Safety for Branching Time Semantics
18
Transcript of Safety for Branching Time Semantics
Safety for Branching Time Semantics �A. Bouajjaniy J.C. Fernandezy S. Grafy C. Rodriguezz J. SifakisyAbstractWe study in a �rst part of this paper safety and liveness properties for any given program se-mantics. We give a topological de�nition of these properties using a safety preorder. Then, weconsider the case of branching time semantics where a program is modeled by a set of in�nitecomputation trees modulo bisimulation. We propose and study a safety preorder for this seman-tics based on simulation and dealing with silent actions. We focus on regular safety propertiesand characterize them by both tree-automata and formulas of a branching time logic. We showthat verifying safety properties on trees reduces to simulation testing.1 IntroductionThe properties of parallel systems may be classi�ed according to the type of behaviors they describe.Several classes of properties are distinguished such as safety, liveness, fairness, termination or recurrenceproperties.Such a classi�cation allows structuring a program speci�cation into several components; each ofthese components may be expressed in an appropriate formalism and veri�ed using a speci�c veri�ca-tion method.A classi�cation into safety and liveness properties was �rst proposed by Lamport in [Lam77]. There,these classes were intuitively de�ned by :� a safety property asserts that something bad never happens,� a liveness property asserts that something good eventually happens.These classes have been widely studied for linear time semantics where a program is modeled bya set of in�nite sequences of states (also called computation sequences). Several formal de�nitions ofsafety and liveness have been proposed in this case, e.g., in [Lam85], [Sis85], [AS87], [AL88], [MP89].One of them (see for example [MP89] or [AL88]) de�nes safety (resp. liveness) properties as the closed(resp. dense) sets in the Cantor topology on the set of in�nite sequences of states. An interestingproblem is to know how an arbitrary property can be expressed in terms of safety and liveness prop-erties. Using the topological de�nition given above, Alpern and Schneider show that any !-regularproperty is the intersection of a safety and a liveness property [AS87]. This means that, in this case,it is always possible to decompose a program speci�cation into a safety and a liveness part and dealwith each of them separately. However, it has been shown that for more expressive classes, e.g., as!-context-free properties, this can not be done in general [CL89].Characterizations of !-regular safety and liveness properties have been given in di�erent programspeci�cation formalisms : automata on in�nite sequences and fragments of propositional linear timetemporal logics [Sis85], [LPZ85], [AS87]. It has also been shown that the proof methods associated with�This work was partially supported by ESPRIT Basic Research Action \SPEC"yLGI-IMAG, IMAG Campus, BP 53X, 38041 GRENOBLE cedex, FRANCE; e-mail: fbouajjan, fernand, graf,[email protected] Rhone-Alpes, Forum du Pr�e Milliet, 38330 MONTBONNOT SAINT-MARTIN, FRANCE; e-mail:[email protected]
safety and liveness are di�erent. The veri�cation of a safety property is based on an invariant argumentwhereas the veri�cation of a liveness property is based on a well-foundedness argument [MP84].In this paper we study safety and liveness properties for branching time semantics where a programis modeled by a set of in�nite computation trees modulo a bisimulation equivalence.First, we study the problem of de�ning formally the classes of safety and liveness properties for suchsemantics. For this purpose, we generalize the topological approach used for the linear time semantics.We argue that de�ning safety and liveness properties on trees reduces to �nding a preorder on treessuch that, in the topology induced by this preorder, the safety properties are the closed sets and theliveness properties are the dense sets. We give some minimal requirements on such a preorder and itturns out that a suitable preorder is the simulation relation [Mil71].Furthermore, we are interested in properties not sensitive to abstraction, that means that twoequivalent programs (verifying the same properties) remain equivalent after abstraction. Therefore,we combine the simulation preorder with an abstraction criterion allowing to abstract away from allthe silent actions, i.e., actions which are considered irrelevant. We call safety preorder the resultingpreorder and safety equivalence the equivalence induced by it. We show that the safety equivalence isweaker than branching bisimulation [GW89] and observational equivalence [Mil80]. We also show thatthe safety preorder is a precongruence for the standard constructors of parallel programs and give acomplete axiomatization for it on regular trees, i.e., trees which are unfoldings of �nite-state labeledtransition systems.We consider as properties regular sets of trees, i.e., sets de�nable by �nite-state (Rabin) tree-automata (RTA for short) [Rab69], [Rab72]. We recall that the class of RTA de�nable sets contains allthe classes of sets de�nable by either B�uchi, Muller or Streett tree-automata [B�62], [Mul63], [Rab69],[Rab70], [Str82]. It has been shown also that RTA are more expressive than all the commonly usedspeci�cation formalisms for �nite-state parallel programs [VW86], [Wol89] and that they are expres-sively equivalent to the branching time propositional �-calculus [Koz83], [Niw88]. We show that in theclass of RTA de�nable sets we have also the nice fact that any property is the intersection of a safetyand a liveness property.In practice, it is often su�cient to consider only safety properties. For example, most of serviceproperties of communication protocols are safety properties. Especially, due to the use of nondetermin-istic choice for scheduling, most of liveness properties fail to be valid. In order the liveness propertiesto be veri�ed, a concrete �nite scheduler has to be modeled and time constraints are introduced. Thisgives a less abstract speci�cation but it allows to replace some liveness by bounded eventualities whichare safety properties.We focus on the class of regular safety properties on in�nite trees and consider the problem of theircharacterization by both tree-automata and formulas of a branching time logic.First, we de�ne a kind of tree-automata which we call safety-recognizers (SR for short) and showthat they de�ne exactly closed regular sets of trees. Then, we de�ne a branching time logic called BSL(Branching Time Safety Logic) which is a fragment of the �-calculus. We show that it is adequatefor the safety equivalence and that it is expressively equivalent to the class of SR de�nable sets oftrees. We give also a complete deductive system for this logic. In particular, we establish that anybranching time safety property can be expressed by a graph modulo simulation. This allows to reducethe problem of verifying a safety property to a simulation problem between regular trees.The remainder of this paper is organized as follows. In section 2, we introduce a semantical char-acterization of safety and liveness properties for any given program semantics using a safety preorderon the computations. In section 3, we propose a safety preorder for bisimulation based branching timesemantics and study its features. In section 4, we consider the class of RTA-de�nable properties andgive a characterization of safety properties by tree-automata. In section 5, we give a logical charac-terization of these properties. Finally, we discuss in the conclusion the choice of an appropriate safetypreorder.For lack of space, standard proofs are omitted and will be given in the full paper.
2 Safety and Liveness PropertiesIn this section, we study the notions of safety and liveness properties for any program semantics. Wepropose a general de�nition of these classes and show some general results concerning them.Let us �rst �x the framework in which we carry out this study. We denote by P a term algebraused to describe programs. A program semantics is usually de�ned by a congruence relation on P. Infact, in order to de�ne a congruence on P, we often consider a congruence on a class M of programmodels and establish a homomorphism � from P to M. Examples of classes of program models arelabeled transition systems and event structures [Win83]. In order to de�ne a congruence on M, weintroduce the notion of computations generated by a model. Let C be the set of computations generatedby the elements of M. First, we consider an equivalence relation ' on C which we generalize to 2Cby considering that for any sets of computations C1 and C2, C1 ' C2 if and only if 8x1 2 C1: 9x2 2C2: x1 ' x2 and conversely). Then, we de�ne a homomorphism � fromM to 2C associating with anymodel a set of computations closed under ' and such that ' is a congruence on �(�(P)).For example, if program models are labeled transition systems (LTS for short), we can consideras computations either sequences or trees. This gives rise respectively to linear and branching timesemantics.In linear time semantics, the set of computation sequences of a LTS may be de�ned as the set of itsmaximal paths and an equivalence on sequences may be simply equality. In this case, two programsare equivalent if and only if their models have the same sets of maximal paths. This equivalence isusually called maximal trace equivalence. More interesting equivalences can be chosen. For example,in order to deal with abstraction, one can consider the stuttering trace equivalence: two sequencesare equivalent if and only if one of them can be obtained from the other by removing or adding �niterepetitions. However, it is well known that maximal trace equivalences are not congruences for therestriction operator [Mil80].In branching time semantics, the set of computations of a LTS is the set of trees obtained byunfolding it, starting from its initial states. In this case, any operation on models is de�ned as ageneralization on sets of an operation on trees. Thus, a branching time semantics can be de�ned bya congruence on computation trees. Several such congruences have been de�ned, most of them basedon bisimulation by incorporating abstraction criteria [Mil80], [GW89].For a given program semantics, a property is a union of congruence classes of programs. Thus,congruent programs verify the same properties. In fact, if the semantics is de�ned as described above,we can de�ne a property as a union of equivalence classes of computations; a program � satis�es aproperty P if and only if all the computations generated by its model belong to the property, i.e.,�(�(�)) � P .Having �xed what is a property for a given semantics, we are interested now in de�ning safety andliveness properties. Formal de�nitions of safety and liveness properties have been given for linear timesemantics [Lam85], [Sis85], [AS87], [AL88], [MP89]. One of them (see for example [MP89]) de�nessafety properties as closed sets and liveness properties as dense sets in the Cantor topology on theset of �nite or in�nite computation sequences. We propose here a general topological de�nition ofsafety and liveness properties based on a preorder on computations. To this end, we need the followingpreliminary de�nitions.First we consider a preorder de�ned as the limit of a decreasing family of preorders. We consideralso the equivalences induced by these preorders.De�nition 2.1 (limit preorder) Let U be a set and consider f�kgk2IN a family of decreasing preorderson U . Consider also the family of the induced equivalences f�=kgk2IN such that �=k = �k \ �k, forany k 2 IN. We take � = \k2IN�k and �= = \k2IN �=k.Then, we de�ne the notion of �-closure.De�nition 2.2 (�-closure) A subset S of U is �-closed if and only if 8x 2 S: 8x0 2 U : x0 � x )x0 2 S. The �-closure of a subset S of U is the smallest �-closed superset of S in U .
Now, we de�ne the notions of limit and limit-closure.De�nition 2.3 (limit) Let S = fxigi2IN be a subset of U and x 2 U . The set S converges to xif and only if8k: 9j: 8i � j: xi �=k xWe say that x is a limit of S.Notice that if a set S converges to x and x0 then necessarily x �= x0. Thus, the limit of a set isunique up to �=.De�nition 2.4 (closure by limit) A subset of U is limit-closed if and only if it contains all the limitsof its subsets. The limit-closure of a subset S of U is the smallest limit-closed superset of S in U .Now, we de�ne a notion of closure which is both �-closure and limit-closure. We show then thatit allows to de�ne a topology on U .De�nition 2.5 (closed and open sets) A subset of U is closed if and only if it is �-closed and limit-closed. As usually, an open set is the complement of a closed set.Notice that any closed and any open set is closed under the equivalence �=.Proposition 2.1 (Topology induced by �)The set of closed sets de�nes a topology on U , which we denote by I(U ;�).Proof: It can be shown that the empty set and the full set are closed sets, the intersection of closedsets is a closed set and the �nite union of closed sets is a closed set. We give here only the proofof the last fact, i.e., that the union of two closed sets is a closed set. Let S1 and S2 be two closedsets. It is obvious that S1 [ S2 is �-closed. We show that S1 [ S2 is limit-closed. We consider a setX = fxigi2IN � S1[S2 which converges to x and show that x is in S1[S2. Let Y = fyigi2IN = X \S1and Z = fzigi2IN = X \ S2. We have to consider two cases:� Y is �nite and Z is �nite,We have then X is �nite, thus, since X has a limit, X converges to an x0 2 X � S1 [ S2. SinceS1 [ S2 is closed under �= (S1 and S2 are closed under �=) and x �= x0, we have x 2 S1 [ S2.� Y is in�nite or Z is in�nite,We have 8k: 9j: 8i � j: xi �=k x. For a given k, let j be such that 8i � j: xi �=k x. Withoutloss of generality, consider that Y is in�nite. We have then fxigi�j \ Y 6= ; and thus, 9j 0: 8i �j 0: yi �=k x. We conclude that Y converges to x and since S1 is closed, we have x 2 S1.2 We recall the notions of topological closure and denseness.De�nition 2.6 (Topological closure) For a given topology on a set U , the closure of a set S, whichwe denote by S, is the smallest closed set containing S. A set S is dense if and only if S = U .Now, we can give the de�nition of safety and liveness properties with respect to a limit preorder� on C de�ned as in de�nition 2.1.De�nition 2.7 (Safety and Liveness) Let ' be the equivalence on C de�ning a program semanticsand � a limit preorder on C such that ' � �. A property is a safety (resp. liveness) property (withrespect to C and �) if and only if it is a closed (resp. dense) set in the topology I(C;�).We denote by �(C;�) (resp. �(C;�)) the class of safety (resp. liveness) properties.
To capture the intuitive de�nition of safety and liveness, the preorder � has to express a notionlike "is a restriction of" or "is less de�ned than". For instance, for linear time semantics, where U isthe set of �nite or in�nite sequences on an alphabet �, a suitable preorder is de�ned by consideringthe following family of preorders :� �0 = U � U ,� 8k 2 IN: 8�1; �2 2 U :�1 �k+1 �2 if and only if (8a 2 �: �1 = a:�01 ) (�2 = a:�02 and �01 �k �02)).It is easy to see from the de�nition above that �(C;�) is closed under intersection and �niteunion, that �(C;�) is closed under union but not under intersection and that neither �(C;�) nor�(C;�) are closed under complementation. Furthermore, the empty set is a safety property and theonly property which is both a safety and a liveness is the set C (C is not empty).It is also easy to deduce from this de�nition that � is exactly the preorder induced by safetyproperties on computations. This derives from the fact that a safety property is by de�nition �-closed.Proposition 2.2 8x1; x2 2 C: x1 � x2 if and only if 8S 2 �(C;�): x2 2 S ) x1 2 S. 2Let �= be the equivalence induced by the preorder �, i.e., �= = � \ �. It is straightforwardto deduce from the proposition above that �= coincides with the equivalence induced by the safetyproperties on computations.It is more interesting to verify if this proposition remains true when we consider models insteadof computations. It is straightforward to show the left to right direction using the proposition above.Thus, two �=-equivalent models verify the same safety properties. However, the other direction is nottrue in general. To see this, let for example m1 and m2 be two models such that �(m1) = �(m2).By de�nition of the topological closure, we have �(m1) � S if and only if �(m2) � S for any safetyproperty S, but �(m1) � �(m2) only if �(m2) is limit-closed. In general, we have the followingproposition.Proposition 2.3 (Adequacy)� 8m1; m2 2 M: �(m1)� �(m2) implies 8S 2 �(C;�): �(m2) � S ) �(m1) � S.� 8m1; m2 2 M: (�(m2) is limit-closed and 8S 2 �(C;�): (�(m2) � S ) �(m1) � S)) implies�(m1)� �(m2).2 Notice that in particular, when � associates with any model a limit-closed set of computations,�= is exactly the equivalence induced by safety properties on program models. For example, the setof maximal paths of a LTS is limit-closed. However, if we introduce some notion of fairness in themodels, for example by considering as program models B�uchi-like automata, the set of computationsassociated with a model (the language of the automaton) is clearly not limit-closed in general.The proposition above shows that the semantics we need when we are interested by just safetyproperties can be de�ned by �=. For this reason, we give to� the name of safety preorder and to �= thename of safety equivalence. However, in order to be able to de�ne a semantics based on �=, we requirethat �= induces a congruence on �(�(P)), or equivalently, that � induces a precongruence on thisclass. Notice that for branching time semantics this means simply that � has to be a precongruence.Now, having de�ned safety and liveness properties, an interesting question is how an arbitraryproperty can be expressed in terms of safety and liveness. For example, in the linear time semanticscase, Alpern and Schneider have shown in [AS87] that in the class of !-regular properties, any propertyis the intersection of a safety and a liveness property. So, let us see how this result can be stated inour general frame. We de�ne �rst the notion of sl-separability.
De�nition 2.8 (sl-separability) A property is sl-separable if and only if it is the intersection of asafety and a liveness property. We say that a class of properties is sl-separable if and only if all itsproperties are sl-separable.Thus, a property is sl-separable means that it can be split into a safety and a liveness part andeach of these parts can be dealt with separately. In general, for any class of properties it is interestingto know if it is sl-separable or at least to �nd its largest sl-separable subset. A su�cient condition forsl-separability is expressed by the following proposition.Proposition 2.4 Any class of properties which is closed under union, complementation and topologicalclosure is sl-separable.Proof: The proof is analogous to the one given in [AS87]. Take a semantics where C is the set ofcomputations and let E be a class of properties for this semantics satisfying the hypothesis of theproposition. For any property P in E , consider the sets S = P and L = (C � P ) [ P . These setsare clearly in E . Furthermore, it is easy to see that they are respectively closed and dense and thatP = S \ L. 2In particular, for linear time semantics the class of properties corresponding to !-regular languagesis sl-separable since it satis�es the condition of the proposition above. However, the class of !-context-free languages is not closed under complementation [CG77] and thus, the proposition above does notapply. In fact, it has been shown that this class is not sl-separable and some �nest su�cient conditionsfor sl-separability of !-context-free languages are given in [CL89].In the sequel, we focus on bisimulation based branching time semantics. We have seen in thissection that a safety preorder for such a semantics has to be a precongruence preserving bisimulationand allowing to capture the intuitive de�nition of safety and liveness properties. We claim that sucha preorder is the simulation preorder combined with an abstraction criterion. We propose in thefollowing section a safety preorder which preserves the observational congruence and the branchingbisimulation.3 Safety Preorder on Computation TreesIn this section, we de�ne the safety preorder on computation trees and study its features. Throughoutthis paper we are only interested in regular computation trees which are unfoldings of �nite LTSs. Wede�ne �rst an algebra of such computation trees.3.1 SyntaxLet A be a �nite vocabulary and � a symbol not belonging to A. We call the elements of A visibleactions, � silent action and we take A� = A[ f�g. Let � a set of variables. The language L(A� ;�) ofterms is given by the following grammar, where x 2 � and � 2 A� :t ::= Nil j x j � : t j t + t j t� t j rec x: tWe use P and Q respectively for �nite summation and �nite product. The notion of bound and freeoccurrence of variables are as in the �rst order predicate calculus, by considering rec as a quanti�er.A term is closed if there is no variable occurring free in it. Let ~x = (x0; � � � ; xn) denote either a tupleor the set of its components. We use t(~x) to stand for the term t with free variables ~x.A free occurrence of a x in t is guarded if it occurs within some subterm a : t0 of t where a 2 A,otherwise it is unguarded. If a term t contains an unguarded occurrence of x, we write t� x. A termrec x: t is guarded if is x guarded in t. A term t is guarded if every subterm rec x: t0 of t is guarded.
Let T (A� ;�) the sublanguage of the guarded and closed terms. Terms of T (A� ;�) representcomputation trees, where Nil is the empty tree, + is the non-deterministic choice operator, � is thesynchronous product operator and rec is the recursion operator.We denote by L(A;�) (resp.T (A;�)) the sublanguage of L(A� ;�) (resp. T (A� ;�)) of terms withoutany occurrence of � .3.2 Operational semanticsWe give an operational semantics [Plo81] for the terms of L(A� ;�) by de�ning a set of binary relations��!� L(A� ;�)� L(A� ;�), for any � 2 A� , as the least relations satisfying the following rules, wheret; ti; r; ri 2 L(A� ;�); a 2 A and � 2 A� :pre�x � : t ��! tchoice t1 ��! r1t1 + t2 ��! r1 t2 ��! r2t1 + t2 ��! r2product t1 a�! r1; t2 a�! r2t1 � t2 a�! r1 � r2 t1 ��! r1t1 � t2 ��! r1 � t2 t2 ��! r2t1 � t2 ��! t1 � r2recursion t[rec x: t=x] ��! rrec x: t ��! rLet us recall that a LTS is a quadruple (Q;A� ; �; Q0) where Q is a set of states, � � Q� A� �Qis a labeled transition relation and Q0 � Q is the set of initial states.With a term t 2 T (A� ;�), we associate the LTS St = (T (A� ;�); A� ; f ��!g�2A� ; ftg).3.3 Safety preorderWe de�ne a safety preorder on computation trees as a simulation with an abstraction criterion. Werecall the de�nition of a simulation.Notation Let � � A�� , and let t; r 2 L(A� ;�). We write t ��! r if and only if:9u1 � � �un 2 �: 9t1; � � � ; tn�1 2 L(A� ;�): t u1�! t1 u2�! t2 � � � ti ui+1�! ti+1 � � � tn�1 un�! r.De�nition 3.1 Let � be a family of disjoint languages of �nite words on A� . For each R � L(A� ;�)2,we de�ne :�(R) = f(t1; t2) 2 L(A� ;�)2 j8� 2 �: 8r1: (t1 ��! r1 ) 9r2: (t2 ��! r2 and (r1; r2) 2 R)) andt1 �X ) t2 �XgWe de�ne inductively a family of preorders fv�k gk2IN by v�0= L(A� ;�)2 and 8k � 0: v�k+1= �(v�k ).The simulation preorder for � is de�ned by v� = 1\k=0 v�k . Consider also the equivalence relations��k = v�k T w�k for any k � 0. The simulation equivalence for � is de�ned by �� = 1\k=0 ��k .Di�erent simulation preorders can be de�ned. The choice of a class � (i.e., a partial partitionof A�� ) corresponds to the choice of an abstraction criterion on the actions [Bou85]. The strongsimulation preorder is de�ned by � = ff�g j � 2 A�g. Of course, in this case there is no abstraction
since � -actions play no special role. However, we would like to abstract away from all the � -actions.Interesting criteria for this purpose can be de�ned by considering either the class � = f� ?a j a 2 Ag or = f� ?a� ? j a 2 Ag or �0 = �[f� ?g or 0 = [f� ?g. However, contrary to the case of bisimulations,we can show that the simulation preorders v�, v, v�0 and v0 are the same using the followinglemma.Lemma 3.1 8� 2 f�;;�0;0g: 8t; t0 2 L(A� ;�): t ���!t0 ) t0 v� t: 2Proposition 3.1 v� = v = v�0 = v0. 2Henceforth, we denote by v (resp. �) the preorder v� (resp. the equivalence ��) called safetypreorder (resp. safety equivalence). Now, we study some properties of v. First, we can show that it isa precongruence on the term language L(A� ;�). First, we show that all the operators of the algebraare monotonic with respect to v. We need some intermediate lemmas.Lemma 3.2 8k 2 IN: 8t; s1; s2 2 L(A� ;�): s1 vk s2 ) t[s1=x] vk t[s2=x]Proof: (Induction on k 2 IN). Suppose that 8t; s1; s2 2 L(A� ;�): s1 vk s2 ) t[s1=x] vk t[s2=x] ands1 vk+1 s2. If t[s1=x] ��a�!t0 then either t ��a�!r and t0 = r[s1=x], or t�x ^ s1 ��a�!r1 and t0 = r1, or t ��a�!rand t� x and s1 ��a�!r1 and t0 = r[s1=x]� r1.In the �rst case, t[s2=x] ��a�!r[s2=x] and r[s1=x] vk r[s2=x] by induction hypothesis.In the second case, since s1 vk+1 s2, 9r2: s2 ��a�!r2 ^ r1 vk r2.In the last case, since s1 vk+1 s2, 9r2: s2 ��a�!r2 ^ r1 vk r2. Thus, t[s2=x] ��a�!r[s2=x]� r2. By inductionhypothesis, r[s2=x]� r1 vk r[s2=x]� r2 and r[s1=x] vk r[s2=x] and thus, r[s1=x]� r1 vk r[s2=x]� r1.Then by transitivity, r[s1=x]� r1 vk r[s2=x]� r2.Thus, in all cases 9t" such that t[s2=x] ��a�!t" ^ t0 vk t". 2Similarly, we can prove the following lemma.Lemma 3.3 8k 2 IN: 8s; t1; t2 2 L(A� ;�): t1 vk t2 ) t1[s=x] vk t2[s=x] 2Corollary 3.1 8k 2 IN: 8s1; s2; t1; t2 2 L(A� ;�): s1 vk s2 ^ t1 vk t2 ) t1[s1=x] vk t2[s2=x]. 2Proposition 3.2 (precongruence)v is a precongruence and � is a congruence on L(A� ;�). 2Proof: We have to prove 8k 2 IN: 8t; t1; t2 2 L(A� ;�) and 8� 2 A� , if t1 vk t2, then� : t1 vk � : t2t1 + t vk t2 + tt1 � t vk t2 � trec x: t1 vk rec x: t2We give only the proof of the last property by induction on k 2 IN. Notice that, by de�nition of theoperational semantics of the terms, for any terms t; t0 2 L(A� ;�), rec x: t ��a�!t0 if and only ift[rec x: t=x] ��a�!t0. Suppose that t1 vk t2 ) rec x: t1 vk rec x: t2 and t1 vk+1 t2.(i) First, we show that t1[rec x: t1=x] vk+1 t1[rec x: t2=x]:If t1[rec x: t1=x] ��a�!t0, then necessarily t1 ��a�!t01 with t0 = t01[rec x: t1=x]. Then,t1[rec x: t2=x] ��a�!t01[rec x: t2=x]. Now, we have t1 vk+1 t2. Thus, by induction hypothesis,rec x: t1 vk rec x: t2. By the lemma 3.2, t01[rec x: t1=x] vk t01[rec x: t2=x].Thus, we have t1[rec x: t1=x] vk+1 t1[rec x: t2=x].
(ii) By lemma 3.3, we havet1[rec x: t2=x] vk+1 t2[rec x: t2=x]. Then, by transitivity of vk+1, we havet1[rec x: t1=x] vk+1 t2[rec x: t2=x].2 The term language L(A� ;�) can be extended by adding the asynchronous parallel operator, therestriction operator and the relabeling operator [Mil80], [Win83], [BK85]. We can shown that v is stilla precongruence.Proposition 3.3 v is a precongruence for the asynchronous parallel, restriction and relabeling oper-ators. 2Let us compare now the safety equivalence with some other equivalences. We denote by �b strongbisimulation [Par81], �o observational equivalence [Mil80], [Mil89], �bb branching bisimulation [GW89],[GV90] and �wt weak maximal trace equivalence, i.e., for any two terms t et t0, t �wt t0 if and only ifWT (t) =WT (t0), where for any term t, WT (t) is the set of sequences of visible actions a1:a2 � � � suchthat there exists a maximal derivation t ���!t1 a1�! t01 ���!t2 a2�! t02 ���!t3 � � �.Proposition 3.4 �b � �bb � �o � � � �wt. 23.4 A Deductive System for the Safety PreorderWe present a sound and complete axiomatization of the safety preorder on L(A� ;�). Let � be therelation de�ned by the deductive system below where we omit the usual rules stating that � is aprecongruence and the rules for change of bound variables. An equation t = t0 stand for two inequationst � t0 and t0 � t.The Deductive system Ax1 : For t; t1; t2; t3 2 L(A� ;�) and a; b 2 A and x 2 �, we have:(I1) Nil � t(S1) (t1 + t2) + t3 = t1 + (t2 + t3)(S2) t1 + t2 = t2 + t1(S3) t+ t = t(S4) t+ Nil = t(P1) (t1 � t2)� t3 = t1 � (t2 � t3)(P2) t1 � t2 = t2 � t1(P3) t� t = t(P4) t� Nil = Nil(P5) a : t1 � a : t2 = a : (t1 � t2)(P6) a : t1 � b : t2 = Nil if a 6= b(P7) t1 � (t2 + t3) = (t1 � t2) + (t1 � t3)(�1) � : t = t(R1) recx: t = t[recx: t=x](R2) t1 � t2[t1=x]) t1 � recx: t2 provided x guarded in t2(R3) t2[t1=x] � t1 ) recx: t2 � t1 provided x guarded in t2(R4) recx: (x� t + t0) = recx: t0We write `Ax1 t1 � t2, (resp . `Ax1 t1 = t2) when t1 � t2 (resp. t1 = t2) can be proved by thedeductive system Ax1. We use simply the symbol ` if there is no ambiguity about the considereddeductive system.
Theorem 1 (Soundness) If ` t1 � t2 then t1 v t2. Also, if ` t1 = t2 then t1 � t2. 2The completeness proof follows the completeness proof given by Milner in [Mil89] for observationalcongruence. The di�erences are �rst, that we are dealing with a simulation instead of a bisimulation,and second, that we consider in addition to the operators he considers the �-operator (synchronousproduct) and show that it can be eliminated even occurring in a recursion. This is due essentially toits idempotence (axiom P3).We recall brie y the notations and the terminology introduced in [Mil89]. Let ~X = (X0; � � � ; Xn)and ~W = (W0; � � � ;Wm) be disjoint sets of variables. Let ~H = (H0; � � � ; Hn) be terms with free variablesin ~X [ ~W . A system of equations S = ( ~E; ~X; ~W;E0) is a set of formal equations ~E : ~X = ~H. We call~X the formal variables of E and say that E has free variables in ~W . E0 : X0 = H0 is the leadingequation and X0 is the distinguished variable. We say that ~E : ~X = ~H is standard if each Hi takes theform Xj aij : Xj +Xk (Yl Wikl �Xm aikm : Xl)where theWikl are elements of ~W and all actions are in A. As in [Mil89], we say that t provably satis�es~E : ~X = ~H if and only if there are terms ~t = (t0; � � � ; tn) such that t � t0 and ` ~t = ~H[~t= ~X]. We take� as the syntactic identity. The following propositions are used for the proof of the completeness.Proposition 3.5 (� -elimination) For any term t in L(A� ;�) there exists a term t0 in L(A;�) i.e.,without � -actions, such that ` t = t0. 2Proposition 3.6 For every term t in L(A� ;�), there exists a guarded term t0 in L(A;�) such that` t = t0. 2The propositions above say that every term of L(A� ;�) is provable equivalent to a guarded termwithout � -actions. This is due to axioms �1 and R4.Proposition 3.7 (Equational characterization) Every guarded term t 2 L(A;�) with free variables in~W provably satis�es a standard equation set ~E : ~X = ~H with free variables in ~W . 2Proposition 3.8 Let t 2 L(A;�) provably satisfy S and t0 2 L(A;�) provably satisfy S 0, where bothS and S 0 are standard sets of equations, and let t v t0. Then there is a standard set of equations~E : ~X = ~H, constructed from S and S 0, provably satis�ed by t and such that 9~t0 = (t00; � � � ; t0n) witht0 � t00 and ~H[~t0= ~X] � ~t0. 2Proposition 3.9 (Unique solution of equations) If S is a equation set ~E : ~X = ~H with free variablesin ~W , then there is a term t 2 L(A;�) which provably satis�es S. Moreover, if there are terms~t0 = (t00; � � � ; t0n) (with free variables in ~W ) such that ` ~H[~t0= ~X] � ~t0 then ` t � t00. 2From this proposition, it can be deduced that the solution of any equation set is unique up to =.Theorem 2 (Completeness) For any terms t and t0 if t v t0, then ` t � t0.Proof: With any guarded terms t; t0 2 L(A� ;�), such that t v t0, we associate two guarded termsu; u0 2 L(A;�) such that ` t = u and ` t0 = u0 by propositions 3.5 and 3.6. Then, we associaterespectively with u and u0 a standard equation set ~E : ~X = ~H and ~E 0 : ~X 0 = ~H 0 by proposition 3.7.There is a standard equation set ~E 00 : ~X 00 = ~H 00, by proposition 3.8, such that 9~u = (u0; � � � ; un) and~u0 = (u00; � � � ; u0n), with u0 � u and u00 � u0 , and ` ~u = ~H 00[~u= ~X 00] and ` ~H 00[~u0= ~X 00] � ~u0. Finally, byproposition 3.9 and unicity of the solution for an equation set, we have ` u � u0. 2
4 Automata Based Characterization of Safety PropertiesWe consider as program speci�cations regular sets of computation trees modulo strong bisimulation.This corresponds to bisimulation closed RTA-de�nable sets [Rab69], [Rab72].We study the closure of this class under topological closure in the topology induced by v. Weshow the sl-separability of this class and give a characterization of regular safety properties in termsof automata.Notice that we consider here only computation trees without � -actions since they can always beeliminated (see proposition 3.5). For technical reasons, we represent computation trees by Kripke trees(KT) where the labels are on the states and not on the transitions. It is straightforward to transforma KT into a computation tree and conversely. Therefore, we give a de�nition of Rabin tree-automatawhich is not exactly standard: we consider automata recognizing bisimulation closed sets of KT withpossibly �nite paths and with non bounded but �nite branching degree.De�nition 4.1 (Kripke tree) A Kripke tree is a tuple K = (Q;A; q0;�!; �) where Q is a countableset of states, q0 is the initial state, �!� Q � Q is a transition relation without cycles such thatj fq0 2 Q j q �! q0g j< ! and � : Q �! A is a labeling function of Q by A.De�nition 4.2 (Rabin tree-automaton)A Rabin tree-automaton is a tuple R = (A;W;w0; �;; F ) where W is a �nite set of states, w0 isthe initial state and � � W � A � 2W is a \branching" transition relation, is a �nite set of pairs(Li; Ui) 2 2W � 2W and F � W is a set of �nal states.A Kripke tree K = (Q;A; q0;�!; �) is accepted by R if and only if 9� : Q �! W such that;(1) �(q0) = w0(2) 8q 2 Q: (�(q); �(q); f�(q1); � � � ; �(qn)g) 2 � where fq1; � � � ; qng = fq0 2 Q j q �! q0g.(3-1) For any � an in�nite path in K starting in q0, there exists (L; U) 2 such that Inf(�(�))\L 6=; and Inf(�(�)) \ U = ;,(3-2) For any � = q0 � � � qn a �nite path in K, �(qn) 2 F ,where �(q0:q1 � � �) = �(q0):�(q1) � � � and Inf(w0:w1 � � �) = fw 2 W j 8i 2 IN: 9j > i: wj = wg.Despite the fact that our de�nition is quite di�erent from the standard one, the class of sets de�nableby our Rabin tree-automata is closed under union, intersection and complementation [Rab69], [Rab72],[Sao86].We introduce now automata which we call Safety Recognizers (SR for short) and show that theyde�ne exactly regular safety properties with respect to v.De�nition 4.3 (Safety recognizer)A safety recognizer is a tuple S = (A;W;w0; �) where W is a �nite set of states, w0 is the initial stateand � � W�A�2W . A Kripke tree K = (Q;A; q0;�!; �) is accepted by S if and only if 9� : Q �! Wsuch that:(1) �(q0) = w0(2) 8q 2 Q: 9� � W: (�(q); �(q);�) 2 � and f�(q1); � � � ; �(qn)g � �where fq1; � � � qng = fq0 2 Q j q �! q0g.Proposition 4.1 Any SR-de�nable set is RTA-de�nable.Proof: Let S = (A;W;w0; �) be a SR. An equivalent RTA is (A;W;w0; �0;; F ) where = f(W; ;)g,F =W and �0 is the smallest relation � verifying:8w 2 W: 8a 2 A: (w; a;�) 2 � ) 8�0 � �: (w; a;�0) 2 �0. 2
Proposition 4.2 Any SR-de�nable set is closed. 2Proposition 4.3 The closure of a RTA-de�nable set is SR-de�nable.Proof: Let P be the set de�ned by the RTA R = (A;W;w0; �;; F ). Consider the SR obtained fromR in the following manner:1 Remove from R all the states that accept the empty language (the emptiness problem of a RTAis decidable [Rab72], [HR72]). Let W 0 be the remaining states and �0 the transition relationmodi�ed accordingly : a transition (w; a;�) is removed if there exists a state in � which is notin W 0. The resulting automaton R0 = (A;W 0; w0; �0;0; F 0), where 0 and F 0 are the projectionsof and F on W 0, de�nes also the set P .2 Take S = (A;W 0; w0; �0).We show that any tree de�ned by S is in P , i.e., for any tree t de�ned by S, we have t v t0 where t0 isthe limit of a set of trees in P . Let t be a tree de�ned by S with a labeling � (see de�nition 4.3). Forany k � 0, we denote by tk the full subtree of t of depth k. Each node, and in particular each leaf, oftk is labeled with � by a state in W 0 which accepts a tree in R0 by de�nition. Thus, we can prolong tkto a tree t0k in P (each node of t is prolonged in the same way in all the trees t0k for k � 0). It easy toverify that the obtained set of trees t0k in P converges to a tree t0 such that t v t0.Conversely, since S de�nes a closed set containing P , and P is the smallest closed set containingP , S de�nes P . 2From propositions 4.2 and 4.3 we obtain the following theorem on SR's expressiveness.Theorem 3 (expressiveness)The class of SR-de�nable sets is exactly the class or regular safety properties with respect to v. 2Finally, we give the theorem which states the sl-separability of the class of regular properties oncomputation trees.Theorem 4 (sl-separability)The class of RTA-de�nable properties is sl-separable.Proof: By propositions 4.3 and 4.1, the class of RTA-de�nable sets is closed under topological closure.Furthermore, it is closed under union and complementation. Thus, it is sl-separable by proposition 2.4.2
5 The Branching Time Safety Logic BSLIn this section, we give a branching time logic de�ning exactly the class of safety properties withrespect to v.5.1 SyntaxA formula of U(A;�) is either F or de�ned by the following grammar:� ::= Nil j T j x j B : � j �� � j � ^ � j � _ � j �x: �where x 2 �; B � A. We denote by F(A;�) the closed and guarded formulas, where the notions offree variable, closed formula and guardedness are the same as the ones de�ned in section 3.1 for terms.5.2 SemanticsThe semantics of U(A;�) is de�ned by associating with any formula � a set of terms [[�]](~s) 22T (A� ;�) for a valuation ~s for the variables occurring free in �, where a valuation is a tuple ~s =(s0; � � � ; sn) of closed formulas di�erent from F:[[�]](~s) = \k2IN [[�]]k(~s)where [[�]]0(~s) = T (A� ;�) and for any k > 0, [[�]]k(~s) is inductively de�ned by� [[Nil ]]k(~s) = ft 2 T (A� ;�) j I(t) = ;g where I(t) = fa 2 A j 9t0: t ��a�! t0g� [[F]]k(~s) = ;� [[T]]k(~s) = T (A� ;�)� [[xi]]k(~s) = [[si]]� [[B : �]]k(~s) =ft 2 T (A� ;�) j 8a 2 A: 8t0 2 T (A� ;�): t ��a�! t0 ) (t0 2 [[�]]k�1(~s) and a 2 B)g� [[�1 � �2]]k(~s) = ft 2 T (A� ;�) j 9t1 2 [[�1]]k(~s): 9t2 2 [[�2]]k(~s): t �b t1 + t2g� [[�1 ^ �2]]k(~s) = [[�1]]k(~s) \ [[�2]]k(~s)� [[�1 _ �2]]k(~s) = [[�1]]k(~s) [ [[�2]]k(~s)� [[�x: �]]k(~s) = [[�[�x: �=x]]]k(~s).Notice that for any formula � di�erent from F, Nil 2 [[�]]k(~s).Now, we de�ne an implication relation between formulas in the following manner : for any twoformulas � and , we say that � implies if and only if [[�]](~s) � [[ ]](~s) for any valuation ~s.5.3 A Deductive System for BSLWe give a sound and complete axiomatization for the implication relation on guarded formulas. Anal-ogous to section 3.4, we de�ne a relation � by the deductive system below where we omit the rulesstating that � is a precongruence and the rules for change of bound variables and the propositionalcalculus rules. An equation � = �0 stands for two implications � � �0 and �0 � �.
The Deductive System Ax2 : For �; �1; �2; �3 guarded formulas of U(A;�) and B;B1; B2 � Aand x 2 �, we have:(I1) Nil � � provided � di�erent from F(I2) F � Nil(S1) (�1 � �2)� �3 = �1 � (�2 � �3)(S2) �1 � �2 = �2 � �1(S3) �� � = �(S4) �� Nil = �(S5) ��T = T(S6) T = A : T(T1) (B1 : �1) ^ (B2 : �2) = (B1 \B2) : (�1 ^ �2)(T2) (B1 : �)� (B2 : �) = (B1 [B2) : �(T3) ; : � = Nil(T4) (B : �1)� (B : �2) = B : (�1 _ �2)(T5) �1 � (�2 ^ �3) = (�1 � �2) ^ (�1 � �3)(T6) �1 � (�2 _ �3) = (�1 � �2) _ (�1 � �3)(T7) �1 ^ (�2 � �3) = (�1 ^ �2)� (�1 ^ �3)(R1) �x: � = �[�x: �=x](R2) � � (�)) � � �x: (R3) � � (�)) � � �x: We write `Ax2 �1 � �2, (resp. `Ax2 �1 = �2) when �1 � �2 (resp. �1 � �2 and �2 � �1) can beproved by the deductive system Ax2. We use simply the symbol ` when there is no ambiguity on theconcerned deductive system.Theorem 5 (Soundness) If ` �1 � �2 then �1 implies �2. 2We can prove the completeness of the deductive system by following the steps of the completenessproof of theorem 2 by replacing the proposition 3.7 by the following:Proposition 5.1 (Equational characterization) For each guarded formula � 2 U(A;�) di�erent fromF , there exists an equation set ~E : ~X = ~H such that:- ~� = ~H[~�= ~X]- the leading equation is of the form _i [Mj aij : Xj +Mk (Yl Wikl �Mm aikm : Xl)],- each other equation is of the formMj aij : Xj +Mk (Yl Wikl �Mm aikm : Xl).Proof: By structural induction, in the same way as in the proof of proposition 3.7. Notice that thedisjunction operator may only appear in the leading equation due to the axiom T4. 2Theorem 6 (Completeness)Let be �; �0 be guarded formulas in U(A;�). If � implies �0 then ` � � �0. 2
5.4 Adequacy and ExpressivenessWe show that BSL characterizes exactly safety properties with respect tov and thus, that it is adequatefor safety equivalence, i.e., any formula of BSL represents a union of �-classes. Furthermore, we showthat any formula of BSL di�erent from F has a largest model (LTS) with respect to v satisfying it.Thus, any safety property can be represented by a LTS up to simulation and verifying any safetyproperty reduces to simulation testing.First, we consider a subclass of U(A;�) isomorphic to L(A;�). Formulas of this class are called instandard form.De�nition 5.1 A formula is called in standard form if it is di�erent from F , it does not contain anydisjunction operator and as pre�xing operators only singleton sets are used.As a corollary of proposition 5.1, we have the following lemma.Lemma 5.1 Any guarded formula of U(A;�) di�erent from F is equivalent to a disjunction of for-mulas in standard form. 2We establish now the link between guarded terms of L(A;�) and guarded formulas of U(A;�) instandard form.De�nition 5.2 Let be the function from guarded terms of L(A;�) to guarded formulas of U(A;�),de�ned inductively by :- Nil = Nil.- x = x.- a:t = fag : t .- t1+t2 = t1 � t2 .- t1�t2 = t1 ^ t2 .- rec x: t = �x: tProposition 5.2 (i) Let be � 2 F(A;�) in standard form. Then there exists a guarded term tsuch that t = �(ii) Let t1; t2 be guarded terms of L(A;�). `Ax1 t1 � t2 , `Ax2 t1 � t2Proof:(i) Since to any operator on formulas in standard form corresponds an operator on terms.(ii) Since the image by of the deductive system Ax1 is a subset of the deductive system Ax2.2Proposition 5.3 8t 2 T (A;�): 8t0 2 T (A� ;�): t0 2 [[t]], t0 v t. 2We recall that a �nite-state program model (LTS) can be represented by a �nite set of termscorresponding to the computation trees which are obtained by unfolding the model starting in itsinitial states. A model satis�es a formula � if and only if all its terms are in [[�]]. We show that forany guarded and closed BSL formula di�erent from F, the set of models satisfying it has a largestelement with respect to the preorder v extended to sets of terms.
Proposition 5.4 (largest model satisfying a formula)8� 2 F(A;�): � 6= F : 9t1�; � � � ; tn� 2 T (A;�): 8t 2 T (A� ;�): t 2 [[�]] , 9i 2 [1; n]: t v ti�.Proof: By lemma 5.1 and propositions 5.2(i) and 5.3. 2Theorem 7 (expressiveness)A set is BSL-de�nable if and only if it is SR-de�nable.Proof:(if direction) : We associate with any SR S = (A;W;w0; �) the equation set:fXw = _(w;a;fw1;���;wng)2� a : nMi=1Xwi j w 2 Wg:We can prove by induction on the number of equations that for any such equation set there exists aBSL formula satisfying it.(only if direction) : By proposition 5.4, for any BSL formula there exists a largest model satisfy-ing it, say ft1�; � � � ; tn�g. Any term in this model represents a regular computation tree which can betransformed to a KT (see de�nition 4.1). This KT, since it is regular, is the unfolding of a �nite-statestructure which can be viewed as a SR and a �nite union of SR's is a SR. 2The theorem above says that BSL characterizes exactly the class of regular safety properties.Thus, by proposition 5.4, any safety property is de�nable by a LTS up to simulation. Furthermore, byproposition 2.2, BSL is adequate for safety equivalence.Corollary 5.1 (adequacy for safety equivalence)8t1; t2 2 T (A� ;�): t1 � t2 if and only if 8� 2 F(A;�): t1 2 [[�]] , t2 2 [[�]]. 2Notice that the adequacy of BSL for the safety equivalence remains true when we consider �nitemodels (LTS) instead of computation trees (see proposition 2.3).6 ConclusionWe have proposed a safety preorder for branching time semantics based on simulation and studied theclass of safety properties it de�nes. It turned out that this class coincides with the intuitive notion ofsafety properties.The preorder we have chosen is not sensitive to deadlock, i.e., reachability of a state in which novisible action can be performed. Indeed, a tree with a �nite path may be equivalent to a tree without�nite paths. Thus, if the speci�cations require a system to be deadlock free, this has to be veri�edseparately.A deadlock sensitive simulation is completed simulation [vG90], where a deadlock state does notsimulate any non deadlock state. However, it is easy to see that this relation is not a precongruencefor the restriction operator and therefore also for parallel operators incorporating restriction as e.g.,the synchronous product.A deadlock sensitive safety preorder which is a precongruence for the operators we consider in thispaper can be based on ready simulation [vG90] with abstraction, where two related states have thesame visible initial actions.The abstraction criterion we have chosen (the visible transitions are of the form � �a where a is avisible action) has several advantages in the contex of simulation:� It allows to de�ne a safety equivalence weaker than observational equivalence,� It is very interesting in practice. It allows to eliminate all � -transitions. Furthermore, this canbe done locally during the generation of a program model. In fact, the algorithm is analogousto the one for the elimination of �-transitions on �nite-state automata.
Minimization and comparison up to safety equivalence are implemented in Ald�ebaran [Fer89], atool for the veri�cation of communicating systems represented by LTS's. Ald�ebaran has been used tocompare e�ciently protocols with their speci�cations up to safety equivalence; e.g. the results of theveri�cation of a reliable atomic multicast protocol in the Application Layer can be found in [FM90].Acknowlegments:We thank N. Halbwachs for helpful discussions and Ph. Schnoebelen for his comments on a draft of thispaper.References[AL88] M. Abadi and L. Lamport. The existence of re�nement mappings. SRC 29, DigitalEquipement Corporation, August 1988.[AS87] B. Alpern and F.B. Schneider. Recognizing safety and liveness. Distributed Computing,2:117{126, 1987.[B�62] J.R. B�uchi. On a decision method in restricted second order arithmetic. In Nagel et al.,editor, Logic, Methodology and Philosophy of Sciences. Stantford Univ. Press, 1962.[BK85] J. A. Bergstra and J.W. Klop. Algebra of communicating processes with abstraction. TCS,37 (1), 1985.[Bou85] G. Boudol. Notes on algebraic calculi of processes. In Logics and Models for ConcurrentSystems. Springer Verlag, 1985. Nato ASI Series F (13).[CG77] R. Cohen and A. Gold. Theory of !-languages. J. Comput. System Sci., 15:169{208, 1977.[CL89] S. Chaudhuri and R.E. Ladner. Safety and liveness of !-context-free languages. Technical Re-port 88-11-04, Department of Computer Sciences and Engineering, University of Washington,Seatle, Washington, 1989.[Fer89] J. C. Fernandez. Ald�ebaran: A tool for veri�cation of communicating processes. Tech. reportSpectre C14, LGI-IMAG Grenoble, 1989.[FM90] J. Fernandez and L. Mounier. Veri�cation bisimulations on the y. In Proceedings of the ThirdInternational Conference on Formal Description Techniques FORTE'90 (Madrid, Spain),pages 91{105. North-Holland, November 1990.[GV90] Jan Friso Groote and Frits Vaandrager. An e�cient algorithm for branching bisimulationand stuttering equivalence. CS-R 9001, Centrum voor Wiskunde en Informatica, Amsterdam,January 1990.[GW89] R.J. Van Glabbeek and W.P. Weijland. Branching time and abstraction in bisimulationsemantics (extended abstract). CS-R 8911, Centrum voor Wiskunde en Informatica, Ams-terdam, 1989.[HR72] R. Hossley and C. Racko�. The emptiness problem for automata on in�nite trees. In Proc.13th IEEE Symp. on Switching and Automata Theory, 1972.[Koz83] D. Kozen. Results on the propositional �-calculus. In Theoretical Computer Science. North-Holland, 1983.[Lam77] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Soft-ware Engineering, SE-3(2):125{143, 1977.
[Lam85] L. Lamport. Logical foundation. In M. Paul and H.J. Siegert, editors, Distributed Systems{Methods and Tools for Speci�cation, LNCS 190. Springer Verlag, 1985.[LPZ85] O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In Conference on Logics ofPrograms, LNCS 194. Springer Verlag, 1985.[Mil71] R. Milner. An algebraic de�nition of simulation between programs. In Second Int. JointConf. on Arti�cial Intelligence, BCS, pages 481{489, 1971.[Mil80] R. Milner. A calculus of communication systems. In LNCS 92. Springer Verlag, 1980.[Mil89] R. Milner. A complete axiomatization for observational congruence of �nite-state behaviours.Information and Computation, 81:227{247, 1989.[MP84] Z. Manna and A. Pnueli. Adequate proof principles for invariance and liveness properties ofconcurrent programs. Science of Computer Programming, 32, 1984.[MP89] Z. Manna and A. Pnueli. The anchored version of the temporal framework. In J.W. DeBakker, W.P. De Roover, and G. Rozenberg, editors, Linear Time, Branching Time, andPartial Order in Logics and Models for Concurrency, LNCS 354. Springer Verlag, 1989.[Mul63] E.D. Muller. In�nite sequences and �nite machines. In 4th IEEE Ann. Symp. on SwitchingCircuit and Logical Design, pages 3{16, 1963.[Niw88] D. Niwinski. Fixed points vs. in�nite generation. In Proc. of Third. Symp. on Logic inComputer Science. Computer Society Press, 1988.[Par81] D. Park. Concurrency and automata on in�nite sequences. In 5th GI-Conference on TheoricalComputer Science. Springer Verlag, 1981. LNCS 104.[Plo81] G. D. Plotkin. A structural approach to operational semantics. Lecture notes, Aarhus Uni-versity, 1981.[Rab69] M.O. Rabin. Decidability of second order theories and automata on in�nite trees. Trans.Amer. Math. Soc., 141, 1969.[Rab70] M.O. Rabin. Weakly de�nable relations and special automata. In Y. Bar Hillel, editor, Proc.Symp. Math. Logic and Foundations of Set Theory. North-Holland, 1970.[Rab72] M.O. Rabin. Automata on in�nite objects and church's problem. In Proc. Regional AMSConf. Series in Mathemamtics, number 13, 1972.[Sao86] A. Saoudi. Vari�et�es d'automates descendants d'arbres in�nis. TCS, 43, 1986.[Sis85] A. P. Sistla. On characterization of safety and liveness. In Proc. 4th. Symp. Princ. of Dist.Comp., pages 39{48. ACM, 1985.[Str82] R.S. Streett. Propositional dynamic logic of looping and converse. Information and Control,54, 1982.[vG90] R.J. van Glabbeek. The linear time - branching time spectrum. Technical Report CS-R9029,Centre for Mathematics and Computer Science, 1990.[VW86] M.Y. Vardi and P. Wolper. Automata-theoritic techniques for modal logics of programs. J.Comp. Sys. Sci., 32, 1986.[Win83] G. Winskel. Synchronization trees. In J. Diaz, editor, 10th ICALP, LNCS 154, 1983.[Wol89] P. Wolper. On the relation of programs and computations to models of temporal logic. InTemporal Logic in Speci�cation, LNCS 398, 1989.
