Model Checking Properties on Reduced Trace Systems

Temporal logic has become a well-established method for specifying the behavior of distributed systems. In this paper, we interpret a temporal logic over a partial order model that is a trace system. The satisfaction of the formulae is directly defined on traces on the basis of rewriting rules; so, the graph representation of the system can be completely avoided; moreover, a method is presented that keeps the trace system finite, also in the presence of infinite computations. To further reduce the complexity of model checking temporal logic formulae, an abstraction technique is applied to trace systems.


Introduction and Motivation
Linear time [1] and branching time [2] temporal logics are used for specifying and verifying concurrent and distributed systems: partial order models (trace systems are an example) are mostly used to give semantics to linear time logics, while interleaving models (such as transition systems) are widely used for branching time logics.To express properties inherent in concurrency, i.e., properties distinguishing concurrency from nondeterminism, a partial order interpretation for the logic fits better.This interpretation allows also a good definition of fairness properties as, for example, inevitability under the fairness assumption [3,4]: "in all computations the event a eventually occurs".
Model checking is one of the main methods for the automated verification of concurrent systems [5]; it consists in checking whether a structure representing the system is a model for a logic formula.Model checking very large concurrent systems may cause the so-called "state explosion problem" and lead to a too big number of states of the structure.A variety of methods for reducing the state explosion problem have been developed [6][7][8][9][10]; in the context of branching time logics, in [11,12], the authors and others proposed a logic, called selective mu-calculus, equi-expressive to mu-calculus [13], but, such that each formula directly characterizes an abstraction of the system that maintains the truth value of the formula itself.Different action logics, such as [14], whose operators could be also used in a linear fashion to concisely express fairness properties, are not suitable to individuate system abstractions preserving the truth values of formulae.A further problem is the model checking of infinite representation of systems: for example, in trace systems, recursive behaviors are usually represented by means of an infinite set of finite traces (see [15], solutions for branching time logic are in [16]).Finally, it is known that, while a lot of interesting correctness properties, such as mutual exclusion and the absence of starvation, can be elegantly expressed by linear time formulae, the model checking of a linear time logic and that of a branching time logic [5,17,18] have different complexity.For example, given a transition system of size n and an alternation-free temporal logic formula of size m, model checking algorithms for the branching time logic (CTL)run in time O(nm), while those for the linear time logics (LTL) run in time O(n2 m ).This result holds also in the case of generalized model checking [19].
In this work, we give a non-interleaving interpretation of selective mu-calculus formulae using the simplest and best known partial order model for computations, that is Mazurkiewicz's trace system [3,15,20].This model allows a compact representation of the system computations using only an element, called trace, to represent an equivalence class of sequences of events with respect to a dependence relation.A similar approach has been carried on with the logic CTL in [21].More precisely, the author defines an extension of CTL by past modalities, called CT L P , and interpreted over Mazurkiewicz's trace systems.The author's aim is to obtain the model checking of properties described in this logic with a linear complexity, as is that of CTL on transition systems: on the contrary, he proved that model checking for CT L P on traces is NP-hard, even if past modalities cannot be nested.Differently from [21], the aim of this article is to check the satisfaction of our formulae directly on traces, i.e., we suppose using a sequential memory representation for traces and no graph representation of the system, but only a representation of dependencies.Moreover, we employ a trace abstraction, induced by the selective formulae, and we simplify the traces by discarding, at each verification step, the events that are no more of interest for the successive verification.Furthermore, to avoid the management of infinite sets of traces, we use partial traces containing holes to give the semantics of recursive behaviors: the holes are expanded step-by-step, until the verification of the formula can be decided, and so, we have always to manage a finite set of traces.The checking method can be easily implemented by rewriting functions that transform each trace with a polynomial complexity in its dimension.
In Section 2, concurrent systems are defined by a simple event-based specification language, taken as an example and whose semantics is a trace system.In Section 3, the syntax of the selective mu-calculus is recalled, and the satisfaction of the formulae is defined on the corresponding trace system.In the successive section, this is shown as each trace can be abstracted with respect to a particular formula, but maintaining its truth value.The last section contains conclusions and comparisons of the presented approach with some related works.

Event Language
This section presents a very simple, event-based language that is not a real language, but an exercise one; nevertheless, it contains the basic features to represent behaviors of concurrent systems.The language is actually very similar to some of the most common process algebras.The semantics of the language is given in terms of trace systems.

Syntax of Expressions
Expressions are obtained composing a finite set A = {a, b, . ..} of symbols, called the alphabet, by means of a set of operators.Each expression represents a possible behavior of the system, while the occurrence of a symbol in an expression represents the occurrence of an event of the system.The syntax to build up expressions is the following: where a ranges over A. The language allows the definition of: • the empty expression (the operator nil); • the concatenation of two expressions (the operator "."); for example, e 1 .e 2 , with e 1 = a and e 2 = b, is the expression a.b; • the choice between two expressions (the operator "+"); for example, e 1 + e 2 , with e 1 = a.c and e 2 = b, is the expression a.c + b; • the parallel composition of two expressions (operator " "), where the events in each expression can occur independently, except the events with the same name that cause the synchronization of the two concurrent expressions; for example, e 1 e 2 , with e 1 = a.c and e 2 = b, is the expression a.c b; • the unbounded iteration of an expression (the operator "rec").
We require that the following rules hold for the expressions: 1. e.nil = e 2. nil e = e 3. rec(nil) = nil 4. e e = e 5. e + e = e while e + nil = e does not hold; the trace semantics of the language is given by the Definition 2 in the next section, and it guarantees the rules.For each alphabet A, A * is the set of all finite sequences (strings) of symbols in A; for each string σ, alph(σ) (the alphabet of σ) is the set of all symbols occurring in σ; this definition can be easily extended over expressions.We denote the set of all expressions by E. In the following section, the semantics of the language is formally given.

Trace Semantics of Expressions
In this section, we define the trace semantics of expressions of the language.The first step is the definition of the notion of dependence between events; the relation we use is taken from Mazurkiewicz's trace theory [3,15].
The ordered triple (A * , ., ), where is the empty string and . is the concatenation operation on strings, is the standard string monoid over A. Usually, the sign .for concatenation is omitted.Let A be an alphabet and σ ∈ A * ; then for any alphabet B we denote Π B (σ) the string projection of σ onto B, i.e., a string over A ∩ B obtained from σ deleting all symbols not belonging to B. If A ∩ B = ∅, Π B (σ) = , for any σ.A concurrent alphabet is any ordered pair Σ = (A, D), where A is a finite set of symbols, called also the alphabet of Σ, and D is a dependence over A. Given Σ = (A, D), the trace equivalence for Σ is the least congruence ≡ Σ in the string monoid over A, such that for all a, b: In other words, it holds that σ ≡ Σ σ if there is a finite sequence of strings σ 0 , σ 1 , . . ., σ n , n ≥ 0, such that σ 0 = σ, σ n = σ , and for each i, Dependence Closure.Given two dependencies, D 1 and D 2 , defined on the alphabets A 1 and A 2 , respectively, we call dependence closure the derived dependence on the alphabet A 1 ∪ A 2 : Trace System.A trace system T S is any ordered pair (Σ, T ), where Σ = (A, D) is a concurrent alphabet and T ⊆ Θ(Σ) is a trace language over Σ.
To manage only finite sets of traces also in the presence of recursive behaviors, we extend the alphabet A by a set of special symbols (called holes): a hole represents the fact that the trace is incomplete and can be expanded; we also call this type of trace a partial trace.Each hole has the form x , where x is the name of a trace language; in fact, any trace belonging to the language x can be used to fill the hole giving rise to another partial trace.
Some operations can be performed on trace systems.
• Given the trace system T S = ((A, D), T ), its unbounded iteration is the system: where: The following example gives a first hint of the effect of the unbounded iteration of trace systems.
Example 1.Consider the trace system T S 0 = ((A 0 , D 0 ), T 0 ), with: The actual traces of (T S 0 ) * are all of the partial traces that can be obtained by filling its hole by means of the traces of T 0 : some examples are [a T 0 ], [aa T 0 ], [aaa T 0 ]; Definition 1 will show the formal way in which more complete traces can be obtained.Other operations on trace systems are the following ones.
-Their concatenation is the system: where: their nondeterministic composition is the system: their parallel composition is the system: Example 2. Consider the following trace systems : The expansion of the partial traces is obtained through the following definition: a completion step is performed by prefixing each hole T in the partial trace by means of an element of the trace language T ; the same occurs for the holes possibly contained in T .Each expansion of the partial trace maintains the capability of a further expansion for each hole.

Definition 1 (one-unfolding).
Consider T S = ((A, D), T ) and σ ∈ A * , all the possible one-unfoldings of σ, denoted by σ, correspond to the set U(σ, S), obtained as follows from an initial value of S = ∅: for example, the trace [abc x d] may be transformed by filling the hole x with the first trace in the language x, so obtaining the partial trace [abcdg x d].When using the second partial trace in x, we obtain the partial trace [abcdf dc y x d], since also the hole y must be filled one time.The one-unfolding procedure of a string always terminates after each hole in the initial trace (and each hole in the traces used to fill it) has been filled once.
The semantics of an expression is the trace system built on the basis of the syntactic structure of each expression.
Definition 2 (Semantics).Given the expression e, its semantics is the trace system T S(e) = ((A, D), T ) built as follows: We remark that the rule e + nil = e does not hold; in fact, T S(e + nil) always contains the empty trace, while T S(e) may not.
The following example clarifies the semantics of the rec operator.
where, for each 0 The strings below are the one-unfoldings of T 0 : a T 0 , ad T 3 T 0

Selective Mu-Calculus
The selective mu-calculus is a temporal logic proposed by the authors in [11,12] and interpreted on transition systems, as a branching time logic.That calculus has the characteristic that the actions relevant for checking a formula are the ones explicitly mentioned.We propose here a different interpretation that takes into account linear time; the following sub-section recalls the syntax of the calculus (called LTSC, for short) and the satisfaction of LTSC formulae on trace systems.

The Syntax of the Calculus
Here, slight simplifications are made on the syntax of the selective mu-calculus to avoid useless details.Consider the set A of events.The events a, b range over A, and S ⊆ A is a set of events with cardinality less than or equal to one.Moreover, Z belongs to a set of variable names.The calculus has the following syntax: A fixed point formula has the form µZ.ϕ (νZ.ϕ),where the fixed point operator µZ (νZ) binds free occurrences of Z in ϕ.An occurrence of Z is free if it is within the scope of no fixed point operator.A formula is closed if it contains no free variables.The formula µZ.ϕ is the least fixed point of the recursive equation Z = ϕ, while νZ.ϕ is the greatest one.In the following, we consider only closed formulae and alternation-free mu-calculus formulae [22].
However, note that the syntax of the modal operators can be easily extended as follows (and so their meaning) to manage a set of events without affecting the remainder of the paper.ϕ 1 = νZ.a ∅ Z: "there exists a run in which the event a, preceded by any event, can always occur".ϕ 2 = [c] {a} a ∅ tt: "in any run where an event c, not preceded by the event a, occurs, the event a must always follow.

The Satisfaction of the Formulae on Trace Systems
To define the formula satisfaction on trace systems, we will build a particular trace presentation; the behavior of the operators that produce this presentation is based on a rewriting rule, which transforms a trace into an equivalent one.

Definition 3 (Rewriting rule). Consider Σ = (A, D) and γbaγ
The rule transforms a string into an equivalent one, since: The following function D uses the auxiliary function M, shown in Table 1.The function M, given a string β, marks all the events in β.If A is an alphabet, we write A − for the set {a | a ∈ A ∧ a = x , ∀ x ∈ A}.Intuitively, A − is the set of all of the symbols of the alphabet A, except for the holes.

Table 1. Marking function.
Let A be an alphabet: consider a ∈ A and β ∈ A * .
(2) null otherwise D a,S (σ) manipulates traces exploiting a simple algorithm that moves events according to the rewriting rule.The result of D a,S (σ) is a trace without the events occurring before a in any run (the events in δ 1 do not matter for the successive verification), but that includes the events occurring in some run after a and in some run before a (they are the marked events in δ 2 , with the mark remembering that they do not necessarily occur where they are); it includes also (they are the events in δ 3 ) the events that occur after a in any run and, if present, the event in S (such an event is required to occur after a in all runs of interest; this fact is guaranteed by the constraint expressed in Point a) of Definition 4).The complexity of the trace manipulations is polynomial in the number of elements of the trace itself in the worst case, when at each step, all of the events are moved up and down to verify if they can occur before and/or after a; linear in the better case, when only the reading of all of the events of the trace is required, since the rewriting rule cannot ever be applied.The following example shows, in more detail, the effect of M.
The formal satisfaction of a formula ψ by a trace [σ] is defined as follows.Note that we consider the event set X = X ∪ X, where X = {x|x ∈ X} as the alphabet for strings, since it is possible to obtain strings containing marked events.In Table 2, auxiliary cleaning functions are shown that either eliminate the marks from the events of a string (Cl 2 ) before the next verification step is performed or eliminate the marked events at all (Cl 1 ), as shown in the following Example 6.In fact, the marked events must not be considered when checking for the satisfaction of a formula a S ψ.

Table 2. Cleaning functions.
Let A be an alphabet; consider a, b ∈ A and β ∈ A * .
where, for each n, νZ n .ϕand µZ n .ϕare defined as: and the notation ϕ[ψ/Z] indicates the substitution of ψ for every free occurrence of the variable Z in ϕ. and suppose having to check on e the formula: (a T 0 and ad T 3 T 0 are the one-unfoldings of T 0 ).
Since D d,∅ (Cl 2 (a T 0 )) = null, we have to verify that: , and:

Transformation Rules to Obtain Abstract Trace Systems
In this section, we present a syntactic transformation algorithm, which, given a set ρ of events and an expression e, transforms e into e , where both e and e satisfy the same set of LTSC formulae with events occurring in ρ.In general, the trace system corresponding to e is smaller than the one corresponding to e.Our aim is two-fold: given a formula, to find a suitable set ρ and, given ρ, to eliminate from an expression a suitable superset of ρ.A suitable ρ depending on a formula is the following.
Occurring Events: O(ϕ).Given an LTSC formula ϕ, O(ϕ) is the union of all the events α and the sets S appearing in the modal operators ([α] S ψ, α S ψ) occurring in ϕ.
The complexity of the transformation operator T is linear in the length of the specification.This result, together with Definition 6 of the satisfaction on traces, further reduces the complexity of the model checking of temporal logic formulae.
The following theorem deals with the abstraction of a trace system induced by the formula ϕ and obtained in two steps: the first step syntactically reduces the event expression; the second one reduces the trace system, which is the semantics of the expression.Now, we extend the definition of projection to trace systems.
Definition 8. Let T S = ((A, D), T ) be a trace system and B ⊆ A; where: ( and try to prove the properties: ϕ 1 = νZ.a ∅ Z: "there exists a run in which the event a, preceded by any event, can always occur".ϕ 2 = [a ] {a} ff: "it is not possible to perform a if a has not occurred before".By our methodology, we have to check: • T S(e) |= ϕ 1 , and through the checking of (see Theorem 1): The transformation rules applied over e with ρ 1 obtain: The trace language of T S 1 (rec(a.cc )) is The trace language of T S 2 (rec(a.cc .a )) is: Finally, by applying Definition 6, we can prove that Π ρ 1 (T S 1 ) |= ϕ 1 and Π ρ 2 (T S 2 ) |= ϕ 2 .In the first case, the trace [ T 3 ] can be unfolded (the first one-unfolding is [ac T 3 ]) step by step and simplified for the successive step (the next one-unfolding for the simplified trace produces the trace [c ac T 3 ]).We can see that, at each step n, the formula is verified on: Consequently, ϕ 1 = νZ.a ∅ Z holds on e.For ϕ 2 = [a ] {a} ff, both traces should verify the formula: it is easy to see that, for both [ ] and [ac a T 4 ] (the one-unfolding of T 4 ), ϕ 2 holds.

Conclusions and Related Works
In this work, we define the notion of satisfaction for the formulae of a temporal logic calculus, when interpreted on a trace system, i.e., a partial order representation of the concurrent system.The calculus we use is a temporal logic, whose formulae directly characterize possible abstractions of the system preserving their truth values; more precisely, the events relevant for checking a formula are only the ones explicitly mentioned.Different action logics, such as [14], whose operators could be used in a linear fashion to concisely express fairness properties, are not suitable to individuate system abstractions preserving the truth values of formulae.We use a well-known partial order model for computations, that is Mazurkiewicz's trace system [20].Recently, Mazurkiewicz traces have been also extended with time in order to capture the concurrency and timing constraints among the services of systems [23].
It is known that model checking has a different complexity when using linear time or branching time logics [5,17,18].For example, given a transition system of size n and an alternation-free temporal logic formula of size m, model checking algorithms for the branching time logic (CTL) run in time O(nm), while those ones for the linear time logics (LTL) run in time O(n2 m ).
The works [24,25] relate branching and linear model checking.The authors study the problem of deciding whether a linear-time property, specified by either an automaton or an LTL formula, can be translated to a branching time logic formula and describe the translation when this exists.A disadvantage of this method is that a higher complexity of the formula is achieved, since its size must be increased by some prefix; moreover, also fairness requirements must be expressed by a new formula prefixed to the translation of the old one.Other works [26,27] check linear time formulae on a structure that is the unfolding of the Petri net representing the system, i.e., a partial order model.Nevertheless, this method requires the construction of a, possibly infinite, safe net to represent the behavior of the system.Solutions exist to this problem that exploit McMillan's finite prefix [28].The product automaton is obtained from the finite prefix and the Buchi automaton representing the formula.In [29,30], for example, the satisfaction of linear time mu-calculus formulae is checked using alternating Buchi automata.Some different approaches (for example, [20,31,32]) interpret the logic on the dependence graphs among events, instead of linearizations.Moreover, the state explosion problem is present also for this type of graph.A similar approach is the automata-theoretic one [25], which is based on the product between the finite state automaton representing the system and the one representing the formula.Furthermore, such an approach suffers from the state-explosion problem, due to the interleaving of concurrent events; several methods for the reduction of the state space have been suggested in this case [7,9,33,34].
A different approach could be that of using a partial order interpretation, where it is possible to distinguish concurrency from nondeterminism, trying to keep the advantage of not exploding the state space of the system due to the concurrency using trace systems.Our method exploits the compact notation of equivalence classes of behaviors; moreover, the satisfaction of a formula is decided by an algorithm that works directly on the traces (thus, a sequential memory representation) without constructing any type of graph; so saving space and time.The work pays further attention to the reduction of the state space of the system, since, as argued in [17,24], this is the greatest part of the complexity of the model checking procedure, provided that interesting properties are generally of a small size.For this purpose, we use selective mu-calculus to describe system properties, and trace systems are reduced by eliminating the events that do not alter the truth value of a given formula.Finally, it is worth noting that a lot of interesting properties, such as mutual exclusion and absence of starvation, can be elegantly expressed by linear time formulae that usually use a partial order interpretation; while the interleaving interpretation does not allow an easy expression of fairness properties; nevertheless, the use of the selective mu-calculus allows us to express properties, such as precedence and fairness, in a very compact way; for example, the fairness property "in all computation, eventually aoccurs" can be expressed through selective mu-calculus by the formula µZ.( − ∅ tt ∧ [−a] ∅ Z).
The works [9,10,34,35] also follow the partial order approach to model checking and consider only a representative among all interleavings of actions generated by a parallel composition.The properties that are well handled by these approaches do not concern precedence relations between actions, while they can be profitably used to prove, for example, deadlock freedom.In our approach, properties concerning precedence relations between actions are, in general, described by formulae that induce a consistent reduction of the trace system.On the contrary, the formula describing deadlock freedom induces no reduction, since it involves all events.Thus, the two approaches can be considered as complementary.Other approaches use symbolic model checking (for a survey on the use of this formal verification technique for linear temporal logic, see [36]), which is particularly suited to the verification of reactive systems or concurrent programs.In these approaches, the focus of the state explosion problem is shifted from the size of the state space to the size of the BDD representation, maintaining all problems of defining an automaton, recognizing the complement of the formula to be verified.
Abstraction is another successful technique for fighting the state explosion problem in model checking.In [37], the authors present a novel game-based approach to abstraction-refinement for the full µ-calculus, interpreted over three-valued semantics, successively improved in [38].
Pushdown systems are transition systems whose states include a stack of unbounded length; hence, they are strictly more expressive than finite state systems.One can argue that pushdown systems are a natural model for sequential programs with procedures where there is no restriction on the call hierarchy among the procedures.Arbitrary recursion is allowable, since the stack can keep track of active procedure calls.Differently form our approach, the main restriction of this kind of model is that it does not handle parallelism.In fact, in [39], the authors show applications of their model checking algorithm for pushdown systems only in the area of sequential program analysis.The model checking problem of pushdown systems against standard branching temporal logics has been intensively studied in the literature.It has been confirmed that, with pushdown systems, the model checking problem is much harder for branching-time temporal logics than for linear-time temporal logics.In particular, for the modal mu-calculus, the most powerful branching temporal logic used for verification, the problem is known to be EXPTIME-complete (even for a fixed formula) [40].The problem remains EXPTIME-complete also for the logic, CTL.In [41], the author shows that the complexity of the pushdown model checking problem for CTL* is, in fact, 2EXPTIME-complete.A natural generalization of pushdown machines is pushdown machines with more than one stack [42].This generalization, unfortunately, is not smooth in terms of the power of these machines: a pushdown automaton with two or more stacks is known to recognize all recursively enumerable languages.The model in its full generality is, thus, intractable.However, for certain model checking applications, pushdown automata with two or more stacks are useful.In [43], the model checking problem for specifications given by nondeterministic pushdown tree automata is studied.The author consider both finite-state (regular) and infinite-state (non-regular) systems.It is shown that for finite-state systems, the model checking problem is solvable in time exponential in both the system and the specification.On the other hand, the model checking problem for context-free systems is undecidable; already for a weak type of pushdown tree automata.
In [44], the authors consider the sabotage modal logic (SML) [45], which can arbitrarily delete edges of the model; thus, it has the ability to modify the model under evaluation.In [44], it was shown that the sabotage modality already strengthens modal logic in such a way that all nice model-theoretic properties and algorithmic complexities get lost.In fact, from the viewpoint of complexities, SML much more resembles first-order logic than modal logic (with the exception that the formula complexity remains in PTIME).Item 2. This case can be proven in a similar way.
In the following, given a trace language T , by alph(T ), we denote the set of symbols occurring in all traces belonging to T .
Item 2. This is similar.
Lemma 3. Let s be an expression over A and ρ ⊆ A.
The proof is made by the induction on the structure of the term.All other cases can be proven in a similar way using Item 2 of Lemmas 1 and 2.

Example 4 .
Some examples of formulae are shown in the following.
Π {a}∪S (δ 1 δ 2 ) = ; and (b) no event in δ 1 can move forward (by means of the rewriting rule), to pass over a; and (c) no event in δ 3 can move backward to pass over a (by means of the rewriting rule) apart the event in S.