Logics and Games for True Concurrency
We study the underlying mathematical properties of various partial order models of concurrency based on transition systems, Petri nets, and event structures, and show that the concurrent behaviour of these systems can be captured in a uniform way by two simple and general dualities of local behaviour. Such dualities are used to define new mu-calculi and logic games for the analysis of concurrent systems with partial order semantics. Some results of this work are: the definition of a number of mu-calculi which, in some classes of systems, induce the same identifications as some of the best known bisimulation equivalences for concurrency; and the definition of (infinite) higher-order logic games for bisimulation and model-checking, where the players of the games are given (local) monadic second-order power on the sets of elements they are allowed to play. More specifically, we show that our games are sound and complete, and therefore, determined; moreover, they are decidable in the finite case and underpin novel decision procedures for bisimulation and model-checking. Since these mu-calculi and logic games generalise well-known fixpoint logics and game-theoretic decision procedures for concurrent systems with interleaving semantics, the results herein give some of the groundwork for the design of a logic-based, game-theoretic framework for studying, in a uniform way, several concurrent systems regardless of whether they have an interleaving or a partial order semantics.
Keywords: Modal and temporal logics; Petri nets, event structures, TSI models; Bisimulation and model-checking; Logic games for verification.
Concurrency theory studies the logical and mathematical foundations of parallel processes, i.e., of systems composed of independent components which can interact with each other and with an environment. These systems can be analysed by studying the formalisms (logics and methodologies) employed to specify and verify their properties as well as the mathematical structures used to represent their behaviour. Such formalisms and structures make use of models of two different kinds: interleaving or partially ordered. This semantic feature is particularly important as most logics, tools, and verification techniques for analysing the behaviour of concurrent systems have to take this difference into account. This is sometimes an undesirable situation since it obscures our understanding of concurrent computations and divides research efforts in two different directions. Here we report on some work towards the definition of theories and verification techniques for analysing different models for concurrency in a uniform way.
This study focuses on core issues related to mu-calculi (fixpoint extensions of modal logic, in this case) and infinite logic games for concurrency. In particular, using a game-theoretic approach, we study fixpoint modal logics with partial order models as well as their associated bisimulation and model-checking problems. Our results show that generalisations (to a partial order setting) of some of the theories and verification techniques for interleaving concurrency can be used to address, uniformly, the analysis of concurrent systems with both interleaving and partial order semantics. Some of our particular contributions are as follows.
We first study the relationships between logics and equivalences for concurrent systems with partial order semantics purely based on observable ‘local dualities’ between concurrency and conflict, on the one hand, and concurrency and causality on the other. These dualities, which can be found across several partial order models of concurrency, are mathematically supported in a beautiful way by a simple axiomatization of concurrent behaviour. Although the dualities and axiomatization are defined with respect to partial order models of concurrency, such dualities and axiomatization have a natural interpretation when considering concurrent systems with interleaving semantics such as transition systems (or their unfoldings) since they appear as particular instances of our framework.
We also define a logical notion of equivalence for concurrency tailored to be model independent. We do so by defining a number of fixpoint modal logics whose semantics are given by an intermediate structure called a ‘process space’, which is a mathematical structure intended to be used as a common bridge between the particular models of concurrency under consideration. Roughly speaking, a process space is a structure that contains the local partial order behaviour of a concurrent system, and is built using the local dualities mentioned above. Then, following this approach, two concurrent systems, possibly with models of different kinds, can be compared with each other within the same framework by comparing logically their associated process spaces.
Moreover, some of the bisimulation equivalences induced by these logics coincide with the standard bisimilarities both for interleaving and for causal systems, namely with Milner’s strong bisimilarity (sb [hmljacm-milner]) and with history-preserving bisimilarity (hpb [hpb-rav]), respectively. The latter result holds when restricted to a particular class of concurrent systems, which we currently call the class of -systems. We also define a new bisimulation equivalence, which (on -systems) is strictly stronger than hpb and strictly weaker than hereditary history-preserving bisimilarity (hhpb [open-nielsen]), one of the specializations of the abstract notion of bisimulation equivalence defined by Joyal, Nielsen, and Winskel using open maps [open-nielsen].
We also study the model-checking problem for these logics against the models for concurrency we consider here. The outcome of this is a generalisation of the local model-checking games defined by Stirling [localmc-stirling] for the mu-calculus ( [lmutcs-kozen]). This new game-based decision procedure is used for the temporal verification of a class of regular event structures [res-thia], and thereby, we improve previous results in the literature [mceslics-madhu, tacas-penczek] in terms of temporal expressive power. We do so by allowing a free interplay of fixpoint operators and local monadic second-order power on the sets of elements that can be described within the logics.
The distinctive feature of the (infinite) logic games we define in order to address the bisimulation and model-checking problems we have described is that through their formal definition we move from a traditional setting where both players, namely a “Verifier” Eve () and a “Falsifier” Adam (), have first-order power on the elements available in the locality where they are to play, to a more complex setting in which the players are provided with higher-order power on the sets of elements they are allowed to play. From a more computational viewpoint, we show that despite their higher-order features both logic games are sound and complete, and therefore, determined; moreover, they are also decidable when played on finite systems allowing for possible practical implementations.
The structure of the document is as follows. Section 2 introduces some background on the models for concurrency, fixpoint modal logics, and bisimulation and model-checking games of our interest. In Section LABEL:mucalculi we define the local dualities recognisable in several (partial order) models for concurrency as well as the fixpoint modal logics that can be extracted from such dualities; here we also study the bisimulation equivalences induced by some of the modal logics defined in this section making no use of any game-theoretic machinery. Then, in Sections LABEL:bisgames and LABEL:mcgames, we introduce the higher-order logic games that characterise, respectively, the bisimulation and model-checking problems of the logics defined in the previous section; we also show their correctness and applications as described before. Finally, in Section LABEL:relwork a summary of related work is given, and in Section LABEL:conc we provide some concluding remarks and directions for further work.
In this section we study the models for concurrency of our interest, together with background material on the modal logics and games for verification that are relevant to the work presented in this document. We also discuss some relationships between the models for concurrency that are studied here as well as between the equivalences induced by the modal logics presented in this section and the equivalences for concurrency considered in this and forthcoming sections.
2.1 Partial Order Models of Concurrency
In concurrency there are two main semantic approaches to modelling concurrent behaviour, either using interleaving or partial order models for concurrency. On the one hand, interleaving models represent concurrency as the nondeterministic combination of all possible sequential behaviours in the system. On the other hand, partial order models represent concurrency explicitly by means of an independence relation on the set of actions, transitions, or events in the system that can be executed concurrently.
We are interested in partial order models for various reasons. In particular, they can be seen as a generalisation of interleaving models, as explained later. This feature allows us to define the logics and games developed in further sections in a uniform way for several different models for concurrency, regardless of whether they are used to provide interleaving or partial order semantics.
In the following, we present the three partial order models for concurrency that we study here, namely Petri nets, transition systems with independence, and event structures. We also present some basic relationships between these three models, and how they generalise some models for interleaving concurrency. For further information on models for concurrency and their relationships the reader is referred to [models-winskel, modelstcs-winskel] where one can find a more comprehensive presentation.
A net is a tuple , where is a set of places, is a set of actions, is a relation between places and actions, and is a labelling function from actions to a set of action labels. Places and actions are called nodes; given a node , the set is the preset of and the set is the postset of . These elements define the static structure of a net. (Footnote 1: The reader acquainted with net theory may have noticed that we use the word ‘action’ instead of ‘transition’, more common in the literature on (Petri) nets. We have made this choice of notation in order to avoid confusion later on in the document.) The notion of computation state in a net (i.e., its dynamic part) is that of a ‘marking’, which is a set or a multiset of places; in the former case such nets are called safe. Hereafter we only consider safe nets.
A Petri net is a tuple , where is a net and is its initial marking.
As mentioned above, markings define the dynamics of nets; they do so in the following way. We say that a marking enables an action iff . If is enabled at , then can occur and its occurrence leads to a successor marking , where , written as . Let be the relation between successor markings and let be its transitive closure. Given a Petri net , the relation defines the set of reachable markings in the system ; such a set of reachable markings is fixed for any pair , and can be constructed with the occurrence net unfolding construction defined by Nielsen, Plotkin, and Winskel [pnesdom-winskel].
Finally, let be the symmetric independence relation on actions such that iff , where stands for the set , and there exists a reachable marking such that both and . Then, if two actions and can occur concurrently they must be independent, i.e., .
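As an added illustration (not code from the paper), the firing rule, the set of reachable markings, and the independence relation just described, computed for a small constructed safe net in Python; the net, its place and action names, and its labels are invented for the example:

```python
from collections import deque

# Constructed safe net (example input, not from the paper).
# PRE[t] is the preset of action t, POST[t] its postset, LABEL its action label.
PRE = {"a": {"p1"}, "b": {"p2"}, "c": {"p3", "p4"}}
POST = {"a": {"p3"}, "b": {"p4"}, "c": {"p1", "p2"}}
LABEL = {"a": "x", "b": "y", "c": "z"}
M0 = frozenset({"p1", "p2"})  # initial marking (a set, since the net is safe)


def enabled(marking, action):
    """A marking enables an action iff the action's preset is contained in it."""
    return PRE[action] <= marking


def fire(marking, action):
    """Occurrence of an enabled action: remove its preset, add its postset."""
    if not enabled(marking, action):
        raise ValueError(f"{action} is not enabled at {sorted(marking)}")
    return frozenset((marking - PRE[action]) | POST[action])


def reachable(m0):
    """Reflexive-transitive closure of the successor-marking relation from m0 (BFS)."""
    seen, queue = {m0}, deque([m0])
    while queue:
        m = queue.popleft()
        for t in PRE:
            if enabled(m, t):
                m2 = fire(m, t)
                if m2 not in seen:
                    seen.add(m2)
                    queue.append(m2)
    return seen


def reachability_graph(m0):
    """Labelled edges (M, label, M') between reachable markings: an LTS view of the net."""
    return {(m, LABEL[t], fire(m, t)) for m in reachable(m0) for t in PRE if enabled(m, t)}


def independent(t1, t2, reach):
    """t1 I t2 iff their presets/postsets are disjoint and some reachable marking
    enables both. Independence is necessary for the two actions to occur concurrently."""
    if t1 == t2:
        return False
    if (PRE[t1] | POST[t1]) & (PRE[t2] | POST[t2]):
        return False
    return any(enabled(m, t1) and enabled(m, t2) for m in reach)
```

Here a and b are independent (they form a concurrency diamond in the reachability graph), whereas c shares places with both and so is independent of neither.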
Transition Systems with Independence.
A labelled transition system (LTS) is an edge-labelled graph structure. Formally, an LTS is a tuple , where is a set of vertices called states, is a set of labels, and is a set of -labelled edges, which are called transitions. A rooted LTS is an LTS with a designated initial state . A transition system with independence is a rooted LTS where independent transitions can be explicitly recognised. Formally:
A transition system with independence (TSI) is a tuple , where is a set of states with initial state , is a transition relation, is a set of labels, and is an irreflexive and symmetric relation on independent transitions. The binary relation on transitions defined by
expresses that two transitions are ‘instances’ of the same action, but in two different interleavings. We let be the least equivalence relation that includes , i.e., the reflexive, symmetric, and transitive closure of . The equivalence relation is used to group all transitions that are instances of the same action in all its possible interleavings. Additionally, is subject to the following axioms:
Axiom A1 states that from any state, the execution of a transition always leads to a unique state. This is a determinacy condition. Axioms A2 and A3 ensure that independent transitions can be executed in either order. Finally, A4 ensures that the relation is well defined. More precisely, A4 says that if two transitions and are independent, then all other transitions in the equivalence class (i.e., all other transitions that are instances of the same action but in different interleavings) are independent of as well, and vice versa. Having said that, an alternative and possibly more intuitive definition for axiom A4 can be given. Let be the set . Then, axiom A4 is equivalent to this expression: A4’. .
This axiomatization of concurrent behaviour was defined by Winskel and Nielsen [models-winskel], but has its roots in the theory of traces [tracesbook-maz], notably developed by Mazurkiewicz for trace languages, one of the simplest partial order models for concurrency. As shown in Figure LABEL:ch2-diamond, this axiomatization can be used to generate a ‘concurrency diamond’ for any two independent transitions and .