall x . \Phi$ iff for all values v, $t[v/z] \models \Phi[v/x]$
A property of FULL is that for every formula it is possible to construct the negation, $neg(\Phi)$, of that formula. (We assume that negation is available in the underlying language of boolean expressions.) For example, $neg([\forall x\, g]\Phi)$ is $\langle \exists x\, g \rangle neg(\Phi)$.
To each formula in FULL is associated a depth, n, which is defined in the obvious inductive way.
4 Bisimulation and Adequacy of FULL
In developing the logic FULL we were motivated by two goals. The first was to develop a logic which allowed properties concerning data to be expressed in a natural way. The second was to ensure that the logic was adequate with respect to other notions of equivalence between processes, in the sense that equivalent processes should satisfy the same set of logical formulae. One important relationship between processes is that of bisimulation. In this section we show how bisimulation is defined upon terms and prove that FULL is adequate with respect to bisimulation.
We shall assume we have a function $new(t, u)$ which, given two terms t and u, returns a variable which is not among the free variables of either t or u.
Definition 5. (Bisimulation on terms) Given two closed terms t and u,
1. $t \sim_0 u$;
2. for all n > 0, $t \sim_n u$ provided that:
(a) (simple event) whenever $t \xrightarrow{tt\;a} t'$, then for some $u'$, $u \xrightarrow{tt\;a} u'$ and $t' \sim_{n-1} u'$;
(b) (structured event, no new variable) whenever $t \xrightarrow{tt\;g\,v} t'$, then either for some $u'$, $u \xrightarrow{tt\;g\,v} u'$ and $t' \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\;g\,z} u'$ and $b_u[v/z] \equiv tt$ and $t' \sim_{n-1} u'[v/z]$, where $z = new(t, u)$;
(c) (structured event, new variable) whenever $t \xrightarrow{b_t\;g\,z} t'$, where $z = new(t, u)$, then, for all v s.t. $b_t[v/z] \equiv tt$, either for some $u'$, $u \xrightarrow{tt\;g\,v} u'$ and $t'[v/z] \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\;g\,z} u'$ and $b_u[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'[v/z]$;
(d), (e), (f) symmetrically, the transitions of u must be matched by t.
Given two terms t and u with free variables $\{x\}$ and $\{y\}$, respectively, $t \sim_n u$ provided that for all values v, $t[v/x] \sim_n u[v/y]$.
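The Python program below is an added illustration and is not part of the paper or of any tool it mentions. It executes Definition 2 (transitions on terms), Definition 4 (the semantics of FULL) and Definition 5 (n-bisimulation) over a finite value domain, so that the quantifications "for all values v" can be enumerated, and it reproduces the Buff example of Section 2.1. The three buffer processes, the domain VAL = {0, ..., 4}, the tuple encoding of formulae and every function name are assumptions of the example; binders are represented as Python functions, so that $\Phi[v/x]$ is just function application and no substitution on formulae is needed.

```python
from itertools import count

# Added example (not from the paper): Definitions 2, 4 and 5 executed over a finite
# value domain VAL, a constructed stand-in for Nat, so "for all values v" is enumerable.
VAL = range(0, 5)
# Constructed STSs (Definition 1): state -> [(cond, gate, data, target)]; cond maps an
# environment var -> value to a bool; data is a variable, a constant, or None for a simple
# event. A variable not in FV[state] (the state's free variables) is a ? offer: a new variable.
#   Buff  = input?x:Nat;      output!x; Buff     (Figure 2)
#   Buff0 = input?x:Nat;      output!0; Buff0    (forgets what it read)
#   Buff3 = input?x:Nat[x<3]; output!x; Buff3    (selection predicate on the ? offer)
STS = {
    "Buff":   [(lambda e: True,       "input",  "x", "Buff'")],
    "Buff'":  [(lambda e: True,       "output", "x", "Buff")],
    "Buff0":  [(lambda e: True,       "input",  "x", "Buff0'")],
    "Buff0'": [(lambda e: True,       "output", 0,   "Buff0")],
    "Buff3":  [(lambda e: e["x"] < 3, "input",  "x", "Buff3'")],
    "Buff3'": [(lambda e: True,       "output", "x", "Buff3")],
}
FV = {s: ({"x"} if s.endswith("'") else set()) for s in STS}
FRESH = count(1)

def term_transitions(term):
    """Definition 2 on a term (state, sigma): returns (cond, gate, data, target_term). For a
    ? offer (rule 3) data is a fresh z and cond(v) evaluates b with z := v; otherwise (rules
    1 and 2) cond ignores its argument and data is the expression under sigma."""
    state, sigma = term
    out = []
    for cond, gate, data, target in STS[state]:
        sig2 = {k: w for k, w in sigma.items() if k in FV[target]}  # sigma' = fv(T') <| sigma
        if isinstance(data, str) and data not in FV[state]:
            z = "z%d" % next(FRESH)
            out.append((lambda v, c=cond, s=sigma, x=data: c({**s, x: v}),
                        gate, z, (target, {**sig2, data: z})))
        else:
            e = sigma.get(data, data) if isinstance(data, str) else data
            out.append((lambda v, c=cond, s=sigma: c(s), gate, e, (target, sig2)))
    return out

def succ(t, g, v):
    """Successors of the closed term t on event g v: a tt g v transition, or b g z with
    b[v/z] = tt, whose target is t'[v/z] (the two cases distinguished in Definitions 4 and 5)."""
    res = []
    for cond, gate, data, (state, sigma) in term_transitions(t):
        if gate != g or not cond(v):
            continue
        if isinstance(data, str):          # b g z: instantiate z with v in the target term
            res.append((state, {k: (v if w == data else w) for k, w in sigma.items()}))
        elif data == v:                    # tt g v (v is None for a simple event)
            res.append((state, sigma))
    return res

def sat(t, phi):
    """Definition 4 on closed terms. phi is ("b", bool), ("and"|"or", f1, f2), ("dia"|"box", a, f)
    for a simple event a, or ("dia_ex"|"dia_all"|"box_ex"|"box_all", g, k) for <Ex g>, <Ax g>,
    [Ex g], [Ax g], where the Python function k(v) yields the body with x := v (Phi[v/x])."""
    op = phi[0]
    if op == "b":
        return phi[1]
    if op in ("and", "or"):
        return (sat(t, phi[1]) and sat(t, phi[2])) if op == "and" else (sat(t, phi[1]) or sat(t, phi[2]))
    if op in ("dia", "box"):
        rows = [sat(t2, phi[2]) for t2 in succ(t, phi[1], None)]
        return any(rows) if op == "dia" else all(rows)
    g, k = phi[1], phi[2]
    per_v = [[sat(t2, k(v)) for t2 in succ(t, g, v)] for v in VAL]  # one row per value v
    return {"dia_ex":  any(any(r) for r in per_v),      # some v, some g v successor
            "dia_all": all(any(r) for r in per_v),      # every v, some g v successor
            "box_ex":  any(all(r) for r in per_v),      # some v, every g v successor
            "box_all": all(all(r) for r in per_v)}[op]  # every v, every g v successor

def bisim(t, u, n):
    """Definition 5 on closed terms, t ~_n u: every g v successor of t has a ~_{n-1} g v
    successor of u, and symmetrically (succ folds rules (b) and (c); simple events unused)."""
    if n == 0:
        return True
    for g in ("input", "output"):
        for v in VAL:
            ts, us = succ(t, g, v), succ(u, g, v)
            if not all(any(bisim(t2, u2, n - 1) for u2 in us) for t2 in ts):
                return False
            if not all(any(bisim(t2, u2, n - 1) for t2 in ts) for u2 in us):
                return False
    return True

def demo():
    buff, buff0, buff3 = ("Buff", {}), ("Buff0", {}), ("Buff3", {})
    trace, t = [], buff          # Definition 2: each pass round the loop binds a fresh variable
    for _ in range(4):
        _, gate, data, t = term_transitions(t)[0]
        trace.append((gate, data, t))
    # Definition 4: whatever is read is later offered on output; Buff3 reads only values below 3
    echo = ("box_all", "input", lambda x: ("dia_ex", "output", lambda y: ("b", y == x)))
    below3 = ("box_all", "input", lambda x: ("b", x < 3))
    # Definition 5 and Theorem 1: Buff ~_1 Buff0 but not ~_2; the depth-2 formula built as in
    # the proof, <Ex input>((x = 3) and <Ey output>(y = 3)), holds of Buff and fails for Buff0
    sep = ("dia_ex", "input", lambda x: ("and", ("b", x == 3),
                                         ("dia_ex", "output", lambda y: ("b", y == 3))))
    return {"trace": trace,
            "echo": (sat(buff, echo), sat(buff0, echo), sat(buff3, echo)),
            "below3": (sat(buff, below3), sat(buff3, below3)),
            "bisim": (bisim(buff, buff0, 1), bisim(buff, buff0, 2), bisim(buff, buff3, 1)),
            "sep": (sat(buff, sep), sat(buff0, sep))}
```

Calling demo() shows the fresh variables (z1 on the first pass, z2 on the second) that the term transitions bind round Buff's loop, which is exactly what the syntactic substitution of Figure 2 cannot express; that Buff and Buff0 are 1-bisimilar but not 2-bisimilar, and that the depth-2 formula constructed as in the proof of Theorem 1 separates them, while $\langle \exists x\, \mathit{input} \rangle (x = 3)$ already separates Buff from Buff3 at depth 1 because of the selection predicate. The caveat is the one the paper itself makes: enumerating VAL is precisely the finiteness restriction that CADP imposes, and bisim is exponential in n; the symbolic bisimulation discussed in Section 5 is what removes the enumeration.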
The four theorems which follow show that FULL is adequate with respect
to bisimulation. Theorems 1 and 2 give the result for closed terms, and are then
used to prove the result for terms of one free variable (Theorems 3 and 4).
Theorem 1. (FULL distinguishes non-bisimilar closed terms) For all n, for all closed terms t and u, if $t \not\sim_n u$ then there is a formula $\Phi$ such that $t \models \Phi$ and $u \not\models \Phi$.
Proof. The proof is by induction on n. If n = 0 then the result is vacuously true. In the case where n > 0, we examine all the ways in which bisimulation can fail and, in each case, construct a formula which is satisfied by t but not by u. We shall illustrate the construction by showing the case where rule (c) of Definition 5 fails. The other cases are simpler and are omitted.
If rule (c) fails, then there is a transition $t \xrightarrow{b_t\;g\,z} t'$, where $z = new(t, u)$, but there is some value v such that $b_t[v/z] \equiv tt$ and for all transitions of the form $u \xrightarrow{tt\;g\,v} u'$, $t'[v/z] \not\sim_{n-1} u'$, and for all transitions of the form $u \xrightarrow{b_u\;g\,z} u'$ where $b_u[v/z] \equiv tt$, $t'[v/z] \not\sim_{n-1} u'[v/z]$. Suppose that there are k of the first kind of transition and m of the second kind, where k and m are natural numbers. Then, by the induction hypothesis, each of the $u'_i$ of the first kind can be distinguished from $t'[v/z]$ by some formula $\Phi_i$ satisfied by $t'[v/z]$ but not by $u'_i$, and for each of the $u'_i$ of the second kind there is a formula $\Phi'_i$ satisfied by $t'[v/z]$ but not by $u'_i[v/z]$. Then t and u can be distinguished by the formula $\langle \exists x\, g \rangle \big( (x = v) \wedge \bigwedge\{\Phi_1, \ldots, \Phi_k\} \wedge \bigwedge\{\Phi'_1, \ldots, \Phi'_m\} \big)$: t satisfies it by choosing the value v and the transition to $t'[v/z]$, whereas for u the conjunct $x = v$ forces the value v, and every g v successor of u falsifies one of the $\Phi_i$ or $\Phi'_i$.
Theorem 2. (Bisimilar closed terms satisfy the same formulae) For all n, for all closed terms t and u, if $t \sim_n u$ then, for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$.
Proof. The proof is by induction on n. If n = 0, then the formula must be of depth 0, and must therefore be a simple boolean b. By the semantics of FULL, it is clear that for any t and u, $t \models b$ iff $u \models b$.
In the case where n > 0, we take any t and u and assume that $t \sim_n u$. We must show that for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$. This is done by induction on the structure of $\Phi$. There are 9 cases to consider. We illustrate the arguments used by showing one of the most complex cases:
Consider the case where $\Phi$ is of the form $[\forall x\, g]\Phi'$. Suppose that $t \models \Phi$. Then, by the semantics of FULL, for all values v, whenever there is a $t'$ such that $t \xrightarrow{tt\;g\,v} t'$ then $t' \models \Phi'[v/x]$, and whenever there is a $t'$ such that $t \xrightarrow{b_t\;g\,z} t'$ (for some new variable z) and $b_t[v/z] \equiv tt$ then $t'[v/z] \models \Phi'[v/x]$. We must show that $u \models \Phi$. Take any value v. We must consider all u transitions on v. These can be of two kinds:
Case (1). Suppose there is a transition of the form $u \xrightarrow{tt\;g\,v} u'$. By bisimilarity, this is matched by a t transition. There are two possibilities.
The matching transition may be of the form $t \xrightarrow{tt\;g\,v} t'$, where $t' \sim_{n-1} u'$. Then, we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$.
The matching transition may be of the form $t \xrightarrow{b_t\;g\,z} t'$, where $z = new(t, u)$ and $b_t[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'$. Then, we know that $t'[v/z] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$.
Case (2). Suppose there is a transition of the form $u \xrightarrow{b_u\;g\,z'} u'$ (for some fresh $z'$) and $b_u[v/z'] \equiv tt$. We wish to show that $u'[v/z'] \models \Phi'[v/x]$. Now, since $z'$ is fresh, we can replace $z'$ by z where $z = new(t, u)$. In other words, we are looking instead at the transition $u \xrightarrow{b_u[z/z']\;g\,z} u'[z/z']$. For this transition, we get that $b_u[z/z'][v/z] \equiv tt$. And, we need to show that $u'[z/z'][v/z] \models \Phi'[v/x]$, which is the same term as $u'[v/z']$.
By bisimilarity, this transition is matched by a t transition. There are two possibilities.
The matching transition may be of the form $t \xrightarrow{tt\;g\,v} t'$, where $t' \sim_{n-1} u'[z/z'][v/z]$. Then, we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[z/z'][v/z] \models \Phi'[v/x]$.
The matching transition may be of the form $t \xrightarrow{b_t\;g\,z} t'$, where $b_t[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'[z/z'][v/z]$. Then, we know that $t'[v/z] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[z/z'][v/z] \models \Phi'[v/x]$.
The direction from $u \models \Phi$ to $t \models \Phi$ is symmetric.
Theorem 3. (FULL distinguishes non-bisimilar open terms) For all n, for all terms t and u with one free variable, if $t \not\sim_n u$ then there is a formula $\Psi$ such that $t \models \Psi$ and $u \not\models \Psi$.
Proof. Suppose that the free variables of t and u are $z_1$ and $z_2$, respectively. Since $t \not\sim_n u$, there is some value v such that $t[v/z_1] \not\sim_n u[v/z_2]$. By Theorem 1 there is then a formula $\Phi$ such that $t[v/z_1] \models \Phi$ but $u[v/z_2] \not\models \Phi$. We construct the formula $\Psi = \forall x . ((x \neq v) \vee \Phi)$. Then $t \models \Psi$ but $u \not\models \Psi$: for any value $w \neq v$ the disjunct $x \neq v$ holds of both instances, and for $w = v$ the instances reduce to $t[v/z_1] \models \Phi$ and $u[v/z_2] \not\models \Phi$.
Theorem 4. (Bisimilar open terms satisfy the same formulae) For all n, for all terms t and u with one free variable, if $t \sim_n u$ then, for all $\Psi$ such that $depth(\Psi) \le n$, $t \models \Psi$ if and only if $u \models \Psi$.
Proof. This is a straightforward consequence of Theorem 2.
5 Further Work
The results presented in this paper provide a foundation upon which to build a system for verifying properties of specifications in Full LOTOS. In this section we discuss the further work, both theoretical and practical, which needs to be done to realise this goal.
Extensions of the Logic. The logic we have developed is relatively sparse, and there are several useful ways in which it could be extended and made more expressive. However, care must be taken to ensure that this is not done at the expense of adequacy. Two important features which we intend to focus upon are ways of handling multi-sorted data, and fixpoint operators to handle recursion.
User-defined algebraic datatypes are an important and heavily used feature of LOTOS so it is essential to extend FULL to deal in some way with multiple data types. One obvious way of doing this is to encode types as predicates over values. The details of this need to be worked out and alternative solutions explored.
Recursion is another heavily-used feature of LOTOS, and the usefulness of FULL would be significantly enhanced by the addition of fixpoint operators for reasoning about recursive or infinitary behaviour. This is a topic which has been much studied in the theory of concurrency and we hope to be able to adapt existing solutions to the needs of LOTOS.
Further Theoretical Analysis. Some areas of the theory underlying symbolic transition systems for LOTOS are as yet incomplete. For example, the relationship between our symbolic semantics and the standard semantics of LOTOS has not yet been fully analysed. We conjecture that the two semantics coincide for closed terms, in the sense that bisimilar terms in the symbolic semantics correspond to bisimilar processes in the standard semantics. The details of this remain to be checked.
Another interesting area of study is symbolic bisimulation. The bisimulation presented in this paper is of limited practical use because it requires a possibly infinite number of values to be examined (cf. rules 2(c) and 2(f) of Definition 5). This problem can be solved by turning to symbolic bisimulation, as introduced in [9]. Symbolic bisimulation solves the problem of infinite values by dividing the value space that must be examined into a finite number of partitions described by boolean expressions. We have defined symbolic bisimulation for LOTOS [4] and are working on its theoretical underpinnings and the development of a bisimulation-checking tool to support it.
Algorithms and Tools. The eventual goal of this research is the development of tools to support reasoning about specifications in Full LOTOS. Work is in progress on the development of algorithms for reasoning within FULL. In tandem with this, there is also work on the implementation of tools to support reasoning in FULL. At the present time, a restricted version of the logic has been implemented in CADP. The logic is also being implemented in the Ergo theorem prover [2] and in the Maude system [5].
Acknowledgement. The authors would like to thank the Engineering and Physical Sciences Research Council and the Nuffield Foundation Newly Appointed Lecturer scheme for supporting this research.
References
1. D. Amyot, L. Charfi et al. Feature Description and Feature Interaction Analysis with Use Case Maps and LOTOS. In M. Calder and E. Magill, editors, Feature Interactions in Telecommunications and Software Systems VI. IOS Press, May 2000.
2. H. Becht, A. Bloesch et al. Ergo 4.1 Reference Manual. Technical Report 96-31, Software Verification Research Centre, University of Queensland, Australia, November 1996.
3. M. Calder, S. Maharaj, and C. Shankland. A Modal Logic for Early Symbolic Transition Systems. The Computer Journal, 2001. To appear.
4. M. Calder and C. Shankland. A Symbolic Semantics and Bisimulation for Full LOTOS. To appear as a University of Stirling Technical Report, 2000.
5. M. Clavel, F. Duran et al. Maude: Specification and Programming in Rewriting Logic. Maude System documentation. Computer Science Laboratory, SRI, Menlo Park, California, March 1999.
6. J-C. Fernandez, H. Garavel et al. CADP (CAESAR/ALDEBARAN Development Package): A Protocol Validation and Verification Toolbox. In R. Alur and T.A. Henzinger, editors, Proceedings of CAV'96, number 1102 in Lecture Notes in Computer Science, pages 437–440. Springer-Verlag, 1996.
7. J.F. Groote and R. Mateescu. Verification of Temporal Properties of Processes in a Setting with Data. In Proceedings of the 7th International Conference on Algebraic Methodology and Software Technology AMAST'98, Amazonia, Brazil, volume 1548 of Lecture Notes in Computer Science, pages 74–90, 1999.
8. J.F. Groote and A. Ponse. The Syntax and Semantics of μCRL. In Proceedings of Algebra of Communicating Processes, Utrecht 1994, Workshops in Computing. Springer-Verlag, 1995.
9. M. Hennessy and H. Lin. Symbolic Bisimulations. Theoretical Computer Science, 138:353–389, 1995.
10. M. Hennessy and X. Liu. A Modal Logic for Message Passing Processes. Acta Informatica, 32:375–393, 1995.
11. M. Hennessy and R. Milner. Algebraic Laws for Nondeterminism and Concurrency. Journal of the Association for Computing Machinery, 32(1):137–161, 1985.
12. International Organisation for Standardisation. Information Processing Systems, Open Systems Interconnection, LOTOS: A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour, 1988.
13. C. Kirkwood. Specifying Properties of Basic LOTOS Processes Using Temporal Logic. In G. v. Bochmann, R. Dssouli, and O. Rafiq, editors, Formal Description Techniques, VIII, IFIP. Chapman Hall, April 1996.
14. D. Kozen. Results on the Propositional μ-Calculus. Theoretical Computer Science, 27:333–354, 1983.
15. R. Mateescu and H. Garavel. XTL: A Meta-Language and Tool for Temporal Logic Model-Checking. In Proceedings of the International Workshop on Software Tools for Technology Transfer STTT'98 (Aalborg, Denmark), 1998.
16. C. Pecheur. Using LOTOS for specifying the CHORUS distributed operating system kernel. Computer Communications, 15(2):93–102, March 1992.
17. M. Sighireanu and R. Mateescu. Verification of the Link Layer Protocol of the IEEE-1394 Serial Bus (FireWire): an Experiment with E-LOTOS. Springer International Journal on Software Tools for Technology Transfer (STTT), 2(1):68–88, Dec. 1998.
18. C. Stirling. Temporal Logics for CCS. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, LNCS 354, pages 660–672. Springer-Verlag, 1989. REX School/Workshop, Noordwijkerhout, The Netherlands, May/June 1988.
19. M. Thomas. The Story of the Therac-25 in LOTOS. High Integrity Systems Journal, 1(1):3–15, 1994.
20. M. Thomas. Modelling and Analysing User Views of Telecommunications Services. In Feature Interactions in Telecommunications Systems, pages 168–183. IOS Press, 1997.
21. M. Thomas and B. Ormsby. On the Design of Side-Stick Controllers in Fly-by-Wire Aircraft. A.C.M. Applied Computing Review, 2(1):15–20, Spring 1994.
22. Kenneth J. Turner. An architectural description of intelligent network features and their interactions. Computer Networks, 30(15):1389–1419, September 1998.
23. A. Vogel. On ODP's architectural semantics using LOTOS. In J. de Meer, B. Mahr, and O. Spaniol, editors, Proc. Int. Conf. on Open Distributed Processing, pages 340–345, September 1993.