Uniform approaches to the verification of finite state systems


UNIFORM APPROACHES TO THE VERIFICATION OF FINITE STATE SYSTEMS

by

SANDEEP KUMAR SHUKLA

© Copyright, 1997

This thesis is dedicated to
Ma (Mrs. Atashi Shukla)
Dida (Mrs. Nirupama Basu)
Ankadadu (Mr. Anil Banerjee)
and
Bhaiya (Mr. Rajiv K. Shukla)

A Dissertation Submitted to the University at Albany, State University of New York at Albany, in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

College of Arts and Sciences
Department of Computer Science
1997

Abstract

Given the increasing size and complexity of modern computing systems, the formal verification of hardware designs and distributed protocols has been gaining importance. Research in formal verification mainly involves the following activities: development of appropriate models for capturing essential aspects of systems; design of specification formalisms for describing desirable properties; development of algorithmic techniques to establish the conformance of systems to the desired properties; and analysis of the complexity of algorithmic problems arising in these contexts. The contributions of this thesis are mainly in the last two of these areas, the main emphasis being on the development of uniform techniques.

We consider two well known approaches to the verification of finite state systems. The first approach is based on process algebras and the second is based on various modal logics that capture properties of systems. In the first approach the modeling as well as the specification is given as process algebraic terms. These process terms are efficiently translated to transition systems. In the second approach the models of systems are given as transition systems and the specification is given as a modal logic formula. The correctness in the first approach is shown by establishing process algebraic relations such as bisimulation equivalence between the model and the specification. In the second approach, the correctness is checked via model checking.

Here, we develop a uniform methodology that enables us to derive efficient algorithms for various verification problems occurring in both approaches. This methodology is based on efficient algorithms for the solution of several variants of the satisfiability problem for Horn formulas. The key idea in this methodology is to show that many apparently different verificational problems are very efficiently reducible to this class of satisfiability problems. Since there are linear time and on-line algorithms for this class of problems, the algorithms that are obtained by applying our methodology are not only very efficient but also combine certain other advantages that many distinct approaches had separately, that is to say that our algorithms are on-the-fly, local and incremental.

In the approach based on process algebra, we consider all simulation-like equivalences and preorders in the linear-time/branching-time hierarchy of Rob van Glabbeek. We investigate the following class of problems. Given a relation R, decide if T1 R T2, where T1 and T2 are transition systems. We show that for all simulation-like relations in the hierarchy, as well as for some relations defined in the context of the I/O automata of Nancy Lynch and Frits Vaandrager, our uniform approach allows us to derive efficient algorithms for this class of problems.

In the second approach, based on model checking, we use our methodology to derive efficient algorithms for model checking the alternation-free mu-calculus. Mu-calculus is a modal logic widely used for expressing properties of systems, and various existing modal logics can be efficiently translated to fragments of mu-calculus. Our results can be extended to derive efficient algorithms for model checking other logics, such as CTL, LTL, etc. Again, the algorithms obtained will be on the fly, local and incremental.

Presently most verification tools are used for debugging purposes at the early stages of design. As a result, it is extremely important that a verification methodology yields diagnostic information when a system fails to satisfy the property under consideration. This diagnostic information is usually in the form of a trace or a logical formula and is used in debugging the system. We show that our methodology allows us to derive algorithms that also generate diagnostic information without any penalty in the asymptotic complexity of the algorithm.

However, the time complexity of the algorithms obtained by our methodology is polynomial in the size of the state space of the systems being verified. A natural question arises as to what the complexity lower bounds for these problems are when systems are represented succinctly, for example, as the parallel composition of sequential systems. At the end of this thesis we investigate these lower bounds. In some interesting cases we obtain uniform lower bounds for a class of decision problems and show that our lower bounds are tight by showing the existence of decision problems in this class which have matching upper bounds. In the area of characterization of subclasses of problems we have two groups of results. First, through a game theoretic approach we obtain sufficient conditions for the polynomial time decidability of process algebraic relations. Second, through our reduction from verificational problems to satisfiability problems, we strengthen some parallelizability results of Smolka et al. and obtain some new results.

ACKNOWLEDGEMENTS

I am immensely grateful to my thesis advisors, Prof. Harry B. Hunt III and Prof. Daniel J. Rosenkrantz, for their continuous encouragement, academic and personal advice, and generosity with time and ideas. Prof. Hunt spent hours after hours discussing ideas and problems and teaching me how to do research. Prof. Rosenkrantz showed me in innumerable research meetings how to reduce apparently complex problems to their essence to gain clarity. In the process I have learned how to ask questions which are germane to research. I am grateful to Prof. Hunt and Prof. Richard Stearns for supporting me as a research assistant for almost three years. Their generosity helped me visit research workshops and summer schools and enabled me to present papers in various places both within the US and abroad.

My special thanks go to Prof. S. S. Ravi and Prof. Paliath Narendran for their encouragement, stimulating discussions and the collaborative research work. Like most other graduate students in this department, I have benefited from the continuous presence of Prof. Ravi in the department, during late hours and weekends. Not only have I received his advice on academic and personal matters, he has served as a living encyclopedia of known results and their sources.

I am also grateful to Prof. Deepak Kapur for his advice and contributions to my graduate studies. I thank Prof. Dan Willard and Prof. Seth Chaiken for many interesting discussions and for their advice.

My sincerest thanks go to Tushar Saxena, who has been a wonderful house mate in the last four years and made my life in Albany pleasurable. My thanks also go to his family for providing a homely environment for several semesters.

I thank George Becker for being such an understanding office mate and for teaching me, among other things, how to drive. I thank Madhav Marathe, Simona Babiceanu, Xiaodong Lu, Dongning Zhang, Guo Qing, Xiaomin Zhang and many others who have made working in the department a pleasurable experience. I thank Pat Keller and Joan Nellhaus for helping me with all sorts of administrative details.

I thank Jim Ault and the facilities staff for keeping the system running in the department.

I also thank Rita, Romita, Sanjoy, Arush and Anirban for their friendship, local or long distance, which kept me from going insane.

Last but not the least, I thank ma, dida, ankadadu, bhaiya, mama, didimashi, sejdimashi, chordimashi, mashi and Rinkididi for helping me come this far in life. I cannot thank them adequately in words.

I am afraid that I am leaving out many who have contributed to my well being, and I thank them all and apologize for failing to acknowledge them individually.

The research reported in this thesis was partially funded by NSF grant CCR-94-06611.

Contents

1 Introduction ..... 1
1.1 Motivation and Background ..... 5
1.2 Objective ..... 9
1.3 Overviews ..... 11
1.3.1 Process Algebraic Equivalences and Preorders ..... 11
1.3.2 Model Checking ..... 13
1.3.3 Uniform Lower Bounds ..... 16
1.4 Organization of the Thesis ..... 21

2 Preliminary Definitions and Results ..... 24
2.1 Basic Definitions ..... 24
2.1.1 Transition Systems, Simulations and Equivalences ..... 24
2.1.2 Parallel Composition and Hiding ..... 31
2.1.3 HORNSAT and NHORNSAT ..... 33
2.2 Algorithms for (N)HORNSAT ..... 34
2.2.1 Linear time solvability of HORNSAT ..... 34
2.2.2 Solution for Maximal-NHORNSAT ..... 37
2.3 Unique minimal and maximal solutions for HORNSAT and NHORNSAT ..... 38
2.4 Logical Frameworks ..... 40
2.4.1 Prebisimulation and Intuitionistic Hennessy-Milner Logic ..... 40
2.4.2 Alternation Free Modal Mu-Calculus ..... 42

3 A Uniform Framework for Deciding Process Algebraic Relations ..... 46
3.1 Summary ..... 47
3.2 Advantages of Our Approach ..... 48
3.3 Overview of the Uniform Reduction Technique ..... 51
3.4 A Polynomial Time Algorithm for Bisimulation Equivalence ..... 54
3.5 Simulation Equivalence, Forward, Ready, and Complete Simulation ..... 62
3.5.1 Simulation and Forward Simulation ..... 63
3.5.2 Ready simulation and Complete simulation ..... 63
3.6 A Polynomial Time Algorithm for 2-nested Simulation ..... 65
3.7 A Polynomial Time Algorithm for Backward Simulation ..... 69
3.8 A HORNSAT interpretation of the Bottom Up Algorithms ..... 74
3.9 Computing Simulations on Finite Graphs ..... 77
3.10 A Corollary: NC Algorithm for Deterministic Systems ..... 79
3.11 Comparison with Related Approaches ..... 81

4 Stirling Games and Process Algebraic Relations ..... 87
4.1 Game Models ..... 88
4.1.1 Game for rooted NHORNSAT ..... 89
4.1.2 Stirling Class of Games ..... 90
4.2 Simulations and Equivalences as games in the Stirling Class ..... 92
4.2.1 Characteristic Game for 2-nested Simulation Relation ..... 94
4.3 The Characteristic Game Theorem ..... 97
4.4 A Subclass of Stirling Class ..... 98

5 Model Checking and HORNSAT ..... 99
5.1 Motivation, Results and Related Work ..... 99
5.2 (N)HORNSAT and Systems of Boolean Equations ..... 102
5.3 Desirable Properties of Model Checking Algorithms ..... 105
5.4 Motivating Examples ..... 108
5.5 Fragments of Modal Mu-Calculus ..... 114
5.5.1 Model Checking to (N)HORNSAT ..... 115
5.6 Parallel Complexity of Model Checking and (N)HORNSAT ..... 119

6 Diagnostics Generation ..... 124
6.1 Diagnostics ..... 125
6.2 Diagnostics for Bisimulation Equivalence ..... 126
6.3 Diagnostics for Prebisimulation ..... 129
6.3.1 HORNSAT based checking of Prebisimulation Preorder ..... 130
6.3.2 Generating Diagnostic Formula ..... 132

7 Uniform Lower Bounds ..... 135
7.1 Problems ..... 136
7.2 Results and Contributions ..... 138
7.3 Results on Problems P1, P2 and P3 ..... 142
7.3.1 Reachability Problem and Uniform Lower Bounds ..... 142
7.3.2 Complexity of Deciding Relations to any Fixed Process ..... 154
7.3.3 Complexity of Predicates that Respect Weak Bisimilarity ..... 162
7.3.4 Complexity of Refinement Mapping, History Relation and Prophecy Relation ..... 163

8 Conclusions ..... 167
8.1 Summary ..... 167
8.2 Open Problems Resulting from Our Work ..... 171

List of Figures

1.1 A Trivial Example of a Transition System ..... 5
1.2 The linear-time/branching time hierarchy of equivalences. ..... 13
1.3 The linear-time/branching time hierarchy of preorders. ..... 14
3.1 Algorithm for reducing the bisimulation instance to NHORNSAT instance: Algorithm Bisim-NHorn. ..... 56
3.2 (a) Illustrating that T1 and T2 are not bisimulation equivalent; (b) Illustrating that T1 and T2 are bisimulation equivalent. ..... 57
3.3 Algorithm for reducing backward simulation instance to NHORNSAT instance: Algorithm BACKNHorn. ..... 72
3.4 Algorithm for reducing the problem of computing simulations on finite graphs to NHORNSAT: Algorithm SFG1. ..... 85
3.5 Algorithm for reducing the problem SFG2 on finite graphs to NHORNSAT: Algorithm SFG2. ..... 86
5.1 Transition System T1 ..... 108
5.2 Dowling-Gallier Graph for the minimal-HORNSAT instance ..... 111
5.3 Transition System T2 ..... 112
5.4 The Dowling-Gallier Graph for the maximal-NHORNSAT instance. ..... 114
6.1 Extension of the Algorithm for reducing the bisimulation instance to NHORNSAT instance for producing diagnostics. ..... 127
7.1 Transition system Pi corresponding to clause Ci in the proof of Theorem 7.3.10 ..... 158

Chapter 1

Introduction

In this thesis we develop a uniform approach to a variety of problems that arise in the analysis and verification of finite state systems. Such systems include hardware designs, circuits and many communication protocols. Formal verification has received significant attention in recent years due to the increasing size and complexity of modern computing systems. Consequently, there has been a significant amount of research activity in the last 10-15 years in the area of formal verification. This research mainly entails the following: development of appropriate models for capturing essential aspects of systems; design of specification formalisms for describing desirable properties; development of algorithmic techniques to establish the conformance of systems to desired properties; analysis of the complexity of various algorithmic problems arising in these contexts; and characterization of classes of problems which have efficient algorithmic solutions. The contributions of this thesis are mainly in the last three areas mentioned above. Our main emphasis is on the development of uniform techniques.

Research in the development of models for the formal description of real systems has led to paradigms based upon the use of process algebras, Kripke structures, transition systems, ω-automata, etc. The formalisms for specifying system properties include modal logics, process algebraic specifications, etc. The correctness of an implementation with respect to its specification is shown by demonstrating the conformance of the model of the implementation to the specification. For example, if the implementation is modeled as a transition system and the specification is given as a temporal logic formula, correctness of the implementation is proved by showing that the transition system satisfies the given formula. The notions of conformance are formulated in terms of various equivalences and preorders, model checking, etc. There has been a significant amount of research work on developing algorithmic methods for checking conformance and generating diagnostic information (footnote 1). We contribute to this research in three ways. First, we develop a uniform methodology for deriving efficient algorithms for various problems occurring in the context of verification. These problems include the problems of deciding equivalences and preorders, model checking, etc. Second, we obtain uniform lower bounds for various related problems and show the tightness of such uniform lower bounds by demonstrating matching upper bounds for some of these problems. These uniform lower bound results are given for classes of relational problems for processes represented via parallel composition. Third, we develop a uniform game theoretic framework that gives sufficient conditions for the polynomial time decidability of process algebraic relations. These conditions are satisfied by a large number of equivalences and preorders in the linear-time/branching-time hierarchy [vG90]. We also characterize subclasses of several verificational problems which have efficient parallel algorithms.

In the past two decades, a lot of research effort has been invested in process algebraic models and their use in the verification of concurrent systems. The most well known process algebras include Communicating Sequential Processes (CSP) [Hoa84], Calculus of Communicating Systems (CCS) [Mil80, Mil89], and Algebra of Communicating Processes (ACP) [BK84]. The notion of conformance in the process algebraic framework is given in terms of equivalence relations and preorders such as bisimulation, ready simulation [Mil89, HS96], trace equivalence [Hoa84], etc. Several temporal logics such as CTL [CE81], LTL [Pnu77, Lam80] and μ-calculus [Koz83, Bra92] have also been developed as formalisms in which various desirable properties of systems can be expressed. When modal logics are used to specify properties of systems, conformance of systems to the properties is checked via model checking. Algorithmic methods for model checking finite state systems were first developed in [QS81, CE81].

Footnote 1: When a system model fails to conform to its specification, usually a counterexample explaining the failure is provided as diagnostic information.

Presently there are a number of verification tools that implement different methodologies for the verification of finite state systems. Some of these tools also generate diagnostic information when the finite state system does not satisfy its specification. In fact, the most promising verification tools are those which provide diagnostic information, because such tools can also be used for debugging incorrect designs. These tools include the Concurrency Work Bench (CWB) [Cle93b], the Concurrency Factory (CF) [CGL+94], the Symbolic Model Checker (SMV) [McM93], etc. CWB and CF employ process algebraic methods as well as μ-calculus model checking. SMV uses CTL* [McM93] model checking (footnote 2). The algorithmic methods used in these approaches are usually quite different. Thus, an improvement in one of the algorithmic methods may not have much direct effect on the improvement of the other methods.

At the outset of this research, we conjectured that these seemingly dissimilar algorithmic problems can be solved using uniform algorithmic techniques. As strong evidence of the correctness of our conjecture, we show that many of these verificational problems can be, intuitively, viewed as subproblems of a particular class of satisfiability problems. We refer to this special class of satisfiability problems as (N)HORNSAT. This class comprises several variants of the satisfiability problem for Horn formulas (footnote 3). We should point out here that in later chapters we use the terms HORNSAT, NHORNSAT, maximal-NHORNSAT, and minimal-HORNSAT to denote particular satisfiability problems from this class. However, for the sake of brevity we also call this class of problems (N)HORNSAT. We demonstrate that many verificational problems can be uniformly and efficiently reduced to the problems of this class. It is worth noting that our reductions are space efficient (NLOGSPACE), can be carried out efficiently in parallel (with a polynomial number of processors and logarithmic time), and are local. Our effort to unify various methods has given rise to a uniform methodology for deriving efficient algorithms for various process algebraic equivalences and preorders as well as for model checking. Moreover, the properties of our reductions allow us to characterize subclasses of the problems considered that are efficiently solvable.

Footnote 2: CTL* is a temporal logic that can express both branching time and linear time properties. Syntactically it is an enhancement of the branching time logic CTL [CE81].

Footnote 3: This is the problem of checking the satisfiability of weakly positive and weakly negative CNF formulas [Sch78].

Our methodology also enables us to outline a 2-level design for a verification tool that employs both process algebraic and model checking methods for verification. At the first or core level, there is a very efficient solver for (N)HORNSAT, and at the second or top level, there are reduction suites. These reduction suites consist of algorithms for reducing a verificational problem to the core satisfiability problem. Since all our reductions are very efficient, as already discussed, this 2-level design has several advantages. First, we can optimize both levels of the tool separately. Second, researchers have developed various innovative data structures for the solutions to these algorithmic problems (for example, [CS91, And94]), but the efficient data structures developed by researchers in the logic programming community for solving (N)HORNSAT [DG84, AI91] in linear time can be reused for these efficient verification algorithms. Third, a lot of effort has been spent in developing verification algorithms which are on the fly [CVWY92, FM91], local [Lar90, SW91, Bra92] and incremental [SS94]. Our methodology derives algorithms which naturally have these properties. In the upcoming sections of this chapter it will become clear that these properties are important for feasible verification methodologies. Fourth, our methodology enables us to systematically derive efficient parallel algorithms for several special cases of verificational problems studied in the literature. Earlier in the literature [ZSS94], there have been ad hoc attempts to identify the various subproblems that are efficiently parallelizable.

A second kind of result in this thesis is the uniform derivation of lower bounds for several classes of verificational problems. To do this, we use the dichotomization technique developed in the early seventies by Hunt et al. [HS76, HR83, HR84, Hun84] to prove uniform lower bounds for classes of relational problems. In particular, we significantly strengthen several lower bound results obtained by Groote and Moller [GM92] and Rabinovich [Rab92, Rab95] for the problem of deciding equivalences between succinctly represented transition systems. In many cases, we show that our uniform lower bounds are tight uniform lower bounds.

1.1 Motivation and Background

[Figure 1.1: A Trivial Example of a Transition System. States s1, s2, s3 and s4, a single action a labeling the transitions, and a predicate P that holds in s4.]

Consider the trivial transition system shown in Figure 1.1. This transition system describes a system that is viewed at an abstract level as a system with four distinct states. It has a single visible action named a, execution of which may change its state. A predicate P is true in some states (for example, a predicate that states that "some flag is high" or "some message has been sent", etc.). In our trivial example, predicate P is true only in state s4. s1 is the initial state of the system. Now suppose we are interested in the following property of the system: there is an execution sequence of this system in which the predicate P eventually becomes true. One can easily see that this property holds for the system depicted in Figure 1.1. However, one needs a logical framework in which such properties can be stated unambiguously. A number of modal and temporal logics can be used to formally state such properties. For example, in CTL [McM93, CE81], one can state the above mentioned property as EFP, where E is a path quantifier stating that there exists a path and F is a modality expressing eventually. Now notice that EFP can also be thought of in the following manner. In order that EFP is true in a particular state of a transition system, either P should be true at that state or EFP must be true in one of the possible next states. In other words,

$$EFP \equiv P \lor EX(EFP)$$

Note that X is a modality denoting next state information. The above fixed point equation suggests a fixed point formulation of this property. In fact, EFP is obtainable as the set of states which is the least fixed point solution to the equation $Y \equiv P \lor EXY$. In modal μ-calculus [Bra92, Koz83] this property can be stated as $\mu X.(P \lor \langle a \rangle X)$.

For simple systems such as the one in Figure 1.1 and for a simple formula such as the one above, it is easy to check that the system satisfies the property specified by the formula. For large systems and for complex properties, verification can be nontrivial. The verification that a system satisfies a given property expressed as a formula is done via model checking. Model checking can be described informally as follows.

Given a system description and a modal logic statement, decide if the system satisfies that statement.

For many modal logics, model checking for finite state systems is decidable. In this thesis we consider only finite state systems. There has been research on model checking infinite state systems [Bra92], but we do not consider such systems here. In recent years, people have developed model checking algorithms for such logics as CTL, LTL [CE81, McM93], μ-calculus [Lar90, SW91], and equational μ-calculus [CS91, And94]. These algorithms have been implemented and incorporated into several verification tools. Lots of nontrivial bugs have been discovered in standard designs using model checking; for examples see [BCM+92, McM93]. Hence, model checking has become an important area of research in finite state systems verification.
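The fixed-point reading of EFP above is exactly what the thesis's reduction of model checking to minimal-HORNSAT exploits: the least fixed point of $Y \equiv P \lor EXY$ is the minimal model of a Horn formula with one variable per state. As an added example (not part of the thesis), the following Python computes that least fixed point both by Kleene iteration and by unit propagation over the Horn encoding, on a constructed four-state system standing in for Figure 1.1; the figure's exact edges are not recoverable here, so the transition relation is assumed.

```python
"""Least fixed point of Y = P v EX Y, by iteration and as minimal-HORNSAT.

Added example, not part of the thesis.  The transition system below is a
constructed stand-in for Figure 1.1: four states, a single action a, P true
only in s4, initial state s1.  The exact edges of the figure are assumed.
"""
from collections import defaultdict, deque

STATES = ["s1", "s2", "s3", "s4"]
TRANSITIONS = [("s1", "a", "s2"), ("s1", "a", "s3"),
               ("s2", "a", "s4"), ("s3", "a", "s3")]   # assumed edges
P_TRUE = {"s4"}
INITIAL = "s1"


def ef_by_iteration(states, transitions, p_true):
    """Kleene iteration from the empty set: add a state when P holds there or
    some successor is already in the set; stop at the first repetition."""
    succ = defaultdict(set)
    for s, _, t in transitions:
        succ[s].add(t)
    y = set()
    while True:
        new = {s for s in states if s in p_true or succ[s] & y}
        if new == y:
            return y
        y = new


def ef_to_horn(states, transitions, p_true):
    """Encode the fixed-point equation as Horn clauses (body, head) over
    variables x_s meaning "s satisfies EF P":
        ()   -> x_s   for every s where P is true       (facts)
        x_t  -> x_s   for every transition s --a--> t   (EX part)
    The least fixed point is the minimal model of this formula."""
    clauses = [(frozenset(), s) for s in states if s in p_true]
    clauses += [(frozenset({t}), s) for s, _, t in transitions]
    return clauses


def minimal_model(clauses):
    """Unit propagation in the style of Dowling and Gallier: each clause keeps
    a count of unsatisfied body literals; when it drops to zero the head is
    forced true.  Every clause is touched a bounded number of times, which is
    what makes the HORNSAT solver at the core of the reduction linear time."""
    remaining = [len(body) for body, _ in clauses]
    watch = defaultdict(list)  # variable -> indices of clauses having it in the body
    for i, (body, _) in enumerate(clauses):
        for v in body:
            watch[v].append(i)
    true_vars = set()
    queue = deque(head for i, (_, head) in enumerate(clauses) if remaining[i] == 0)
    while queue:
        v = queue.popleft()
        if v in true_vars:
            continue
        true_vars.add(v)
        for i in watch[v]:
            remaining[i] -= 1
            if remaining[i] == 0:
                queue.append(clauses[i][1])
    return true_vars


def check_ef(states, transitions, p_true, initial):
    """Model check EF P at `initial` via the HORNSAT route.
    Returns (verdict, set of states satisfying EF P)."""
    sat = minimal_model(ef_to_horn(states, transitions, p_true))
    return initial in sat, sat


if __name__ == "__main__":
    holds, ok = check_ef(STATES, TRANSITIONS, P_TRUE, INITIAL)
    print("EF P holds at", INITIAL, ":", holds, "; satisfying states:", sorted(ok))
    print("same set by iteration:", sorted(ef_by_iteration(STATES, TRANSITIONS, P_TRUE)))
```

The propagation touches only the clauses whose bodies become satisfied, so states with no path to P (here s3) are never forced, which is the local flavour of the approach discussed below.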
To cope with the increasing size of systems, it is extremely desirable to use memory efficient model checking algorithms. Several such memory efficient model checking algorithms have been proposed recently. These algorithms are called on the fly algorithms and local algorithms, depending on the strategy used for economical memory usage. Since the terms on the fly and local have not been rigorously defined in the literature, we discuss their intuitive meanings. An algorithm that does not require that the whole system state space be explicitly constructed in memory before the algorithm is applied is called an on the fly algorithm [CVWY92, BCG95]. This is because the algorithm constructs the system state space from its succinct description as and when required during the execution of the model checking algorithm. In the worst case these algorithms can construct the whole state space and thus can still require a large amount of memory. However, in many large practical designs bugs are often located within a small distance from the start state. As a result, to find bugs and produce diagnostics, the whole state space will not be constructed if an on the fly algorithm is applied. This makes it possible to debug large designs even if the verification of designs of comparable size may not be possible because of memory limitations. Another interesting paradigm is that of local [Lar90, SW91, Bra92] model checking, where an exhaustive search is usually avoided by exploring only those parts of the state space which are absolutely necessary to explore in proving correctness. The verification goal and the structure of the system determine which parts of the state space are explored. Also, incremental model checking has been considered in the literature [SS94]. In incremental model checking, old information from an earlier model checking effort is maintained and reused when a revision of a faulty design is verified again. This helps in coping with the enormous time and space requirements of model checking problems. We show that our uniform methodology enables us to develop algorithms for a number of verification problems which are as efficient as the best existing algorithms for these problems, and additionally our algorithms are simultaneously on the fly, local and incremental.

A number of process algebraic approaches also evolved in the last 10-15 years, including CSP [Hoa84], CCS [Mil89], ACP [BK84], etc. In these approaches a system is described as a term in an algebra. A term is constructed from a few primitive process terms using the operators of the algebra. The primitives usually correspond to standard systems; for example, 0 might correspond to a system that does not engage in any activity. Some set of actions is defined depending on the application domain. For example, in modeling a communication protocol at an abstract level, one might denote the action of sending a message by an action symbol a, the action of receiving a message as action b, and every other action of the sender and receiver as τ, which stands for an internal or invisible action. The operators are used to construct process terms corresponding to more complex systems. For example, there may be a prefixing operator denoted by · such that a · 0 denotes a process that engages in action a and then does nothing. In general, given a process P and an action a, a · P denotes a new process that engages in action a and then behaves like the process corresponding to P. Similarly, there may be a choice operator denoted by +, such that P + Q denotes a system that can nondeterministically behave like P or Q. Also, there may be an operator ‖ for parallel composition, which denotes a system that has two communicating components P and Q that communicate according to some rules of composition. The properties of these primitives and the operators are usually given axiomatically. Given the set of primitive processes (constants), variables and the operators, the term algebra of such an equational theory is a process algebra.

However, given a system description as a process term, one has to attach semantics to it formally in order to understand the behavior of the system it denotes. Usually a Plotkin style [Plo81] rule based operational semantics is used to give operational meaning to these terms. For example, to give semantics to a term P + Q one specifies two conditional rules as follows.

$$\frac{P \xrightarrow{a} P'}{P + Q \xrightarrow{a} P'} \qquad \text{and} \qquad \frac{Q \xrightarrow{a} Q'}{P + Q \xrightarrow{a} Q'}$$

This intuitively states when the process term P + Q can engage in an a action and how it may behave afterwards. It may either behave as P' or Q', depending on the structures of P and Q.
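As an added example (not part of the thesis), the following Python applies the two choice rules above, together with the standard prefix rule (a · P performs a and then behaves as P; assumed here, since the page states only the choice rules), to derive the transitions of a term and to collect the reachable subterms as the states of its transition system. The term a · 0 + a · (b · 0) is constructed for the demonstration.

```python
"""Deriving a transition system from a process term via SOS rules.

Added example, not part of the thesis.  The two choice rules are the ones
stated on the page; the prefix rule (a.P performs a and then behaves as P)
is the standard one and is assumed here.  Terms are built from 0, prefixing
and +.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class Nil:
    """The inactive process 0."""


@dataclass(frozen=True)
class Prefix:
    """a.P: engages in `action`, then behaves like `cont`."""
    action: str
    cont: "Term"


@dataclass(frozen=True)
class Choice:
    """P + Q: behaves nondeterministically like P or like Q."""
    left: "Term"
    right: "Term"


Term = Union[Nil, Prefix, Choice]


def step(term: Term) -> List[Tuple[str, Term]]:
    """All transitions term --a--> term' derivable by one rule application.

    Prefix:  a.P --a--> P                       (assumed standard rule)
    Choice:  P --a--> P'  gives  P+Q --a--> P'  (first rule on the page)
             Q --a--> Q'  gives  P+Q --a--> Q'  (second rule on the page)
    0 has no transitions.
    """
    if isinstance(term, Nil):
        return []
    if isinstance(term, Prefix):
        return [(term.action, term.cont)]
    if isinstance(term, Choice):
        return step(term.left) + step(term.right)
    raise TypeError(f"not a process term: {term!r}")


def show(term: Term) -> str:
    """Render a term in the page's notation."""
    if isinstance(term, Nil):
        return "0"
    if isinstance(term, Prefix):
        return f"{term.action}.{show(term.cont)}"
    return f"({show(term.left)} + {show(term.right)})"


def transition_system(root: Term) -> Tuple[Set[Term], Set[Tuple[Term, str, Term]]]:
    """Each reachable (sub)term becomes a state; the transition relation is
    the closure of `step` starting from the root term."""
    states: Set[Term] = set()
    transitions: Set[Tuple[Term, str, Term]] = set()
    work = [root]
    while work:
        t = work.pop()
        if t in states:
            continue
        states.add(t)
        for a, t2 in step(t):
            transitions.add((t, a, t2))
            work.append(t2)
    return states, transitions


# Constructed example term: a.0 + a.(b.0).  Both summands start with a, so
# the root state has two a-transitions (nondeterminism), to 0 and to b.0.
EXAMPLE = Choice(Prefix("a", Nil()), Prefix("a", Prefix("b", Nil())))

if __name__ == "__main__":
    states, transitions = transition_system(EXAMPLE)
    print("states:", sorted(show(s) for s in states))
    for src, a, dst in sorted(transitions, key=lambda tr: (show(tr[0]), tr[1], show(tr[2]))):
        print(f"  {show(src)} --{a}--> {show(dst)}")
```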

Given an operational semantics, one can easily obtain a state transition system corresponding to a process term. Each subterm in the term corresponds to a state in this transition system. The transition relation is obtained using the operational semantics of the terms. Note that two distinct process terms might represent the same system at two different levels of abstraction. Therefore it is desirable that there is a way to relate them. One possibility is to relate the two transition systems corresponding to these process terms via some equivalence relation. For this reason, bisimulation equivalence was first formulated by Park [Par81] and was later adopted by Milner [Mil80] for CCS. Since then a number of such relations have been defined between process terms or between transition systems. A survey of such relations appears in [vG90] and a recent survey on the complexity of deciding these relations appears in [HS96].

In this thesis, we consider process algebraic verification at the level of transition systems. Given process terms one can obtain the transition systems from those terms by applying the operational semantics of the process algebra. The relational verification then amounts to establishing the appropriate equivalences and preorders between transition systems. We call the verification methodology based on establishing various relations between transition systems process algebraic verification because most of these relations originated from semantic considerations for process algebraic languages.

1.2 Objective

The following activities are undertaken in the development of a methodology for the verification of finite state systems. The main activities include:

1. Development of modeling paradigms.
2. Development of specification paradigms.
3. Definition of an appropriate notion of conformance.
4. Development of algorithms to check conformance and/or to generate diagnostic information.
5. Implementation of a tool suite and optimization of its performance.
6. Characterization of subclasses of verification problems for which efficient algorithms are possible.

We use finite state transition systems to model real systems. Transition systems can be easily obtained from many other models such as process algebras, Kripke structures, etc. Also, finite state transition systems are easier to understand and they can be easily manipulated when composition of such systems is investigated. We consider two specification paradigms. In what we call process algebraic verification, we consider a transition system at a higher level of abstraction as the system specification also. This is done in most process algebraic frameworks. The correctness criterion is given via some notion of conformance. If the transition system modeling an implementation conforms to the specification, then some appropriate equivalence or preorder holds between the transition system representing the implementation and the one representing the specification. We also consider modal logics as specification languages. Although our uniform methodology applies to most other modal logics, we illustrate it through equational $\mu$-calculus [CS91]. Producing diagnostic information is probably the most important part of a verification tool because in the industrial context debugging is very important, and when a system model fails to satisfy a property one needs to know the reason so that a revision of the design can be made. We concentrate on this aspect of a verification methodology and show that our methodology is capable of producing diagnostic information without any additional complexity overhead. On the implementation side, although we are planning the design of a new tool suite, we have not implemented any so far. However, as discussed in the beginning of this chapter, this uniform methodology gives us a better and stratified design of a verification tool suite.

Complexity theoretic characterization plays an important role in this thesis. First of all, by identifying the main algorithmic issues underlying all the verification problems considered, we gain clarity which enables us to easily characterize a class of problems which are efficiently parallelizable. Secondly, we look at the process algebraic verification problems when the system model is not an explicitly represented transition system but is implicitly described as a parallel composition of transition systems. In real designs, that is a commonly encountered description mechanism. We establish uniform lower bounds for classes of problems and show matching upper bounds for some of these problems.

We also give a sufficient characterization of the process algebraic relations in the linear-time/branching-time spectrum of [vG90] which are polynomial time decidable. We take a game theoretic approach to provide this characterization.

1.3 Overviews

1.3.1 Process Algebraic Equivalences and Preorders

Here, we consider equivalences and preorders that arise in the study of interleaving semantics in the context of process calculi in the tradition of CCS [Mil80] and CSP [Hoa84]. Most of these preorders and equivalences originate in the literature of comparative concurrency semantics [vG90, BIM88, GV92]. In comparative concurrency semantics, the main emphasis is on full abstraction, and different equivalences have been found to be fully abstract for different language constructs. For example, bisimulation equivalence is used in CCS [Mil80, Mil89] to identify processes which are equivalent under a particular semantic notion [Par81, Mil89]. However, in [BIM88], bisimulation has been shown not to be fully abstract and the notion of ready simulation has been defined. In [GV92], a new notion of 2-nested simulation equivalence has been defined and shown to be fully abstract for languages with a general format called the tyft/tyxt format.

In computer-aided verification, the process algebraic relations have been extensively used to prove the correctness of concurrent systems [BCM+92, Cle93b]. The correctness criterion is that the implementation is equivalent to the specification. Also, establishing that a given simulation relation holds has been used as a partial procedure for proving some safety properties [LV91].

In [vG90] van Glabbeek proposed the linear/branching time spectrum as a unifying framework for classifying all known equivalences in the area of comparative concurrency semantics. We shall follow this classification here. Figure 1.2 [vG90] illustrates the classification as a hierarchy with the help of a Hasse diagram. The arrows in the diagram imply strict inclusion. Hence if there is an arrow from a relation R to another relation Q, that means R is less discriminating than Q. In other words, if two processes are related by R then they must be related by Q, but the converse is not true in general. The least discriminating equivalence (i.e. the coarsest equivalence) is trace equivalence, shown at the bottom of the diagram. The most discriminating, or the finest, equivalence is bisimulation equivalence, shown at the top. As all equivalences except bisimilarity are defined as the symmetric closure of a preorder, there is a similar hierarchy for the preorders also, illustrated in Figure 1.3.

Motivated by the importance of these relations in automated verification, several researchers have studied the decision problems for these relations [KS90, PT87, HT94, SRHS96, BP94, And93, And94, ABGS91, CS91, MS95, HS96]. It is well known that all behavioral relations in the van Glabbeek hierarchy are decidable for finite-state processes, and the main concern is therefore that of the computational complexity of the decision procedures.

Also, note that in the hierarchy shown here we have depicted only the strong relations, which means that the internal actions are considered as ordinary actions. If instead weak relations are considered, that is, if we give special status to the internal actions so that an action a can be matched against a number of internal actions followed by an a action followed by a number of internal actions, then we get a similar hierarchy. The finest relation in that hierarchy will be weak bisimulation and the coarsest relation will be weak trace equivalence. Some of the uniform lower bound results in Chapter 7 are for this hierarchy of weak relations rather than the van Glabbeek hierarchy depicted here.

[Figure 1.2: The linear-time/branching time hierarchy of equivalences. Hasse diagram; its nodes, as they appear in the figure with bisimulation equivalence at the top and trace equivalence at the bottom, are: bisimulation equivalence, 2-nested simulation equivalence, ready simulation equivalence, simulation equivalence, possible-futures equivalence, 2-bounded-tr-bisimulation, readiness equivalence, ready trace equivalence, failures trace equivalence, failures equivalence, completed trace equivalence, trace equivalence.]

1.3.2 Model Checking

In model checking, the idea is to interpret some appropriate modal logic formulas over transition systems, and then to decide if a given transition system satisfies a given formula of the logic expressing some desirable property. Here the algorithmic problem is to decide, for a given model M and a given formula f in that logic, if $M \models f$.

[Figure 1.3: The linear-time/branching time hierarchy of preorders. Hasse diagram; its nodes, as they appear in the figure, are: 2-nested simulation preorder, ready simulation preorder, simulation preorder, possible-futures preorder, 2-bounded-tr-bisimulation preorder, readiness preorder, ready trace preorder, failures trace preorder, failures preorder, completed trace preorder, trace preorder.]

Clarke and Emerson [CE81] and Queille and Sifakis [QS81] independently started this algorithmic approach towards proving correctness of finite state systems. Clarke and Emerson [CE81, CES86] gave a model checking algorithm for the branching time logic CTL. However, around the same time Pratt and Kozen introduced a temporal logic where they combined a standard modal logic of actions with a least and a greatest fixed point operator. The fixed point operators allow expression of properties of executions of unspecified length. This proves extremely useful since most reactive systems have computations of unspecified lengths and most useful properties of such systems refer to such computations. This logic, known as the modal $\mu$-calculus, subsumes many temporal logics [Bra92, BCM+92], and many logics are translated very efficiently to various fragments of this calculus. Hence, there has been a lot of work in finding efficient model checking algorithms for the $\mu$-calculus [EL86, And93, And94, CS91].

In this thesis, a particular variant of the $\mu$-calculus called equational $\mu$-calculus [CS91] is used for illustrating our methodology for deriving model checking algorithms. Equational $\mu$-calculus is as expressive as ordinary $\mu$-calculus [CS91], and ordinary $\mu$-calculus formulas can be translated into equational $\mu$-calculus formulas with at most a linear increase in size.

Early model checkers [CE81, CES86] used a global strategy for model checking. For a given formula, they constructed the set of all subformulas and for each subformula exhaustively searched through the state space of the model to find the set of states that satisfy the subformula. Eventually, if the initial state of the system belongs to the set of states that satisfy the original formula, then the model checking is said to have a positive answer. However, the disadvantages of these global methods are as follows. First, they needed the full state space generated in memory before starting the search. This puts a limit on the size of the system that can be model checked. Second, many times the system fails to satisfy the property. But the global methods execute an exhaustive search when, in fact, the failure to satisfy the property might be attributed to the states which are reachable in a few steps from the start state. To circumvent these pragmatic problems, researchers have considered on the fly model checking [CVWY92, BCG95] and local model checking [SW91, Lar90, Bra92], which have proved advantageous in locating bugs in incorrect designs even for very large designs, whereas verifying correctness of designs of comparable size may not be possible because of memory limitations.

If small revisions of an already verified design are made, then it might be useful to reuse some information saved from the previous verification effort to speed up the verification of the revised design. Such verification algorithms are called incremental algorithms [SS94]. We show in Chapter 5 that our uniform methodology enables us to obtain model checking algorithms that are naturally on the fly, local and incremental.

1.3.3 Uniform Lower Bounds

Given a domain D of objects (such as automata, program schemes, grammars, transition systems, etc.) and a class of relations $\mathcal{R} = \{\rho \mid \rho \subseteq D \times D\}$, one can consider a class of decision problems parameterized by the relations from $\mathcal{R}$ as follows.

$\Pi_{\mathcal{R}} = \{\Pi(\rho) \mid \rho \in \mathcal{R}\}$, where $\Pi(\rho)$ denotes the following decision problem: given $O_1, O_2 \in D$ as inputs, decide if $(O_1, O_2) \in \rho$.

In the early 70's much research was carried out in proving uniform lower bounds for classes of such problems for program schemata, grammars, automata, etc. Techniques for proving such uniform lower bounds can be found in [HS76, Hun76, HR83, HR84, Hun84].

The second aspect of the research in [Hun76, HR83, Hun84] was to consider the classes of problems which are parameterized both by the relations and by a fixed object from the domain.

A class of problems parameterized by relations from $\mathcal{R}$ and fixed objects from D: $\Pi_{\mathcal{R}}^{D} = \{\Pi(\rho, O_f) \mid \rho \in \mathcal{R},\, O_f \in D\}$, where $\Pi(\rho, O_f)$ denotes the following decision problem: given $O \in D$ as input, decide if $(O, O_f) \in \rho$, where $O_f$ is a fixed object from the domain.

To appreciate the reason for considering complexity bounds for this second class of problems, recall the following facts. Usually when lower bound results are established, worst case instances are constructed. For example, to show that the equivalence problem for regular expressions is PSPACE-hard, it was shown that there is a regular expression r over an alphabet $\Sigma$ such that deciding whether r is equivalent to $\Sigma^*$ is PSPACE-hard. However, there are regular expressions (for example the regular expression denoting the empty language) such that deciding equivalence to them may be much easier. So an interesting question is to characterize the class of fixed regular expressions for which the equivalence problem is uniformly hard. In the present work we consider all the process algebraic relations between weak bisimulation equivalence and trace preorder as our set of relations, all transition systems specified using parallel composition with hiding abstraction as our domain of inputs, and all transition systems as our domain of fixed objects. We prove a uniform PSPACE-hard lower bound for the whole class of problems $\Pi_{\mathcal{R}}^{D}$. In many verification systems, libraries of transition systems corresponding to specific properties are built, and the verification entails establishing relations to these fixed transition systems. This provides a motivation for investigating these lower bounds.

A uniform lower bound for the class of problems $\Pi_{\mathcal{R}}$ is said to be a tight uniform lower bound if there exists a relation $\rho \in \mathcal{R}$ such that the upper bound on $\Pi(\rho)$ matches this lower bound. Similarly, a uniform lower bound for the class of problems $\Pi_{\mathcal{R}}^{D}$ is a tight uniform lower bound for this class if the following condition holds: there exists a relation $\rho \in \mathcal{R}$ and a fixed object $O_f \in D$ such that the upper bound on the problem $\Pi(\rho, O_f)$ matches the uniform lower bound.

One of the central techniques used in the work of Hunt, Szymanski, Rosenkrantz et al. was that of dichotomization [HS76] and reduction of an appropriate executability or reachability problem to a class of problems. The idea of dichotomy turns out to be very strong in the sense that it can be used to prove uniform lower bounds for possibly infinitely many relational decision problems. We have used the same dichotomization idea in the context of process algebraic relational problems. Therefore, we briefly discuss the idea of dichotomy here.

Let $\rho$ be any relation (say a binary relation over a domain of objects such as automata, program schemes or grammars) between two relations $\alpha$ and $\beta$. In other words, $\rho$ is a weaker relation than $\alpha$ and stronger than $\beta$. Let us consider a suitable executability problem for an object O in our domain of objects (it may be a function executability problem for a program scheme, a state reachability problem for automata, etc.). From O create two new objects $O_1$ and $O_2$ such that either $(O_1\, \alpha\, O_2)$ or $\neg(O_1\, \beta\, O_2)$. The construction should be such that if the answer to the executability problem is "yes", then $(O_1\, \alpha\, O_2)$ holds, and if the answer is "no", then $\neg(O_1\, \beta\, O_2)$. Now $(O_1\, \rho\, O_2)$ would imply $(O_1\, \beta\, O_2)$, which because of the dichotomy implies that the answer to the executability problem is "yes". However, if $\neg(O_1\, \rho\, O_2)$ then $\neg(O_1\, \alpha\, O_2)$, which implies that the answer to the executability problem is "no". Thus, deciding any relation $\rho$ which is weaker than $\alpha$ and stronger than $\beta$ is shown to be at least as hard as the chosen executability problem.

Here we show how similar ideas carry over to all relations in the linear-time/branching-time hierarchy, and more generally to any relations between bisimulation equivalence and trace preorder. In Chapter 7 we show that for all relations between bisimulation and trace preorder, when the systems are represented as parallel compositions (without hiding) of transition systems, the use of this technique yields uniform NSPACE(n) lower bounds, which are the tightest possible uniform bounds for these problems. This tightness is shown by proving the existence of relations in this class which have matching upper bounds.

In earlier work [Rab92, Rab95] a PSPACE-hard lower bound was established using a different technique which might be called collapsing. [Rab92, Rab95] used the fact that there is a class of transition systems (parallel composition of deterministic transition systems) for which the whole hierarchy of relations collapses to the bisimulation problem, and then showed a PSPACE-hard lower bound for the bisimulation problem. Comparison of the lower bound results in [Rab92, Rab95, GM92] with ours shows that we prove stronger results, and that our reduction techniques have significant implications not obtainable from those previous results in [Rab92, Rab95, GM92]. Chapter 7 details these results and gives comparisons. Here we discuss some of our results and reductions and their implications.

1. We fully characterize the complexity of the reachability problem for the parallel composition of finite sequential transition systems.
The reachability problem for finite state processes is the problem of deciding if a given state is reachable in some execution of a given process specification. The complement of the reachability problem is called the nonreachability problem. We show that both problems are NSPACE(n)-complete when the individual transition systems in the composition (both with and without hiding) are deterministic as well as when they are nondeterministic. We use this result to establish an NSPACE(n)-hard lower bound for all relations between bisimulation and trace preorder. This result is very similar to the NSPACE(n) lower bound established in [RH93] for the reachability problem in a network of finite state machines.

2. Although [Rab92, Rab95] proved PSPACE-hardness for all equivalences between bisimulation and trace equivalence when processes are represented by parallel composition with hiding, we show that deciding all these relations is NSPACE(n)-hard even without hiding. After [SHRS96b] appeared, it was claimed in [Rab96] that the stronger result establishing the PSPACE-hard lower bound for the case without hiding could be proven in [Rab92]. However, since there was no explicit result of that nature in [Rab92, Rab95], we regard this as a new result. Since establishing PSPACE-hardness in all these cases has been via generic reductions (for example see [RH93]), it is not difficult to see that by slight changes in the constructions in [Rab95] one can obtain the lower bound for the case without hiding. But our reduction is quite different from the reduction in [Rab95] and has the following advantages over it.

(a) Our reduction shows that the problems are NSPACE(n)-hard, whereas the reduction in [Rab92, Rab95] establishes at best a DSPACE(n)-hard lower bound.

(b) We also show that there are some relations in the class of relations considered for which the upper bound is NSPACE(n), and hence we get a tight uniform lower bound. Hence, unless DSPACE(n) = NSPACE(n), our results are stronger.

(c) The lower bound proof in [Rab92, Rab95] uses a reduction where the resulting parallel system is highly centralized. Thus his reduction proves the lower bound only for centralized systems where there is one process with which every other process communicates but none of the other processes communicate with each other. We believe that such a system cannot be called a truly distributed parallel system. Our reduction yields a parallel system where there are local interactions between processes.

(d) Moreover, in the reduction in [Rab95], the central process has to communicate with an unbounded number of processes. Hence, it proves the lower bound for a star topology of process networks where the center of the star has unbounded degree, which is unrealistic because of physical limitations on the number of channels a process might be allocated. In our case, the processes communicate with at most two other processes (see footnote 4) and hence represent a more feasible model of interaction. Moreover, our reduction shows that the network of processes is a linear array for which this lower bound holds. Since the significance of a lower bound depends on the kind of instances for which the lower bound holds, our lower bound is more significant. A linear array of processes can be embedded in most other network topologies, and hence our lower bound holds for most realistic models of distributed parallelism.

(e) The reduction in [Rab92, Rab95] is from a deterministic polynomial space bounded machine, whereas our reduction is from a nondeterministic device, so we can obtain other lower bound results in [GM92, Rab92, Rab95] as particular cases. For example, [GM92, Rab92, Rab95] used different reductions for proving the Co-NP-hardness of the problem of deciding relations between interacting acyclic transition systems. We can obtain the same result from a particularization of the generic reduction. A similar particularization of the reduction in [Rab92, Rab95] can at best lead to a P-hardness result.

Footnote 4: Note that if each process is restricted to interact with at most one process, then we can partition the set of processes into groups of two processes which do not interact, and hence many of the decision problems become easy [GM92].

We also consider the class of problems $\Pi_{\mathcal{R}}^{D}$ where $\mathcal{R}$ is the class of relations between weak bisimulation equivalence and trace preorder and D is the domain of transition systems. Using ideas similar to dichotomization, we establish a uniform NSPACE(n)-hard lower bound for this class when D is the domain of transition systems represented with parallel composition and hiding. We also prove Co-NP-hard lower bounds for this class of problems when D is the domain of transition systems represented as parallel compositions of acyclic transition systems with hiding. These uniform lower bounds are also tight uniform bounds because there are fixed transition systems in these domains and there are relations such that the corresponding decision problems in this class have upper bounds that match the uniform lower bounds.

Our uniform lower bound results can also be extended to many other succinct representations of processes, including composition of I/O automata [LV91] and networks of interconnected automata [ASSB94].

We also use techniques similar to dichotomization to obtain uniform lower bound results for deciding classes of predicates for parallel transition systems.

1.4 Organization of the Thesis

This thesis is organized as follows. In Chapter 2 we provide relevant definitions and results used throughout the thesis. We assume knowledge of complexity theory and provide no definition of any complexity theoretic concepts. Definitions of various complexity classes can be found in [HU79, Pap94]. We define all process algebraic concepts considered here, the syntax and semantics of equational $\mu$-calculus, and HORNSAT and its variants. We also prove some results about the efficient solvability of HORNSAT and its variants.

In Chapter 3 we present our uniform framework for deriving efficient algorithms for all simulation-like relations in the linear-time/branching-time hierarchy. We also present some interesting corollaries, including efficient algorithms for computing simulations on finite graphs, an NC algorithm for deciding bisimulation between deterministic transition systems, etc. The results in this chapter also appear in our paper [SRHS96].

In Chapter 4 we present a uniform game theoretic formulation which enables us to obtain a sufficient condition on process algebraic relations so that they are polynomial time decidable. We present a parameterized class of games which we named the Stirling class, after Colin Stirling who first proposed the characteristic game for bisimulation in [Sti93]. We show that by varying these parameters we can obtain characteristic games for all the relations in the linear-time/branching-time hierarchy [vG90]. We then show that under certain conditions, the problem of deciding the winning strategy in such games can be efficiently reduced to the (N)HORNSAT problem. This leads us to the sufficiency characterization. These results were previously presented in our paper [SHR96a].

In Chapter 5 we show how our (N)HORNSAT based methodology can be used to obtain a model checking algorithm for the alternation-free equational $\mu$-calculus [CS91] which is as efficient as the best known algorithms [CS91, And94]. Our algorithm also has other advantages, namely, it is on the fly, local and incremental. We derive this model checking algorithm for the alternation free fragment of the $\mu$-calculus as an illustration. We point out that we can obtain model checking algorithms for CTL, LTL, etc., which are as efficient as the best known existing ones and yet local, on the fly and incremental. We also discuss subclasses of model checking problems for which efficient parallelization is possible. Some of the results in this chapter appear in our papers [SHR96a, SHR95, SHR+96c].

In Chapter 6 we illustrate how our HORNSAT based methodology can be extended to obtain diagnostic information without any additional asymptotic complexity overhead. We illustrate this through two examples. First we show how to extend the NHORNSAT based algorithm for checking bisimulation equivalence to obtain diagnostic information in the form of Hennessy-Milner logic formulas. Then we consider the prebisimulation preorder. Prebisimulation is a preorder relation between transition systems which are incompletely specified or under-defined. Given a transition system, its behavior at some states on certain actions may be incompletely specified. Hence, under-definedness is a relation $\uparrow \subseteq S \times Act$, where S is the set of states and Act is the set of actions. If $\uparrow = \emptyset$, then we obtain ordinary transition systems. Many existing preorders can actually be looked upon as special cases of prebisimulation. In [CC92], this particular preorder was considered for developing the notion of diagnostics generation. Following [CC92], we use the same set up and show that our methodology yields the diagnostic information more efficiently than the algorithms given in [CC92]. This extension of our methodology for generating diagnostic information is quite general and can be applied to any of the algorithms presented earlier.

In Chapter 7 we present uniform lower bound results for relational problems for succinctly represented transition systems. We also prove other lower bound results for ordinary transition systems at the end of this chapter. Most of these results also appear in [SHR+96b, SHRS96b, SHRS95].

Chapter 8 consists of some discussion on the results of this research work and presents some open problems.


Chapter 2
Preliminary Definitions and Results

In this chapter we define the relevant terminology and discuss some results upon which the research in this thesis is based. In particular, we define the following:

1. Transition systems as our model of finite state processes,
2. Various equivalences and preorders between transition systems, and
3. Various logical theories that are relevant to the verification problems that we have been studying in this thesis.

2.1 Basic Definitions

2.1.1 Transition Systems, Simulations and Equivalences

In this section we briefly discuss transition systems as our model of finite state systems. Transition systems are semantic objects corresponding to CCS [Mil89] or CSP [Hoa84] terms. The operational semantics of an abstract programming notation like CSP/CCS has two stages. The first is deriving a labelled transition system, whose states correspond to the terms of the language and whose transitions are given in the structured operational semantics technique of Plotkin [Plo81]. Thus, given a term $\alpha$ in the language, the state corresponding to this term is the start state of the transition system corresponding to $\alpha$. The second stage involves defining appropriate equivalence relations on the transition systems. Two terms are defined to have the same operational semantics if their transition systems are in the same equivalence class. We now define these concepts more precisely.

In modelling finite state systems, one abstracts a real system under consideration by deciding which aspects of the real system are relevant to the property being verified. As a result, one decides which actions of the system are to be considered observable actions and which ones can be abstracted out as internal actions. This way, one fixes the action alphabet Act while modelling the real system as a finite state transition system.

In the following definitions, Act is a set of actions containing a special action $\tau$ called the internal action, which is assumed to be unobservable (invisible).

Definition 2.1.1
1. A transition system T over Act is a triple $\langle S, D, s_1 \rangle$ where S is a set of states, the set of transitions is $D \subseteq S \times Act \times S$, and $s_1 \in S$ is the starting state.
2. $T = \langle S, D, s_1 \rangle$ is said to be finite if both S and Act are finite.
3. $ext(T) = Act - \{\tau\}$ is the set of external or visible (observable) actions.
4. If $\sigma$ is a countable sequence over Act, then $\hat{\sigma}$ is the sequence over $ext(T)$ obtained by deleting all occurrences of $\tau$ actions in $\sigma$.
5. We write $p_1 \xrightarrow{a} p_2$ if $(p_1, a, p_2) \in D$. In addition we write $p_1 \stackrel{\sigma}{\Longrightarrow} p_2$, and call this an extended step, if $\sigma$ is a sequence of actions such that there is a sequence of transitions from state $p_1$ to a state $p_2$ through some intermediate steps whose sequence of actions is $\sigma$.
6. Given $T = \langle S, D, s_1 \rangle$, let $\hat{D} = \{(p, a, p') \mid p \in S \wedge a \in Act \wedge p' \in S \wedge \exists \sigma \in \tau^* a \tau^* : p \stackrel{\sigma}{\Longrightarrow} p'\}$ (see footnote 1). We call $\hat{D}$ the extended transition relation of T.

A transition system can be represented graphically by an edge labelled directed multigraph with a special vertex denoting the starting state. In such a graphical representation, the vertex corresponding to the starting state is understood from context or is indicated by an arrow adjacent to it. Transition systems are similar to classical NFAs with two important differences. First, transition systems have a single starting state. Second, there is no concept of a final state. This is because transition systems are not used as language recognizers.

This definition of transition systems corresponds to the untimed automata of Lynch and Vaandrager [LV91], except that transition systems have a single starting state. However, one can easily see that one can obtain a transition system with a single start state which is weakly bisimilar (see footnote 2) to one with multiple start states by the addition of a single start state and transitions over internal actions to all of the multiple start states. Hence, many of our results can also be extended to transition systems with multiple starting states. However, to simplify the presentation, we assume here that there is only one starting state.

We now define several terms that are used in later definitions. In the following definitions, we use the notation of [HT94].

Definition 2.1.2 Let $T = \langle S, D, s_1 \rangle$ be a transition system and let $p \in S$.
1. The initial set of p is defined as $init(p) = \{a \in Act \mid \exists t \in S \text{ such that } (p, a, t) \in D\}$.
2. p is said to be a terminal state if $init(p) = \emptyset$.

We now define the various relations we consider in this thesis. Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two transition systems.

Footnote 1: $\tau^* a \tau^*$ denotes the set of all sequences which have zero or more internal actions followed by the visible action a followed by another sequence of zero or more internal actions.
Footnote 2: See the definitions below.

De�nition 2.1.3 Let R � S � T be a binary relation between S and T . R is asimulation if8(s; t) 2 R(8a 2 Act;8s0 2 S((s; a; s0) 2 D1 ) (9t0 2 T ((t; a; t0) 2 D2 ^ (s0; t0) 2 R)))).R is a bisimulation if R and R�1 are both simulations.R is a ready simulation if R is a simulation and for each (s; t) 2 R, init(s) =init(t).R is a complete simulation if R is a simulation and for all (s; t) 2 R, init(s) =� , init(t) = �.We now use the above de�nitions to de�ne the equivalences and preorders consid-ered here.De�nition 2.1.4 Let T1 = hS;D1; s1 i and T2 = hT;D2; t1 i be two transition sys-tems. We de�ne T1 to be bisimulation equivalent to T2, denoted by T1 �bsim T2,i� there is a bisimulation R such that (s1; t1) 2 R.T1 is said to be simulated by T2, denoted by T1 �sim T2, i� there is a simulationR such that (s1; t1) 2 R.T1 and T2 are simulation equivalent, denoted by T1 �sim T2, i� both T1 �sim T2and T2 �sim T1.T1 is said to be ready-simulated by T2, denoted by T1 �rsim T2, i� there is aready-simulation R such that (s1; t1) 2 R.T1 and T2 are ready-simulation equivalent, denoted by T1 �rsim T2, i� bothT1 �rsim T2 and T2 �rsim T1.T1 is said to be complete-simulated by T2 [vG90], denoted by T1 �csim T2, i�27

there is a complete-simulation $R$ such that $(s_1, t_1) \in R$.

$T_1$ and $T_2$ are complete-simulation equivalent, denoted by $T_1 \equiv_{csim} T_2$, iff both $T_1 \leq_{csim} T_2$ and $T_2 \leq_{csim} T_1$.

Definition 2.1.5 Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two transition systems. $B \subseteq S \times T$ is a weak bisimulation or observational equivalence [Mil89] relation from $T_1$ to $T_2$ if the following conditions are satisfied.

1. $(s_1, t_1) \in B$.

2. $\forall (r, s) \in B$, $w \in (Act - \{\tau\})^*$:
if $\exists \gamma : \hat{\gamma} = w \wedge r \stackrel{\gamma}{\Longrightarrow} r'$ then $\exists s' \exists \sigma : \hat{\sigma} = w \wedge s \stackrel{\sigma}{\Longrightarrow} s' \wedge (r', s') \in B$,
and if $\exists \sigma : \hat{\sigma} = w \wedge s \stackrel{\sigma}{\Longrightarrow} s'$ then $\exists r' \exists \gamma : \hat{\gamma} = w \wedge r \stackrel{\gamma}{\Longrightarrow} r' \wedge (r', s') \in B$.

If there exists a weak bisimulation from $T_1$ to $T_2$, then we say that they are weak bisimulation equivalent, denoted by $T_1 \equiv_{wbsim} T_2$.

Definition 2.1.6 Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two transition systems. We say $\gamma$ is a trace of a transition system $T = \langle S, D, s \rangle$ if there is a finite sequence (see footnote 3) $\sigma \in Act^*$ for which there is a state $q \in S$ such that $s \stackrel{\sigma}{\Longrightarrow} q$ and $\gamma = \hat{\sigma}$. Let $traces(T)$ denote the set of all finite traces of a transition system $T$. We define the trace preorder (see footnote 4) and trace equivalence as follows. If $traces(T_1) \subseteq traces(T_2)$ then we say that $(T_1, T_2)$ is in the trace preorder and denote this by $T_1 \leq_{trace} T_2$. If $traces(T_1) = traces(T_2)$ then we say that $T_1$ and $T_2$ are trace equivalent and denote this by $T_1 \equiv_{trace} T_2$.

We now define failure and readiness equivalences.

Definition 2.1.7 The failure set of a state $s$ in a transition system $T$, denoted by $Failures(s)$, is defined by

Footnote 3: We do not consider infinite traces here.

Footnote 4: A binary relation is called a preorder if it is reflexive and transitive.

$Failures(s) = \{(x, Z) \in (Act - \{\tau\})^* \times 2^{(Act - \{\tau\})} \mid \exists q \in S\ \exists \sigma \in Act^* : s \stackrel{\sigma}{\Longrightarrow} q \text{ and } init(q) \cap Z = \emptyset \text{ and } \hat{\sigma} = x\}$

Two transition systems $T_1$ and $T_2$ are Failure Equivalent if $Failures(s_1) = Failures(s_2)$, where $s_1$ and $s_2$ are the start states of $T_1$ and $T_2$.

Definition 2.1.8 The ready set of a state $s$ in a transition system $T$, denoted by $Readies(s)$, is defined by

$Readies(s) = \{(x, Z) \in (Act - \{\tau\})^* \times 2^{(Act - \{\tau\})} \mid \exists q \in S\ \exists \sigma \in Act^* : s \stackrel{\sigma}{\Longrightarrow} q \text{ and } init(q) = Z \text{ and } \hat{\sigma} = x\}$

Two transition systems $T_1$ and $T_2$ are Readiness Equivalent if $Readies(s_1) = Readies(s_2)$, where $s_1$ and $s_2$ are the starting states of $T_1$ and $T_2$.

Next, we define forward simulation and backward simulation following [LV91]. We have adapted these definitions for transition systems.

Definition 2.1.9 Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two finite transition systems. Let $F$ be a binary relation between $S$ and $T$. $F$ is a forward simulation (or possibilities mapping) from $T_1$ to $T_2$ if the following conditions are satisfied.

1. $(s_1, t_1) \in F$.

2. $\forall (s, t) \in F\ (\forall a \in Act, \forall s' \in S\ ((s, a, s') \in D_1 \Rightarrow (\exists t' \in T\ (\exists \sigma \in \tau^* a \tau^*\ (t \stackrel{\sigma}{\Longrightarrow} t' \wedge (s', t') \in F)))))$.

We write $T_1 \leq_F T_2$ if there is a forward simulation from $T_1$ to $T_2$. $T_1$ and $T_2$ are forward-simulation equivalent, denoted by $T_1 \equiv_F T_2$, iff both $T_1 \leq_F T_2$ and $T_2 \leq_F T_1$.

Definition 2.1.10 Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two finite transition systems. Let $B$ be a total (see footnote 5) binary relation between $S$ and $T$. $B$ is a backward simulation from $T_1$ to $T_2$ if the following conditions are satisfied.

1. $(s_1, t_1) \in B$ and there is no other $t \in T$ such that $(s_1, t) \in B$.

2. $\forall (s', t') \in B\ (\forall a \in Act, \forall s \in S\ ((s, a, s') \in D_1 \Rightarrow (\exists t \in T\ (\exists \sigma \in \tau^* a \tau^*\ (t \stackrel{\sigma}{\Longrightarrow} t' \wedge (s, t) \in B)))))$.

We write $T_1 \leq_B T_2$ if there is a backward simulation from $T_1$ to $T_2$. $T_1$ and $T_2$ are backward simulation equivalent, denoted by $T_1 \equiv_B T_2$, iff both $T_1 \leq_B T_2$ and $T_2 \leq_B T_1$.

Now we consider a generalization of simulation relations.

Definition 2.1.11 Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two finite transition systems. Let a $\Gamma$-simulation be a relation from $S$ to $T$ which satisfies certain constraints. As in all our previous definitions, we say $T_1 \leq_\Gamma T_2$ if there is a $\Gamma$-simulation $R \subseteq S \times T$ containing $(s_1, t_1)$. We also define $\Gamma$-simulation equivalence as $T_1 \equiv_{\Gamma sim} T_2$ iff both $T_1 \leq_\Gamma T_2$ and $T_2 \leq_\Gamma T_1$.

We also define a $\Gamma$-simulation relation $R$ as a $\Gamma$-bisimulation if $R^{-1}$ is also a $\Gamma$-simulation relation.

Suppose that for some $\Gamma$-simulation relation defined on the transition systems, $T_1 \leq_\Gamma T_2$ is shown by constructing a binary relation $R$ from $S$ to $T$ such that $R$ is a $\Gamma$-simulation relation containing $(s_1, t_1)$. Then we say that $R$ is a witness of the $\Gamma$-simulation of $T_1$ by $T_2$.

Footnote 5: A binary relation $R \subseteq S \times T$ is total if for all $s \in S$ there exists $t \in T$ such that $(s, t) \in R$.

To determine whether two transition systems are $\Gamma$-simulation equivalent, we have to solve two decision problems, namely whether $T_1 \leq_\Gamma T_2$ and whether $T_2 \leq_\Gamma T_1$. Suppose the existence of a $\Gamma$-simulation is reducible to NHORNSAT. Then according to our reduction scheme this amounts to solving two NHORNSAT instances independently. However, in order to decide if they are $\Gamma$-bisimulation equivalent, we have to solve the conjunction of those two instances of NHORNSAT. The conjunction may be unsatisfiable while each of the two separate instances is satisfiable. This would imply that $\Gamma$-bisimulation is a finer relation than $\Gamma$-simulation.

We now define refinement mapping, history relation and prophecy relation, adapting the definitions given in [LV95] for transition systems.

Definition 2.1.12 Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two finite transition systems. A refinement from $T_1$ to $T_2$ is a function $r : S \rightarrow T$ such that the following conditions hold.

1. $r(s_1) = t_1$.

2. If $s \stackrel{a}{\rightarrow} s'$ in $T_1$ then $\exists \sigma \in \tau^* a \tau^*$ such that $r(s) \stackrel{\sigma}{\Longrightarrow} r(s')$ in $T_2$.

We write $T_1 \leq_R T_2$ if there exists a refinement from $T_1$ to $T_2$.

A relation $h$ over $S$ and $T$ is a history relation from $T_1$ to $T_2$ if $h$ is a forward simulation from $T_1$ to $T_2$ and $h^{-1}$ is a refinement from $T_2$ to $T_1$. We write $T_1 \leq_H T_2$ if there exists a history relation from $T_1$ to $T_2$.

A relation $p$ over $S$ and $T$ is a prophecy relation from $T_1$ to $T_2$ if $p$ is a backward simulation from $T_1$ to $T_2$ and $p^{-1}$ is a refinement from $T_2$ to $T_1$. We write $T_1 \leq_P T_2$ if there exists a prophecy relation from $T_1$ to $T_2$.

2.1.2 Parallel Composition and Hiding

Before we define parallel composition, we note that in the context of parallel composition a transition system is represented as a 4-tuple, rather than a 3-tuple as in

Definition 2.1.1. Here, a transition system $\langle S, D, s \rangle$ over an action alphabet $Act$ is represented as $\langle S, s, A, \rightarrow \rangle$, where $A = Act - \{\tau\}$ and $\rightarrow\ = D$ (see footnote 6). Although the composition we define here is in the style of CSP [Hoa84], the complexity bounds obtained in this thesis also hold for variants of this style of parallel composition, for example composition of I/O automata, composition in CCS [Mil89], etc.

The parallel composition of two transition systems $T_1$ and $T_2$, denoted by $T_1 \| T_2$, is defined as follows. Here we are defining synchronous parallel composition following Hoare [Hoa84].

Definition 2.1.13 Let $T_1 = \langle Q_1, q_{10}, A_1, \rightarrow_1 \rangle$ and $T_2 = \langle Q_2, q_{20}, A_2, \rightarrow_2 \rangle$. Let $T = T_1 \| T_2 = \langle Q, q_0, A, \rightarrow \rangle$. Then $Q = Q_1 \times Q_2$, $q_0 = (q_{10}, q_{20})$, $A = A_1 \cup A_2$. The transition relation $\rightarrow$ for $T$ is given by the following inference rules.

1. If $a \notin A_1 \cap A_2$ then
from $q_1 \stackrel{a}{\rightarrow}_1 q_2$ infer $(q_1, q) \stackrel{a}{\rightarrow} (q_2, q)$, and from $q_1 \stackrel{a}{\rightarrow}_2 q_2$ infer $(q, q_1) \stackrel{a}{\rightarrow} (q, q_2)$.

2. $\tau$-transitions:
from $q_1 \stackrel{\tau}{\rightarrow}_1 q_2$ infer $(q_1, q) \stackrel{\tau}{\rightarrow} (q_2, q)$, and from $q_1 \stackrel{\tau}{\rightarrow}_2 q_2$ infer $(q, q_1) \stackrel{\tau}{\rightarrow} (q, q_2)$.

3. If $a \in A_1 \cap A_2$ then
from $q_1 \stackrel{a}{\rightarrow}_1 q_1'$ and $q_2 \stackrel{a}{\rightarrow}_2 q_2'$ infer $(q_1, q_2) \stackrel{a}{\rightarrow} (q_1', q_2')$.

Now we define the Hiding operation on transition systems.

Definition 2.1.14 Let $T_1 = \langle Q_1, q_{10}, A_1, \rightarrow_1 \rangle$ be a transition system. Then $T = hide\ a\ in\ T_1$ is the transition system $\langle Q, q_0, A, \rightarrow \rangle$ where $Q = Q_1$, $A = A_1 - \{a\}$, $q_0 = q_{10}$, and the transition relation $\rightarrow$ of $T$ is defined by the following inference rules.

1. If $a' \neq a$ then
from $q_1 \stackrel{a'}{\rightarrow}_1 q_2$ infer $hide\ a\ in\ (q_1) \stackrel{a'}{\rightarrow} hide\ a\ in\ (q_2)$.

Footnote 6: This notational change is needed because in parallel composition the action alphabet differs from one transition system to another. However, it is assumed that all transition systems may have $\tau$ transitions, unless they are deterministic.

2. $\tau$-transitions:
from $q_1 \stackrel{\tau}{\rightarrow}_1 q_2$ infer $hide\ a\ in\ (q_1) \stackrel{\tau}{\rightarrow} hide\ a\ in\ (q_2)$, and from $q_1 \stackrel{a}{\rightarrow}_1 q_2$ infer $hide\ a\ in\ (q_1) \stackrel{\tau}{\rightarrow} hide\ a\ in\ (q_2)$.

Let $A \subseteq Act$ be a set of actions. Then $hide\ A\ in\ T$ means $hide\ a_1\ in\ (hide\ a_2\ in\ (\ldots (hide\ a_n\ in\ T) \ldots))$.

2.1.3 HORNSAT and NHORNSAT

Now we define NHORNSAT, which is the basis of our uniform methodology for deriving efficient algorithms for many verification problems.

Definition 2.1.15 A Boolean clause is a Horn clause if it has at most one positive literal. The satisfiability problem for conjunctions of Horn clauses is called HORNSAT. If instead of at most one positive literal each clause has at most one negative literal, then the satisfiability problem for conjunctions of such weakly negative [Sch78] clauses will be called NHORNSAT.

It is well known that HORNSAT is in $P$. A linear time algorithm for HORNSAT appears in [DG84]. It follows that NHORNSAT is also solvable in linear time.

Lemma 2.1.1 NHORNSAT is solvable in linear time [DG84].

Definition 2.1.16 The size of a HORNSAT or NHORNSAT instance is the sum of the sizes of the clauses. The size of a clause is the number of literals occurring in the clause.

Notation 2.1.1 An instance of HORNSAT or NHORNSAT is given as a pair $(X, C)$ where $X$ is the set of propositional variables and $C$ is the set of clauses.

Suppose $h = (X, C)$ is a HORNSAT instance which is satisfiable. Note that any satisfying assignment $\phi : X \rightarrow \{0, 1\}$ partitions $X$ into two disjoint subsets $X_1$ and
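The following Python program is an added worked example, not part of the thesis, that implements the synchronous parallel composition of Definition 2.1.13 and the hiding operation of Definition 2.1.14 on the 4-tuple representation $\langle Q, q_0, A, \rightarrow \rangle$ introduced above. The tuple layout, the names `compose`, `hide`, `hide_all` and `reachable`, and the producer/consumer sample systems are this example's own constructions.

```python
# Added example (not the thesis's own code): CSP-style synchronous parallel
# composition (Definition 2.1.13) and hiding (Definition 2.1.14) on the
# 4-tuple representation <Q, q0, A, ->>.  A transition system here is a
# Python tuple (Q, q0, A, R) with R a set of (q, action, q') triples; the
# alphabet A never contains the internal action TAU.
from itertools import product

TAU = "tau"

def compose(t1, t2):
    """T1 || T2: shared visible actions synchronise, all others (and tau)
    interleave."""
    Q1, q10, A1, R1 = t1
    Q2, q20, A2, R2 = t2
    shared = A1 & A2
    R = set()
    # Rules 1 and 2: an action outside A1 /\ A2, or tau, moves one side only
    for (p, a, p2) in R1:
        if a not in shared:
            R |= {((p, q), a, (p2, q)) for q in Q2}
    for (p, a, p2) in R2:
        if a not in shared:
            R |= {((q, p), a, (q, p2)) for q in Q1}
    # Rule 3: a shared action needs a matching move on both sides
    for (p1, a, p2) in R1:
        if a in shared:
            R |= {((p1, r1), a, (p2, r2)) for (r1, b, r2) in R2 if b == a}
    return (set(product(Q1, Q2)), (q10, q20), A1 | A2, R)

def hide(t, action):
    """hide action in T: the action's transitions become tau moves and the
    action leaves the alphabet."""
    Q, q0, A, R = t
    return (Q, q0, A - {action},
            {(p, TAU if a == action else a, q) for (p, a, q) in R})

def hide_all(t, actions):
    """hide A in T = hide a1 in (hide a2 in (... T))."""
    for a in actions:
        t = hide(t, a)
    return t

def reachable(t):
    """States reachable from q0; the product Q1 x Q2 usually contains many
    unreachable states, which is the usual cost of the composition."""
    Q, q0, A, R = t
    seen, stack = {q0}, [q0]
    while stack:
        p = stack.pop()
        for (x, a, q) in R:
            if x == p and q not in seen:
                seen.add(q)
                stack.append(q)
    return seen

# Constructed sample: a producer that emits a, then synchronises on c with a
# consumer that first does b; the producer resets through an internal move.
PRODUCER = ({"s0", "s1", "s2"}, "s0", {"a", "c"},
            {("s0", "a", "s1"), ("s1", "c", "s2"), ("s2", TAU, "s0")})
CONSUMER = ({"t0", "t1", "t2"}, "t0", {"b", "c"},
            {("t0", "b", "t1"), ("t1", "c", "t2")})

if __name__ == "__main__":
    system = hide(compose(PRODUCER, CONSUMER), "c")
    print(sorted(reachable(system)))
```

Note that a shared action such as `c` can only be taken jointly: the producer in `s1` cannot move on `c` while the consumer is still in `t0`, which is exactly what rule 3 expresses, and after hiding the joint `c` step appears as a $\tau$ move of the composite system.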

$X_0$ such that for any $x \in X_1$, $\phi(x) = 1$ and for any $y \in X_0$, $\phi(y) = 0$. Similarly, any partition of $X$ into two disjoint subsets induces an assignment for $h$.

A minimal satisfying assignment $\phi$ for $h$ is an assignment with the following properties:

1. $\phi$ is a satisfying assignment for $h$.

2. Let the partition induced by $\phi$ on $X$ be $X_1$ and $X_0$, such that for all $y \in X_1$, $\phi(y) = 1$ and for all $y \in X_0$, $\phi(y) = 0$.

3. If $X_1^y \cup X_0^y$ is a new partition of $X$ such that $X_1^y = X_1 \cup \{y\}$ and $X_0^y = X_0 \setminus \{y\}$ for some $y \in X_0$, then this partition does not induce a satisfying assignment, for any $y \in X_0$.

Dually, we can define a maximal satisfying assignment for NHORNSAT.

Definition 2.1.17 Given a HORNSAT instance $h$, the problem of finding a minimal satisfying assignment for $h$, if any exists, is called the minimal-HORNSAT problem. Similarly, given an NHORNSAT instance $h$, the problem of finding a maximal satisfying assignment for $h$, if any exists, is called the maximal-NHORNSAT problem.

2.2 Algorithms for (N)HORNSAT

2.2.1 Linear time solvability of HORNSAT

Given an instance of a propositional CNF satisfiability problem, which is a conjunction of clauses, each clause being a disjunction of positive and negative literals, with the set of clauses constrained by one of the following two restrictions, we are interested in finding a maximal or minimal satisfying assignment (if one exists), respectively. The restrictions are as follows:

1. Each clause is a disjunction of literals with at most one negative literal.

2. Each clause is a disjunction of literals with at most one positive literal.

We call this problem the NHORNSAT problem when the first restriction applies, and the HORNSAT problem [DG84] when the second restriction applies. An instance of the problem is presented as a pair $(X, C)$, where $X = \{x_1, x_2, \ldots, x_n\}$ is a finite set of propositional variables taking Boolean values, and $C = \{C_1, C_2, \ldots, C_m\}$ is a set of clauses satisfying one of the restrictions discussed above.

Note that if an instance has a satisfying assignment, such an assignment can be represented as an element of the $n$-dimensional Boolean lattice $\{0, 1\}^n$. Notice that if we consider $0 < 1$, then with the pointwise extension of this ordering, and pointwise $\wedge$ and $\vee$ as meet and join operations, we get a complete lattice. Now, for an instance of a satisfiability problem $h$, let us denote the set of all satisfying assignments as $SAT(h) \subseteq \{0, 1\}^n$. An element $x \in SAT(h)$ is minimal if no other $y \in SAT(h)$ is less than $x$ in the ordering of $\{0, 1\}^n$. Dually, an element $x \in SAT(h)$ is maximal if no other $y \in SAT(h)$ is greater than $x$ in the ordering of $\{0, 1\}^n$.

So now we have the following two problems:

1. Problem maximal-NHORNSAT: Given an NHORNSAT instance, find a maximal satisfying assignment, if there is one; otherwise, conclude that the instance is not satisfiable.

2. Problem minimal-HORNSAT: Given a HORNSAT instance, find a minimal satisfying assignment, if there is one; otherwise, conclude that the instance is not satisfiable.

The problem minimal-HORNSAT has been solved in [DG84]. The approach there is based on graph pebbling. The problem instance is represented as a labelled directed graph with $n + 2$ nodes: $n$ nodes corresponding to the $n$ propositional variables in the instance and two special nodes designated $true$ and $false$. If clause $C_i$ in the instance is of the form $x_1$, where $x_1$ is a propositional variable, then there is an edge labelled

$i$ from the node $true$ to the node corresponding to $x_1$. If clause $C_j$ is of the form $\neg x_{i_1} \vee \neg x_{i_2} \vee \ldots \vee \neg x_{i_k}$, then there are edges labelled $j$ from each of the nodes corresponding to $x_{i_1}, x_{i_2}, \ldots, x_{i_k}$ to the node $false$. If clause $C_l$ is of the form $x_{i_1} \wedge x_{i_2} \wedge \ldots \wedge x_{i_k} \Rightarrow x_a$, then there are edges labelled $l$ from each of the nodes corresponding to $x_{i_1}, x_{i_2}, \ldots, x_{i_k}$ to the node corresponding to $x_a$.

Given this graph representation, they defined a notion of pebbling as follows.

Notation 2.2.1 The graph constructed this way, or dually, for HORNSAT or NHORNSAT respectively, will be called a Dowling-Gallier graph in the rest of this thesis.

Definition 2.2.1 [DG84] Let $G = (V, E, L)$ be an edge-labelled directed graph. There is a pebbling of a node $Q \in V$ from a set $X \subseteq V$ if either $Q$ belongs to $X$ or, for some label $i$, there are pebblings of $P_1, P_2, \ldots, P_q$ from $X$, where $P_1, \ldots, P_q$ are the sources of all incoming edges to $Q$ labelled $i$.

Note that pebbling is equivalent to hypergraph reachability.

Given this definition, [DG84] proves the following:

Proposition 2.2.2 [DG84] Given a HORNSAT instance $h$, let $G_h = (V, E, L)$ be its corresponding graph.

1. $h$ is satisfiable if and only if there is no pebbling of $false$ from $\{true\}$.

2. If $h$ is satisfiable, the truth assignment $(v(x_1), v(x_2), \ldots, v(x_n))$ such that $v(x_i) = 1$ if and only if there is a pebbling of the node corresponding to $x_i$ from $\{true\}$, and $v(x_i) = 0$ otherwise, is the least element in $SAT(h)$.

Recall that $SAT(h)$ is the subset of the Boolean lattice $\{0, 1\}^n$ representing all the satisfying assignments of $h$.

Using this result and convenient data structures, they implemented this basic pebbling algorithm to obtain a linear time algorithm for the problem minimal-HORNSAT.

In the next section we show that a dualization of the ideas in [DG84] gives a linear time algorithm for the problem maximal-NHORNSAT.

2.2.2 Solution for Maximal-NHORNSAT

In this section we show that a simple dualization of the methods in [DG84] gives a linear time algorithm for the maximal-NHORNSAT problem.

Recall that an NHORNSAT instance $(X, C)$ has clauses of the following three forms.

1. Disjunction of positive literals only (e.g., $x_{i_1} \vee x_{i_2} \vee \ldots \vee x_{i_k}$).

2. An implication of the form $x_a \Rightarrow x_{i_1} \vee x_{i_2} \vee \ldots \vee x_{i_k}$.

3. A single negated literal (e.g., $\neg x_j$).

Now given an instance of NHORNSAT $h = (X, C)$, where $X = \{x_1, x_2, \ldots, x_n\}$ and $C = \{C_1, C_2, \ldots, C_m\}$, we construct a graph $G_h = (V, E, L)$, where $V = \{x_1, x_2, \ldots, x_n\} \cup \{true, false\}$. The label set is $\{1, 2, \ldots, m\}$. The edges can be described as follows:

1. If the clause $C_i$ is of the form $x_{i_1} \vee x_{i_2} \vee \ldots \vee x_{i_k}$, there is an edge labelled $i$ from each of the nodes $x_{i_j}$ to the node $true$.

2. If $C_i$ is an implication clause of the form $x_a \Rightarrow x_{i_1} \vee x_{i_2} \vee \ldots \vee x_{i_k}$, then there is an edge labelled $i$ from each of the nodes $x_{i_j}$ to the node $x_a$.

3. If $C_i$ is a single negated literal $\neg x_j$, then there is an edge labelled $i$ from the node $false$ to $x_j$.

Now we can prove a theorem similar to Proposition 2.2.2 using a dual argument, which shows that an instance $h$ is satisfiable if and only if there is no pebbling in $G_h$ of $true$ from $\{false\}$. Moreover, in the process of checking for satisfiability, a pebbling algorithm will produce a maximal satisfying assignment if $h$ is satisfiable.

Theorem 2.2.1 Given an NHORNSAT instance $h$, let $G_h = (V, E, L)$ be its corresponding graph.

1. $h$ is satisfiable if and only if there is no pebbling of $true$ from $\{false\}$.

2. If $h$ is satisfiable, the truth assignment $(v(x_1), v(x_2), \ldots, v(x_n))$ such that $v(x_i) = 0$ if and only if there is a pebbling of the node corresponding to $x_i$ from $\{false\}$, and $v(x_i) = 1$ otherwise, is the greatest element in $SAT(h)$.

Now we can use refinements similar to those in [DG84] of the pebbling based algorithm to obtain a linear time algorithm for the problem maximal-NHORNSAT.

2.3 Unique minimal and maximal solutions for HORNSAT and NHORNSAT

The existence of a unique minimal solution for the type of HORNSAT instances created in our reductions is obvious to readers familiar with Datalog [Ull88]. However, for the sake of completeness, we include the following discussion.

On a number of occasions in the course of proving the correctness of our reductions we use the unique minimal solution of HORNSAT instances and the unique maximal solution of NHORNSAT instances. However, those HORNSAT and NHORNSAT instances are of a particular type. The HORNSAT instances have only two types of clauses.

1. Single literal clauses with a positive literal (e.g., $x_i$).

2. Conditional clauses of the form $x_i \leftarrow \bigwedge_j x_j$. In such a conditional clause $C$, we call the positive literal $x_i$ $head(C)$ and $\bigwedge_j x_j$ $tail(C)$.

Note that a positive literal clause $x_i$ can be thought of as $x_i \leftarrow true$. We call the satisfiability problem for this type of Horn clauses PHORNSAT.

Similarly, the NHORNSAT instances have clauses of the following two types.

1. Single negated literal clauses (e.g., $\neg x_i$).

2. Conditional clauses of the form $x_i \rightarrow \bigvee_j x_j$.

In such a conditional clause $C$, we call the literal $x_i$ $head(C)$ and $\bigvee_j x_j$ $tail(C)$.

We call the satisfiability problem for this type of NHORNSAT PNHORNSAT.

We now prove that a unique minimal satisfying assignment for any PHORNSAT instance exists; a simple dualization of our argument shows that a unique maximal satisfying assignment for PNHORNSAT exists.

Let $h$ be a PHORNSAT instance and let $X = \{x_1, \ldots, x_n\}$ be the set of variables in the instance $h$. Let $S_h$ denote the set of satisfying assignments. Let us identify a satisfying assignment $\phi : X \rightarrow \{0, 1\}$ with the subset $\phi_S$ of $X$ such that $\phi$ is simply the characteristic function of $\phi_S$. Obviously $S_h \subseteq 2^X$. Now notice that $2^X$, with the set inclusion relation $\subseteq$ as partial order, set union as join and set intersection as meet operation, forms a complete lattice. The empty set $\emptyset$ is the least and the set $X$ is the greatest element of the lattice.

Now let $F_h : 2^X \rightarrow 2^X$ be a function defined as follows. Let $S_{tail(C)} = \{x_k \mid x_k$ is a variable in $tail(C)\}$. Note that if $C$ is a single literal clause then $S_{tail(C)} = \emptyset$.

$F_h(S) = S \cup \{x_i \mid \exists C \in h : S_{tail(C)} \subseteq S \wedge head(C) = x_i\}$

It is easy to see that $F_h$ is monotonic, and by the Knaster-Tarski theorem $F_h$ has a unique least fixed point. Since $X$ is finite, we have an iterative characterization of the least fixed point as follows. Let

$f_0 = \emptyset$, $\quad f_{i+1} = F_h(f_i)$ for all $i \geq 0$.

Since $F_h$ is monotonic, we get $\bigcup_{i \geq 0} f_i$ as the fixed point. Notice that starting with $\emptyset$, after the first iteration $f_1$ will contain only those variables which appear in single literal clauses. In the $(i+1)$th iteration those variables are included which are at the head of a conditional clause such that all the variables in the tail of that

conditional clause are in $f_i$. When the fixed point is reached, no more variables need to be included. In other words, all the variables that need to be set to true to satisfy the instance are included at this point. Now obviously none of them can be dropped, because then it is easy to see that at least one clause would remain unsatisfied.

Now suppose $S_{max} \subseteq X$ is the unique least fixed point of $F_h$. Then the characteristic function of $S_{max}$ provides the minimal satisfying assignment of the PHORNSAT instance $h$. The uniqueness follows from the Knaster-Tarski theorem.

Theorem 2.3.1 Given a PHORNSAT instance, there is a unique minimal satisfying assignment.

A dualization also proves the following theorem.

Theorem 2.3.2 Given a PNHORNSAT instance, there is a unique maximal satisfying assignment.

2.4 Logical Frameworks

2.4.1 Prebisimulation and Intuitionistic Hennessy-Milner Logic

In Chapter 6 we consider the problem of the prebisimulation preorder between incompletely specified transition systems. In the early stages of a design, transition systems with such incomplete transition relations are useful in modelling the design. The incompleteness of the transition system is captured in an under-definedness relation $\uparrow \subseteq S \times Act$, where $S$ is the set of states and $Act$ is the set of actions. $(s, a) \in \uparrow$ if the behavior of $s$ on action $a$ is not completely known.

Definition 2.4.1 [CC92] Let $P = (\langle P, Act, \rightarrow, \uparrow \rangle, p_0)$ and $Q = (\langle Q, Act, \rightarrow, \uparrow \rangle, q_0)$ be two processes. A relation $R \subseteq P \times Q$ is a prebisimulation preorder between $P$ and $Q$ if $(p, q) \in R$ implies that for all $a \in Act$ the following holds:
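The following Python program is an added worked example, not part of the thesis. It serves three passages above: the pebbling of [DG84] and its dual (Sections 2.2.1 and 2.2.2), the fixed-point iteration of $F_h$ of Section 2.3 (the two are the same forward chaining, so a single `pebble` routine gives both minimal-HORNSAT and maximal-NHORNSAT), and the remark after Definition 2.1.11 that a simulation preorder can be reduced to NHORNSAT while the bisimulation question is the conjunction of the two instances. The clause encoding, the variable naming $(s, t)$ for "$(s, t) \in R$", the function names and the two sample transition systems are this example's own constructions; the thesis describes its reductions in Chapter 3, which is not reproduced here.

```python
# Added example, not the thesis's own code: the pebbling of [DG84] and its
# dual (Sections 2.2.1 and 2.2.2), written as the fixed-point iteration of
# Section 2.3, plus a reduction of the simulation preorder of
# Definition 2.1.4 to NHORNSAT.  A clause is a pair (head, body) in this
# example's own convention:
#   NHORNSAT reading:  head => x1 v ... v xk   (head is the one negative
#                      literal; head None means there is none)
#   HORNSAT reading:   x1 ^ ... ^ xk => head   (head is the one positive
#                      literal; head None means there is none)

def pebble(clauses):
    """Pebble a head once its whole body is pebbled, until nothing changes.
    Returns the pebbled set, or None if the sink (head None, i.e. the node
    'true' for NHORNSAT or 'false' for HORNSAT) was pebbled."""
    pebbled = set()
    changed = True
    while changed:
        changed = False
        for head, body in clauses:
            if head not in pebbled and all(x in pebbled for x in body):
                if head is None:
                    return None
                pebbled.add(head)
                changed = True
    return pebbled

def maximal_nhornsat(variables, clauses):
    """Greatest satisfying assignment as the set of variables set to 1, or
    None (Theorem 2.2.1): pebbling from {false} forces variables to 0."""
    forced_false = pebble(clauses)
    return None if forced_false is None else set(variables) - forced_false

def minimal_hornsat(clauses):
    """Least satisfying assignment as the set of variables set to 1, or None
    (Proposition 2.2.2 / Theorem 2.3.1): pebbling from {true} is the least
    fixed point of F_h."""
    return pebble(clauses)

def simulation_instance(t1, t2, var=lambda s, t: (s, t)):
    """NHORNSAT instance for 'T1 is simulated by T2'; var(s, t) names the
    variable meaning '(s, t) is in R'.  One clause per pair and per move
    s -a-> s' says: (s,t) in R  =>  OR over t -a-> t' of (s',t') in R."""
    S, D1, s1 = t1
    T, D2, t1_ = t2
    variables = [var(s, t) for s in S for t in T]
    clauses = [(None, [var(s1, t1_)])]        # the start pair must be in R
    for s in S:
        for t in T:
            for (p, a, p2) in D1:
                if p == s:
                    matches = [var(p2, q2) for (q, b, q2) in D2 if q == t and b == a]
                    clauses.append((var(s, t), matches))
    return variables, clauses

def largest_simulation(t1, t2):
    """Greatest simulation containing the start pair, or None if T2 does
    not simulate T1."""
    return maximal_nhornsat(*simulation_instance(t1, t2))

def bisimilar(t1, t2):
    """Bisimulation = conjunction of both simulation instances over one
    variable set, so the reverse direction is R^-1 of the same R."""
    v, c1 = simulation_instance(t1, t2)
    _, c2 = simulation_instance(t2, t1, var=lambda t, s: (s, t))
    return maximal_nhornsat(v, c1 + c2) is not None

# Constructed sample: a.(b + c) + a.b versus a.(b + c); simulation
# equivalent in both directions, yet not bisimilar.
T1 = ({"s0", "s1", "s2", "s3", "s4", "s5"},
      {("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3"),
       ("s0", "a", "s4"), ("s4", "b", "s5")}, "s0")
T2 = ({"t0", "t1", "t2", "t3"},
      {("t0", "a", "t1"), ("t1", "b", "t2"), ("t1", "c", "t3")}, "t0")

if __name__ == "__main__":
    print(largest_simulation(T1, T2) is not None,
          largest_simulation(T2, T1) is not None, bisimilar(T1, T2))
```

On the sample, both separate instances are satisfiable (so $T_1 \equiv_{sim} T_2$), but their conjunction is not: the reverse direction forces the pair $(s_4, t_1)$ to 0 because $s_4$ cannot answer the $c$ move of $t_1$, and the forward direction then forces $(s_0, t_0)$ to 0. That is the finer-than-simulation effect described above, and the whole check is two linear-size instances plus one pebbling of their union.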

1. $p \stackrel{a}{\rightarrow} p' \Rightarrow \exists q'.\ q \stackrel{a}{\rightarrow} q' \wedge (p', q') \in R$

2. $p \downarrow a \Rightarrow (q \downarrow a \wedge (q \stackrel{a}{\rightarrow} q' \Rightarrow \exists p'.\ p \stackrel{a}{\rightarrow} p' \wedge (p', q') \in R))$

We say that $P \sqsubseteq Q$ if there is a prebisimulation $R$ with $(p_0, q_0) \in R$.

We use $p \uparrow a$ in place of $(p, a) \in \uparrow$ and $p \downarrow a$ in place of $\neg (p \uparrow a)$.

Intuitionistic Hennessy-Milner Logic. We now recall the logical characterization of the prebisimulation preorder in terms of Intuitionistic Hennessy-Milner Logic (IHML) as presented in [Sti87]. The abstract syntax of an IHML formula is given as

$\Phi ::= true \mid false \mid \Phi \wedge \Phi \mid \Phi \vee \Phi \mid \langle a \rangle \Phi \mid [a]\!\downarrow \Phi$

where $a \in Act$.

The formal semantics of IHML is given in terms of the following set of rules that relate the states of a process $P = (\langle P, Act, \rightarrow, \uparrow \rangle, p_0)$ to formulas. Formally, $\models$ is the smallest relation satisfying the following set of rules, where $p \in P$:

$p \models true$

$p \models \Phi_1 \wedge \Phi_2$ if $p \models \Phi_1$ and $p \models \Phi_2$

$p \models \Phi_1 \vee \Phi_2$ if $p \models \Phi_1$ or $p \models \Phi_2$

$p \models \langle a \rangle \Phi$ if $\exists q.\ p \stackrel{a}{\rightarrow} q$ and $q \models \Phi$

$p \models [a]\!\downarrow \Phi$ if $p \downarrow a$ and $\forall q$, if $p \stackrel{a}{\rightarrow} q$ then $q \models \Phi$

We say that $P \models \Phi$ if $p_0 \models \Phi$.

It turns out [Sti87] that IHML is the characteristic logic for prebisimulation. This means that if two transition systems are related by a prebisimulation relation then they satisfy exactly the same set of IHML formulas. Consequently, if they are not related by the prebisimulation preorder then there exists an IHML formula which one of them satisfies and the other does not. This particular distinguishing formula can be used as a diagnostic formula as discussed in [CC92]. In Chapter 6 we show that our methodology can obtain this kind of diagnostic formula more efficiently than the algorithm described in [CC92].
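The following Python program is an added worked example, not part of the thesis or of [CC92] and [Sti87]. It computes the prebisimulation preorder of Definition 2.4.1 as a greatest fixed point over pairs of states (dropping pairs that violate either condition until the relation is stable) and evaluates the IHML satisfaction rules above, so that a formula separating two processes that are not in the preorder can be checked by hand. The tuple layout for processes, the formula encoding, the function names and the two sample processes are this example's own constructions.

```python
# Added example (not the thesis's nor [CC92]/[Sti87] code): the
# prebisimulation preorder of Definition 2.4.1 as a greatest fixed point over
# pairs of states, and the IHML satisfaction rules.  A process is
# (states, trans, undefined, start): trans is a set of (p, a, q) triples and
# undefined is the set of (state, action) pairs in the under-definedness
# relation (p "up-arrow" a).

def defined(proc, p, a):
    return (p, a) not in proc[2]          # p "down-arrow" a

def succ(proc, p, a):
    return {q for (x, b, q) in proc[1] if x == p and b == a}

def prebisimulation(P, Q, actions):
    """Largest relation satisfying both conditions of Definition 2.4.1:
    start from all pairs and remove violators until nothing changes."""
    R = {(p, q) for p in P[0] for q in Q[0]}
    changed = True
    while changed:
        changed = False
        for (p, q) in list(R):
            for a in actions:
                # 1. every p -a-> p' is matched by some q -a-> q' with (p',q') in R
                c1 = all(any((p2, q2) in R for q2 in succ(Q, q, a))
                         for p2 in succ(P, p, a))
                # 2. if p is defined on a then q is too, and every q -a-> q'
                #    is matched by some p -a-> p' with (p',q') in R
                c2 = (not defined(P, p, a)) or (
                    defined(Q, q, a) and
                    all(any((p2, q2) in R for p2 in succ(P, p, a))
                        for q2 in succ(Q, q, a)))
                if not (c1 and c2):
                    R.discard((p, q))
                    changed = True
                    break
    return R

def below(P, Q, actions):
    """P is below Q in the prebisimulation preorder iff the start pair is related."""
    return (P[3], Q[3]) in prebisimulation(P, Q, actions)

def ihml(proc, p, phi):
    """p |= phi for IHML; formulas are tuples such as ("box", a, phi)."""
    k = phi[0]
    if k == "true":
        return True
    if k == "false":
        return False
    if k == "and":
        return ihml(proc, p, phi[1]) and ihml(proc, p, phi[2])
    if k == "or":
        return ihml(proc, p, phi[1]) or ihml(proc, p, phi[2])
    if k == "dia":
        return any(ihml(proc, q, phi[2]) for q in succ(proc, p, phi[1]))
    if k == "box":                        # [a]!phi first requires p down-arrow a
        return defined(proc, p, phi[1]) and all(
            ihml(proc, q, phi[2]) for q in succ(proc, p, phi[1]))
    raise ValueError(k)

# Constructed sample: P leaves the behaviour of p1 on b unspecified; Q is a
# fully specified completion that does b after a.
P = ({"p0", "p1"}, {("p0", "a", "p1")}, {("p1", "b")}, "p0")
Q = ({"q0", "q1", "q2"}, {("q0", "a", "q1"), ("q1", "b", "q2")}, set(), "q0")
ACTIONS = {"a", "b"}
DISTINGUISH = ("box", "a", ("box", "b", ("true",)))   # [a]![b]!true

if __name__ == "__main__":
    print(below(P, Q, ACTIONS), below(Q, P, ACTIONS),
          ihml(Q, "q0", DISTINGUISH), ihml(P, "p0", DISTINGUISH))
```

On the sample, $P \sqsubseteq Q$ holds (the unspecified $b$ at $p_1$ places no obligation on $q_1$), while $Q \sqsubseteq P$ fails because $p_1$ cannot match the $b$ move of $q_1$. The formula $[a]\!\downarrow[b]\!\downarrow true$ is satisfied by $Q$ but not by $P$, since $[b]\!\downarrow$ demands $p_1 \downarrow b$; it is the kind of diagnostic formula the text refers to.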

2.4.2 Alternation Free Modal Mu-Calculus

Syntax and Semantics of Basic Formulas

Let $Var$ be a countable set of variables, $\mathcal{A}$ a set of atomic propositions, and $Act$ a set of actions. The abstract syntax of basic formulas is given by the following BNF style notation.

$\Phi ::= A \mid X \mid \Phi \wedge \Phi \mid \Phi \vee \Phi \mid \langle a \rangle \Phi \mid [a] \Phi$

where $X \in Var$, $A \in \mathcal{A}$ and $a \in Act$.

Formulas are interpreted with respect to a fixed labelled transition system $\langle S, Act, \rightarrow \rangle$, a valuation $\mathcal{V} : \mathcal{A} \rightarrow 2^S$, and an environment $e : Var \rightarrow 2^S$. The valuation map associates states with atomic propositions, the environment associates states with variables. Thus, intuitively, the semantics of a formula $\Phi$ with respect to an environment $e$, a transition system $T$, and a valuation $\mathcal{V}$, denoted as $\|\Phi\|e$, is the set of states in which $\Phi$ is true. The formal semantics can now be given as follows:

$\|A\|e = \mathcal{V}(A)$

$\|X\|e = e(X)$

$\|\Phi_1 \wedge \Phi_2\|e = \|\Phi_1\|e \cap \|\Phi_2\|e$

$\|\Phi_1 \vee \Phi_2\|e = \|\Phi_1\|e \cup \|\Phi_2\|e$

$\|\langle a \rangle \Phi\|e = \{s \mid \exists s'.\ s \stackrel{a}{\rightarrow} s' \wedge s' \in \|\Phi\|e\}$

$\|[a] \Phi\|e = \{s \mid \forall s'.\ s \stackrel{a}{\rightarrow} s' \Rightarrow s' \in \|\Phi\|e\}$

Syntax of Equational Blocks

Basic formulas are not very expressive by themselves, and hence this logic has been enhanced by adding fixed point operators. However, the fixed point operator is not directly added to the syntax as in [Koz83, Bra92]. Instead, equational blocks are used, following [CS91], to express the fixed points.

A block of equations has one of the two forms $max\{E\}$ or $min\{E\}$, where $E$ is a list of equations $\{X_1 = \Phi_1, X_2 = \Phi_2, \ldots, X_n = \Phi_n\}$, each $\Phi_i$ is a basic formula, and the $X_i$ are all distinct.

If we are restricted to using a single such block to define a formula, then we are restricted to the fragment of modal mu-calculus which corresponds to the Hennessy-Milner Logic with recursion [Lar88, Lar90]. We also call this fragment the single fixed point fragment of modal mu-calculus.

In the case of alternation free modal mu-calculus, several such equational blocks may be used. [CS91] gives a syntactic characterization of alternation-free modal mu-calculus in terms of block graphs.

Definition 2.4.2 [CS91] Let $\mathcal{B}$ be a set of blocks. Then the block graph of $\mathcal{B}$ is defined as follows.

1. The nodes are the elements (blocks) of $\mathcal{B}$.

2. The edges are defined by: $B_i \rightarrow B_j$ if $B_i$ and $B_j$ are distinct and a left-hand-side variable in $B_i$ appears in a right-hand-side expression of $B_j$.

If we are restricted to using blocks such that the corresponding block graph is acyclic, then we are restricted to the fragment of modal mu-calculus called the alternation-free modal mu-calculus.

Semantics of Equational Blocks

Following [CS91], we first define the semantics of a single block $B = m\{E\}$, where $m$ could be $max$ or $min$ and $E = \{X_1 = \Phi_1, \ldots, X_n = \Phi_n\}$.

Given a fixed environment $e$, we can build a semantic function $f^e_E : (2^S)^n \rightarrow (2^S)^n$ as follows. Let $\bar{S} = \langle S_1, \ldots, S_n \rangle \in (2^S)^n$, and let $e_{\bar{S}} = e[X_1 \mapsto S_1, \ldots, X_n \mapsto S_n]$ be the environment that results from $e$ by updating the bindings of $X_i$ to $S_i$. Then

$f^e_E(\bar{S}) = \langle \|\Phi_1\|e_{\bar{S}}, \ldots, \|\Phi_n\|e_{\bar{S}} \rangle$

Note that $(2^S)^n$ forms a complete lattice, where the ordering, join and meet are the pointwise extensions of set theoretic inclusion, union and intersection. Moreover, $f^e_E$ is monotonic with respect to this lattice for any equation system $E$ and given environment $e$. Hence, by the Tarski fixed-point theorem [Tar55], it has both greatest and least fixed points, denoted as $\nu f^e_E$ and $\mu f^e_E$ respectively. By [Tar55],

$\nu f^e_E = \bigcup \{\bar{S} \mid \bar{S} \subseteq f^e_E(\bar{S})\}$ and $\mu f^e_E = \bigcap \{\bar{S} \mid f^e_E(\bar{S}) \subseteq \bar{S}\}$.

When the labelled transition systems are finite state, $f^e_E$ is continuous and hence both the greatest and the least fixed points have iterative characterizations. Consider the two sequences

$f_0 = \langle S, \ldots, S \rangle$, $\quad f_{i+1} = f^e_E(f_i)$ for all $i \geq 0$, and

$f'_0 = \langle \emptyset, \ldots, \emptyset \rangle$, $\quad f'_{i+1} = f^e_E(f'_i)$ for all $i \geq 0$.

Then $\nu f^e_E = \bigcap_{i=0}^{\infty} f_i$ and $\mu f^e_E = \bigcup_{i=0}^{\infty} f'_i$.

Now, blocks $max\{E\}$ and $min\{E\}$ are interpreted as environments as follows:

$\|max\{E\}\|e = e_{\nu f^e_E}$

$\|min\{E\}\|e = e_{\mu f^e_E}$

So $max\{E\}$ ($min\{E\}$) represents the greatest (least) fixed point of $E$.

Now one can give the semantics of a finite set of blocks. Let $\mathcal{B} = \{B_1, \ldots, B_m\}$ be a topological sorting of the blocks in $\mathcal{B}$ according to the relation $\rightarrow$ defined above. The syntactic restriction on the alternation free fragment of modal mu-calculus makes sure that a variable appearing on the right-hand side of a block $B_j$ can only appear on the left-hand side of a block $B_i$ with $i \leq j$, if it appears on a left-hand side at all.

Given a starting environment $e$, we define the following sequence of environments as in [CS91]: $e_1 = \|B_1\|e, \ldots, e_m = \|B_m\|e_{m-1}$.

Then $\|\mathcal{B}\|e = e_m$.

Now one can talk about the semantics of a formula $\Phi$ whose variables are bound by a set of equations. Given a basic formula $\Phi$ whose variables are bound by a set of equational blocks $\mathcal{B}$, we define the semantics with respect to an initial environment $e$ as $\|\Phi\|(\|\mathcal{B}\|e)$.

The alternation free fragment of modal mu-calculus is denoted by $L\mu_1$ [EL86]. The expressivity theorem in [CS91] states that every formula $\Phi \in L\mu_1$ can be translated in linear time to a block set $\mathcal{B}$ with $\|\Phi\|e = \|X\|(\|\mathcal{B}\|e)$ for some left-hand-side variable $X$. Similarly, for every block set $\mathcal{B}$ and variable $X$, there is a formula $\Phi$ in $L\mu_1$ with $\|X\|(\|\mathcal{B}\|e) = \|\Phi\|e$.

They also show that, with a linear blow-up in size, one can make all the right-hand sides simple formulas in linear time by a semantics preserving transformation.

Definition 2.4.3 [CS91, And94] A formula is simple if it is of the form $A$, $X_i \vee X_j$, $X_i \wedge X_j$, $\langle a \rangle X_i$ or $[a] X_i$, where $A$ is atomic and $X_i, X_j$ are variables.

Hence we assume that the equational blocks have only simple formulas on the right-hand side.
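The following Python program is an added worked example, not part of the thesis or of [CS91]. It evaluates a topologically sorted list of equational blocks whose right-hand sides are simple formulas (Definition 2.4.3) over a finite labelled transition system, computing each $max$ block from $\langle S, \ldots, S \rangle$ and each $min$ block from $\langle \emptyset, \ldots, \emptyset \rangle$ by the iterative characterizations of Section 2.4.2, with every block evaluated in the environment left by the blocks before it. The formula and block encodings, the function names and the sample model are this example's own constructions.

```python
# Added example (not the thesis's nor [CS91] code): evaluation of equational
# blocks of simple formulas (Definition 2.4.3) over a finite labelled
# transition system, using the iterative characterisations of the greatest
# and least fixed points.  Encodings are this example's own:
#   formulas  ("atom", A) | ("or", X, Y) | ("and", X, Y)
#             | ("dia", a, X) | ("box", a, X)
#   a block   ("max" or "min", [(X, formula), ...])

def sem(phi, states, trans, val, env):
    """||phi||e for a simple formula; val is the valuation of atomic
    propositions, env the environment of variables."""
    k = phi[0]
    if k == "atom":
        return set(val.get(phi[1], ()))
    if k == "or":
        return env[phi[1]] | env[phi[2]]
    if k == "and":
        return env[phi[1]] & env[phi[2]]
    a, X = phi[1], phi[2]
    if k == "dia":      # some a-successor lies in ||X||
        return {s for s in states
                if any(q in env[X] for (p, b, q) in trans if p == s and b == a)}
    if k == "box":      # every a-successor lies in ||X||
        return {s for s in states
                if all(q in env[X] for (p, b, q) in trans if p == s and b == a)}
    raise ValueError(k)

def eval_block(block, states, trans, val, env):
    """max{E}: iterate f_E^e from <S,...,S>; min{E}: from <0,...,0>.
    The state space is finite, so the iteration stops at the fixed point."""
    kind, eqs = block
    env = dict(env)
    for X, _ in eqs:
        env[X] = set(states) if kind == "max" else set()
    while True:
        new = {X: sem(phi, states, trans, val, env) for X, phi in eqs}
        if all(new[X] == env[X] for X in new):
            return env
        env.update(new)

def eval_blocks(blocks, states, trans, val):
    """Blocks must be listed in topological order of the block graph, so each
    block is evaluated in the environment produced by the blocks it uses."""
    env = {}
    for block in blocks:
        env = eval_block(block, states, trans, val, env)
    return env

# Constructed model: 0 -a-> 1 -a-> 2 (2 loops on a), 0 -a-> 3 (3 loops on a);
# the atomic proposition p holds only in state 2.
STATES = {0, 1, 2, 3}
TRANS = {(0, "a", 1), (1, "a", 2), (2, "a", 2), (0, "a", 3), (3, "a", 3)}
VAL = {"p": {2}}

# min block: Y = p \/ <a>Y   ("some a-path reaches p"), split into simple
# equations; max block: X = Y /\ [a]X ("on every a-path p stays reachable").
# The min block is listed first because X's block uses Y.
BLOCKS = [("min", [("P", ("atom", "p")), ("W", ("dia", "a", "Y")),
                   ("Y", ("or", "P", "W"))]),
          ("max", [("Z", ("box", "a", "X")), ("X", ("and", "Y", "Z"))])]

if __name__ == "__main__":
    env = eval_blocks(BLOCKS, STATES, TRANS, VAL)
    print(sorted(env["Y"]), sorted(env["X"]))
```

On the sample model, $Y$ holds in states 0, 1 and 2 (state 3 only loops without ever reaching $p$), while $X$ holds only in 1 and 2: from state 0 the $a$ move into state 3 loses reachability of $p$, and the greatest fixed point iteration removes 0 in its second round.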

Chapter 3

A Uniform Framework for Deciding Process Algebraic Relations

In this chapter we present a uniform approach for proving the polynomial time decidability of various simulation and equivalence relations for finite state processes. Our approach involves efficient reductions to the satisfiability problem for Horn formulas. It applies directly and naturally to most of the simulation preorders and equivalence relations studied in the literature [vG90, HS96]. Here we illustrate our methodology by deriving efficient algorithms for a number of such relations. For some of these relations, we present polynomial time algorithms for the first time in the literature. We also present a HORNSAT based interpretation of the existing bottom-up algorithm for bisimulation equivalence [KS90] to provide a better understanding of such bottom-up partition based methods [KS90, PT87]. Corollaries of our results include an NC algorithm for bisimulation equivalence for deterministic transition systems (posed as an open problem in [GHR95]), an easy algorithm for computing simulations on finite graphs [HHK95], etc.

Our approach naturally gives rise to algorithms which are on-the-fly [VW86, FM91], local [CS91, Lar92] and incremental [SS94]. Moreover, diagnostic information [CC92, FM91] can be obtained without any additional complexity overhead in this methodology. Details of the diagnostics generation are discussed in Chapter 6.

Any practical verification tool employing process algebraic verification methodology (for example, [CGL+94]) needs efficient algorithms for deciding these relations and equivalences. Our efficient and uniform methodology can provide considerable performance enhancement in such tools. Currently our methodology is being used to design a verification tool suite for the verification of finite state systems.

Here, we use this generic methodology to prove the polynomial time decidability of the following equivalence relations on processes:

1. Strong-Bisimulation Equivalence (see footnote 1) [Par81, Mil89, KS90]

2. Simulation Equivalence [vG90, HT94]

3. Ready-Simulation Equivalence [vG90, HT94, BP94]

4. Complete-Simulation Equivalence [vG90]

5. 2-nested Simulation Equivalence [GV92]

6. Possibilities Equivalence or Forward-Simulation Equivalence [LV91]

7. Backward-Simulation Equivalence [LV91]

3.1 Summary

In the next section we briefly sketch an outline of our methodology and discuss the advantages of this uniform approach over existing approaches to solving these decision problems. The definitions of transition systems and the various simulation and equivalence relations, and the definitions of HORNSAT and its variant NHORNSAT, can be found in Chapter 2. In Section 3.4 we illustrate our reduction method by describing

Footnote 1: We use the word bisimulation for strong-bisimulation throughout. We reduce the decidability of strong-bisimulation to the satisfiability problem for Horn formulas. But using the reduction of weak bisimulation [Mil89] to strong bisimulation given in [KS90], we can also prove polynomial time decidability of weak bisimulation.

in detail the reduction of bisimulation equivalence problem toNHORNSAT. Thereductions applicable to simulation preorder, ready-simulation and complete simula-tion are similar. They are brie y discussed in the Section 3.5. 2-nested simulation andbackward simulation are discussed in details in Section 3.6 and Section 3.7. We pro-vide polynomial time algorithms for these problems for the �rst time in the literature.In Section 3.8 we show how to interpret the algorithm for bisimulation equivalence in[KS90] as a satis�ability problem for Horn formulas. In the same section we show howto obtain an e�cient algorithm for computing simulations on �nite graphs (de�nedin [HHK95]) in our methodology. In the next section, we show that all equivalencesbetween bisimulation and trace equivalence for deterministic transition systems arein NC (In fact, all these relations coincide for deterministic systems). In section 3.11we compare our methodology with model checking based uniform methodology fordeciding behavioral relations presented in [CS91, CH92, BCM+92, And93, SHR96a].The last section contains concluding remarks.3.2 Advantages of Our ApproachAs mentioned above, in our methodology we reduce these decision problems (i.e., theproblem of deciding if two transition systems are related by a particular relation) tothe satis�ability problem for weakly negative Horn formulas [Sch78] and we call thisproblem as the NHORNSAT problem (See Chapter 2 for details). Since there are lin-ear time algorithms for NHORNSAT [DG84, AI91] (see Chapter 2), this shows thatall these equivalences are decidable in polynomial time. The �rst three of these equiv-alences have been shown to be polynomial time decidable in [KS90, HT94, BP94].The fourth equivalence considered here can be easily shown to be polynomial time de-cidable from the results in [HT94, BP94]. 
Here we show that 2-nested simulation equivalence, and k-nested simulation equivalence for any k, are polynomial time decidable in our framework. To the best of our knowledge, there is no other polynomial time algorithm for the 2-nested or k-nested simulation relation in the

literature. The last two equivalences mentioned above are based on two simulation relations in [LV91]. In [SHRS96b] we announced their polynomial time decidability for the first time in the literature. Here, we present detailed algorithms for these two simulation relations, together with their correctness proofs.

With a few exceptions (e.g., [FM91]), in most earlier works (e.g., [KS90, PT87, HT94, BP94]) the algorithms for deciding process equivalences are bottom-up and global. These algorithms construct all pairs of states that are related by the equivalence relation using a partition refinement type strategy [KS90]. Here, we show how to interpret these bottom-up methods as solving the satisfiability problem for Horn formulas, using the algorithm in [KS90] as an illustrative example. This also leads to HORNSAT based algorithms for many other problems, as discussed in Chapter 8, and gives a better understanding of the partition refinement based procedures for establishing equivalences between finite state processes. As a corollary we obtain an efficient algorithm for computing simulation relations on finite graphs as defined in [HHK95]. We get an $O(m^2)$ algorithm for computing simulation relations on a graph with m edges and n vertices. The algorithm in [HHK95] is more efficient in general, with a time complexity of $O(mn)$, but is quite complex because of the data structures it uses to achieve this efficiency. Our algorithm is more direct and simple. Moreover, our algorithm is incremental, in the sense that we can handle dynamic graphs with deletion and addition of edges and vertices. Moreover, if we need to know whether two particular vertices are related, our algorithm does not need to explore all the pairs; it explores only that part of the graph which is actually necessary to decide the question.
Hence we present an efficient, local and incremental algorithm for the problem in [HHK95] as a corollary of our results.

Another corollary of our reduction technique shows directly that for deterministic transition systems, the bisimulation equivalence problem has an NC algorithm. This resolves an open problem in [GHR95]. Since all other equivalences between bisimulation and trace equivalence coincide for deterministic transition systems, our result

also shows that all such equivalences are in NC for deterministic transition systems (see Footnote 2).

Footnote 2: Although in [HT94] it was proved that all these relations are in NL, which implies that they are in NC, our approach directly produces an NC algorithm for the problem. This result was first announced in [SHRS96b].

In Chapter 5 (also in [SHR96a]), we develop a HORNSAT based approach to efficient model checking which has a number of other advantages. It easily follows that those advantages are also obtained in our HORNSAT based methodology for checking the various equivalences and simulation relations between finite state processes. In [CS91] it was shown that many of the important process equivalences can be reduced to model checking problems, and hence any advantages that the corresponding model checking algorithm provides also carry over to the process equivalence and preorder algorithms based on those reductions. However, here we point out that we do not need to go through the model checking algorithms to obtain efficient algorithms for simulation preorders and equivalences. Moreover, since our model checking methodology is also based on efficient reductions to the HORNSAT problem, we obtain all the advantages described in Chapter 5 for the algorithms discussed here as well.

Our algorithms are on the fly, which means that we do not need the whole transition system to be constructed in memory before our algorithms can be applied. The only other on the fly algorithm for some process equivalences (e.g., bisimulation equivalence) appears in [FM91]. Our methodology naturally yields such an algorithm, and our algorithm has worst case time complexity $O(m_1 m_2)$, where $m_i$ is the size of the transition relation of transition system $T_i$ ($i = 1, 2$), whereas the algorithm in [FM91] has a worst case time complexity of $O((n_1 n_2)^2)$, where $n_i$ is the number of states in transition system $T_i$ ($i = 1, 2$). As a result, for sparse transition systems our algorithm is much better.

Moreover, since our algorithm is local, it rarely reaches the worst case time complexity, especially when the systems are not related. Recall that a verification algorithm is local [Lar92, SW91] if the algorithm does

not explore the whole state space unless it is necessary to do so. So a local algorithm explores only those states which are absolutely necessary to explore to decide the problem. It is easy to see that most of our algorithms presented here are local, unlike the global algorithms based on bottom-up partition refinement.

Our algorithms are incremental as well, because if the given transition systems are changed by adding or deleting transitions or states, the algorithms can maintain the results computed earlier and decide the equivalence of the changed systems with a minimal amount of work. The changes in transitions amount to changes in clauses in the NHORNSAT instance. Since the HORNSAT algorithms we use are incremental [AI91], it takes $O(q)$ amortized time to maintain satisfiability, where q is the size of the changes in clauses. In [SS94, SHR96a] incremental algorithms for model checking were presented. From our results here, it is easily seen that our methodology naturally gives incremental algorithms for the behavioral equivalence checking problem.

In Chapter 6 we also show how to compute diagnostic information without any overhead in the asymptotic complexity for the prebisimulation problem. It is easy to see that we can apply the same technique to the class of algorithms obtained here to compute diagnostic information in each case. By diagnostic information we mean the following. If two transition systems are decided to be inequivalent, or not in the preorder relation, then we want some information as to why they are not related. Diagnostic information is typically a logical formula which one system satisfies and the other does not. Moreover, it is a formula in the characteristic logic of that relation [Wal88, CC92, SHR96a].

3.3 Overview of the Uniform Reduction Technique

In [KS90], Kanellakis and Smolka proved that bisimulation equivalence of finite transition systems is polynomial time decidable by reducing the decision problem to a generalized partition refinement problem.
In [HT94], Huynh and Tian proved that two other finite state process equivalences, namely simulation equivalence and ready-simulation equivalence, are also polynomial time decidable. Their proof involved showing that each of these simulation relations is the intersection of a chain of polynomially decidable relations. In both cases the methods use bottom-up refinement techniques. For example, the partition refinement discussed in [KS90] starts with all possibilities and then computes (in a bottom-up fashion) the maximal bisimulation.

In contrast, given a type of simulation relation, our method entails a top-down construction of a CNF formula f as follows:

1. The variables in the formula f are $X_{p,q}$, where p and q are states in the two transition systems.
2. The clauses in the formula f are of the following three types.
   (a) A single positive literal $X_{p,q}$. When we want (p, q) to be in the simulation relation we construct this type of clause.
   (b) A single negated literal $\neg X_{p,q}$. Such a clause is constructed when (p, q) cannot be in any simulation relation of the given type.
   (c) Implication clauses of the form $X_{p,q} \Rightarrow \bigvee_{i,j} X_{i,j}$. A clause of this form is constructed when, for (p, q) to be in the simulation relation, one of the (i, j)'s must also be in the simulation relation.

Depending on the properties of the relation under consideration, we create the CNF formulas. For some relations we consider all pairs of states (e.g., backward simulation) and in other cases we consider only simultaneously reachable pairs of states (we call a pair of states (p, q) simultaneously reachable if there is a $\sigma \in Act^*$ such that both p and q are reachable from the respective start states via the action sequence σ). The effectiveness of the reduction relies on the property that if we generate a clause of the form $\neg X_{s,t}$, then it is guaranteed that no relation satisfying the properties of that particular relation can contain the pair (s, t). So, the basic idea involves

1. encoding the properties of a relation into a type of CNF formula whose satisfiability is polynomial time decidable, and

2. proving that the pair of processes is in the relation if and only if the resulting CNF formula is satisfiable.

Hence the decision problem on the process domain is encoded as a Horn formula satisfiability problem which can be solved in polynomial time.

The resulting CNF formulas in our method are weakly negative Horn formulas [Sch78] (a weakly negative clause is a clause which contains at most one negative literal). The satisfiability problem for such formulas is called NHORNSAT here, and it is easy to show that NHORNSAT is decidable in linear time [DG84, AI91]. Moreover, from [AI91] it is easy to construct an algorithm for NHORNSAT which is incremental or on-line.

However, sometimes instead of deciding whether two given states are related via a specific simulation relation, we are interested in computing the relation on a given transition system. For example, we may want to know, for all pairs of states, whether they are related. In such a case, our reduction is slightly different. For each pair (p, q), if there is direct evidence that they cannot be related, then we add a clause of the form $\neg X_{p,q}$. For example, if we are considering the bisimulation relation and there is an action a enabled at p but not at q, or vice versa, then we are sure that they cannot be related and hence add a clause of this form. Otherwise, we add conditional clauses encoding the conditions to be satisfied for p and q to be related. This type of reduction creates instances of NHORNSAT which have either single literal (negated) clauses or conditional clauses of the form $x_i \rightarrow \bigvee_j x_j$. As mentioned earlier, we call this subclass of NHORNSAT instances PNHORNSAT. Note that these instances are always satisfiable by assigning the Boolean value false to every variable. The problem we solve in this case is maximal-PNHORNSAT. We can show that there is a unique maximal satisfying assignment (see Chapter 2) for this type of instance and, moreover, the maximal satisfying assignment corresponds to the relation we are computing.

3.4 A Polynomial Time Algorithm for Bisimulation Equivalence

It is well known that bisimulation equivalence of finite transition systems is decidable in polynomial time [KS90]. In [KS90] there is an efficient algorithm for this problem with time complexity $O(m \log n + n)$, where n is the number of states in the two transition systems and m is the number of transitions in the transition relations. Their algorithm is a bottom-up refinement taking advantage of Paige and Tarjan's efficient algorithm for the relational coarsest partition problem [PT87]. Here, we illustrate our methodology by giving an alternative proof of the polynomial time decidability of strong bisimulation equivalence, utilizing a polynomial time reduction to the satisfiability problem for Horn formulas.

Let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two finite transition systems. We give a polynomial time algorithm that takes $T_1$ and $T_2$ as input and outputs an instance h of NHORNSAT. In instance h the number of variables is $\le |S| \cdot |T|$ and the size of the instance is $O(|D_1| \cdot |D_2|)$.

The algorithm is given in Figure 3.1. Before giving an informal description of the algorithm, we explain some of the functions used in its description.

Let $STEP_1(a, p) = \{p' \mid (p, a, p') \in D_1\}$. Intuitively, $STEP_1(a, p)$ is the set of all states that are reachable from state p by executing an a action. Similarly, $STEP_2(a, q) = \{q' \mid (q, a, q') \in D_2\}$.

Now $CLAUSE(p, a, p', q) = \bigvee_{q' \in STEP_2(a, q)} X_{p', q'}$ if $STEP_2(a, q) \neq \emptyset$, else false.

This function is used to create the conditional clauses. Whenever we are considering the pair (p, q), we want to represent the conditions for their inclusion in a

bisimulation relation. Given a transition $(p, a, p') \in D_1$ there must be a transition $(q, a, q') \in D_2$ for which $(p', q')$ is in the bisimulation relation. CLAUSE computes clauses expressing this fact.

$VARS(p, a, p', q) = \{X_{p', q'} \mid q' \in STEP_2(a, q)\}$ if $STEP_2(a, q) \neq \emptyset$, else $\emptyset$.

Function VARS keeps track of the variable occurrences in a newly created conditional clause created by a call to CLAUSE. $CLAUSE'$ and $VARS'$ are defined in a similar manner except that $STEP_1$ is used instead of $STEP_2$. The algorithm constructs an instance h of NHORNSAT such that h is satisfiable iff $T_1$ and $T_2$ are bisimulation equivalent. So we start with the single literal clause $X_{s_1, t_1}$. Then, for each step from $s_1$ via some action a to some state s, we construct a clause specifying the following: there is some step in $T_2$ from $t_1$ via action a to some state t such that (s, t) is in the bisimulation relation which witnesses the bisimulation between $T_1$ and $T_2$.

The constructed NHORNSAT instance h has the property that, given any satisfying assignment, if we specify a relation R by saying that $(p, q) \in R$ iff $X_{p,q} = 1$ in the satisfying assignment and $X_{p,q}$ appears in h, then R witnesses the bisimulation equivalence between $T_1$ and $T_2$. Furthermore, if $T_1 \equiv_{bsim} T_2$ then there exists a witness bisimulation $R \subseteq S \times T$ such that, if we specify the truth assignment by saying that $X_{p,q} = 1$ iff $(p, q) \in R$, then this truth assignment satisfies h.

Before we prove the correctness of the reduction algorithm and its polynomial time complexity, let us consider the examples in Figure 3.2. Consider $T_1$ and $T_2$ in Figure 3.2(a). They are not bisimulation equivalent, and we shall see that the NHORNSAT instance is not satisfiable.

In the example of Figure 3.2(a), algorithm Bisim-NHorn outputs the following clauses:

Comment: The sets V and W keep track of all the variables generated and processed, respectively. The set C will contain the set of clauses of the NHORNSAT instance.

1. Comment: The pair $(s_1, t_1)$ must be in the relation.
   $C := \{X_{s_1, t_1}\}$; $V := \{X_{s_1, t_1}\}$; $W := \emptyset$;
2. do until V is empty.
   (a) Let $X_{p,q}$ be any element in V.
   (b) $V := V - \{X_{p,q}\}$; $W := W \cup \{X_{p,q}\}$;
   Comment: If for the pair of states (p, q) both have no actions out of them, the pair may be in the relation.
   (c) If for no $a \in Act$ there is a $p' \in S$ such that $(p, a, p') \in D_1$, and for no $a \in Act$ there is a $q' \in T$ such that $(q, a, q') \in D_2$, then $C := C \cup \{X_{p,q}\}$;
   Comment: Steps (d) and (e) create implication clauses to encode the conditions of the bisimulation relation.
   (d) for each $a \in Act$, $p' \in S$ such that $(p, a, p') \in D_1$ do
         $C := C \cup \{\neg X_{p,q} \lor CLAUSE(p, a, p', q)\}$;
         $V := V \cup (VARS(p, a, p', q) - W)$;
       endfor
   (e) for each $a \in Act$, $q' \in T$ such that $(q, a, q') \in D_2$ do
         $C := C \cup \{\neg X_{p,q} \lor CLAUSE'(q, a, q', p)\}$;
         $V := V \cup (VARS'(q, a, q', p) - W)$;
       endfor
   end do
3. Output C.

Figure 3.1: Algorithm for reducing a bisimulation instance to an NHORNSAT instance: Algorithm Bisim-NHorn.

[Figure 3.2: (a) Illustrating $T_1 \not\equiv_{bsim} T_2$; (b) Illustrating $T_1 \equiv_{bsim} T_2$. The transition diagrams of the two pairs of systems are not reproduced in this transcript; their transitions can be read off the clause sets below.]

$\{X_{s_1,t_1};\ \neg X_{s_1,t_1} \lor X_{s_2,t_2} \lor X_{s_2,t_3};\ \neg X_{s_1,t_1} \lor X_{s_2,t_2};\ \neg X_{s_1,t_1} \lor X_{s_2,t_3};\ \neg X_{s_2,t_2} \lor X_{s_3,t_4};\ \neg X_{s_2,t_2};\ \neg X_{s_2,t_3} \lor X_{s_4,t_5};\ \neg X_{s_2,t_3};\ X_{s_3,t_4};\ X_{s_4,t_5}\}$

This set of weakly negative clauses is not satisfiable, and hence the two finite transition systems are not bisimulation equivalent: the unit clauses $\neg X_{s_2,t_2}$ and $\neg X_{s_2,t_3}$, each recording a transition of $s_2$ that $t_2$, respectively $t_3$, cannot match, together with $\neg X_{s_1,t_1} \lor X_{s_2,t_2}$ force $X_{s_1,t_1}$ to be false, contradicting the unit clause $X_{s_1,t_1}$. Now consider the example of Figure 3.2(b). These transition systems are bisimulation equivalent [Mil89]. The set of clauses output by algorithm Bisim-NHorn is the following:

$\{X_{s_1,t_1};\ \neg X_{s_1,t_1} \lor X_{s_2,t_2} \lor X_{s_2,t_3};\ \neg X_{s_1,t_1} \lor X_{s_2,t_2};\ \neg X_{s_1,t_1} \lor X_{s_2,t_3};\ \neg X_{s_2,t_3} \lor X_{s_3,t_4};\ \neg X_{s_2,t_2} \lor X_{s_3,t_5} \lor X_{s_3,t_6};\ \neg X_{s_2,t_2} \lor X_{s_3,t_5};\ \neg X_{s_2,t_2} \lor X_{s_3,t_6};\ X_{s_3,t_4};\ X_{s_3,t_5};\ X_{s_3,t_6}\}$

This set of clauses has a satisfying assignment, namely $X_{s_1,t_1} = X_{s_2,t_2} = X_{s_2,t_3} = X_{s_3,t_4} = X_{s_3,t_5} = X_{s_3,t_6} = 1$ and all other variables 0. Thus the witness bisimulation relation from S to T is $\{(s_1, t_1), (s_2, t_2), (s_2, t_3), (s_3, t_4), (s_3, t_5), (s_3, t_6)\}$.

Now that we have explored two examples, we are ready to prove the correctness and polynomial time complexity of this algorithm for reducing bisimulation equivalence of two finite transition systems to NHORNSAT. The fact that NHORNSAT is linear time solvable [DG84] together with the correctness of the polynomial time

reduction proves that the bisimulation equivalence problem for finite transition systems is in P.

Theorem 3.4.1 The NHORNSAT instance produced by the algorithm Bisim-NHorn from two finite transition systems has a satisfying assignment iff the two input transition systems are bisimulation equivalent.

The following sequence of lemmas will establish this theorem.

Lemma 3.4.2 If $T_1 \equiv_{bsim} T_2$ and $R \subseteq S \times T$ is a witness bisimulation relation, then the following conditions hold: for all $\sigma \in Act^*$, if $s_1 \stackrel{\sigma}{\Longrightarrow} p$ then there exists $q \in T$ such that $t_1 \stackrel{\sigma}{\Longrightarrow} q$ and $(p, q) \in R$; and if $t_1 \stackrel{\sigma}{\Longrightarrow} q$ then there exists $p \in S$ such that $s_1 \stackrel{\sigma}{\Longrightarrow} p$ and $(p, q) \in R$.

Proof: By induction on the length of σ. □

The following lemma asserts that if $\neg X_{p,q}$ is a clause in the NHORNSAT instance, then there is no bisimulation relation that can contain the pair (p, q).

Lemma 3.4.3 If the clause $\neg X_{p,q}$ (a clause consisting of a single negative literal) appears in the NHORNSAT instance created by the algorithm Bisim-NHorn, then there is no bisimulation relation R from S to T such that $(p, q) \in R$.

Proof: The claim in the above lemma is that no bisimulation relation witnessing the bisimulation equivalence of $T_1$ and $T_2$ can have the pair (p, q) in it. Such a clause can be generated either in step 2(d) or in step 2(e) of the algorithm Bisim-NHorn. That is possible only when $CLAUSE(p, a, p', q)$ or $CLAUSE'(q, a, q', p)$ returns false. This can happen if $STEP_2(a, q) = \emptyset$ for some $a \in Act$ with $(p, a, p') \in D_1$, or if $STEP_1(a, p) = \emptyset$ for some $a \in Act$ with $(q, a, q') \in D_2$,

respectively. In the first case this means that $(p, a, p') \in D_1$ for some $p' \in S$ but there is no $q' \in T$ such that $(q, a, q') \in D_2$. Then, by the definition of a bisimulation relation, p and q are not in any bisimulation relation. The latter case is argued similarly. □

Lemma 3.4.4 If the instance of NHORNSAT output by the algorithm Bisim-NHorn is satisfiable then $T_1 \equiv_{bsim} T_2$.

Proof: Suppose the NHORNSAT instance (say h) is satisfiable, and fix a satisfying truth assignment to the variables $X_{p,q}$. Let $R \subseteq S \times T$ be defined by $(p, q) \in R$ iff the variable $X_{p,q}$ appears in h and $X_{p,q} = 1$ under the assignment. We claim that R is a witness bisimulation. Since $X_{s_1,t_1}$ appears as a single literal clause in h, $X_{s_1,t_1} = 1$ and thus $(s_1, t_1) \in R$.

For any $(p, q) \in R$ we have to show that for all $a \in Act$ and $p' \in S$, if $(p, a, p') \in D_1$ then there is $q' \in T$ such that $(q, a, q') \in D_2$ and $(p', q') \in R$, and the reverse for transitions from q. Consider the conditional clause that step 2(d) of the algorithm constructs for $X_{p,q}$, a, and p'. Since $(p, q) \in R$ and R was constructed from the satisfying assignment, we have $X_{p,q} = 1$. Consequently, one of the disjuncts on the right-hand side of the conditional clause must be true. Suppose disjunct $X_{p',q'}$ from $CLAUSE(p, a, p', q)$ is true. Then $(q, a, q') \in D_2$ and $X_{p',q'} = 1$, which means $(p', q') \in R$. A similar argument applies to the reverse case of transitions from q. □

Lemma 3.4.5 If $T_1 \equiv_{bsim} T_2$ then the instance of NHORNSAT produced by algorithm Bisim-NHorn is satisfiable.

Proof: Let R be a witness bisimulation. Consider the assignment of truth values to the variables $X_{p,q}$ given by

$X_{p,q} = 1$ if $(p, q) \in R$, and $X_{p,q} = 0$ if $(p, q) \notin R$.

Since R is a witness bisimulation, $(s_1, t_1) \in R$, and so $X_{s_1,t_1} = 1$; thus the single positive literal clause $X_{s_1,t_1}$ is satisfied. The single negated literal clauses of the form $\neg X_{p,q}$ are satisfied by Lemma 3.4.3. All other clauses are of the form $X_{p,q} \Rightarrow \bigvee_{i,j} X_{i,j}$. If (p, q) is not in R then such a clause is trivially satisfied. If $(p, q) \in R$, then to satisfy such a clause one of the disjuncts on the right-hand side must be satisfied. The disjuncts are constructed so that they enumerate exactly the pairs $(p', q')$ one of which must belong to any bisimulation containing (p, q); since R is a bisimulation containing (p, q), one of them is in R, and the corresponding disjunct is true. □

An examination of Algorithm Bisim-NHorn yields the following:

Theorem 3.4.6 The algorithm Bisim-NHorn runs in $O(|D_1| \cdot |D_2|)$ time and produces an instance of NHORNSAT of size $O(|D_1| \cdot |D_2|)$.

Proof: Let $Act = \{a_1, a_2, \ldots, a_k\}$, $|S| = n_1$, $|T| = n_2$, $|D_1| = m_1$ and $|D_2| = m_2$. Also let $m_i^{a_j}$ denote the cardinality of the set of transitions in $D_i$ over the action $a_j$. Note that $\sum_{j=1}^{k} m_i^{a_j} = m_i$ (for $i = 1, 2$).

Let $d_s$ denote the number of transitions out of a state s in its corresponding transition system, and let $d_s^{a_j}$ be the cardinality of the set of transitions out of s in its transition system over action $a_j$.

Note that $\sum_{j=1}^{k} d_s^{a_j} = d_s$, $\sum_{s} d_s^{a_j} = m_i^{a_j}$, $\sum_{s \in S} d_s = m_1$ and $\sum_{t \in T} d_t = m_2$.

When creating clauses inside the do-until loop (numbered 2) in the algorithm in Figure 3.1 corresponding to a variable $X_{p,q}$, the size of the clause corresponding to an

action $a_j$ (step 2(d)) is $d_q^{a_j} + 1$, and hence the total size of the set of clauses created in step 2(d) for $a_j$ is $d_p^{a_j}(d_q^{a_j} + 1)$; the total size of all clauses created in 2(d) and 2(e) for $a_j$ comes to $d_p^{a_j}(d_q^{a_j} + 1) + d_q^{a_j}(d_p^{a_j} + 1)$.

Assuming that all state pairs (p, q) are explored (in our construction only those pairs are explored which are simultaneously reachable from the start states, hence the size obtained in this analysis is an over-estimate), the total size of the NHORNSAT instance will be at most

$$\begin{aligned}
&\sum_{p} \sum_{q} \sum_{j=1}^{k} \Big( d_p^{a_j}(d_q^{a_j} + 1) + d_q^{a_j}(d_p^{a_j} + 1) \Big) \\
&= \sum_{p} \sum_{q} \sum_{j=1}^{k} \Big( 2\, d_p^{a_j} d_q^{a_j} + d_q^{a_j} + d_p^{a_j} \Big) \\
&= \sum_{p} \sum_{q} \Big( 2 \sum_{j=1}^{k} d_p^{a_j} d_q^{a_j} + \sum_{j=1}^{k} d_q^{a_j} + \sum_{j=1}^{k} d_p^{a_j} \Big) \\
&= \sum_{p} \sum_{q} \Big( 2 \sum_{j=1}^{k} d_p^{a_j} d_q^{a_j} + d_p + d_q \Big) \\
&= 2 \sum_{p} \sum_{q} \sum_{j=1}^{k} d_p^{a_j} d_q^{a_j} + \sum_{p} \sum_{q} d_p + \sum_{p} \sum_{q} d_q \\
&= 2 \sum_{j=1}^{k} \sum_{p} \sum_{q} d_p^{a_j} d_q^{a_j} + m_1 n_2 + m_2 n_1 \\
&= 2 \sum_{j=1}^{k} \Big( \sum_{p} d_p^{a_j} \Big) \Big( \sum_{q} d_q^{a_j} \Big) + m_1 n_2 + m_2 n_1 \\
&= 2 \sum_{j=1}^{k} m_1^{a_j} m_2^{a_j} + m_1 n_2 + m_2 n_1 \\
&\le 2\, m_1 m_2 + m_1 n_2 + m_2 n_1
\end{aligned}$$

(the last step uses $\sum_j m_1^{a_j} \cdot \sum_j m_2^{a_j} \ge \sum_j m_1^{a_j} m_2^{a_j}$).

Note that all the variables occurring in the NHORNSAT instance involve reachable states, i.e., if $X_{p,q}$ is a variable, then p and q are reachable from their respective start states. The number of reachable states of a transition system can exceed the number of transitions by at most one. Therefore, the above bound can be refined to $O(m_1 m_2)$, which is $O(|D_1| \cdot |D_2|)$. □

Since we have a linear time algorithm for solving NHORNSAT (see Chapter 2), composing the algorithm Bisim-NHorn with the linear time algorithm for NHORNSAT yields an algorithm for deciding bisimulation equivalence of two transition systems in time $O(m_1 m_2)$, whereas the algorithm in [PT87, KS90] has a time

complexity $O((m_1 + m_2) \log (n_1 + n_2))$. However, as mentioned earlier, our algorithm is on the fly, because we do not need the transition systems in memory before applying our algorithm. We explore the state pairs which are simultaneously reachable from the start state pair and thus generate the transition system as and when required. Moreover, since there is an incremental algorithm for NHORNSAT [AI91], we obtain an incremental algorithm for bisimulation this way. In Chapter 6 we also show how to obtain diagnostic information using this approach, without any additional complexity overhead.

Although the algorithm presented in this section decides bisimulation of transition systems, it can easily be extended to the problem of deciding weak bisimulation or observational equivalence. One has to compute a τ-closure of the transition relations, which can be done in polynomial time as discussed in [KS90], and then apply the same algorithm as discussed here.

3.5 Simulation Equivalence, Forward, Ready, and Complete Simulation

In the previous section we presented a polynomial time algorithm for deciding bisimulation equivalence of transition systems. This illustrated our uniform technique via reduction to NHORNSAT. The simulation relations discussed in this section are very similar, and the same reduction technique works for proving the polynomial time decidability of these relations as well. Hence we do not provide the details of these reductions, but we point out the differences in the individual cases. The correctness proofs and complexity analyses are also omitted, because they are very similar to the ones in the previous section.

First we consider simulation equivalence and forward simulation together, because their definitions are very similar. In fact, forward simulation decidability can be reduced to simulation decidability in exactly the same way as observational equivalence

is reduced to bisimulation equivalence, by precomputing the extended transition relation in polynomial time [KS90]. Subsequently, we briefly discuss the modifications needed for ready simulation and complete simulation.

3.5.1 Simulation and Forward Simulation

Given two finite transition systems $T_1$ and $T_2$, $T_1 \equiv_{sim} T_2$ is decidable in polynomial time [HT94]. Here we outline how our generic reduction can be used to prove this. To decide $T_1 \equiv_{sim} T_2$ we have to apply the method below twice, once to check whether $T_1 \le_{sim} T_2$ and then to check whether $T_2 \le_{sim} T_1$.

The reduction algorithm in this case is very similar to algorithm Bisim-NHorn, except that step 2(e) is omitted. The polynomial time reduction algorithm produces an instance of NHORNSAT which has a satisfying assignment iff $T_1 \le_{sim} T_2$. This gives us a polynomial time algorithm to decide whether $T_1 \le_{sim} T_2$.

The same method will work for deciding $T_1 \le_F T_2$ with a small modification. In this case, we have to compute $D'_2 = \{(p, a, p') \mid a \in Act(T_2)$ and $\exists \sigma \in \tau^* a \tau^*$ such that $p \stackrel{\sigma}{\Longrightarrow} p'\}$. As proved in [KS90], this takes polynomial time. With $D'_2$ as the transition relation of $T_2$, the same algorithm will work for forward simulation.

3.5.2 Ready Simulation and Complete Simulation

The reduction algorithm in the ready simulation case is almost the same as in the simulation case, except that the definitions of CLAUSE and VARS are modified as described below.

As before, let $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$ be two finite transition systems.

Let $STEP_R(a, q_j, p'_i) = \{q'_j \mid (q_j, a, q'_j) \in D_2 \wedge init(p'_i) = init(q'_j)\}$.

This modification is needed because the definition of ready simulation requires that, for (p, q) to be in the ready simulation relation, they must satisfy $init(p) = init(q)$ in addition to the conditions for being in a simulation relation.

Let $RCLAUSE(p_i, a, p'_i, q_j) = \bigvee_{q'_j \in STEP_R(a, q_j, p'_i)} X_{p'_i, q'_j}$ if $STEP_R(a, q_j, p'_i) \neq \emptyset$, else false, and let $RVARS(p_i, a, p'_i, q_j) = \{X_{p'_i, q'_j} \mid q'_j \in STEP_R(a, q_j, p'_i)\}$ if $STEP_R(a, q_j, p'_i) \neq \emptyset$, else $\emptyset$.

To get the desired polynomial time reduction algorithm we just have to

1. Replace CLAUSE and VARS by their new definitions given above in the reduction algorithm for the simulation relation.
2. Add a first step as follows: if $init(s_1) \neq init(t_1)$ then return an unsatisfiable formula of the form $X_{s_1,t_1} \wedge \neg X_{s_1,t_1}$ and terminate.

This algorithm produces an instance h of NHORNSAT such that h has a satisfying assignment iff $T_1 \le_{rsim} T_2$. Thus, to decide $T_1 \equiv_{rsim} T_2$, one can use this method twice.

In the case of complete simulation we slightly modify the definitions of the functions RCLAUSE and RVARS in the following manner. Define $STEP_C(a, q_j, p'_i) = \{q'_j \mid (q_j, a, q'_j) \in D_2 \wedge (init(p'_i) = \emptyset \Leftrightarrow init(q'_j) = \emptyset)\}$.

This modification is needed because the definition of complete simulation requires a pair (p, q) to satisfy the conditions for being in a simulation relation plus the additional condition $init(p) = \emptyset \Leftrightarrow init(q) = \emptyset$.

Now, to get a polynomial time reduction to NHORNSAT:

1. Use $STEP_C$ in place of $STEP_R$ in the definitions of RCLAUSE and

RVARS.
2. Add a first step which adds $X_{s_1,t_1}$ as a clause if the extra condition for complete simulation is satisfied by $(s_1, t_1)$. If not, the algorithm terminates, producing an unsatisfiable formula of the form $X_{s_1,t_1} \wedge \neg X_{s_1,t_1}$.

As a result of our brief discussion above we reach the following conclusion.

Theorem 3.5.1 The problems of deciding simulation, forward simulation, ready simulation and complete simulation equivalences of transition systems are all polynomial time reducible to the problem of satisfiability of Horn formulas. Hence, they are all polynomial time decidable. In fact, they are decidable in time $O(|D_1| \cdot |D_2|)$.

The proof is similar in each case to the proof in the previous section. In fact, our methodology lets us design an algorithm for each of these relations with time complexity $O(|D_1| \cdot |D_2|)$.

3.6 A Polynomial Time Algorithm for 2-nested Simulation

Given a transition system $T = \langle S, D, z \rangle$ over Act, where S is the set of states, $D \subseteq S \times Act \times S$ is the transition relation and z is a starting state, any state of T can be thought of as a process. A state p is a process whose transition system is $T_p = \langle S, D, p \rangle$. So any relation that we define over states can also be thought of as being defined over processes. Below we define various binary relations over processes.

First we recall the definition of a simulation relation.

Definition 3.6.1 A relation R between processes is a simulation iff whenever $(p, q) \in R$, then for each $a \in Act$ and each $p' \in S$, $p \stackrel{a}{\rightarrow} p'$ implies $\exists q' : q \stackrel{a}{\rightarrow} q' \wedge (p', q') \in R$.

A process p is simulated by a process q, denoted by $p \le_{sim} q$, iff there is a simulation relation R such that $(p, q) \in R$.

Two processes p and q are simulation equivalent, denoted by $p \equiv_{sim} q$, iff $p \le_{sim} q$ and $q \le_{sim} p$.

Now we define n-nested simulation equivalence between processes. The notion of n-nested simulation equivalence was introduced by Groote and Vaandrager in [GV92].

Definition 3.6.2 For all $n \in \mathbb{N}$ (the set of natural numbers), n-nested simulation, written $\le_n$, is inductively defined as follows.
- $p \le_0 q$ for all processes p, q.
- $p \le_{n+1} q$ iff there is a simulation $R \subseteq (\le_n)^{-1}$ with $(p, q) \in R$.

Two processes p and q are n-nested simulation equivalent, denoted $p \equiv_n q$, iff $p \le_n q$ and $q \le_n p$.

Note that 1-nested simulation is just simulation, and hence 1-nested simulation equivalence is the same as simulation equivalence. In other words, $\equiv_{sim} = \equiv_1$.

Although the definition of 2-nested simulation should be clear from Definition 3.6.2, we define it explicitly for the sake of clarity.

Definition 3.6.3 2-nested simulation, written $\le_2$, is defined as follows: $p \le_2 q$ iff there is a simulation $R \subseteq (\le_{sim})^{-1}$ with $(p, q) \in R$. Two processes p and q are 2-nested simulation equivalent, denoted $p \equiv_2 q$, iff $p \le_2 q$ and $q \le_2 p$.

Definition 3.6.4 Given two transition systems $T_1 = \langle S_1, \rightarrow_1, s_1 \rangle$ and $T_2 = \langle S_2, \rightarrow_2, s_2 \rangle$, we say that $T_1$ is 2-nested simulated by $T_2$, written $T_1 \le_2 T_2$, if and only if $s_1 \le_2 s_2$.
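Definitions 3.6.1 to 3.6.3, together with the ready- and complete-simulation variants of Section 3.5.2, computed directly as greatest fixpoints on the disjoint union of two transition systems. This is an added example, not code from the thesis: instead of building the NHORNSAT instance explicitly, it starts from all admissible pairs and deletes pairs until only a simulation remains, which is the same computation that the maximal satisfying assignment of the PNHORNSAT instance of Section 3.3 performs, and for k-nested simulation each phase reads the relation computed by the previous one. The transition systems are constructed here for the example: P = a.b + a.(b+c) and Q = a.(b+c), which are simulation equivalent but not 2-nested simulation equivalent, and the pair a.(b+c) versus a.b + a.c of Figure 3.2(a); state names are assumed distinct across the two systems being compared.

```python
from collections import defaultdict
from itertools import product


def _index(trans):
    """Successor map (p, a) -> {p'} and init(p) = set of actions enabled at p."""
    succ, init = defaultdict(set), defaultdict(set)
    for p, a, p2 in trans:
        succ[(p, a)].add(p2)
        init[p].add(a)
    return succ, init


def greatest_simulation(states, trans, admissible):
    """Largest simulation (Definition 3.6.1) contained in the admissible pairs.

    Start from every pair accepted by `admissible` and delete any (p, q) for
    which some move p -a-> p' has no move q -a-> q' with (p', q') still
    present; iterate to a fixpoint.  A pair is dropped exactly when the
    conditional clause X_{p,q} => V X_{p',q'} of the PNHORNSAT encoding has
    no true disjunct left, so the result is the maximal-PNHORNSAT relation.
    """
    succ, init = _index(trans)
    rel = {(p, q) for p, q in product(states, states) if admissible(p, q)}

    def blocked(p, q):
        return any(not any((p2, q2) in rel for q2 in succ.get((q, a), ()))
                   for a in init[p] for p2 in succ[(p, a)])

    changed = True
    while changed:
        changed = False
        for pq in list(rel):
            if blocked(*pq):
                rel.discard(pq)
                changed = True
    return rel


def simulation(states, trans):
    return greatest_simulation(states, trans, lambda p, q: True)


def ready_simulation(states, trans):
    """Section 3.5.2: related states must enable exactly the same actions."""
    _, init = _index(trans)
    return greatest_simulation(states, trans, lambda p, q: init[p] == init[q])


def complete_simulation(states, trans):
    """Section 3.5.2: related states are both terminal or both non-terminal."""
    _, init = _index(trans)
    return greatest_simulation(states, trans,
                               lambda p, q: (not init[p]) == (not init[q]))


def nested_simulation(states, trans, k):
    """k-nested simulation <=_k (Definition 3.6.2): phase n keeps only the
    pairs whose inverse lies in <=_{n-1}, then refines to a simulation."""
    rel = set(product(states, states))          # <=_0 relates everything
    for _ in range(k):
        previous = rel
        rel = greatest_simulation(states, trans,
                                  lambda p, q: (q, p) in previous)
    return rel


def related(T1, T2, relation, *args):
    """T1 R T2 iff (s1, s2) is in R computed on the disjoint union of the two
    systems (state names are assumed to be distinct across T1 and T2)."""
    S1, D1, s1 = T1
    S2, D2, s2 = T2
    return (s1, s2) in relation(S1 | S2, D1 | D2, *args)


# Constructed examples.  P = a.b + a.(b+c), Q = a.(b+c); ABC = a.(b+c) and
# AB_AC = a.b + a.c are the two systems of Figure 3.2(a).
P = ({'p0', 'p1', 'p2', 'p3', 'p4', 'p5'},
     {('p0', 'a', 'p1'), ('p1', 'b', 'p2'), ('p0', 'a', 'p3'),
      ('p3', 'b', 'p4'), ('p3', 'c', 'p5')}, 'p0')
Q = ({'q0', 'q1', 'q2', 'q3'},
     {('q0', 'a', 'q1'), ('q1', 'b', 'q2'), ('q1', 'c', 'q3')}, 'q0')
ABC = ({'s1', 's2', 's3', 's4'},
       {('s1', 'a', 's2'), ('s2', 'b', 's3'), ('s2', 'c', 's4')}, 's1')
AB_AC = ({'t1', 't2', 't3', 't4', 't5'},
         {('t1', 'a', 't2'), ('t1', 'a', 't3'), ('t2', 'b', 't4'), ('t3', 'c', 't5')}, 't1')

if __name__ == '__main__':
    print(related(P, Q, simulation), related(Q, P, simulation))            # True True
    print(related(P, Q, nested_simulation, 2), related(Q, P, nested_simulation, 2))
    print(related(AB_AC, ABC, simulation), related(AB_AC, ABC, ready_simulation))
```

P and Q simulate each other, so they are simulation equivalent, but P is not 2-nested simulated by Q: the a-move of P to the branch a.b would have to be matched by Q's a-move to b+c, and that target does not simulate the branch b in reverse, so the pair is not admissible in phase 2. For the Figure 3.2(a) pair, a.b + a.c is simulated and completely simulated by a.(b+c) but not ready simulated by it, since the ready sets {b} and {b, c} differ after the first step.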

We now prove the following fact about 2-nested simulation.

Lemma 3.6.1 Given two transition systems $T_1 = \langle S_1, \rightarrow_1, s_1 \rangle$ and $T_2 = \langle S_2, \rightarrow_2, s_2 \rangle$, the following are equivalent:
1. $T_1$ is 2-nested simulated by $T_2$ (i.e., $T_1 \le_2 T_2$).
2. There is a simulation relation $R \subseteq S_1 \times S_2$ such that $(s_1, s_2) \in R$ and, for all $(x, y) \in R$, $y \le_{sim} x$.

Proof: First we prove (1) ⇒ (2). Recall Definition 3.6.3 and Definition 3.6.4. $T_1 \le_2 T_2$ implies that $s_1 \le_2 s_2$. That implies that there is a simulation relation R containing $(s_1, s_2)$ with the property that for any $(x, y) \in R$, $y \le_{sim} x$, because by Definition 3.6.3 $R \subseteq (\le_{sim})^{-1}$.

We now prove (2) ⇒ (1). By the conditions in (2), there is a simulation relation R that relates $s_1$ and $s_2$ and has the property that for each $(x, y) \in R$, $y \le_{sim} x$, i.e., $(y, x) \in \le_{sim}$. Consequently, $R \subseteq (\le_{sim})^{-1}$. Hence by Definition 3.6.3 $s_1 \le_2 s_2$, and thus by Definition 3.6.4 $T_1$ is 2-nested simulated by $T_2$. □

We can generalize the above lemma to (k+1)-nested simulation (for $k \ge 2$) as follows.

Lemma 3.6.2 Given two transition systems $T_1 = \langle S_1, \rightarrow_1, s_1 \rangle$ and $T_2 = \langle S_2, \rightarrow_2, s_2 \rangle$, the following are equivalent:
1. $T_1$ is (k+1)-nested simulated by $T_2$ (i.e., $T_1 \le_{k+1} T_2$).
2. There is a simulation relation $R \subseteq S_1 \times S_2$ such that $(s_1, s_2) \in R$ and, for all $(x, y) \in R$, $y \le_k x$.

On the basis of Lemma 3.6.1 we can now describe how to derive an NHORNSAT based algorithm for deciding if two transition systems $T_1 = \langle S_1, \rightarrow_1, s_1 \rangle$ and $T_2 =$

hS2;!2; s2i are related by the 2-nested simulation relation. From Lemma 3.6.2 wecan derive a similar algorithm for k�nested simulation relation.As an initial step, the algorithm �nds and eliminates unreachable states from eachtransition system. This can be done in linear time, and ensures that the constructedNHORNSAT instance has size O(j !1 j � j !2 j).The main idea is as follows. The algorithm performs two reductions. In the �rstreduction, we reduce simulation to an NHORNSAT instance. This �rst reductionwill take time O(j !1 j � j !2 j) and the will produce an NHORNSAT instance of sizeO(j !1 j � j !2 j). Let the variables in this NHORNSAT instance be from the set Y =fYp;qjp 2 S1; q 2 S2g. The created NHORNSAT instance has the following property.Let the maximal satisfying assignment for this instance be �. Then �(Yp;q) = 1 if andonly if p �sim q (in other words p �1 q). The reduction is similar to that in AlgorithmBisim-NHorn, except for the following. In Step 1, C := � and V := fYp;qjp 2 S1; q 2S2g. Also, Step 3(e) is omitted.In the second reduction, we create another NHORNSAT instance, but this timewe use variables from a set of variables X = fXp;qjp 2 S1; q 2 S2g, such that X andY are disjoint. The creation of this new NHORNSAT instance is initiated by addingXs1;s2 as a clause and adding Xs1;s2 in the set of Variables to be explored. Now, foran unexplored variable Xp;q the following steps are taken:1. If �(Yp;q) = 0 then add the clause Xp;q.2. If jinit(p)j�jinit(q)j 6= 0, then add the clause Xp;q to the set of clauses.3. Otherwise, if �(Yq;p) = 1 thenFor each a 2 Act, each p0 2 S1, such that p a!1 p0, create aclause Xp;q ) _qj2fq0jq a!2q0gXp0;qjThe NHORNSAT instance created has size O(j !1 j � j !2 j). The �rst NHORN-SAT instance is solved for its maximal satisfying assignment �rst and then the assign-68

ment of values of the variables in Y are used to construct the second NHORNSATinstance. It is not di�cult to see that the two transition systems are in the 2-nestedsimulation preorder if and only if the second NHORNSAT instance has a satisfyingassignment.For k�nested (k � 2) simulation relations, the algorithm uses k phases. The max-imal satisfying assignment in the �rst phase will be used to construct the NHORNSATinstance in the second phase, and the maximal satisfying assignment in the (k � 1)thphase will be used to construct the NHORNSAT instance in the kth phase. As aresult, the algorithm will require O(k � (j !1 j � j !2 j)) time. For a �xed k, thatis O(j !1 j � j !2 j), for arbitrary k, the time complexity is polynomial in k and thesizes of the transition relations. Since k�nested for k � max(jS1j; jS2j) coincides withbisimulation equivalence [GV92], this complexity isO(max(jS1j; jS2j) � (j !1 j � j !2 j))time.3.7 A Polynomial Time Algorithm for BackwardSimulationThe reduction from a backward simulation instance to NHORNSAT is di�erentfrom the reduction in the previous subsection in a subtle way. These di�erences arisebecause of the following three facts.1. Backward simulation is a total relation2. The start state of T1 can be related only to the start state of T2.3. Backward simulation between two states depends on whether sameactions can lead to them from (backward) similar states rather than onwhat actions are possible from them.As a result, unlike the other cases, here we have to consider all possible pairs, andthe computation of the conditional clauses is slightly di�erent from the other cases.69
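Before turning to the backward simulation construction, here is the phase scheme of Section 3.6 in runnable form, as an added Python example that is not code from the thesis. Phase 1 builds the simulation instance over the $Y$ variables and takes its maximal satisfying assignment $\Phi$; phase 2 builds the instance over the $X$ variables, rejecting every pair $(p, q)$ with $\Phi(Y_{q,p}) = 0$ as Lemma 3.6.1 requires. The same function then iterates to $k$ phases for $k$-nested simulation (Lemma 3.6.2). Assumptions: Algorithm Bisim-NHorn is not on this page, so the simulation clauses use the standard shape $X_{p,q} \Rightarrow \bigvee X_{p',q'}$; the second phase is built over all pairs rather than only the explored ones (same result, no locality); the systems P and Q are constructed here.

```python
from collections import defaultdict

# Constructed sample systems (not from the thesis):
#   P = a.(b + c) + a.b          Q = a.(b + c)
# P and Q are simulation equivalent but not bisimilar, so the nested
# simulations must separate them at some depth.
P = {"states": ["p", "p1", "p2", "p3"], "acts": ["a", "b", "c"], "start": "p",
     "trans": {("p", "a", "p1"), ("p", "a", "p2"), ("p1", "b", "p3"),
               ("p1", "c", "p3"), ("p2", "b", "p3")}}
Q = {"states": ["q", "q1", "q3"], "acts": ["a", "b", "c"], "start": "q",
     "trans": {("q", "a", "q1"), ("q1", "b", "q3"), ("q1", "c", "q3")}}


def succ_map(ts):
    """(state, action) -> set of successor states."""
    succ = defaultdict(set)
    for p, a, p2 in ts["trans"]:
        succ[(p, a)].add(p2)
    return succ


def solve_max(clauses, variables):
    """Maximal satisfying assignment of an NHORNSAT instance.
    A clause is (head, body) and reads  head -> (body[0] or body[1] or ...);
    an empty body is the negative unit clause  not head.
    Greatest fixpoint: start all-true and falsify any head one of whose clause
    bodies has become entirely false; what survives is the maximal model."""
    val = {v: True for v in variables}
    bodies = defaultdict(list)
    for head, body in clauses:
        bodies[head].append(body)
    changed = True
    while changed:
        changed = False
        for head, blist in bodies.items():
            if val[head] and any(not any(val[x] for x in body) for body in blist):
                val[head] = False
                changed = True
    return val


def sim_instance(t1, t2, admissible):
    """NHORNSAT instance over variables (p, q), p in T1, q in T2.
    For every p -a-> p' the clause  (p,q) -> OR_{q -a-> q'} (p',q')  encodes the
    simulation condition; a pair rejected by `admissible` gets the unit  not (p,q)."""
    s1, s2 = succ_map(t1), succ_map(t2)
    clauses = []
    for p in t1["states"]:
        for q in t2["states"]:
            if not admissible(p, q):
                clauses.append(((p, q), []))
                continue
            for a in t1["acts"]:
                for p2 in s1.get((p, a), ()):
                    clauses.append(((p, q), [(p2, q2) for q2 in s2.get((q, a), ())]))
    return clauses


def nested_sim(t1, t2, k):
    """k-nested simulation preorder on all pairs, as a dict (p, q) -> bool.
    Phase k (k >= 2) is built from the maximal assignment of phase k-1 taken for
    the reversed pair (T2, T1): (p, q) is admissible only if q is (k-1)-nested
    simulated by p, i.e. R is a subset of the inverse of the (k-1)-nested preorder."""
    if k == 1:
        admissible = lambda p, q: True
    else:
        prev = nested_sim(t2, t1, k - 1)
        admissible = lambda p, q: prev[(q, p)]
    variables = [(p, q) for p in t1["states"] for q in t2["states"]]
    return solve_max(sim_instance(t1, t2, admissible), variables)


def nested_preorder(t1, t2, k):
    """T1 is k-nested simulated by T2: the start states are related."""
    return nested_sim(t1, t2, k)[(t1["start"], t2["start"])]


def nested_equivalent(t1, t2, k):
    return nested_preorder(t1, t2, k) and nested_preorder(t2, t1, k)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, nested_preorder(P, Q, k), nested_preorder(Q, P, k))
```

On the constructed pair, P and Q are 1-nested (simulation) equivalent, Q is 2-nested simulated by P but not the other way round, and at depth 3 neither direction holds, matching the remark that the nested hierarchy converges to bisimulation equivalence, which P and Q lack.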

Given $T_1 = (S, D_1, s_1)$ and $T_2 = (T, D_2, t_1)$ we want to find if there is a total relation $B \subseteq S \times T$ such that $B$ is a backward simulation.

The first step is to compute the extended transition relation $\hat{D}_2 = \{(p, a, p') \mid \exists \sigma \in \tau^* a \tau^*,\ p \stackrel{\sigma}{\Longrightarrow} p',\ a \in Act(T_2)\}$. This can be done in polynomial time by the same method as in [KS90].

Once we have this extended transition relation $\hat{D}_2$, we can apply algorithm BACKNHorn as shown in Figure 3.3. BACKNHorn is a polynomial time algorithm that takes $T_1$ and $T_2$ as input and outputs an instance of NHORNSAT where the number of variables is $\leq nm$ (where $|S| = n$ and $|T| = m$). The number of clauses in this NHORNSAT instance will be $O(|D_1| \cdot |\hat{D}_2|)$. We now define the functions used in the description of the reduction algorithm.

The functions BACKCLAUSES and BACKVARS are defined as follows:
Let $BACKEXTSTEP(a, q') = \{q \mid (q, a, q') \in \hat{D}_2\}$.
Let $BACKSTEP(a, p') = \{p \mid (p, a, p') \in D_1\}$.
Now $BACKCLAUSES(p', a, p, q') = \bigvee_{q \in BACKEXTSTEP(a, q')} X_{p,q}$ if $BACKEXTSTEP(a, q') \neq \emptyset$, else $false$.
$BACKVARS(p', a, p, q') = \{X_{p,q} \mid q \in BACKEXTSTEP(a, q')\}$ if $BACKEXTSTEP(a, q') \neq \emptyset$, else $\emptyset$.

Our algorithm constructs an instance $h$ of NHORNSAT such that $h$ is satisfiable iff $T_1 \sqsubseteq_B T_2$. So we start with the single literal clause $X_{s_1,t_1}$. We also add single negative literal clauses $\neg X_{s_1,t_j}$ for all $j \neq 1$ (to satisfy the first condition of backward simulation). This is done because we do not want any other state in $T$ to be related to $s_1$ other than $t_1$. Since we want the relation to be total we add clauses of the form $\bigvee_{t \in T} X_{s,t}$ for each $s \in S$ such that $s \neq s_1$. For each variable $X_{p',q'}$ occurring in $h$, we add a clause expressing the following requirement. If $(p', q') \in B$ then for each step of the form $(p, a, p') \in D_1$ there must be an extended step in $\hat{D}_2$ of the form $(q, a, q')$ where $(p, q)$ is in the backward simulation relation which witnesses the backward simulation from $T_1$ to $T_2$. Thus if there is a satisfying assignment of $h$ then in that satisfying assignment $X_{p,q} = 1$ iff $(p, q) \in B$ where $B$ is a particular witness backward simulation from $S$ to $T$.

To prove that algorithm BACKNHorn produces an instance $h$ of NHORNSAT such that $h$ is satisfiable iff $T_1 \sqsubseteq_B T_2$ we begin with the following lemmas.

Lemma 3.7.1 If $\neg X_{p,q}$ is a clause in $h$ then there is no backward simulation $B \subseteq S \times T$ such that $(p, q) \in B$.

Proof: There are two ways in which the algorithm BACKNHorn produces clauses of the form $\neg X_{p,q}$. Step 1 produces clauses of the form $\neg X_{s_1,t_j}$ for all $t_j \neq t_1$. These pairs $(s_1, t_j)$ cannot be in any backward simulation for any $t_j \neq t_1$, by the definition of backward simulation. The other clauses of this form are produced if $BACKCLAUSES(p', a, p, q')$ is $false$ for some $a \in Act$ and some $(p', q')$ pair. That shows, by the definition of BACKCLAUSES, that the condition for $(p', q')$ to be in $B$ is not satisfied. □

Lemma 3.7.2 If $T_1 \sqsubseteq_B T_2$ then $h$ is satisfiable.

Comment: The sets $V$ and $W$ keep track of all the variables generated and processed respectively. The set $C$ will contain the set of clauses of the NHORNSAT instance.
1. $C := \{X_{s_1,t_1}\}$; $V := \{X_{s_1,t_1}\}$; $W := \emptyset$;
   Comment: The pair $(s_1, t_1)$ must be in the relation.
   Comment: Also, $(s_1, t_j)$ should not be in the relation for $t_j \neq t_1$.
   for all $t_j \neq t_1$ do
      $C := C \cup \{\neg X_{s_1,t_j}\}$; $V := V \cup \{X_{s_1,t_j}\}$
   endfor
   Comment: The relation must be total.
2. for each $s \in S - \{s_1\}$ do
      $C := C \cup \{\bigvee_{t \in T} X_{s,t}\}$; $V := V \cup \{X_{s,t} \mid t \in T\}$;
   endfor
3. do until $V$ is empty
   (a) Let $X_{p',q'}$ be any element of $V$.
   (b) $V := V - \{X_{p',q'}\}$; $W := W \cup \{X_{p',q'}\}$;
   Comment: Step (c) creates implication clauses to encode the conditions of the backward simulation relation.
   (c) For each $a \in Act$ and $p \in S$ such that $(p, a, p') \in D_1$:
       $C := C \cup \{\neg X_{p',q'} \vee BACKCLAUSES(p', a, p, q')\}$
       $V := (V \cup BACKVARS(p', a, p, q')) - W$;
   end do
4. Output $C$.

Figure 3.3: Algorithm for reducing a backward simulation instance to an NHORNSAT instance: Algorithm BACKNHorn.

Proof: Suppose $T_1 \sqsubseteq_B T_2$. Then there is a witness backward simulation $R \subseteq S \times T$. We construct a satisfying assignment for $h$ as follows: let $X_{p,q} = 1$ iff $(p, q) \in R$. We claim that this is a satisfying assignment for $h$. First note that $(s_1, t_1) \in R$ by the definition of $T_1 \sqsubseteq_B T_2$. Thus the positive literal clause $X_{s_1,t_1}$ will be satisfied. All clauses of the form $\neg X_{s_1,t_j}$ will be satisfied because $s_1$ is related to only $t_1$ in $R$. Now consider the implication clauses. If $(s_i, t_j)$ is not in $R$ then the implications where $X_{s_i,t_j}$ appears on the left hand side are trivially satisfied. If $(s_i, t_j) \in R$, then $X_{s_i,t_j} = 1$ and hence one of the disjuncts on the right hand side should be satisfied in order that the implication be satisfied. However, by the definition of backward simulation, it is easy to see that one of the disjuncts $X_{s'_i,t'_j}$ must be satisfied because in order that $(s_i, t_j) \in R$, there must exist $(s'_i, t'_j) \in R$ satisfying the condition in the definition of backward simulation. Also notice that since any backward simulation is a total relation, all clauses containing only positive literals generated at step 2 of the algorithm will also be satisfied. □

Lemma 3.7.3 If $h$ is satisfiable then $T_1 \sqsubseteq_B T_2$.

Proof: We construct a relation $R \subseteq S \times T$ from the satisfying assignment to $h$ as follows: include $(p, q)$ in $R$ iff in the satisfying assignment of $h$, $X_{p,q} = 1$. We claim that $R$ is a backward simulation relation. Since $X_{s_1,t_1}$ is a single positive literal clause in $h$, $X_{s_1,t_1} = 1$ in any satisfying assignment of $h$. Further, since $\neg X_{s_1,t_j}$ are single negated literal clauses in $h$ for all $t_j \neq t_1$, $(s_1, t_j)$ is not in $R$ for any $t_j \neq t_1$. Also the clauses of the form $\bigvee_{t \in T} X_{s,t}$ generated at step 2 ensure that $R$ is a total relation. Thus relation $R$ satisfies the first condition in the definition of backward simulation.

Now consider the implication clauses in $h$. They are all satisfied. Now if an implication clause is trivially satisfied because its left hand side literal $X_{p,q}$ is false (in any NHORNSAT instance, the left hand sides of all implications are positive literals), then the corresponding $(p, q)$ is not in $R$. However, if $X_{p,q} = 1$, i.e., $(p, q) \in R$, then we must show that the second condition in the definition of backward simulation is satisfied. Since $X_{p,q}$ is 1, one of the disjuncts on the right hand side must be satisfied, and by the construction of these disjuncts it follows that the second condition of the definition is satisfied. □

Theorem 3.7.4 Given two transition systems $T_1 = \langle S, D_1, s_1 \rangle$ and $T_2 = \langle T, D_2, t_1 \rangle$, the instance of NHORNSAT output by Algorithm BACKNHorn is satisfiable iff $T_1 \sqsubseteq_B T_2$. Further, algorithm BACKNHorn runs in $O(|D_1| \cdot |D_2|)$ time and produces an instance of NHORNSAT of size $O(|D_1| \cdot |D_2|)$.

Now by the definition of backward simulation equivalence, to decide whether $T_1 \simeq_B T_2$ we first decide whether $T_1 \sqsubseteq_B T_2$ and then decide whether $T_2 \sqsubseteq_B T_1$. This amounts to solving two separate instances of the NHORNSAT problem.

3.8 A HORNSAT Interpretation of the Bottom Up Algorithms

In this section we show how to interpret the existing algorithms for finite state process equivalences which work in a bottom up fashion as a satisfiability problem for Horn formulas. As a consequence of this perspective, we obtain an efficient and natural algorithm for computing simulations on finite graphs, a problem introduced in [HHK95].

First, we interpret the partition refinement based algorithm for bisimulation equivalence presented in [KS90] as a HORNSAT problem. In the next subsection we give our algorithm for the problem in [HHK95] as applied to finite graphs.

Given a transition system $T = \langle S, D, s \rangle$, let $I = \{init(p) \mid p \in S\}$. Obviously $I \subseteq 2^{Act}$ where $Act$ is the set of action symbols including the internal action $\tau$.

Each member of $I$ is a maximal set of actions enabled at some state in $S$. The bisimulation algorithm based on partition refinement as described in [KS90] may be described as follows:
1. Start with a partition of $S$, $\{\pi_i\}_{i \in I}$, such that $\pi_j = \{q \mid init(q) = A_j \wedge A_j \in I\}$.
2. Given the current partition, do the following refinement for each block $\pi_i$ in the partition: for each pair $p, q \in \pi_i$, if there is an action $a \in Act$ such that $(p, a, p') \in D$ and $p' \in \pi_j$ for some $j$, and for all $q'$ such that $(q, a, q') \in D$, $q' \notin \pi_j$, or if there is an action $a \in Act$ such that $(q, a, q') \in D$ and $q' \in \pi_j$ for some $j$, and for all $p'$ such that $(p, a, p') \in D$, $p' \notin \pi_j$, then split (refine) $\pi_i$ so that $p$ and $q$ are in different equivalence classes.
3. At the end of step 2, we get a new partition of $S$ which is a refinement of the previous partition. With the new partition repeat Step 2 until there is no change in the partition.
4. If $(s, t)$ is being tested for bisimulation equivalence, check if they are in the same equivalence class at the end. If they are, then they are bisimulation equivalent; otherwise they are not.

Note that the above algorithm of [KS90] is a fix-point computation. We shall encode the above fix-point computation into a HORNSAT instance which will have a unique minimal satisfying assignment, and the assignment will allow us to tell, for any pair of states, if they are bisimulation equivalent.

The HORNSAT encoding of the bottom up algorithm is as follows. For each pair of states $(p, q)$ let $x_{pq}$ be a variable. We want our HORNSAT instance to have a unique minimal satisfying assignment such that
$x_{pq} = 1 \Leftrightarrow p \not\simeq_{bsim} q$.
So, we carry out the following steps:
1. Generate single literal clauses $x_{pq}$ for all $(p, q)$ such that $init(p) \neq init(q)$.
2. For all pairs $(p, q)$ and for all $a \in Act$:
   for all $p'$ such that $(p, a, p') \in D$, create the clause
   $x_{pq} \Leftarrow \bigwedge_{i \in STEP(q, a)} x_{p'i}$
   where $STEP(q, a) = \{q' \mid (q, a, q') \in D\}$;
   for all $q'$ such that $(q, a, q') \in D$, create the clause
   $x_{pq} \Leftarrow \bigwedge_{i \in STEP(p, a)} x_{iq'}$
   where $STEP(p, a) = \{p' \mid (p, a, p') \in D\}$.

We now make the following claim. The proof of the claim is straightforward from Tarski's fixed point theorem and is omitted due to lack of space.

Theorem 3.8.1 Let $h$ be the HORNSAT instance created by the procedure described here.
1. There is a unique minimal satisfying assignment $\Phi$ for $h$.
2. $\Phi(x_{pq}) = 0 \Leftrightarrow p \simeq_{bsim} q$.

The proof of the first part of this theorem follows from the proof of existence of a unique minimal satisfying assignment of this type of HORNSAT instance (obtained

in this reduction) shown in Chapter 2. The proof of the second part is similar to the correctness proof in Section 3.4.

Note that the HORNSAT interpretation of the bottom up algorithm is less efficient than the direct bottom up algorithm because the partition based algorithm has a very efficient representation. For example, if there are $n$ states which are not bisimilar, in the HORNSAT approach we need to represent the information in $\binom{n}{2}$ variables, whereas in the partition refinement based case the relationship between states is represented more succinctly as a partition.

However, we exploit this HORNSAT formulation in the next subsection.

3.9 Computing Simulations on Finite Graphs

In [HHK95] the following problem was addressed.

Definition 3.9.1 [HHK95] A labeled graph $G = (V, E, A, \langle\langle \cdot \rangle\rangle)$ is a directed graph with a set of vertices $V$, a set $E \subseteq V^2$ of edges, a set $A$ of labels, and a function $\langle\langle \cdot \rangle\rangle : V \rightarrow A$ that maps each vertex $v$ to a label $\langle\langle v \rangle\rangle$. We write $post(v) = \{u \mid (v, u) \in E\}$ for the successor set of the vertex $v$. A binary relation $\preceq \subseteq V^2$ on the vertex set is a simulation if $u \preceq v$ implies
(1) $\langle\langle u \rangle\rangle = \langle\langle v \rangle\rangle$, and
(2) for all vertices $u' \in post(u)$, there is a vertex $v' \in post(v)$ such that $u' \preceq v'$.
The vertex $v$ simulates the vertex $u$ if there is a simulation $\preceq$ such that $u \preceq v$. The vertices $u$ and $v$ are similar, written $u \simeq_S v$, if $u$ simulates $v$ and $v$ simulates $u$. The similarity relation $\simeq_S \subseteq V^2$ is an equivalence relation.

[HHK95] provides an algorithm for the first of the following two problems.
1. Problem SFG1: Given a labeled graph, compute the similarity relation (i.e., for every pair of vertices determine if they are similar).
2. Problem SFG2: Given a labeled graph and a pair of vertices $u, v$, determine if they are similar.

Here we present two algorithms, both based on efficient reduction to NHORNSAT. Since there is a linear time algorithm for NHORNSAT, the time complexity of our algorithms is bounded by the size of the NHORNSAT instance created. We call the following two algorithms Algorithm SFG1 and SFG2, and they are described in Figures 3.4 and 3.5 respectively. Each algorithm takes as input a labeled graph $G = (V, E, A, \langle\langle \cdot \rangle\rangle)$ and outputs an NHORNSAT instance. In the NHORNSAT instances, the variables are from the set $X = \{X_{u,v} \mid (u, v) \in V \times V\}$. The NHORNSAT instances created are such that $u \simeq_S v$ if and only if, in the maximal satisfying assignment of the NHORNSAT instance, $X_{u,v}$ is set to true.

For the first problem, the NHORNSAT instance is created so that all the variables in $X$ appear in the instance, whereas for the second problem only those $X_{u,v}$ that are necessary appear in the instance.

Algorithm SFG2 is local. It starts with the pair of vertices $(u, v)$ and explores only those pairs which are absolutely necessary.

We sketch the correctness proof for Algorithm SFG1; the correctness proof for Algorithm SFG2 is similar.

Let $G = (V, E, A, \langle\langle \cdot \rangle\rangle)$ be a labeled graph which is input to Algorithm SFG1. Let $h$ be the constructed NHORNSAT instance. The set of variables in $h$ is $X = \{X_{u,v} \mid (u, v) \in V \times V\}$.

Lemma 3.9.1 The NHORNSAT instance $h$ produced by SFG1 always has a unique maximal satisfying assignment $\Phi_{max}$.

Proof: See Chapter 2. □

Lemma 3.9.2 The size of the NHORNSAT instance $h$ is $O(m^2)$ where $m = \max(|V|, |E|)$.

Proof: The proof of this lemma is similar to the analysis shown in the proof of Theorem 3.4.6. □

Lemma 3.9.3 In the maximal satisfying assignment, a variable $X_{u,v}$ is set to true if and only if $u \simeq_S v$ (i.e., $\Phi_{max}(X_{u,v}) = true \Leftrightarrow u \simeq_S v$).

Proof: The proof of this lemma follows from our construction. It is similar to the proofs in Section 3.4. □

Theorem 3.9.4 There is an algorithm to solve problem SFG1 which runs in $O(m^2)$ time.

Proof: Follows from Lemma 3.9.2 and the linear time solvability of maximal-NHORNSAT. □

It is easy to prove that the algorithm obtained by a sequential composition of algorithm SFG1 and an on-line algorithm for solving NHORNSAT [AI91] gives an incremental algorithm for the problem SFG1.

Similar arguments can be used to prove the correctness of an algorithm for problem SFG2. This algorithm can be obtained as a composition of the algorithm SFG2 and an on-line algorithm for NHORNSAT. This algorithm for SFG2 has the property that it is local, on the fly and incremental.

3.10 A Corollary: NC Algorithm for Deterministic Systems

In this section we show that for deterministic transition systems, our reductions can be done in NC (footnote 8). We also show that for deterministic transition systems, the resulting NHORNSAT instance is always an instance of 2-SAT. It is well known that 2-SAT has an NC algorithm [GHR95]. Combining these two facts, we obtain that bisimulation equivalence for deterministic transition systems is in NC. This solves an open problem posed in [GHR95] (footnote 9). We note that for deterministic transition systems, all equivalences between bisimulation equivalence and trace equivalence coincide. Thus all these equivalences are decidable in NC for deterministic transition systems. This implies that it is possible to design fast parallel algorithms for deciding these equivalences when the transition systems are deterministic. In contrast, for nondeterministic transition systems bisimulation equivalence is P-complete [ABGS91]. Thus unless P = NC, there is no fast parallel algorithm [GHR95] for deciding bisimulation equivalence of nondeterministic transition systems.

8 This result appeared as a part of [SHRS96b].
9 Independently, [HT94] also showed that this problem is in NL. However, our method directly provides an NC algorithm.

The reason why our reduction algorithm is an NC algorithm follows from the fact that in a deterministic transition system, for each state there is only one transition on a particular action. We take $n \cdot m \cdot k$ processors (we are not optimizing the number of processors here, which can be done too) where $n$ and $m$ are the number of states in the two transition systems and $k$ is the size of the action alphabet. Each processor corresponds to a pair of states and a particular action. Let $P^a_{pq}$ be the processor that corresponds to state $p$ of the first system, state $q$ of the second system and action $a$. This processor generates a clause of the form $X_{p,q} \rightarrow X_{s,t}$ if there is a transition $(p, a, s)$ in the first transition system and correspondingly there is a transition $(q, a, t)$ in the second system. If there is a transition in one but not in the other then the clause generated is $\neg X_{p,q}$. If there is no transition on the action $a$ in either system then this processor generates the clause $True$.

It is not difficult to see that each processor takes constant time to generate its clause. Since the system is deterministic these clauses are either single literal or 2-literal clauses, and hence the instance of CNF produced will be a 2-SAT instance. It is known from [GHR95] that there is an NC algorithm for 2-SAT, and hence by a combination of the NC reduction and an NC algorithm for 2-SAT we get an NC algorithm for the bisimulation equivalence of deterministic transition systems.

Note that our reduction is in NC even for nondeterministic transition systems, but for simplicity we only show this for the deterministic case.

Theorem 3.10.1 Bisimulation equivalence of deterministic transition systems is in NC.

3.11 Comparison with Related Approaches

Another uniform approach to deciding various preorders and equivalences between finite state processes also emerges from the papers by Cleaveland, Steffen and Hennessy [CS91, CS93, CH92]. In [CH92], it has been shown how to transform transition systems $T_1$ and $T_2$ to new transition systems $T'_1$ and $T'_2$ so that $T'_1$ and $T'_2$ are bisimulation equivalent if and only if the original transition systems are testing equivalent. Conceivably, various other preorders and equivalences can also be decided via the prebisimulation preorder (defined in [CS91]) or bisimulation equivalence between transformed transition systems using similar transformations. Also [And93, BCM+92] provide slightly different reductions of various preorders and equivalences to the model checking problem for the modal $\mu$-calculus [Koz83]. In [CS93] a linear time model checking algorithm for the alternation free $\mu$-calculus has been presented. In [CS91], Cleaveland and Steffen showed how to express the prebisimulation preorder as a model checking problem in a fragment of the $\mu$-calculus, namely the $\mu$-calculus with only the maximal fixed point operator. In [And94], it has been shown that the model checking problem considered in [CS91, CS93] can be reduced to solving sets of simultaneous Boolean equations. In [SHR96a], we showed how to reduce the $\mu$-calculus model checking problem to the (N)HORNSAT problem. As a result, these form a basis for a uniform approach to deciding various preorders and equivalences for finite state processes. In fact, the results in [SHR96a] show that eventually all preorders and equivalences are reducible to (N)HORNSAT. However, the present work shows that we could do that more directly rather than by two step reductions via model checking. Moreover, by carrying out such a natural and direct reduction we obtain various other advantages.

Before discussing the relative merits of our methodology as outlined in the previous sections over the methodology from the papers described above, we outline the steps involved in deciding a preorder or equivalence in the methodology emerging from [CS91, CH92, And94, SHR96a]. To decide a preorder or equivalence $R$ between two transition systems $T_1$ and $T_2$ using that methodology, the following steps are carried out.
1. Transform $T_1$ and $T_2$ into appropriate transition systems $T'_1$ and $T'_2$ so that $T_1$ and $T_2$ are in the $R$ preorder (equivalence relation) if and only if $T'_1$ and $T'_2$ are in the prebisimulation preorder (bisimulation equivalence). This transformation is shown in the cases of must, may and testing preorders and equivalences in [CH92]. However, for different relations $R$, it may not be very obvious and easy to devise an appropriate transformation.
2. Construct the characteristic formula for $T'_1$ in the alternation free $\mu$-calculus with max operators as described in [CS91]. The size of the formula or equation set $E$ is $O(|T'_1|)$.
3. Use the model checking algorithm presented in [CS91, CS93], or reduce the problem to a set of simultaneous Boolean equations as in [And94], or reduce the problem to NHORNSAT [SHR96a], to decide the prebisimulation preorder. This step runs in $O(|E| \cdot |T'_2|) = O(|T'_1| \cdot |T'_2|)$ time.

If the transformations in Step 1 can be carried out in linear time then the overall method requires $O(|T_1| \cdot |T_2|)$ time. However, the constants hidden by the big-O are large because each step of the transformation introduces constants.

The approaches of [And93, BCM+92] are different in the following sense. They directly encode the properties of the relations in the modal $\mu$-calculus and then apply model checking.

We summarize a few comparative comments below to bring out the differences between our uniform approach and the other uniform approaches for deciding equivalences between finite state processes.
1. For particular relations (such as backward and forward simulation), it may be difficult to devise the transformations required in Step 1. Also, these transformations may increase the size of the transition systems, thus introducing larger constants into the overall complexity. In the approach of [And93, BCM+92] only bisimulation, weak bisimulation, ready simulation etc. were encoded in the $\mu$-calculus. It is not an obvious exercise to extend them to relations such as $k$-nested simulation.
2. The other approaches do not attempt to reuse any existing efficient data structures or algorithms. Our NHORNSAT based methodology reuses the linear time algorithms for HORNSAT and related data structures and thus relieves the implementor from the obligation of inventing new data structures.
3. Our methodology directly translates into datalog [Ull88] because of the nature of the NHORNSAT instances required.
4. By noticing that our reduction can be carried out in NLOGSPACE, we have a memory efficient reduction, and since there are on-line algorithms for solving (N)HORNSAT [AI91], we obtain on the fly algorithms for preorders and equivalences.
5. Our algorithms are naturally local because they do not involve all pairs of states unless the relation is to be computed for all possible pairs or the relation needs to be a total relation.
6. Our algorithm is also incremental by virtue of the incremental HORNSAT algorithm of [AI91].
7. Finally, the alternative methodology appears to be involved and thus may require a substantial implementation effort, since crucial data structures need to be carefully maintained [CS91, CS93, And94].

Another interesting point of our work is the following. It is known that Hennessy Milner logic without recursion is not expressive enough to express various invariant properties of finite state processes. For example, in [Lar88] it was noted that without recursion Hennessy Milner logic is capable of describing only a finite part of a system. As a result, it may seem surprising at first that a simple HORNSAT based method can be used to compute semantic relations between finite state processes. A fixed point computation appears to be essential in computing these relations [Wol95]. Even the bottom-up algorithm in [KS90] implicitly mimics a fixed point computation in terms of partition refinement. However, our top down method actually has an implicit maximal fixed point computation.

To summarize, the main advantages of our uniform technique are that it seems more direct and natural to encode the preorders and equivalences into NHORNSAT, and it naturally leads to algorithms which have the additional advantages of being local, on the fly, and incremental, with as much efficiency as the other uniform approaches provide. Moreover, as discussed in Chapter 6, it is easy to obtain diagnostic information in this methodology without any extra overhead in the asymptotic complexity.
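Returning to the HORNSAT interpretation of Section 3.8, here is the encoding in runnable form, as an added Python example that is not code from the thesis. The clauses are generated exactly as in steps 1 and 2 of that section (unit clauses $x_{pq}$ for pairs with different $init$ sets, and $x_{pq} \Leftarrow \bigwedge x_{p'i}$ / $x_{pq} \Leftarrow \bigwedge x_{iq'}$ for every transition), and the unique minimal satisfying assignment is computed by forward chaining, the least fixpoint, so that $x_{pq}$ is true exactly for the non-bisimilar pairs and the equivalence classes can be read off. The transition system, containing the two processes $a.(b+c)+a.b$ and $a.(b+c)$, is constructed for the example.

```python
from collections import defaultdict

# Constructed sample (not from the thesis): one transition system holding
#   p = a.(b + c) + a.b     and     q = a.(b + c)
# p and q are simulation equivalent but not bisimilar; p1 and q1 are bisimilar.
STATES = ["p", "p1", "p2", "p3", "q", "q1", "q3"]
ACTS = ["a", "b", "c"]
TRANS = {("p", "a", "p1"), ("p", "a", "p2"), ("p1", "b", "p3"), ("p1", "c", "p3"),
         ("p2", "b", "p3"), ("q", "a", "q1"), ("q1", "b", "q3"), ("q1", "c", "q3")}


def step_map(trans):
    """STEP(p, a) = {p' | (p, a, p') in D}, as a dict keyed by (p, a)."""
    step = defaultdict(set)
    for p, a, p2 in trans:
        step[(p, a)].add(p2)
    return step


def init(step, p, acts):
    """Actions enabled at p."""
    return frozenset(a for a in acts if step.get((p, a)))


def bisim_hornsat(states, acts, trans):
    """HORNSAT clauses as (head, body): (AND of body) -> head; an empty body is
    the unit clause 'head'.  x_pq true is meant to say 'p and q are NOT bisimilar'."""
    step = step_map(trans)
    clauses = []
    for p in states:
        for q in states:
            if init(step, p, acts) != init(step, q, acts):
                clauses.append(((p, q), []))          # step 1: unit clause x_pq
                continue
            for a in acts:                            # step 2, both directions
                for p2 in step.get((p, a), ()):
                    clauses.append(((p, q), [(p2, i) for i in step[(q, a)]]))
                for q2 in step.get((q, a), ()):
                    clauses.append(((p, q), [(i, q2) for i in step[(p, a)]]))
    return clauses


def minimal_model(clauses):
    """Unique minimal satisfying assignment of a positive Horn instance, as the
    set of variables forced true: forward chaining until no clause fires."""
    true = set()
    changed = True
    while changed:
        changed = False
        for head, body in clauses:
            if head not in true and all(b in true for b in body):
                true.add(head)
                changed = True
    return true


MODEL = minimal_model(bisim_hornsat(STATES, ACTS, TRANS))


def bisimilar(p, q):
    """Theorem 3.8.1 (2): x_pq false in the minimal model iff p and q are bisimilar."""
    return (p, q) not in MODEL


def classes_of(p):
    """The block of the final partition that contains p."""
    return frozenset(q for q in STATES if bisimilar(p, q))


if __name__ == "__main__":
    seen = set()
    for s in STATES:
        block = classes_of(s)
        if block not in seen:
            seen.add(block)
            print(sorted(block))
```

Because every clause has a positive head, forward chaining reaches the least model in at most one pass per variable; the partition printed at the end is the same one the [KS90] refinement converges to, obtained here from the complement side (which pairs are provably distinct) rather than by splitting blocks.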

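The processor-per-$(p, q, a)$ clause generation of Section 3.10 together with a 2-SAT check of the result, as an added Python example that is not the thesis's code. Each processor's clause depends only on its own triple, which is the independence the NC bound rests on; here the processors are simply enumerated in a loop. The 2-SAT test uses the standard implication-graph criterion (unsatisfiable iff some literal and its negation reach each other) rather than the parallel algorithm of [GHR95]. The deterministic systems T1, T2 and T3 are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed deterministic systems (not from the thesis), each given as
# (states, acts, start, transitions) with at most one a-successor per state.
T1 = (["s", "u", "v"], ["a", "b", "c"], "s", {("s", "a", "u"), ("u", "b", "v")})
T2 = (["t", "w", "x"], ["a", "b", "c"], "t", {("t", "a", "w"), ("w", "b", "x")})
T3 = (["t", "w", "x"], ["a", "b", "c"], "t", {("t", "a", "w"), ("w", "c", "x")})


def det_table(ts):
    """(p, a) -> unique successor; rejects nondeterministic input."""
    table = {}
    for p, a, p2 in ts[3]:
        assert (p, a) not in table, "nondeterministic on %r" % ((p, a),)
        table[(p, a)] = p2
    return table


def processor_clause(d1, d2, p, q, a):
    """Clause emitted by processor P^a_{pq}; it looks only at its own triple.
    None stands for the clause True (no a-transition on either side)."""
    s, t = d1.get((p, a)), d2.get((q, a))
    if s is None and t is None:
        return None
    if s is None or t is None:
        return ("neg", (p, q))                 # not X_{p,q}
    return ("imp", (p, q), (s, t))             # X_{p,q} -> X_{s,t}


def bisim_2sat(t1, t2):
    """The 2-CNF instance: root unit X_{s1,s2} plus one clause per processor."""
    d1, d2 = det_table(t1), det_table(t2)
    clauses = [("pos", (t1[2], t2[2]))]
    for p in t1[0]:
        for q in t2[0]:
            for a in sorted(set(t1[1]) | set(t2[1])):
                c = processor_clause(d1, d2, p, q, a)
                if c is not None:
                    clauses.append(c)
    return clauses


def two_sat(clauses):
    """Implication-graph satisfiability test.  Literals are (variable, value);
    every 2-clause (l1 or l2) contributes the edges not l1 -> l2 and not l2 -> l1,
    a unit clause l contributes not l -> l."""
    graph = defaultdict(list)
    variables = set()
    for c in clauses:
        if c[0] == "pos":
            graph[(c[1], False)].append((c[1], True))
            variables.add(c[1])
        elif c[0] == "neg":
            graph[(c[1], True)].append((c[1], False))
            variables.add(c[1])
        else:
            _, x, y = c
            graph[(x, True)].append((y, True))      # x -> y
            graph[(y, False)].append((x, False))    # not y -> not x
            variables.update((x, y))

    def reaches(src, dst):
        seen, todo = {src}, deque([src])
        while todo:
            n = todo.popleft()
            if n == dst:
                return True
            for m in graph[n]:
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
        return False

    return not any(reaches((x, True), (x, False)) and reaches((x, False), (x, True))
                   for x in variables)


def det_bisimilar(t1, t2):
    return two_sat(bisim_2sat(t1, t2))


if __name__ == "__main__":
    print(det_bisimilar(T1, T2), det_bisimilar(T1, T3))
```

For T1 against T3 the root unit forces $X_{s,t}$, processor $P^a_{st}$ yields $X_{s,t} \rightarrow X_{u,w}$, and $P^b_{uw}$ yields $\neg X_{u,w}$, so $X_{s,t}$ and $\neg X_{s,t}$ lie on a cycle of the implication graph and the instance is unsatisfiable; against T2 no negative unit is reachable from the root and the systems are bisimilar.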

Comment: The set $C$ will contain the set of clauses of the NHORNSAT instance.
$C := \emptyset$
For each $u \in V$ do
   $C := C \cup \{X_{u,u}\}$
endfor
For each $v \in V$ do
   For each $u \in V$ such that $u \neq v$ do
      Case 1: If ($\langle\langle u \rangle\rangle \neq \langle\langle v \rangle\rangle$) then $C := C \cup \{\neg X_{v,u}\}$
      Case 2: If ($\langle\langle u \rangle\rangle = \langle\langle v \rangle\rangle$) then
         Case I: If ($post(u) = post(v)$) then $C := C \cup \{X_{v,u}\}$
         Case II: If ($post(u) \neq post(v)$) then
            Case a: If ($post(u) = \emptyset \wedge post(v) \neq \emptyset$) $\vee$ ($post(u) \neq \emptyset \wedge post(v) = \emptyset$) then $C := C \cup \{\neg X_{v,u}\}$
            Case b: If ($post(u) \neq \emptyset \wedge post(v) \neq \emptyset$) then
               For each $v' \in post(v)$ do
                  $C := C \cup \{X_{v,u} \rightarrow \bigvee_{u' \in \{s \mid s \in post(u) \wedge \langle\langle s \rangle\rangle = \langle\langle v' \rangle\rangle\}} X_{v',u'}\}$
                  Note: If the set $\{s \mid s \in post(u) \wedge \langle\langle s \rangle\rangle = \langle\langle v' \rangle\rangle\}$ is empty then this disjunction is equivalent to $false$.
               For each $u' \in post(u)$ do
                  $C := C \cup \{X_{v,u} \rightarrow \bigvee_{v' \in \{s \mid s \in post(v) \wedge \langle\langle s \rangle\rangle = \langle\langle u' \rangle\rangle\}} X_{v',u'}\}$
                  Note: If the set $\{s \mid s \in post(v) \wedge \langle\langle s \rangle\rangle = \langle\langle u' \rangle\rangle\}$ is empty then this disjunction is equivalent to $false$.

Figure 3.4: Algorithm for reducing the problem of computing simulations on finite graphs to NHORNSAT: Algorithm SFG1.

Comment: The set $C$ will contain the set of clauses of the NHORNSAT instance.
$C := \{X_{u,v}\}$; $Var := \{X_{u,v}\}$; $W := \emptyset$;
Until $Var$ is empty do
   Let $X_{s,t}$ be any element in $Var$
   $Var := Var - \{X_{s,t}\}$; $W := W \cup \{X_{s,t}\}$
   Case 1: If ($\langle\langle s \rangle\rangle \neq \langle\langle t \rangle\rangle$) then $C := C \cup \{\neg X_{s,t}\}$
   Case 2: If ($\langle\langle s \rangle\rangle = \langle\langle t \rangle\rangle$) then
      Case I: If ($post(s) = post(t)$) then $C := C \cup \{X_{s,t}\}$
      Case II: If ($post(s) \neq post(t)$) then
         Case a: If ($post(s) = \emptyset \wedge post(t) \neq \emptyset$) $\vee$ ($post(s) \neq \emptyset \wedge post(t) = \emptyset$) then $C := C \cup \{\neg X_{s,t}\}$
         Case b: If ($post(s) \neq \emptyset \wedge post(t) \neq \emptyset$) then
            For each $s' \in post(s)$ do
               $C := C \cup \{X_{s,t} \rightarrow \bigvee_{t' \in \{t_i \mid t_i \in post(t) \wedge \langle\langle t_i \rangle\rangle = \langle\langle s' \rangle\rangle\}} X_{s',t'}\}$
               Note: If the set $\{t_i \mid t_i \in post(t) \wedge \langle\langle t_i \rangle\rangle = \langle\langle s' \rangle\rangle\}$ is empty then this disjunction is equivalent to $false$.
               $Var := Var \cup \{X_{s',t'} \mid t' \in \{t_i \mid t_i \in post(t) \wedge \langle\langle t_i \rangle\rangle = \langle\langle s' \rangle\rangle\}\} - W$
            For each $t' \in post(t)$ do
               $C := C \cup \{X_{s,t} \rightarrow \bigvee_{s' \in \{s_i \mid s_i \in post(s) \wedge \langle\langle s_i \rangle\rangle = \langle\langle t' \rangle\rangle\}} X_{s',t'}\}$
               Note: If the set $\{s_i \mid s_i \in post(s) \wedge \langle\langle s_i \rangle\rangle = \langle\langle t' \rangle\rangle\}$ is empty then this disjunction is equivalent to $false$.
               $Var := Var \cup \{X_{s',t'} \mid s' \in \{s_i \mid s_i \in post(s) \wedge \langle\langle s_i \rangle\rangle = \langle\langle t' \rangle\rangle\}\} - W$

Figure 3.5: Algorithm for reducing the problem SFG2 on finite graphs to NHORNSAT: Algorithm SFG2.

Chapter 4Stirling Games and ProcessAlgebraic RelationsIn Chapter 3, we have developed a uniform methodology which allows us to de-rive polynomial time algorithms for various simulation relations between �nite stateprocesses. A natural question that arises is how to tell which of the relations are poly-nomial time decidable. In other words, is there a characterization of the relations, sothat by checking the de�nition of a relation, one can tell if there is a polynomial timealgorithm to decide that relation? In this chapter we answer this question.Here we develop uniform game theoretic formulations of all the relations in thelinear time/branching time hierarchy of [vG90]. We de�ne a class of games such thatevery relation in the hierarchy has its characteristic game in this class. This class,which we call the Stirling class, includes the bisimulation game of [Sti93]. We alsoshow that our HORNSAT based methodology implies the existence of such a class ofgames, since there is a natural game associated with the kind of HORNSAT instancescreated using our methodology. As a corollary, we obtain natural su�cient conditionson any behavioral relation �, for � to be polynomial time decidable for �nite statetransition systems.Extending a result in [Sti93], we de�ne a general class of games and show that this87

class includes a characteristic game for each of the behavioral relations in the linear time/branching time hierarchy [vG90]. We also show that the existence of such a class of characteristic games follows from our rooted NHORNSAT based methodology for behavioral relations, since (i) we show that there is a natural two player game associated with the rooted NHORNSAT problem, and (ii) we show that all the relations in the linear time/branching time hierarchy [vG90] can be reduced to rooted NHORNSAT. Then we recall from Chapter 3 (also in [SRHS96]) that many polynomial time decidable relations in [vG90] are reducible to rooted NHORNSAT in polynomial time. We also observe that the existence of winning strategies in the games corresponding to these relations is also reducible to the NHORNSAT problem. A generalization of these observations leads to a sufficiency condition for these relations to be polynomial time decidable for finite state systems.

4.1 Game Models

We now describe a game for rooted NHORNSAT. We showed in Chapter 3 how to reduce the problem of checking the prebisimulation relation between finite state processes to rooted NHORNSAT. Note that in [CS91, Ste89], it was shown that most equivalences and preorders, including failure equivalence, trace equivalence etc., are reducible to the prebisimulation problem (via process transformation). Hence, all those relations that are reducible to a prebisimulation problem are also reducible to rooted NHORNSAT. Given a two-player game for rooted NHORNSAT, we can easily associate games to all these relations as well. Now recall that Colin Stirling in [Sti93] defined a characteristic game for bisimulation. Our results show that such a game formulation is very natural given the game for rooted NHORNSAT.

However, we develop here a different class of games such that all relational preorders and equivalences between finite state processes in the linear time/branching time hierarchy [vG90] have their characteristic games in this class. In particular Stirling's bisimulation game is one game in our class. Henceforth we call our class of games the Stirling Class of games.

4.1.1 Game for rooted NHORNSAT

Recall the definition of rooted HORNSAT from Chapter 2. The game for an instance $h = (X, C, x_1)$ of rooted NHORNSAT is a two player game $G_h$ as follows. Player I is called the spoiler, who wants to show that the instance $h$ is not satisfiable, and Player II is called the duplicator, who wants to show that the instance $h$ is satisfiable. The game proceeds in rounds. In the first round, the spoiler opens the game by choosing a clause $C_i$ such that $head(C_i) = x_1$. The duplicator has to reciprocate by choosing $x_{i_j}$ such that $x_{i_j}$ is a disjunct in $tail(C_i)$. In the subsequent rounds, the spoiler chooses a clause $C_k$ such that $head(C_k) = x_{i_j}$, where $x_{i_j}$ was chosen by the duplicator in the previous round. The duplicator has to reciprocate by choosing a disjunct in the tail of $C_k$. The game continues until one of the players loses. The duplicator loses if it does not have such a disjunct to choose (i.e., when the spoiler has chosen a clause of the form $\overline{x_l}$ in its last move); the spoiler loses when the game continues forever (which is not possible in a finite size NHORNSAT instance) or when the spoiler chooses a clause chosen earlier.

It is easy to prove the following theorem by recalling the pebbling based algorithm for solving NHORNSAT discussed in Chapter 2.

Theorem 4.1.1 Given an instance $h = (X, C, x_1)$ of the rooted NHORNSAT problem, the duplicator has a winning strategy¹ in the corresponding game if and only if $h$ is satisfiable.

¹ For the definition of winning strategy, see the next subsection.
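The rooted NHORNSAT game of this subsection and Theorem 4.1.1, as an added Python example (not code from the thesis): a constructed instance $h = (X, C, x_1)$, the maximal-NHORNSAT propagation of Chapter 2 that decides satisfiability, and an explicit search for a duplicator winning strategy in $G_h$; the two agree, as the theorem states. Variable and function names are my own.

```python
from functools import lru_cache

# Constructed rooted NHORNSAT instance h = (X, C, x1).  A clause is a pair
# (head, tail).  head None encodes the positive unit clause C1 = x1 (its head
# is "true" and its tail is x1); an empty tail encodes a negative unit clause
# (head implies false), which is the clause the duplicator cannot answer.
X = ["x1", "x2", "x3", "x4", "x5"]
C = [
    (None, ("x1",)),        # C1 = x1
    ("x1", ("x2", "x3")),   # C2 = x1 => x2 v x3
    ("x2", ("x4",)),        # C3 = x2 => x4
    ("x4", ()),             # C4 = not x4
    ("x3", ("x5",)),        # C5 = x3 => x5
    ("x5", ("x3",)),        # C6 = x5 => x3   (a cycle: forces a repeated clause)
]
C_UNSAT = C + [("x5", ())]  # C7 = not x5 makes x3, and hence x1, false


def maximal_nhornsat(variables, clauses):
    """Maximal satisfying assignment of an NHORNSAT instance, or None.

    Dual of Dowling-Gallier pebbling: start with every variable true and
    force a head false whenever all disjuncts of its tail are already false.
    The instance is unsatisfiable iff a positive unit clause is forced false.
    """
    false = set()
    changed = True
    while changed:
        changed = False
        for head, tail in clauses:
            if head is not None and head not in false and all(v in false for v in tail):
                false.add(head)
                changed = True
    for head, tail in clauses:
        if head is None and all(v in false for v in tail):
            return None
    return {v: v not in false for v in variables}


def duplicator_wins(clauses, root):
    """Does the duplicator have a winning strategy in the game G_h?

    The spoiler picks a not-yet-used clause whose head is the current variable;
    the duplicator answers with a disjunct of its tail.  The duplicator loses
    if the tail is empty; the spoiler loses if it has no unused clause to pick
    (reusing a clause is a spoiler loss, so plays are simple paths).
    """
    by_head = {}
    for idx, (head, _tail) in enumerate(clauses):
        if head is not None:
            by_head.setdefault(head, []).append(idx)

    @lru_cache(maxsize=None)
    def duplicator_wins_at(var, used):
        for idx in by_head.get(var, []):
            if idx in used:
                continue  # the spoiler may not repeat a clause
            _head, tail = clauses[idx]
            # the duplicator needs some disjunct from which it still wins
            if not any(duplicator_wins_at(v, used | {idx}) for v in tail):
                return False
        return True

    return duplicator_wins_at(root, frozenset())


def theorem_4_1_1_holds(variables, clauses, root):
    """Satisfiable iff the duplicator has a winning strategy."""
    satisfiable = maximal_nhornsat(variables, clauses) is not None
    return satisfiable == duplicator_wins(clauses, root)


if __name__ == "__main__":
    print(maximal_nhornsat(X, C), duplicator_wins(C, "x1"))
    print(maximal_nhornsat(X, C_UNSAT), duplicator_wins(C_UNSAT, "x1"))
```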

4.1.2 Stirling Class of Games

Now we are ready to describe the Stirling Class of games. Each game in this class also has two players. One player is called duplicator or prover and the other is called spoiler or disprover. Each game in the class has the following components:

1. Two finite transition systems $T_1 = \langle S_1, A, \rightarrow_1, s_1\rangle$ and $T_2 = \langle S_2, A, \rightarrow_2, s_2\rangle$.
2. Two languages $R_1 \subseteq A^*$ and $R_2 \subseteq A^*$.
3. Two total relations $m_1 \subseteq R_1 \times A^*$ and $m_2 \subseteq R_2 \times A^*$.
4. A set of winning positions $\Omega \subseteq S_1 \times S_2$.
5. A set of starting positions $\Sigma \subseteq \Omega \subseteq S_1 \times S_2$.
6. A set $M \subseteq \{1, 2\}$ which denotes the indices of the coordinates of a position that the spoiler can play on. In each round the duplicator plays on the other coordinate.
7. A positive integer $r$ denoting the number of rounds allowed in the game. This is crucial for some of the games.

The game starts in a position $\langle s, t\rangle \in \Sigma$. A play of the game is a finite or infinite length sequence of the form $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_i, s^2_i\rangle, \ldots$. The spoiler wants to show that there is a difference between the two transition systems (the kind of difference it wants to show depends on the relation the game corresponds to). The duplicator wants to show that such a distinction attempted by the spoiler is not possible.

A partial play in a game is a prefix of a play of the game. Let $\pi_j$ be a partial play $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_j, s^2_j\rangle$. The next pair $\langle s^1_{j+1}, s^2_{j+1}\rangle$ is determined by the following move rule:

• The spoiler picks a triple $\langle i, x, u\rangle$ such that $i \in M$, $x \in R_i$ and $s^i_j \stackrel{x}{\Longrightarrow}_i u$, and sets $u = s^i_{j+1}$. (Note that $\Longrightarrow_i$ denotes an extended step in the transition system $T_i$.)
• Let the choice of the spoiler in the move be $\langle i, x, u\rangle$ and let $i' \neq i$. Then the duplicator picks a pair $\langle y, u'\rangle$ such that $(x, y) \in m_{i'}$ and $s^{i'}_j \stackrel{y}{\Longrightarrow}_{i'} u'$, and sets $u' = s^{i'}_{j+1}$.

Extending a partial play $\pi_j$ to $\pi_{j+1}$ by the above move rule is called a round of the game. Hence a play can be thought of as a sequence of rounds. Each round consists of two moves. The first move of each round is a move by the spoiler and the second move is by the duplicator. If in a round, after the spoiler has made its move, the duplicator can also make a move according to the moves described above, then we say that the duplicator has a matching move in that round.

Now we describe the winning conditions of a game of this kind. The game may continue until one of the players wins. The winning conditions for each player are as follows.

• Duplicator wins:
1. The play is $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_n, s^2_n\rangle$, there are no available transitions from $s^i_n$, and $M = \{i\}$. In case $M = \{1, 2\}$, the corresponding condition is that $s^1_n$ and $s^2_n$ both have no available transitions.
2. A partial play is $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_n, s^2_n\rangle$ and for some $i < n$, $s^1_i = s^1_n$ and $s^2_i = s^2_n$.
• Spoiler wins:
1. The play is $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_n, s^2_n\rangle$ and $\langle s^1_n, s^2_n\rangle \notin \Omega$.
2. $M = \{1, 2\}$ and a partial play is $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_n, s^2_n\rangle$. For some $i \in M$, $\exists x \in R_i.\ \exists s^i \in S_i.\ s^i_n \stackrel{x}{\Longrightarrow}_i s^i$, but for $i' \in M \setminus \{i\}$, for all $y$ such that $(x, y) \in m_{i'}$ and for all $s^{i'} \in S_{i'}$, there is no transition $s^{i'}_n \stackrel{y}{\Longrightarrow}_{i'} s^{i'}$.
3. $M = \{i\}$ ($i \in \{1, 2\}$) and a partial play is $\langle s^1_0, s^2_0\rangle, \ldots, \langle s^1_n, s^2_n\rangle$. $\exists x \in R_i.\ \exists s^i \in S_i.\ s^i_n \stackrel{x}{\Longrightarrow}_i s^i$, but for $i' \in \{1, 2\} \setminus \{i\}$, for all $y$ such that $(x, y) \in m_{i'}$ and for all $s^{i'} \in S_{i'}$, there is no transition $s^{i'}_n \stackrel{y}{\Longrightarrow}_{i'} s^{i'}$.

So the duplicator wins the game if, in the last position of the play, either there is no further allowable move by either player (when $M = \{1, 2\}$) or there is no further allowable move by the spoiler (when $|M| = 1$), depending on the cardinality of the set $M$. The duplicator also wins if in the play a position is repeated. In both cases, the spoiler has failed to expose a distinction between the transition systems.

The spoiler wins if the last position of the play is not a winning position, which means the spoiler has been able to force the duplicator to a non-winning position of the game, or if in the last position the spoiler has an allowable move but the duplicator does not have a matching move.

A strategy for a player is a set of rules which tells him/her how to make a move depending on the partial play and the opponent's moves so far. A strategy is a winning strategy for a player if, playing with that strategy, that player wins against all possible strategies of the opponent.

4.2 Simulations and Equivalences as games in the Stirling Class

We now define what is meant by a characteristic game for a particular relation or equivalence relation between finite state processes.

Definition 4.2.1 A game $G$ in the Stirling class is called a characteristic game for a relation $R$ between two finite state processes if the following condition holds. Let the game $G$ be played on two transition systems $T_1$ and $T_2$; then the duplicator has a history free winning strategy if and only if $T_1$ and $T_2$ are related by the relation $R$.

Now we illustrate the characteristic games for the following relations between finite state transition systems.

1. Bisimulation Game (Bsim-game)
2. Weak Bisimulation Game (Weakbsim-game)
3. Simulation Game (Sim-game)
4. Ready Simulation Game (Rsim-game)
5. Failure Equivalence Game (Failure-game)
6. Forward Simulation Game (Fsim-game)
7. Trace Equivalence Game (Trace-game)
8. Readiness Equivalence Game (Readiness-game)

In the next subsection we discuss the characteristic game for the 2-nested equivalence (2-nested-game) in detail, with a proof that the game we obtain is indeed a characteristic game for this relation.

Many other equivalences considered in the literature may be shown to have a characteristic game in the Stirling Class. Here, we list the restrictions on the various parameters of the Stirling class of games which make the games characteristic games for the particular relations. Note that $\iota$ denotes the identity relation in the subsequent paragraphs. We also assume in the following that all the games are being played on $T_1 = \langle S_1, A, \rightarrow_1, s_1\rangle$ and $T_2 = \langle S_2, A, \rightarrow_2, s_2\rangle$.

Characteristic Game for Bisimulation: Bsim-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A$, $m_1 = m_2 = \iota$, $\Omega = S_1 \times S_2$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1, 2\}$, $r = |S_1| \cdot |S_2| + 1$.

Characteristic Game for Weak Bisimulation: WeakBsim-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = \tau^* A \tau^*$, $m_1(a) = \tau^* a \tau^*$ and $m_2(a) = \tau^* a \tau^*$ for all $a \in A$, $\Omega = S_1 \times S_2$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1, 2\}$, $r = |S_1| \cdot |S_2| + 1$.

Characteristic Game for the Simulation preorder: Sim-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A$, $m_1 = m_2 = \iota$, $\Omega = S_1 \times S_2$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1\}$, $r = |S_1| \cdot |S_2| + 1$.

Characteristic Game for the Ready-simulation preorder: Rsim-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A$, $m_1 = m_2 = \iota$, $\Omega = \{\langle s, t\rangle \mid s \in S_1,\ t \in S_2 \wedge init(s) = init(t)\}$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1\}$, $r = |S_1| \cdot |S_2| + 1$.

Characteristic Game for Failure Equivalence: Failure-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A^*$, $m_1 = m_2 = \iota$, $\Omega = \{\langle s, t\rangle \mid s \in S_1,\ t \in S_2 \wedge Failures(s) = Failures(t)\}$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1, 2\}$, $r = 1$.

Characteristic Game for the Forward simulation preorder: Fsim-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A$, $m_1(a) = \tau^* a \tau^*$ and $m_2(a) = \tau^* a \tau^*$ for all $a \in A$, $\Omega = S_1 \times S_2$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1\}$, $r = |S_1| \cdot |S_2| + 1$.

Characteristic Game for Trace Equivalence: Trace-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A^*$, $m_1 = m_2 = \iota$, $\Omega = S_1 \times S_2$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1, 2\}$, $r = 1$.

Characteristic Game for Readiness Equivalence: The ready set of a state $s$ in a transition system $T$, denoted by $Readies(s)$, is defined by
$$Readies(s) = \{(x, Z) \in (Act \setminus \{\tau\})^* \times 2^{Act \setminus \{\tau\}} \mid \exists q \in S : s \stackrel{x}{\Longrightarrow} q \text{ and } init(q) = Z\}.$$
Two transition systems $T_1$ and $T_2$ are readiness equivalent if $Readies(s_1) = Readies(s_2)$, where $s_1$ and $s_2$ are the starting states of $T_1$ and $T_2$. Readiness-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A^*$, $m_1 = m_2 = \iota$, $\Omega = \{\langle s, t\rangle \mid s \in S_1,\ t \in S_2 \wedge Readies(s) = Readies(t)\}$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1, 2\}$, $r = 1$.

4.2.1 Characteristic Game for the 2-nested Simulation Relation

Given a transition system $T = \langle S, D, z\rangle$ over $Act$, where $S$ is the set of states, $D \subseteq S \times Act \times S$ is the transition relation and $z$ is a starting state, any state of $T$ can be thought of as a process. A state $p$ is a process whose transition system is $T_p = \langle S, D, p\rangle$. So any relation that we define over states can also be thought of as being defined over processes. So, below, we are going to define various binary relations over processes.

Definition 4.2.2 A relation $R$ between processes is a simulation iff whenever $(p, q) \in R$, then for each $a \in Act$ and for each $p' \in S$, $p \xrightarrow{a} p'$ implies $\exists q' : q \xrightarrow{a} q' \wedge (p', q') \in R$.

A process $p$ is simulated by a process $q$, denoted by $p \sqsubseteq_{sim} q$, iff there is a simulation relation $R$ such that $(p, q) \in R$.

Two processes $p$ and $q$ are simulation equivalent, denoted by $p \simeq_{sim} q$, iff $p \sqsubseteq_{sim} q$ and $q \sqsubseteq_{sim} p$.

Now we define $n$-nested simulation equivalence between processes. The notion of $n$-nested simulation equivalence was introduced by Groote and Vaandrager in [GV92].

Definition 4.2.3 For all $n \in \mathbb{N}$, $n$-nested simulation, written $\sqsubseteq_n$, is inductively defined as follows.
• $p \sqsubseteq_0 q$ for all processes $p, q$.
• $p \sqsubseteq_{n+1} q$ iff there is a simulation $R \subseteq (\sqsubseteq_n)^{-1}$ with $(p, q) \in R$.
Two processes $p$ and $q$ are $n$-nested simulation equivalent, denoted $p \simeq_n q$, iff $p \sqsubseteq_n q$ and $q \sqsubseteq_n p$.

Note that 1-nested simulation is just simulation and hence 1-nested simulation equivalence is the same as simulation equivalence. In other words $\simeq_{sim} = \simeq_1$.

Although the definition of the 2-nested simulation relation should be clear from Definition 4.2.3, we define it explicitly for the sake of clarity.

Definition 4.2.4 2-nested simulation, written $\sqsubseteq_2$, is defined as follows: $p \sqsubseteq_2 q$ iff there is a simulation $R \subseteq (\sqsubseteq_{sim})^{-1}$ with $(p, q) \in R$.

Two processes $p$ and $q$ are 2-nested simulation equivalent, denoted $p \simeq_2 q$, iff $p \sqsubseteq_2 q$ and $q \sqsubseteq_2 p$.

We now prove the following fact about 2-nested simulation.

Definition 4.2.5 Given two transition systems $T_1 = \langle S_1, \rightarrow_1, s_1\rangle$ and $T_2 = \langle S_2, \rightarrow_2, s_2\rangle$, we say that $T_1$ is 2-nested simulated by $T_2$, written $T_1 \sqsubseteq_2 T_2$, if and only if $s_1 \sqsubseteq_2 s_2$.

Lemma 4.2.1 Given two transition systems $T_1 = \langle S_1, \rightarrow_1, s_1\rangle$ and $T_2 = \langle S_2, \rightarrow_2, s_2\rangle$, the following are equivalent:
1. $T_1$ is 2-nested simulated by $T_2$ (i.e., $T_1 \sqsubseteq_2 T_2$).
2. There is a simulation relation $R \subseteq S_1 \times S_2$ such that $(s_1, s_2) \in R$, and for all $(x, y) \in R$, $x \simeq_{sim} y$.

Proof: First we prove (1) $\Rightarrow$ (2). Recall Definition 4.2.4 and Definition 4.2.5. $T_1 \sqsubseteq_2 T_2$ implies that $s_1 \sqsubseteq_2 s_2$. That implies that there is a simulation relation $R$ containing $(s_1, s_2)$ with the property that for any $(x, y) \in R$, $y \sqsubseteq_{sim} x$, because by Definition 4.2.4 $R \subseteq (\sqsubseteq_{sim})^{-1}$. Now since $(x, y) \in R$ and $R$ is a simulation relation, obviously $x \sqsubseteq_{sim} y$; hence we get by Definition 4.2.2 $x \simeq_{sim} y$.

We now prove (2) $\Rightarrow$ (1). By the conditions in 2, there is a simulation relation $R$ that relates $s_1$ and $s_2$ and has the property that for each $(x, y) \in R$, $x \simeq_{sim} y$ and hence $y \sqsubseteq_{sim} x$, which means that $R \subseteq (\sqsubseteq_{sim})^{-1}$. Hence by Definition 4.2.4 $s_1 \sqsubseteq_2 s_2$, and thus by Definition 4.2.5 $T_1$ is 2-nested simulated by $T_2$. □

We now define the characteristic game for the 2-nested simulation relation. 2nested-game is a game in the Stirling class with the following parameters: $R_1 = R_2 = A$, $m_1 = m_2 = \iota$, $\Omega = \{(x, y) \in S_1 \times S_2 \mid x \simeq_{sim} y\}$, $\Sigma = \{\langle s_1, s_2\rangle\}$, $M = \{1, 2\}$, $r = |S_1| \cdot |S_2| + 1$.
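An added Python example, not the thesis's code, of the Stirling-class move rule and winning conditions of Section 4.1.2 for the strong games of Section 4.2 ($R_1 = R_2 = A$, $m_1 = m_2 = \iota$). The duplicator's winning positions are computed as a greatest fixed point inside $\Omega$ (a repeated position is a duplicator win, which is what the bound $r = |S_1| \cdot |S_2| + 1$ guarantees), then instantiated as the Bsim-game ($M = \{1,2\}$), the Sim-game ($M = \{1\}$) and, following Lemma 4.2.1, a 2-nested check whose $\Omega$ is the set of simulation-equivalent pairs computed by the same solver. Coordinates are indexed 0 and 1 here instead of 1 and 2, and the three transition systems are constructed.

```python
# Constructed labelled transition systems (not the thesis's examples):
#   T_P: a.(b+c) + a.b        T_Q: a.(b+c)        T_R: a.b + a.c
# Each is a dict with its states, start state and (source, action, target) triples.
A = ["a", "b", "c"]
T_P = {"states": ["p0", "p1", "p2", "p3", "p4", "p5"], "start": "p0",
       "trans": [("p0", "a", "p1"), ("p1", "b", "p2"), ("p1", "c", "p3"),
                 ("p0", "a", "p4"), ("p4", "b", "p5")]}
T_Q = {"states": ["q0", "q1", "q2", "q3"], "start": "q0",
       "trans": [("q0", "a", "q1"), ("q1", "b", "q2"), ("q1", "c", "q3")]}
T_R = {"states": ["r0", "r1", "r2", "r3", "r4"], "start": "r0",
       "trans": [("r0", "a", "r1"), ("r0", "a", "r2"),
                 ("r1", "b", "r3"), ("r2", "c", "r4")]}


def successors(T, s, x):
    """Targets of a single-action step s --x--> u (R = A, strong steps only)."""
    return {u for (v, a, u) in T["trans"] if v == s and a == x}


def identity(x):
    """m_i = iota: the duplicator must answer the word x with x itself."""
    return [x]


def winning_positions(T1, T2, R, m, omega, M):
    """Positions of omega from which the duplicator wins.

    Greatest fixed point: a position is dropped as soon as the spoiler has a
    move (coordinate i in M, word x in R, successor u) that no duplicator
    answer (y with (x, y) in m, successor v on the other coordinate) keeps
    inside the current set.  What remains is closed under the move rule, so
    staying inside it until a position repeats is a winning strategy.
    """
    T = (T1, T2)
    W = set(omega)
    while True:
        losing = set()
        for pos in W:
            for i in M:
                j = 1 - i
                for x in R:
                    for u in successors(T[i], pos[i], x):
                        answers = [(u, v) if i == 0 else (v, u)
                                   for y in m(x) for v in successors(T[j], pos[j], y)]
                        if not any(n in W for n in answers):
                            losing.add(pos)
        if not losing:
            return W
        W -= losing


def all_positions(T1, T2):
    return {(s, t) for s in T1["states"] for t in T2["states"]}


def duplicator_wins(T1, T2, omega, M):
    """Start position Sigma = {<s1, s2>}, with R1 = R2 = A and m1 = m2 = iota."""
    return (T1["start"], T2["start"]) in winning_positions(T1, T2, A, identity, omega, M)


def bisimilar(T1, T2):            # Bsim-game: Omega = S1 x S2, M = {1, 2}
    return duplicator_wins(T1, T2, all_positions(T1, T2), {0, 1})


def simulated_by(T1, T2):         # Sim-game: Omega = S1 x S2, M = {1}
    return duplicator_wins(T1, T2, all_positions(T1, T2), {0})


def sim_equivalent_positions(T1, T2):
    """{(x, y) | x ~sim y}: the largest simulation in each direction, which is
    the winning set of the Sim-game with the spoiler on either coordinate."""
    left = winning_positions(T1, T2, A, identity, all_positions(T1, T2), {0})
    right = winning_positions(T1, T2, A, identity, all_positions(T1, T2), {1})
    return left & right


def two_nested_simulated_by(T1, T2):
    """Lemma 4.2.1: a simulation from T1 to T2 all of whose pairs are
    simulation equivalent, i.e. the Sim-game played over Omega = {x ~sim y}."""
    return duplicator_wins(T1, T2, sim_equivalent_positions(T1, T2), {0})


if __name__ == "__main__":
    for name, (T1, T2) in {"P,Q": (T_P, T_Q), "Q,R": (T_Q, T_R)}.items():
        print(name, bisimilar(T1, T2), simulated_by(T1, T2), simulated_by(T2, T1),
              two_nested_simulated_by(T1, T2), two_nested_simulated_by(T2, T1))
```

P and Q are simulation equivalent and Q is 2-nested simulated by P, but not conversely and they are not bisimilar; Q and R are not even simulation equivalent, so both 2-nested checks fail while R is still simulated by Q.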

4.3 The Characteristic Game Theorem

For each relation $R$ in the linear-time/branching time hierarchy and its characteristic game $G_R$, the following theorem can be proved easily.

Theorem 4.3.1 Let $T_1, T_2$ be two transition systems and let $G_R$ be the instance of the characteristic game for a relation $R$ such that the game is played on $T_1$ and $T_2$. The duplicator has a winning strategy for this instance of the game $G_R$ if and only if $R$ holds between the given two transition systems.

For a certain subclass of the Stirling class, the problem of whether the duplicator has a winning strategy is directly reducible to the rooted NHORNSAT problem. Hence, for any behavioral relation whose characteristic game is in this subclass, the problem of checking that relation between two finite state transition systems is reducible to the rooted NHORNSAT problem. This leads to a polynomial time algorithm for the problem of checking that relation, provided one can create the instance of the game from the instance of the relational problem in polynomial time. For all the games in the Stirling Class, given that the transition systems are represented as finite state systems, the transformation to a game instance takes polynomial time, provided that the winning positions can be decided in polynomial time. Hence, we get a sufficient condition as to under what conditions a behavioral relation between finite state processes is polynomial time decidable. So far as we know, this is the first time such a sufficient characterization of polynomial time decidable behavioral relations between finite state transition systems is given.

This is useful because, whenever a new relation is defined, if that relation satisfies this set of conditions, it is guaranteed that the relation is polynomial time decidable for finite state transition systems.

4.4 A Subclass of the Stirling Class

We now briefly give a sufficient characterization as to when a game in the Stirling Class is reducible to an instance of rooted NHORNSAT in polynomial time.

1. $R_1$ and $R_2$ are finite and explicitly enumerated. For example, in the bisimulation game $R_1 = R_2 = A$, where $A$ is the set of action symbols.
2. The set of winning positions is represented either by an explicit listing or in such a way that determining whether a position of the game is a winning position is polynomial time decidable.

As a corollary we get the following result:

Theorem 4.4.1 Given a game $G$ in the Stirling class satisfying the conditions listed above, whether the duplicator has a winning strategy for $G$ can be decided in polynomial time.

Hence the corollary is:

Corollary 4.4.2 Any behavioral relation between two finite state transition systems whose characteristic game satisfies the conditions listed above is decidable in polynomial time. Hence, strong and weak bisimulation equivalence, forward simulation, simulation equivalence, ready simulation and equivalence, prebisimulation, and $k$-nested simulation for any fixed $k$ are all polynomial time decidable relations for finite state transition systems.

Chapter 5
Model Checking and HORNSAT

In this chapter we describe how to derive model checking algorithms for various logics using our uniform methodology. In particular, we consider alternation-free mu-calculus as an illustrative example. Our methodology leads us to derive algorithms that are as efficient as the best known in the literature and also combine the advantages of being on-the-fly, local and incremental.

5.1 Motivation, Results and Related Work

We consider the model checking problem for various logics including alternation-free mu-calculus. We outline a methodology for solving these problems, based upon efficient reductions to the satisfiability problems for HORN formulas. The advantages of this methodology include the following:
(i) it yields efficient solutions,
(ii) it yields local and on the fly solutions naturally,
(iii) it can be used to generate diagnostic information efficiently,
(iv) it can be modified easily to yield incremental solutions, and
(v) data structures and algorithms for the efficient solutions of the required HORN satisfiability problems already exist in the literature [DG84, AI91] (see Chapter 2).

The desirability of (i) through (iv) for verification algorithms has been widely discussed [VW86, BCG95, CC92, FM91, Lar88, Lar90, CVWY92, CS91, And94, SS94, SW91, Cle90]. However, none of the solutions proposed in the literature has all these advantages. Our uniform methodology combines all these advantages in the same solution.

Again, our methodology is based upon efficient reductions of the problems considered to the minimal and maximal satisfiability problems for weakly positive and weakly negative [Sch78] Horn formulas. We call these satisfiability problems minimal-HORNSAT and maximal-NHORNSAT respectively. In fact, a restricted form of these Horn formulas is enough for some of the problems. We call this restricted form of HORNSAT and NHORNSAT rooted (N)HORNSAT. In Section 2, we outline how our algorithm for model checking modal mu-calculus is a simplification of the ones in [Lar92, And94]. (Recall that [Lar92] involves consistent and factual solutions of Boolean equation systems and [And94] involves maximal and minimal fixed points of Boolean equation systems.) We further illustrate our (N)HORNSAT based methodology by outlining our efficient algorithms for model checking alternation-free mu-calculus.

We discuss why our algorithms are naturally local and on the fly in the sense of [VW86, Lar88, SW91, FM91, CVWY92, BCG95]; and we observe that they can be modified easily to run incrementally in the sense of [SS94]. Moreover, the (N)HORNSAT based algorithms for these problems are as efficient as the algorithms for these problems presented in [FM91, CC92, CS91, And94, SS94, Lar88, SW91].

Consequently, it turns out that an efficient verifier can be based on an implementation whose core consists of a solver for (N)HORNSAT which runs in linear time (we discuss such algorithms in Chapter 2), which has the option to run on the fly for space efficiency, and an option to run incrementally (e.g., using simple modifications of the incremental HORNSAT algorithms given in [AI91]). The fact that efficient solutions for HORNSAT and its variants already exist in the literature [DG84, AI91] and that many important verification problems are reducible to those variants of HORNSAT makes the implementation of verification tools easier. Moreover, it relieves the designer of the verifier from the obligation of reinventing complex data structures which already exist in the literature on HORNSAT. Many model checking algorithms in the literature [CS91, Cle93a] involved inventing complex new data structures, whereas existing efficient data structures for solving variants of HORNSAT are sufficient to obtain the same efficiency. Moreover, this approach leads to modular design, because the efficient implementation of the HORNSAT solver can be delegated to a different designer.

In the model checking literature such a reuse of existing efficient data structures is not found, except that in [KVW95] a data structure for a linear time algorithm for functional dependency in relational databases [Bee80] was reused to obtain a model checking algorithm for CTL. It is interesting to note that functional dependency is also reducible to HORNSAT, and in [AI91, ADS83] the same kinds of data structures are used to solve them in linear time.¹ In [And94] the model checking problem for mu-calculus was reduced to finding fixed points of Boolean equations; for efficiency, complex graph-based data structures were invented. Our results show that the full power of Boolean equations is not needed to solve these problems. In fact, the kind of implication based methodology embodied in (N)HORNSAT is enough.

Not only from the implementational point of view, but also theoretically, our results bring out the underlying principles of a number of verification methodologies. Understanding the different methodologies from a unifying framework has been emphasized also in [KVW95].

¹ However, (N)HORNSAT captures the essence of these problems more directly and intuitively. Moreover, efficient data structures for solving (N)HORNSAT are easily implementable. Also, HORNSAT based methods are directly implementable in PROLOG.

Organization of this Chapter

We assume that the reader is familiar with the syntax and semantics of modal mu-calculus, HORNSAT and its variants, and the linear time algorithm for HORNSAT. Otherwise, these basics can be found in Chapter 2. Section 5.2 reviews basic notions of (N)HORNSAT and discusses its relationship with the Boolean equation based methodologies in [Lar92, And94]. In Section 5.3, we discuss the desirability of the on the fly, local and incremental properties of verification algorithms and point out that these properties come naturally in our (N)HORNSAT based methodology. In Section 5.4 we motivate our methodology by showing two examples of model checking exercises through fixed point iterations as well as through (N)HORNSAT. In Section 5.5, we develop algorithms for model checking alternation-free mu-calculus and Hennessy-Milner logic with recursion using the (N)HORNSAT based method. In Section 5.6, we show how our (N)HORNSAT based interpretation of the model checking problem leads to a systematic characterization of the special cases of the problem which have efficient parallel algorithms.

5.2 (N)HORNSAT and Systems of Boolean Equations

Although most of the definitions related to mu-calculus, transition systems etc. are given in Chapter 2, the definitions of the satisfiability problems for HORNSAT and its variants are reviewed below. We recall these definitions here again because we have reduced all our problems to (N)HORNSAT and hence they are crucial.

Let us consider an instance of a propositional CNF satisfiability problem, which is a conjunction of clauses where each clause is a disjunction of positive and negative literals, with either of the following two restrictions.
1. Each clause is a disjunction of literals with at most one negative literal.
2. Each clause is a disjunction of literals with at most one positive literal.
When the first restriction applies, we call the problem NHORNSAT, and when the second restriction applies, we call it HORNSAT [DG84]. We are interested in finding maximal and minimal satisfying assignments (if one exists) respectively.

An instance of the problem is a pair $(X, C)$, where $X = \{x_1, x_2, \ldots, x_n\}$ is a finite set of propositional variables which take Boolean values, and $C = \{C_1, C_2, \ldots, C_m\}$ is a set of clauses with one of the restrictions discussed above. Note that if an instance has a satisfying assignment, such an assignment can be represented as an element of an $n$-dimensional Boolean lattice $\{0, 1\}^n$. If we consider $0 < 1$, then with the pointwise extension of the ordering, and pointwise $\wedge$ and $\vee$ as meet and join operations, we get a complete lattice. Now, for an instance of a satisfiability problem $h$, let us denote the set of all satisfying assignments as $SAT(h) \subseteq \{0, 1\}^n$. An element $x \in SAT(h)$ is minimal if no other $y \in SAT(h)$ is less than $x$ in the ordering of $\{0, 1\}^n$. Dually, an element $x \in SAT(h)$ is maximal if no other $y \in SAT(h)$ is greater than $x$ in the ordering of $\{0, 1\}^n$. So now we have the following two problems:

1. Problem maximal-NHORNSAT: Given an NHORNSAT instance, find a maximal satisfying assignment, if there is one. Otherwise, conclude that the instance is not satisfiable.
2. Problem minimal-HORNSAT: Given a HORNSAT instance, find a minimal satisfying assignment, if there is one. Otherwise, conclude that the instance is not satisfiable.

A linear time algorithm for minimal-HORNSAT appears in [DG84] (see Chapter 2). It follows that maximal-NHORNSAT is also solvable in linear time (see Chapter 2). In some of our applications we have a special type of HORNSAT or NHORNSAT instance. Here we discuss that special type of NHORNSAT, called rooted NHORNSAT. The corresponding cases and algorithms for HORNSAT are very similar.

Definition 5.2.1 Given a clause $C_k$ of the form $x_j \Rightarrow \bigvee_{i \in I} x_i$, where $I$ is an index set, possibly empty (note that the disjunction $\bigvee_{i \in I} x_i = false$ when $I = \emptyset$), we call $x_j$ the head of clause $C_k$, denoted as $head(C_k) = x_j$, and $\bigvee_{i \in I} x_i$ the tail of $C_k$. Any variable $x_i$ appearing in $tail(C_k)$ is called a disjunct in the tail.

Note that for a clause of the form $C_k = \overline{x_j}$, $head(C_k) = x_j$ and $tail(C_k) = false$. Similarly, for a clause of the form $C_k = x_j$, $head(C_k) = true$ and $tail(C_k) = x_j$.

Definition 5.2.2 An instance of the rooted NHORNSAT problem is $(X, C, x_1)$ where $(X, C)$ is an NHORNSAT instance and the clauses in $C$ are ordered. Also, $C_1 = x_1$ (a single positive literal clause), where $x_1 \in X$. Furthermore, for each clause $C_k$, if $head(C_k) = x_j$ then there must be a clause $C_l$ ($l < k$) preceding $C_k$ such that $x_j$ is a disjunct in $tail(C_l)$. Also, for a single literal clause $C_k = \overline{x_p}$ ($k > 1$), $x_p$ must also be a disjunct in $tail(C_l)$ for some $l < k$, and $x_p$ cannot be the head of any clause.

The correctness of our (N)HORNSAT based methodology for model checking can be easily demonstrated by showing the following. There is a local reduction between the (N)HORNSAT based methodology and the methodologies in [Lar92, And94] based upon systems of simple Boolean equations. The (N)HORNSAT based approach has the advantage that efficient algorithms and data structures for (N)HORNSAT are already available in the literature [DG84, AI91]. The soundness and completeness of our methodology easily follow from the following theorem and its extensions to the results in [And94].

Theorem 5.2.1 The factuality problem and the consistency problem of systems of simple Boolean equations described in [Lar92] can be efficiently reduced to the minimal-HORNSAT and maximal-NHORNSAT problems respectively.

The reason why this theorem holds is as follows. Given a system of simple Boolean equations, if we are interested in factuality [Lar92], we replace
an equation of the form $x = true$ by a single literal clause $x$,
an equation of the form $x = false$ by a single negated literal clause $\overline{x}$,
an equation of the form $x = x_1 \wedge x_2$ by a clause $x \Leftarrow x_1 \wedge x_2$, and
an equation of the form $x = x_1 \vee x_2$ by two clauses $x \Leftarrow x_1$ and $x \Leftarrow x_2$.

It is easy to prove that the variables which are assigned a value 1 in the minimalsatisfying assignment for this HORNSAT instance are the factual variables of theoriginal Boolean equational system. A dualization of this will show that the con-sistency problem of [Lar92] can be reduced e�ciently to the maximal-NHORNSATproblem.Similarly, the problems of �nding the least and greatest �xed points of the Booleanequations of [And94] can be reduced to minimal-HORNSATand maximal-NHORNSATrespectively.5.3 Desirable Properties of Model Checking Algo-rithmsIn this section, we discuss the desirable properties of a model checking algorithm sothat it can better cope with large state space with memory limitations. In particularwe discuss the merits of local, on the y and incremental algorithms for model check-ing. We also brie y indicate how our (N)HORNSAT based methodology achievesthese desirable goals.Local Model Checking : The idea of �nite state model checking is to decide if agiven state of a �nite state system satis�es a given speci�cation. The speci�cationis expressed in a suitable logic, such as modal mu-calculus. However, the originalalgorithms [EL86] for �nite state model checking were \global" in the following sense.These global algorithms use a �x point approximation technique for computing setsof states which satisfy a �xed point formula. However, in many cases, this involvesmany unnecessary computations as discussed in [Lar90, SW91, Bra92]. Hence, in[SW91] a tableau based algorithm for model checking was introduced. They ap-pealed to an implicit �xed point induction rather than iterative approximation andour (N)HORNSAT construction also appeals to an implicit �xed point induction. A105

local model checking algorithm does not explore all the states of the �nite state sys-tem, if not required. It tries to explore only a minimal set of states and determineswhether certain properties are true in those states in order to infer that a given prop-erty is true in a given state. The tableau based methods in [Lar90, SW91, Bra92]are examples of such local algorithms for model checking. Our (N)HORNSAT basedmethod achieves this objectives naturally. Given a �x point formula �, and a states� of a �nite transition system, suppose we want to determine if s� satis�es �. Wegenerate (N)HORN formulas roughly as follows: We use a Boolean variable Y �s , suchthat s satis�es the property expressed in � if and only if Y �s is true in the satisfyingassignment of the maximal/minimal (N)HORNSAT instance. If � is a maximal �xedpoint formula, then we generate a maximal-NHORNSAT instance, if � is a minimal�x point formula, we generate a minimal-HORNSAT instance, in case of nested �xpoints it is more subtle. However, in the next sections, it will be clear, that we ex-plore only those states which are necessary to be explored in our method. Hence, ourmodel checking algorithms are as local as any other local model checking algorithmin the literature.On the Fly Model Checking : Traditional model checking algorithms such as[EL86] require the whole state space to be constructed in memory before they can beapplied. However, in many applications, one can �nd counter examples much beforeexploring the whole state space. More over, when the �nite state systems are describedsuccinctly, for example, using parallel composition operator, the actual state spacemay be exponentially large and hence, it might be impractical to construct the wholestate space in memory. As a result in [VW86, CVWY92, BCG95, KVW95, FM91] onthe y model checking and behavioral relation checking have been emphasized. 
In anon the y algorithm the state space is constructed on demand, hence the veri�cationtakes place together with the construction of the state space. In our (N)HORNSATbased approach, on the y algorithm is obtained naturally because of the existing onthe y or on-line algorithms for (N)HORNSAT [AI91] and some minor improvementson them. Our reduction to (N)HORNSAT can be done in NLOGSPACE and on the106

y algorithm for HORNSAT works in O(q) amortized time, where q is the size of eachnew clause generated. Since the size of the (N)HORNSAT instance created is linearin the product of the size of the transition system and the speci�cation in the caseof model checking, and product of the sizes of the two transition systems in case ofrelational checking, we might use in the worst case, linear space and linear time inthose measures. For on the y behavioral relation checking this is an improvementover [FM91] which requires quadratic time in these measures for behavioral relationchecking. However, in most cases, counter examples are found after constructing sub-stantially less number of clauses.Incremental Model Checking : In [SS94], an incremental algorithm for modelchecking alternation free mu-calculus was developed. The basic idea behind the algo-rithm was as follows: Suppose that a model checking algorithm is run on a transitionsystem and a formula and the information regarding satis�ability of subformulas atdi�erent states are available. Now, suppose that there are some changes in the spec-i�cation of the transition system, so that some new transitions are added and sometransitions are deleted from the transition system. An incremental algorithm exploitsthe information available from the previous runs of the model checking algorithm. Itcarries out minimal computation so that the model checking problem with respectto the changed transition system is solved in time O(�), where � is a measure ofchanges in the transition system. It has been pointed out [SS94] that in the worst case,this may not be possible. One can construct examples, such that one has to spendas much time in the incremental algorithm as required in model checking from thescratch. However, in the best case and more importantly, in many practical situationsthe incremental computation could be linear in the size of the modi�cation. 
It can be shown that minor modifications of the on-line algorithm for HORNSAT [AI91] give an incremental algorithm for (N)HORNSAT. Hence, with addition and deletion of clauses, the amortized time for incrementally solving the modified (N)HORNSAT problem is linear in the size of the modification. Since a modification in the transition system is reflected in changes in the corresponding (N)HORNSAT instance, we can now directly obtain incremental algorithms for all the problems considered in this paper, including behavioral relation checking and model checking, which have amortized time complexity linear in the size of the modifications.

5.4 Motivating Examples

We now consider two easy examples of fixed point computations involved in a model checking exercise. We show that Kleene's iterative characterization of fixed point computation and pebbling on the Dowling-Gallier graph (see Chapter 2) for solving (N)HORNSAT are quite analogous, and this observation leads us to reduce the model checking problems to the (N)HORNSAT problem.

[Figure 5.1: Transition System $T_1$. States $s_1, s_2, s_3, s_4$ with $a$-transitions $s_1 \to s_3$, $s_1 \to s_4$, $s_3 \to s_4$ and $s_4 \to s_4$; $P$ holds only at $s_4$.]

Consider the transition system in Figure 5.1. We are interested in checking if there is an execution path in this model such that the predicate $P$ eventually becomes true on that path. In the $\mu$-calculus, this model checking exercise is equivalent to checking whether $s_1 \in \|\mu X.(P \vee \langle a\rangle X)\|$. Let us denote $\mu X.(P \vee \langle a\rangle X)$ as $f$. Using Kleene's iterative characterization of fixed points for continuous functionals we get the following iterative steps.

Iteration 1: $X := \emptyset$; $\|f\| := \|P\| = \{s_4\}$
Iteration 2: $X := \{s_4\}$; $\|f\| := \{s_4, s_3\}$
Iteration 3: $X := \{s_4, s_3\}$; $\|f\| := \{s_4, s_3, s_1\}$

The basic idea is that in order to solve the least fixed point equation $X = P \vee \langle a\rangle X$, we start the iteration by assuming that none of the states satisfy $X$. Then in the following iterations we keep adding states to the semantics of $X$ if and only if those states are mandated to be in $\|X\|$ by the structure of the transition system and the formula. Now recall from Chapter 2 that the Dowling-Gallier pebbling algorithm for minimal-HORNSAT works very similarly. It starts by assuming that the set of variables to be assigned "true" is empty and then keeps adding variables if and only if the structure of the Dowling-Gallier graph mandates that. Now we show our reduction of the above model checking problem to a minimal-HORNSAT problem. Note that in a propositional clause $p \leftarrow q$, $q$ is a sufficient condition for $p$ and $p$ is a necessary condition for $q$. This fact is crucial to understanding our reduction. Denoting $\mu X.(P \vee \langle a\rangle X)$ by $f$, we get the following instance of HORNSAT by our reduction. In this example we give the reason for the generation of each clause, so that the reader can get an idea of our reduction. Note that a propositional variable $X^f_s$ encodes the proposition "$s \in \|f\|$".

1. $X^f_{s_1} \leftarrow X^P_{s_1}$. Since for $s_1 \in \|f\|$, it is sufficient that $s_1 \in \|P\|$.
2. $X^f_{s_1} \leftarrow X^f_{s_3}$. Since for $s_1 \in \|f\|$, it is sufficient that one of the $a$-derivatives of $s_1$ satisfies $f$, and $s_3, s_4$ are the two $a$-derivatives of $s_1$.
3. $X^f_{s_1} \leftarrow X^f_{s_4}$. For the same reason as clause 2.
4. $\neg X^P_{s_1}$, because we know that $s_1 \notin \|P\|$.
5. $X^f_{s_3} \leftarrow X^P_{s_3}$. For reasons similar to those of clause 1.
6. $X^f_{s_3} \leftarrow X^f_{s_4}$. For reasons similar to those of clauses 2, 3.
7. $X^f_{s_2} \leftarrow X^P_{s_2}$. For reasons similar to those of clause 1. Note that there is no $a$-derivative of $s_2$ and hence there are no clauses similar to clauses 2, 3 in this case.
8. $\neg X^P_{s_2}$, because we know that $s_2 \notin \|P\|$.
9. $\neg X^P_{s_3}$, because we know that $s_3 \notin \|P\|$.
10. $X^f_{s_4} \leftarrow X^P_{s_4}$. For reasons similar to those of clause 1. Note that $s_4$ is its own $a$-derivative and hence no clause similar to 2, 3 is generated.
11. $X^P_{s_4}$, because we know that $s_4 \in \|P\|$.

Now if we construct the Dowling-Gallier graph for this HORNSAT instance as shown in Figure 5.2 and start pebbling from the "true" node, we see that the first variable that is pebbled is $X^P_{s_4}$, and that forces a pebbling of $X^f_{s_4}$, which corresponds to the end of iteration 1 of the fixed point computation. Then this forces a pebbling of $X^f_{s_3}$, which accomplishes the same as iteration 2 of the fixed point computation, and finally this forces a pebbling of $X^f_{s_1}$, which says that $s_1 \in \|f\|$. Note that in Figure 5.2 the pebbled variables are marked with an asterisk. Now we consider an example of a greatest fixed point computation.

[Figure 5.2: Dowling-Gallier Graph for the minimal-HORNSAT instance]

[Figure 5.3: Transition System $T_2$. States $s_1, s_2, s_3, s_4$ with $a$-transitions $s_1 \to s_2$, $s_2 \to s_2$, $s_2 \to s_3$ and $s_2 \to s_4$; $P$ holds at $s_1, s_2, s_3$ and not at $s_4$.]

Suppose we want to know if, for the transition system $T_2$, $P$ is always true. This model checking exercise can be formulated in the $\mu$-calculus as the question: $s_1 \in \|\nu X.(P \wedge [a]X)\|$? Let us denote $\nu X.(P \wedge [a]X)$ as $f$. Then Kleene's fixed point iteration gives us the following.

Iteration 1: $X := \{s_1, s_2, s_3, s_4\}$; $\|f\| := \{s_1, s_2, s_3\}$
Iteration 2: $X := \{s_1, s_2, s_3\}$; $\|f\| := \{s_1, s_3\}$
Iteration 3: $X := \{s_1, s_3\}$; $\|f\| := \{s_3\}$

Hence, we find that $s_1 \notin \|\nu X.(P \wedge [a]X)\|$. Now we consider the maximal-NHORNSAT instance produced by our reduction in this case, and we find that the pebbling also proceeds in a manner similar to the above iterations. The NHORN clauses produced are given below with the reasons for their production. Note that for a propositional clause $p \to q$, $q$ is a necessary condition for $p$.

1. $X^f_{s_1} \to X^P_{s_1}$
2. $X^f_{s_1} \to X^f_{s_2}$
   Note that for $s_1 \in \|f\|$ it is necessary that $s_1 \in \|P\|$ and, moreover, for every $a$-derivative $s_i$ of $s_1$ it is necessary that $s_i \in \|f\|$. Here the only $a$-derivative is $s_2$.
3. $X^P_{s_1}$, since it is given that $s_1 \in \|P\|$.
4. $X^f_{s_2} \to X^P_{s_2}$
5. $X^f_{s_2} \to X^f_{s_3}$
6. $X^f_{s_2} \to X^f_{s_4}$
   Clause 4 is produced for the same reason as clause 1, and clauses 5 and 6 are produced for the same reason as clause 2. Note that $s_2$ is an $a$-derivative of itself, but that leads to the trivially satisfied clause $X^f_{s_2} \to X^f_{s_2}$, which is therefore omitted.
7. $X^P_{s_2}$, since it is given that $s_2 \in \|P\|$.
8. $X^f_{s_3} \to X^P_{s_3}$ (same reason as for clause 1).
9. $X^P_{s_3}$, since it is given that $s_3 \in \|P\|$.
10. $X^f_{s_4} \to X^P_{s_4}$ (same reason as for clause 1).
11. $\neg X^P_{s_4}$, since it is given that $s_4 \notin \|P\|$.
   Note that since $s_3$ and $s_4$ have no $a$-derivative, we do not have to construct clauses similar to clause 2 for them, because for them $[a]f$ is trivially satisfied.

If we now construct the Dowling-Gallier graph for this instance of maximal-NHORNSAT (shown in Figure 5.4) and start pebbling from the node "false", we find that $X^P_{s_4}$ gets pebbled first, which forces a pebble on $X^f_{s_4}$; this corresponds to the end of iteration 1 of the fixed point computation, when $s_4$ gets dropped from $\|f\|$. Next, the variable $X^f_{s_2}$ gets pebbled, which corresponds to iteration 2, when $s_2$ gets dropped from $\|f\|$. Finally, this forces the pebbling of $X^f_{s_1}$, which corresponds to the decision that $s_1 \notin \|f\|$. In Figure 5.4, the pebbled variables are marked with an asterisk.

[Figure 5.4: The Dowling-Gallier Graph for the maximal-NHORNSAT instance.]

5.5 Fragments of Modal Mu-Calculus

Although our methodology can be extended to apply to the general mu-calculus [Koz83, Bra92], we illustrate our methods through two well discussed fragments of the modal mu-calculus. One is the unnested single fixed point fragment. This is similar to the Hennessy-Milner Logic with recursion [Lar88, Lar90]. The other is the alternation-free mu-calculus, as discussed in [CS91]. We presented these definitions from [CS91] in Chapter 2.

5.5.1 Model Checking to (N)HORNSAT

Now we illustrate how to reduce the model checking problem for the above mentioned fragments of the modal mu-calculus to (N)HORNSAT.

Model Checking Single Fixed Point Mu-Calculus to (N)HORNSAT

For each state $s \in S$ of the given finite state system $T$ and each variable $X_i$ of the equational specification, we associate a boolean variable $Y^{X_i}_s$. Recall that in the single fixed point calculus there is a single block of equations, which is either a max block or a min block. We consider the case when the block is a max block $B = \max\{E\}$ where $E = \{X_1 = \Phi_1, \ldots, X_n = \Phi_n\}$. A dualization will hold for min blocks.

Here, the model checking problem is to determine if $s^* \in \|X_i\|\|B\|e$, for a given transition system $T = \langle S, Act, \to\rangle$, an initial environment $e$, and $s^* \in S$. (See Chapter 2 for clarification of the notation.) The reduction proceeds as follows:

1. Create a variable $Y^{X_i}_{s^*}$ and put the variable $Y^{X_i}_{s^*}$ in a queue.
2. For each variable of the form $Y^{X_j}_s$ on the queue, such that $X_j$ appears on the left-hand side of an equation $e$ in $B$:
   (i) If $e$ is $X_j = A$ where $A$ is atomic, then create a clause $Y^A_s$ if $A$ is true at $s$, else create a clause $\neg Y^A_s$ (from the valuation map). Put the variable $Y^A_s$ in the queue if this variable was never on the queue before.
   (ii) If $e$ is $X_j = X_p \vee X_q$, then create the clause $Y^{X_j}_s \to Y^{X_p}_s \vee Y^{X_q}_s$ and put the variables $Y^{X_p}_s$ and $Y^{X_q}_s$ into the queue, if these variables were never on the queue before.
   (iii) If $e$ is $X_j = X_p \wedge X_q$, then create the two clauses $Y^{X_j}_s \to Y^{X_p}_s$ and $Y^{X_j}_s \to Y^{X_q}_s$ and put the variables $Y^{X_p}_s$ and $Y^{X_q}_s$ into the queue, if they were never on the queue before.
   (iv) If $e$ is $X_j = \langle a\rangle X_p$, then create a clause of the form $Y^{X_j}_s \to \bigvee_{s' \in a(s)} Y^{X_p}_{s'}$, where $a(s) = \{s' \mid s \xrightarrow{a} s'\}$. When $a(s)$ is empty, the disjunction is equivalent to false. Put the variables $Y^{X_p}_{s'}$ on the queue if they were never on the queue before.
   (v) If $e$ is $X_j = [a]X_p$, then create clauses of the form $Y^{X_j}_s \to Y^{X_p}_{s'}$ for each $s' \in a(s)$, where $a(s) = \{s' \mid s \xrightarrow{a} s'\}$. Put the variables $Y^{X_p}_{s'}$ on the queue if they were never on the queue before. When $a(s)$ is empty, create the single literal clause $Y^{X_j}_s$.
3. If $Y^{X_j}_s$ is in the queue and $X_j$ does not appear on the left-hand side in $B$, then if $s \in e(X_j)$ add the single literal clause $Y^{X_j}_s$, else add the clause $\neg Y^{X_j}_s$.

This will produce an NHORNSAT instance of size linear in the product of the size of the transition system and the equational block $B$. We now state the theorem asserting the correctness of the reduction. The correctness of the model checking algorithm obtained this way follows from the discussion in Section 5.2.

Let $s \in S$ be a state in the given finite state transition system $T = \langle S, Act, \to\rangle$. Let $X_i$ be a variable in the equational block used in specifying a property using the syntax of [CS91], and let the initial environment be $e$. Suppose the block specifying the formula is a max block, $B = \max\{E\}$ where $E = \{X_1 = \Phi_1, \ldots, X_n = \Phi_n\}$.

Theorem 5.5.1 If $h$ is the instance of NHORNSAT produced by the algorithm described above from the given model checking problem (whether $s^* \in \|X_i\|\|B\|e$), then $h$ is satisfiable and, in the maximal satisfying assignment of $h$, $Y^{X_i}_{s^*} = 1$ if and only if $s^* \in \|X_i\|\|B\|e$.

The dual of the above theorem holds for min blocks, which means that in the minimal solution of the HORNSAT instance produced in that case, $Y^{X_i}_{s^*} = 1$ if and only if $s^* \in \|X_i\|\|B\|e$. This gives us a linear time algorithm for the problem.
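The two fixed point computations of Section 5.4 and the clause-generation rules (i)-(v) above, as an added Python example that is not part of the thesis: it builds the (N)HORNSAT rules for a max block (pebbled from "false") or a min block (pebbled from "true") and decides membership by Dowling-Gallier pebbling, reproducing the results obtained for $T_1$ and $T_2$ by hand. The encoding of the two transition systems, the representation of $Y^{X_j}_s$ as a pair $(X_j, s)$, and the direct evaluation of atomic equations from the valuation map are assumptions of this example.

```python
from collections import deque

# Constructed sample input: the transition systems of Figures 5.1 and 5.3,
# rebuilt from the clauses listed in Section 5.4 (not data from the thesis).
T1 = {"states": ["s1", "s2", "s3", "s4"],
      "trans": {("s1", "a"): ["s3", "s4"], ("s3", "a"): ["s4"], ("s4", "a"): ["s4"]},
      "val": {"P": {"s4"}}}
T2 = {"states": ["s1", "s2", "s3", "s4"],
      "trans": {("s1", "a"): ["s2"], ("s2", "a"): ["s2", "s3", "s4"]},
      "val": {"P": {"s1", "s2", "s3"}}}

# Equational blocks in the one-operator-per-equation form of Section 5.5.1:
# mu X.(P v <a>X) as a min block and nu X.(P ^ [a]X) as a max block.
EVENTUALLY_P = {"X": ("or", "Y", "Z"), "Y": ("atom", "P"), "Z": ("dia", "a", "X")}
ALWAYS_P = {"X": ("and", "Y", "Z"), "Y": ("atom", "P"), "Z": ("box", "a", "X")}

class Pebbler:
    """Dowling-Gallier pebbling [DG84]: a rule (ants, c) pebbles c once every
    variable in ants carries a pebble; a rule with no antecedents is a pebble
    placed at the start (from 'true' for HORNSAT, from 'false' for NHORNSAT).
    Every counter is decremented at most once per antecedent: linear time."""

    def __init__(self):
        self.rules = []

    def add(self, ants, consequent):
        self.rules.append((tuple(ants), consequent))

    def run(self):
        pebbled, waiting, watchers, queue = set(), [], {}, deque()
        for i, (ants, c) in enumerate(self.rules):
            waiting.append(len(ants))
            for v in ants:
                watchers.setdefault(v, []).append(i)
            if not ants:
                queue.append(c)
        while queue:
            v = queue.popleft()
            if v in pebbled:
                continue
            pebbled.add(v)
            for i in watchers.get(v, []):
                waiting[i] -= 1
                if waiting[i] == 0:
                    queue.append(self.rules[i][1])
        return pebbled

def reduce_block(ts, kind, eqs, x0, s0):
    """Steps 1-2 of Section 5.5.1 for a max block (kind="max", NHORNSAT pebbled
    from 'false') or the dual for a min block (kind="min", HORNSAT pebbled from
    'true').  A variable Y^{X_j}_s is the pair (X_j, s).  Only clauses that can
    propagate a pebble become rules; atomic equations are read directly from
    the valuation map (an assumption of this example)."""
    peb, root = Pebbler(), (x0, s0)
    queue, seen = deque([root]), {root}

    def push(v):
        if v not in seen:
            seen.add(v)
            queue.append(v)

    while queue:
        xj, s = queue.popleft()
        me, (op, *args) = (xj, s), eqs[xj]
        if op == "atom":
            holds = s in ts["val"].get(args[0], set())
            # A start pebble marks a variable forced FALSE in a max block and
            # a variable forced TRUE in a min block.
            if (kind == "max") != holds:
                peb.add([], me)
            continue
        if op in ("or", "and"):
            ys = [(args[0], s), (args[1], s)]
        else:  # "dia" / "box": the a-derivatives a(s) of s, action a = args[0]
            ys = [(args[1], t) for t in ts["trans"].get((s, args[0]), [])]
        for y in ys:
            push(y)
        # Y -> Yp v Yq (max, or), Y -> OR a(s) (max, <a>), Y <- Yp ^ Yq (min, and)
        # and Y <- AND a(s) (min, [a]) need ALL of ys pebbled; the other four
        # forms split into one clause per y, so ANY pebbled y suffices.
        joint = (op in ("or", "dia")) if kind == "max" else (op in ("and", "box"))
        if joint:
            peb.add(ys, me)       # empty ys: unit clause pebbled at once
        else:
            for y in ys:
                peb.add([y], me)  # empty ys: unit clause that is never pebbled
    return peb, root

def model_check(ts, kind, eqs, x0, s0):
    """Theorem 5.5.1 and its dual: s0 satisfies X_0 iff the root variable is
    NOT pebbled from 'false' (max block) / IS pebbled from 'true' (min block)."""
    peb, root = reduce_block(ts, kind, eqs, x0, s0)
    pebbled = peb.run()
    return root in pebbled if kind == "min" else root not in pebbled

def satisfying_states(ts, kind, eqs, x0):
    return {s for s in ts["states"] if model_check(ts, kind, eqs, x0, s)}
```

Running `satisfying_states(T1, "min", EVENTUALLY_P, "X")` reproduces $\{s_1, s_3, s_4\}$, the result of the three Kleene iterations above, and `satisfying_states(T2, "max", ALWAYS_P, "X")` reproduces $\{s_3\}$.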

One might note that, contrary to our earlier claims, the above reduction is not a LOGSPACE reduction. The reason is that we are keeping track of the new variables in a queue and of whether they have been expanded. However, this is done to avoid the generation of irrelevant variables. For example, suppose that to check if $s \in \|f\|$ it is irrelevant to check if some other state $s'$ satisfies a subformula $f'$ of $f$; then the variable $X^{f'}_{s'}$ is irrelevant. However, at the expense of generating these irrelevant variables and the clauses corresponding to them, we can obtain a LOGSPACE reduction as follows. For each subformula $f'$ of $f$ and for each state $s$ of the system, create a variable $X^{f'}_s$. Now, depending on the structure of $f'$, create the clauses as described in the above reduction.

Alternation Free Mu-Calculus

Now we generalize the algorithm in the previous section to obtain a (N)HORNSAT based algorithm for model checking the alternation-free mu-calculus. A linear time algorithm for the same problem was presented in [CS91]. Their algorithm needed to invent an efficient data structure to obtain the linear time bound. Our method brings out the fact that the essential data structure necessary to obtain the linear time algorithm for model checking can also be obtained by noting that the crucial data structuring of [DG84] gives a linear time algorithm for HORNSAT/NHORNSAT.

Given a transition system $T$, a valuation map, an initial environment $e$ and a block set $B$, the model checking problem is to decide if $s^* \in \|X_i\|\|B\|e$, for a given state $s^*$ in the transition system and a given variable $X_i$ appearing on the left-hand side of some equation in some block $B_l$ in $B$.

Briefly, the steps in the (N)HORNSAT based version of the algorithm for model checking the alternation-free mu-calculus are as follows:

1. Create a variable $Y^{X_i}_{s^*}$ and put the variable $Y^{X_i}_{s^*}$ in the queue associated with the block $B_l$ where $X_i$ appears on the left-hand side.
2. Expand the variables in the queue associated with each block, in reverse topological order,² with the following rules. If the block is a max block then use the methods described in the previous subsection, and if the block is a min block use the dual approach. Keep the NHORN or HORN clauses for each block separate. If a new variable $Y^{X_j}_s$ is generated and $X_j$ belongs to a different block $B'$, put that variable in the queue associated with block $B'$. If a variable $Y^{X_j}_s$ in the queue for a block $B$ is already expanded then remove it from the queue, otherwise expand it.
3. Start solving the minimal-HORNSAT/maximal-NHORNSAT instances corresponding to each block in topological order. Let $h_B$ be the HORNSAT/NHORNSAT instance corresponding to block $B$. Suppose a variable $Y^{X_j}_s$ was assigned the value 1 in the solution of $h_B$ (where $X_j$ appears on the left-hand side in $B$); then add the clause $Y^{X_j}_s$ to the (N)HORNSAT instances corresponding to the blocks which had to put this variable in the queue of block $B$ (this information can also be read off the block graph). If $Y^{X_j}_s$ was assigned the value 0 in the solution of $h_B$ (where $X_j$ appears on the left-hand side in $B$), then add the clause $\neg Y^{X_j}_s$ to the (N)HORNSAT instances corresponding to the blocks which put this variable in the queue of block $B$. Then continue solving the HORNSAT instance of the next block.

Suppose the block $B$ corresponding to $X_i$ is a max block (the dual holds for min blocks). The maximal-NHORNSAT instance for the block $B$ is satisfiable and $Y^{X_i}_{s^*} = 1$ in the maximal satisfying assignment if and only if $s^* \in \|X_i\|\|B\|e$.

Note that this algorithm produces a sequence of HORNSAT and NHORNSAT instances, it is local, and it can be made into an on-the-fly algorithm by noting that one can use the on-the-fly algorithm for each HORNSAT instance. We state the theorem about the correctness and efficiency of the algorithm sketched above without proof.

² Given $B$, the block set, topologically sort the blocks in $B$ with respect to the variable dependency relation depicted in the block graph. Let $B_1, B_2, \ldots, B_m$ be the blocks in the topologically sorted order.

Theorem 5.5.2 The algorithm for model checking the alternation-free mu-calculus obtained by reducing the problem to a sequence of minimal-HORNSAT and maximal-NHORNSAT problems runs in time linear in the product of the sizes of the transition system and the block set specifying the property. Hence the HORNSAT based algorithm is as efficient as the algorithm in [CS91].

Our methods can also be extended to develop HORNSAT based methods to capture the tableau based local model checking in [Cle90] and [SW91]. However, we do not discuss the details here.

5.6 Parallel Complexity of Model Checking and (N)HORNSAT

In [ZSS94], the parallel complexity of the model checking problem for the alternation-free mu-calculus was investigated. It was shown there that the problem of model checking is P-hard³ even when the mu-calculus formula is fixed and contains only one minimal fixed point operator. Moreover, this lower bound holds even for deterministic transition systems with the fan-in and fan-out of the transition relation bounded by 2. They also gave efficient parallel algorithms for two special cases of the model checking problem. However, the characterizations of these special cases came about in a somewhat ad hoc manner in [ZSS94], and their parallel solutions in the two cases are completely different. Here we point out that our (N)HORNSAT based methodology leads to the same or stronger results in a uniform manner.

P-Completeness of Model Checking Problem: Since the P-completeness of the model checking problem is already well known [ZSS94], we only point out how our NHORNSAT approach leads to an alternative proof. It is easy to see that NHORNSAT is a P-complete problem. But there is no intuitive reduction from this problem to the model checking problem. However, we can show a very intuitive and direct reduction from a restricted version of the NHORNSAT problem to the model checking problem. Moreover, we can also reduce the Synchronous Alternating Monotone Circuit Value Problem with fan-in and fan-out bounded by 2 (SAM2CVP) [GHR95] to this restricted NHORNSAT, thereby showing that this restricted version is also P-hard. Our reduction from the restricted NHORNSAT to the model checking problem produces instances where the mu-calculus formula is fixed and contains a single maximal fixed point and the transition system is deterministic. We do not give the details of our reduction because it is very close to the reduction in [ZSS94], except that here the structure of the Dowling-Gallier graph is manipulated in the reduction rather than the monotone circuit of the SAM2CVP problem.

Interestingly, our interpretation of the model checking problem as (N)HORNSAT leads to a natural characterization of cases where the model checking problem can be solved efficiently in parallel. Two such characterizations are described below. The first one is a strengthening of a result in [ZSS94], and the second one is also obtained in [ZSS94]. In [ZSS94] these restrictions were obtained in a rather ad hoc manner: in the first case, the parallel algorithm was obtained by direct parallelization of the model checking algorithm in [CS91], and in the second case, they reduced the problem to a datalog [Ull88] program with the polynomial fringe property, which implies efficient parallel evaluation of the datalog program. Our results show that these restrictions are natural consequences of our (N)HORNSAT approach to model checking. Moreover, our parallel algorithms do not require any extra effort of parallelization.

Tree Structure in Dowling-Gallier Graph

Consider the Dowling-Gallier graph in solving a rooted NHORNSAT instance. Suppose that we modify the graph in the following manner.

1. The node marked "true" with all its incoming edges is removed from the Dowling-Gallier graph,
2. the directions of all the edges in this graph are reversed, and
3. the node marked "false" is duplicated for each incoming edge to the "false" node in the original graph.

Note that this modification can be carried out in LOGSPACE and hence can be carried out in NC. If this modified Dowling-Gallier graph is a tree, then we call the corresponding rooted NHORNSAT instance a tree-NHORNSAT. It is easy to see that in such a case the pebbling can be achieved in logarithmic time with polynomially many processors on a CRCW PRAM using a version of Reif and Miller's tree contraction algorithm [MR89, RMMM93]. Thus for a tree-NHORNSAT the satisfiability problem can be solved in NC. Similarly we can define tree-HORNSAT, which can also be solved in NC.

It is easy to see that if the transition system is a tree and the mu-calculus formula contains a bounded nesting of a single type of fixed point (either maximal or minimal), then the (N)HORNSAT instances produced by our algorithm will be tree-(N)HORNSAT instances. Since our reductions can be carried out in NC, by composition we obtain an NC algorithm for model checking in this special case. In [ZSS94], however, a restriction on the transition system was that it should have bounded degree. We can relax that restriction because, by using an asynchronous version of the tree contraction algorithm [RMMM93], we can still get an NC algorithm for trees with unbounded degree.

Deterministic Transition Systems

The second characterization is the same as the one in [ZSS94]. However, our proof is very easy and follows directly from our (N)HORNSAT based methodology. If the transition system is deterministic and the mu-calculus formula contains bounded nesting of only minimal fixed point operators and the formula does not contain any $\wedge$, or if the mu-calculus formula contains bounded nesting of maximal fixed point operators with no occurrences of $\vee$, then we obtain 2-SAT instances in our reduction to (N)HORNSAT.

³ All polynomial time decidable problems are reducible in LOGSPACE to this problem.
Since our reduction can be carried out in NC and since 2SAT has NC algorithms [GHR95], by composition we obtain an NC algorithm for this case also.

In view of the above observations we obtain the following two theorems. The first theorem is a strengthening of a theorem in [ZSS94] and the second one is a reformulation of the corresponding one in [ZSS94]. The proofs of the two theorems are not discussed in detail because they follow easily from the above discussion.


Theorem 5.6.1 If the transition system is a tree and the mu-calculus formula contains bounded nesting of a single kind of fixed point operator (either maximal or minimal), then the model checking problem can be solved in NC.

Theorem 5.6.2 If the transition system is deterministic and the mu-calculus formula has either (i) bounded nesting of maximal fixed point operators with no occurrence of $\vee$, or (ii) bounded nesting of minimal fixed point operators with no occurrence of $\wedge$, then the model checking problem is solvable in NC.


Chapter 6
Diagnostics Generation

It is very important that a verification tool is capable of generating diagnostic information when the result of a verification effort is negative. This enables the designers to debug and revise the design. In view of the importance of diagnostics generation, any algorithmic verification methodology should provide such facilities. In this chapter we show how to extend our uniform methodology to generate diagnostic information. Our extension does not increase the time complexity of any of our algorithms. We describe the extension by way of an illustration: we show how to generate a diagnostic formula in Hennessy-Milner logic for the case of bisimulation equivalence. We also consider the prebisimulation preorder in the latter half of this chapter. This particular preorder is defined for incompletely specified transition systems, and we present a polynomial time algorithm for deciding the prebisimulation preorder between two incompletely specified transition systems. Our algorithm also generates an Intuitionistic Hennessy-Milner logic formula as diagnostics. In [CC92] a diagnostics generation algorithm for the same preorder was presented. However, our time complexity is better than that in [CC92]. Moreover, our diagnostics generation method is a natural extension of our uniform methodology.

6.1 Diagnostics

Given a verification problem, the question arises as to what is suitable diagnostic information for the problem. In other words, if the verification effort results in a negative answer, then what information should we produce that helps in understanding the reason for the negative answer? For example, if we check for bisimulation equivalence and the two transition systems under consideration are not bisimilar, we can produce a Hennessy-Milner logic (HML) formula which is satisfied by one of the transition systems and not by the other. This is possible because Hennessy-Milner logic is a characteristic logic for bisimulation equivalence: two transition systems are bisimilar if and only if they satisfy the same set of HML formulas. Thus, if two transition systems are not bisimilar there must be a distinguishing HML formula. Similarly, in [vG90] other characteristic logics for different preorders have been discussed. Hence, for all these preorders, the diagnostics would be distinguishing formulas in the corresponding characteristic logics. In the case of model checking, the diagnostic is given as a sequence of states which leads to the falsification of the required property. However, we do not consider diagnostics generation for model checking. We only illustrate diagnostics generation in our methodology for equivalence and preorder checking. Our first illustration shows the extension of the bisimulation checking algorithm described in Chapter 3 for constructing a distinguishing HML formula for non-bisimilar systems. Our second illustration is in a generalized context. In this we consider extended transition systems with under-defined transition relations and consider the problem of deciding the prebisimulation preorder between such transition systems. Since this problem was not considered in any earlier chapter of this thesis, we present both the decision algorithm and the extensions for generating a distinguishing formula in Intuitionistic Hennessy-Milner Logic (IHML).

6.2 Diagnostics for Bisimulation Equivalence

In this section we briefly sketch the extensions of the algorithm Bisim-NHorn developed in Chapter 3 so that, in case the two transition systems are inequivalent, we can generate a distinguishing formula in Hennessy-Milner logic. Recall from Chapter 2 that Hennessy-Milner logic has the same syntax and semantics as the mu-calculus without any fixed point operators. Note that if two transition systems are not bisimilar, one can either produce an HML formula which is satisfied by the first transition system and not by the second, or the other way around. Here, we assume that we always produce an HML formula that is satisfied by the first one and not by the second one. Also, it is possible to construct examples of transition systems such that the distinguishing HML formula is exponentially large if represented as a single formula. However, if we represent the formula as a set of equations or as a straight line program, then we can always guarantee a polynomial size representation of the formula. In our extension, we represent the formula as a set of equations in variables of the form $d_{p,q}$, where $p, q$ are states from the two transition systems, and a solution of $d_{p,q}$ corresponds to a distinguishing formula for these two states. In Figure 6.1 we show the extensions of the algorithm for deciding bisimulation equivalence described in Figure 3.1 of Chapter 3.
The modifications in Figure 6.1 over the algorithm presented in Figure 3.1 in Chapter 3 can be exploited to construct the equational representation of the distinguishing HML formula as follows. The distinguishing formula for $(p, q) \in P \times Q$ is obtained by the rules below. We are assuming that the NHORNSAT instance produced by the algorithm in the previous section is unsatisfiable, and thus there is a pebbling from $\{\mathit{false}\}$ to $\mathit{true}$ through $X_{s_1,t_1}$. The equations are given in the variables of the form $d_{p,q}$, such that the value of the variable $d_{s_1,t_1}$, once the equations are solved, gives the distinguishing formula for the two transition systems. The value of $d_{p,q}$ gives the distinguishing formula for the states $p, q$.

Figure 6.1: Extension of the algorithm for reducing the bisimulation instance to an NHORNSAT instance, for producing diagnostics.

Comment: The sets $V$ and $W$ keep track of all the variables generated and processed respectively. The set $C$ will contain the set of clauses of the NHORNSAT instance.
1. Comment: The pair $(s_1, t_1)$ must be in the relation.
   $C := \{X_{s_1,t_1}\}$; $V := \{X_{s_1,t_1}\}$; $W := \emptyset$;
2. do until $V$ is empty.
   (a) Let $X_{p,q}$ be any element in $V$.
   (b) $V := V - \{X_{p,q}\}$; $W := W \cup \{X_{p,q}\}$;
   Comment: If for the pair of states $(p, q)$ both have no actions out of them, the pair may be in the relation.
   (c) If for no $a \in Act$ there is $p' \in S$ such that $(p, a, p') \in D_1$, and for no $a \in Act$ there is a $q' \in T$ such that $(q, a, q') \in D_2$, then $C := C \cup \{X_{p,q}\}$;
   Comment: Steps (d) and (e) create implication clauses to encode the conditions of the bisimulation relation.
   (d) for each $a \in Act$, $p' \in S$ such that $(p, a, p') \in D_1$ do
       $C := C \cup \{\neg X_{p,q} \vee \mathrm{CLAUSE}(p, a, p', q)\}$;
       if $\mathrm{CLAUSE}(p, a, p', q) = \emptyset$ then mark the clause with $\langle a\rangle\mathit{true}$ else mark it as $(a, 1)$
       Comment: $\langle a\rangle\mathit{true}$ is used to denote that $p$ has an outgoing $a$ action and $q$ does not; $(a, 1)$ denotes that this clause encodes the obligation of a matching $a$ action from $q$ corresponding to an $a$ action from $p$.
       $V := V \cup (\mathrm{VARS}(p, a, p', q) - W)$;
     endfor
   (e) for each $a \in Act$, $q' \in T$ such that $(q, a, q') \in D_2$ do
       $C := C \cup \{\neg X_{p,q} \vee \mathrm{CLAUSE}'(q, a, q', p)\}$;
       if $\mathrm{CLAUSE}'(q, a, q', p) = \emptyset$ then mark the clause with $[a]\mathit{false}$ else mark it as $(a, 2)$
       Comment: $[a]\mathit{false}$ is used to denote that $q$ has an outgoing $a$ action and $p$ does not; $(a, 2)$ denotes that this clause encodes the obligation of a matching $a$ action from $p$ corresponding to an $a$ action from $q$.
       $V := V \cup (\mathrm{VARS}'(q, a, q', p) - W)$
     endfor
   end do
3. Output $C$.

1. If there is an edge directly from the node $\mathit{false}$ in the graph to $X_{p,q}$ (which also means that there is a clause $C_i = \neg X_{p,q}$), then obviously that edge must be marked $(i, m)$ where $m$ is either $\langle a\rangle\mathit{true}$ or $[a]\mathit{false}$. Create the equation $d_{p,q} = m$.
2. Let $X_{p,q}$ be pebbled, and let the pebbling be via edges marked with $(i, (a, 1))$ for some clause $C_i$ and some $a \in Act$, where the clause $C_i$ is of the form $X_{p,q} \Rightarrow \bigvee_{r \in S(q,a)} X_{p',r}$ with $S(q, a) = \{q_i \mid q \xrightarrow{a} q_i\}$. Then create a new equation $d_{p,q} = \langle a\rangle(\bigwedge_{r \in S(q,a)} d_{p',r})$.
   Comment: This says that there is an $a$ action from $p$ leading to a state which is not bisimilar to any of the $a$-descendants of $q$, and the reason for such non-bisimilarity is given as a conjunction of the distinguishing formulas for $p'$ and each $a$-descendant of $q$.
3. Let $X_{p,q}$ be pebbled via edges marked with $(i, (a, 2))$ for some clause $C_i$ and some $a \in Act$, where the clause $C_i$ is of the form $X_{p,q} \Rightarrow \bigvee_{r \in S(p,a)} X_{r,q'}$ with $S(p, a) = \{p_i \mid p \xrightarrow{a} p_i\}$. Then create a new equation $d_{p,q} = [a](\bigvee_{r \in S(p,a)} d_{r,q'})$.
   Comment: This says that there is an $a$ action from $q$ leading to a state which is not bisimilar to any of the $a$-descendants of $p$, and the reason for such non-bisimilarity is given as a disjunction of the distinguishing formulas for $q'$ and each $a$-descendant of $p$.

The proof of correctness can be given as an induction on the pebbling distance from the node "false". Before we present the proof of correctness, we define pebbling distance in a Dowling-Gallier graph as follows.

Definition 6.2.1 Let $X \subseteq V$ be a subset of nodes in a Dowling-Gallier graph and let $x$ be a node. The pebbling distance $d$ of $x$ from $X$ is defined inductively as follows. If $x \in X$ then $d = 0$. Otherwise, $d = \min_j \{d_j\}$ where $d_j = 1 + \max\{d_1, \ldots, d_q\}$, $d_i$ is the pebbling distance of $p_i$ from $X$, and $p_1, \ldots, p_q$ are the sources of all the incoming edges to $x$ labelled by clause number $j$, there being pebblings from $X$ to each $p_i$.

For pebbling distance 1, the correctness is obvious because the clauses are marked with the distinguishing formula itself.
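Steps (d) and (e) of Figure 6.1 together with rules 1-3 above, as an added Python example that is not part of the thesis: it generates the marked NHORN clauses for two constructed transition systems, pebbles from "false", and unfolds the $d_{p,q}$ equations into a distinguishing HML formula, which a small HML evaluator then checks against both systems. The sample processes, the tuple encoding of formulas, and the omission of the positive unit clauses (they never pebble anything) are assumptions of this example.

```python
from collections import deque

# Constructed sample input (not from the thesis): the processes a.(b + c) and
# a.b + a.c, trace equivalent but not bisimilar, and a renamed copy of the
# first.  A transition system maps (state, action) -> list of successors.
TA = {("p0", "a"): ["p1"], ("p1", "b"): ["p2"], ("p1", "c"): ["p3"]}
TB = {("q0", "a"): ["q1", "q2"], ("q1", "b"): ["q3"], ("q2", "c"): ["q4"]}
TC = {("r0", "a"): ["r1"], ("r1", "b"): ["r2"], ("r1", "c"): ["r3"]}

def succ(ts, s, a):
    return ts.get((s, a), [])

def actions(ts, s):
    return [b for (t, b) in ts if t == s]

def bisim_nhorn(ts1, s1, ts2, t1):
    """Steps (d) and (e) of Figure 6.1.  Each entry (ys, x, mark) is the clause
    X_x => OR(ys) with its mark: (a, 1, p') for an a-move of p that q must
    match, (a, 2, q') for an a-move of q that p must match; an empty ys is a
    negative unit clause, marked ("dia", a) for <a>true or ("box", a) for
    [a]false.  The positive unit clauses of steps 1 and (c) never pebble
    anything and are left out (an assumption of this example)."""
    rules, queue, seen = [], deque([(s1, t1)]), {(s1, t1)}

    def push(v):
        if v not in seen:
            seen.add(v)
            queue.append(v)

    while queue:
        p, q = queue.popleft()
        for a in actions(ts1, p):
            for p2 in succ(ts1, p, a):
                ys = [(p2, r) for r in succ(ts2, q, a)]
                rules.append((ys, (p, q), (a, 1, p2) if ys else ("dia", a)))
                for y in ys:
                    push(y)
        for a in actions(ts2, q):
            for q2 in succ(ts2, q, a):
                ys = [(r, q2) for r in succ(ts1, p, a)]
                rules.append((ys, (p, q), (a, 2, q2) if ys else ("box", a)))
                for y in ys:
                    push(y)
    return rules

def pebble_from_false(rules):
    """Dowling-Gallier pebbling from the 'false' node: X_x gets a pebble once
    every variable on the right of one of its clauses has one.  Returns
    {x: index of the clause through which x was first pebbled}."""
    via, count, watch, queue = {}, [], {}, deque()
    for i, (ys, x, _) in enumerate(rules):
        count.append(len(ys))
        for y in ys:
            watch.setdefault(y, []).append(i)
        if not ys:
            queue.append((x, i))
    while queue:
        x, i = queue.popleft()
        if x in via:
            continue
        via[x] = i
        for j in watch.get(x, []):
            count[j] -= 1
            if count[j] == 0:
                queue.append((rules[j][1], j))
    return via

def distinguishing(rules, via, pair):
    """Rules 1-3 of Section 6.2 with the equations d_{p,q} unfolded into a
    formula tree: ("true",), ("false",), ("dia", a, f), ("box", a, f),
    ("and", [f, ...]), ("or", [f, ...])."""
    ys, _, mark = rules[via[pair]]
    if len(mark) == 2:                        # rule 1: the mark is the formula
        kind, a = mark
        return ("dia", a, ("true",)) if kind == "dia" else ("box", a, ("false",))
    a, side, _ = mark
    subs = [distinguishing(rules, via, y) for y in ys]
    if side == 1:                             # rule 2: <a>(AND over r of d_{p',r})
        return ("dia", a, ("and", subs))
    return ("box", a, ("or", subs))           # rule 3: [a](OR over r of d_{r,q'})

def hml_sat(ts, s, f):
    """Standard HML semantics, used here to check the diagnostic formula."""
    op = f[0]
    if op in ("true", "false"):
        return op == "true"
    if op in ("and", "or"):
        return (all if op == "and" else any)(hml_sat(ts, s, g) for g in f[1])
    branches = [hml_sat(ts, t, f[2]) for t in succ(ts, s, f[1])]
    return any(branches) if op == "dia" else all(branches)

def check_bisim(ts1, s1, ts2, t1):
    """None if (ts1, s1) and (ts2, t1) are bisimilar, otherwise an HML formula
    satisfied by (ts1, s1) and not by (ts2, t1)."""
    rules = bisim_nhorn(ts1, s1, ts2, t1)
    via = pebble_from_false(rules)
    return distinguishing(rules, via, (s1, t1)) if (s1, t1) in via else None
```

For `TA` against `TB` the pebbling of $X_{p_0,q_0}$ goes through an $(a, 2)$ clause and yields $[a](\langle c\rangle\mathit{true})$; in the other direction it yields $\langle a\rangle([c]\mathit{false})$, and the renamed copy `TC` gives `None`.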
Now suppose that up to a pebbling distance $j$ the equational representation of the formulas is correct (induction hypothesis). This means that if a $d_{p,q}$ is constructed for a node $X_{p,q}$ which is at a pebbling distance $j$ or less, then the solution of $d_{p,q}$ is indeed a distinguishing formula for $p$ and $q$. Now consider a node marked $X_{p,q}$ at a pebbling distance $j + 1$. This must be pebbled either via a set of edges corresponding to a clause marked $(l, (a, 1))$ or via one marked $(l, (a, 2))$. Suppose the clause numbered $l$ is of the form $X_{p,q} \Rightarrow \bigvee_{r \in S(p,a)} X_{r,q'}$ where $S(p, a) = \{p_i \mid p \xrightarrow{a} p_i\}$ for some $a \in Act$. Then this clause expresses the obligation that for $q'$ there must be a matching $a$-descendant of $p$. Thus this clause must be marked $(a, 2)$. Since $X_{p,q}$ is being pebbled at this point, all of the $X_{r,q'}$ must already have been pebbled, and hence by the induction hypothesis the $d_{r,q'}$ represent correct distinguishing formulas. It is now easy to see that all $a$-descendants of $p$ are non-bisimilar to $q'$. Hence $[a](\bigvee_{r \in S(p,a)} d_{r,q'})$ is a distinguishing formula for $p$ and $q$. The case when the clause $l$ is marked with $(a, 1)$ is similar. Hence, by induction on pebbling distance, we have proved the correctness of our distinguishing formula for bisimulation non-equivalence.

Theorem 6.2.1 The method outlined above produces a set of propositional equations with propositional variables of the form $d_{p,q}$ such that the value of $d_{s_1,t_1}$ (when the substitutions are made according to the equation set) is a diagnostic HML formula for two transition systems $T_1$ and $T_2$ when $T_1 \not\sim_{bsim} T_2$. Moreover, the size of this equational representation of the diagnostic formula is $O(|T_1| \cdot |T_2|)$.

Since the size of the NHORNSAT instance remains essentially the same, there is no asymptotic complexity overhead in this diagnostics generation.

6.3 Diagnostics for Prebisimulation

Definition 6.3.1 [CC92, Wal88] An Extended Labelled Transition System (elts) is a quadruple $\langle S, Act, \to, \uparrow\rangle$ where $\langle S, Act, \to\rangle$ is a labelled transition system and $\uparrow \subseteq S \times Act$ is an underdefinedness relation.

The relation $\uparrow$ represents underdefinedness. If $(p, a) \in \uparrow$ then the behavior of $p$ in response to action $a$ is not completely specified; other $a$-transitions may be added later. A process is a pair $(T, s)$ where $T$ is an extended transition system and $s$ is a state in that transition system.

Notation: We use $p \uparrow a$ in place of $(p, a) \in \uparrow$ and $p \downarrow a$ in place of $\neg(p \uparrow a)$.

In Chapter 2 we defined a particular relation on elts called the prebisimulation preorder, and it can easily be seen [CC92] that many other simulation relations and equivalences can be shown to be special cases of this preorder. We denote the preorder by $\sqsubseteq$. If two processes $P$ and $Q$ are in the prebisimulation preorder, we write $P \sqsubseteq Q$. We also defined Intuitionistic Hennessy-Milner Logic (IHML), which is a characteristic logic for prebisimulation, in Chapter 2 following [Sti87]. The logical characterization of the prebisimulation preorder [Sti87] says that if $P \sqsubseteq Q$ then the set of IHML formulas satisfied by $P$ is a subset of the set of IHML formulas satisfied by $Q$.

Definition 6.3.2 We call an IHML formula $\phi$ a diagnostic formula for two processes $P = (\langle P, Act, \to, \uparrow\rangle, p_0)$ and $Q = (\langle Q, Act, \to, \uparrow\rangle, q_0)$ if $P \models \phi$ but $Q \not\models \phi$. (In this case we say that $\phi$ distinguishes $P$ from $Q$.)

So given two processes $P = (\langle P, Act, \to, \uparrow\rangle, p_0)$ and $Q = (\langle Q, Act, \to, \uparrow\rangle, q_0)$, we are interested in constructing a diagnostic formula for them if $P \not\sqsubseteq Q$. In [CC92] an algorithm for this problem is presented. The complexity of their algorithm is quite high. Although in [CS91] an efficient algorithm for computing behavioral relations via model checking is presented, the method in [CC92] for producing diagnostic traces does not trivially apply to that algorithm.

6.3.1 HORNSAT based checking of Prebisimulation Preorder

We now apply our uniform methodology developed in Chapter 3 to reduce the prebisimulation problem to rooted NHORNSAT. Given two finite state processes $P = (\langle P, Act, \to, \uparrow\rangle, p_0)$ and $Q = (\langle Q, Act, \to, \uparrow\rangle, q_0)$, we outline an algorithm for checking if $P \sqsubseteq Q$. We give an efficient reduction to an NHORNSAT instance and, since there is a linear time algorithm to check the satisfiability of NHORNSAT, that gives us an efficient algorithm for prebisimulation preorder checking.

Our reduction of the prebisimulation problem to an NHORNSAT instance $f$ is as follows:

1. The variables in the formula $f$ are $X_{p,q}$ where $p$ and $q$ are states in the two transition systems.
2. The clauses in the formula $f$ are of the following three types.
   (a) A single positive literal $X_{p,q}$. If $(p, q)$ is required to be in the prebisimulation relation we construct this type of clause. We always create $X_{p_0,q_0}$ because $(p_0, q_0)$ is required to be in the prebisimulation relation for the relation to hold between the two transition systems. Also, if there is a pair $(p, q)$ such that $p, q$ have no outgoing transitions and $p \uparrow a$ for all $a \in Act$, or if $p, q$ have no outgoing transitions and $p \downarrow a$ as well as $q \downarrow a$ for all $a \in Act$, then we generate a clause $X_{p,q}$.
   (b) A single negated literal $\neg X_{p,q}$. Such a clause is constructed to indicate that $(p, q)$ cannot be in any prebisimulation relation. We create such a clause when one of the following is true:
      i. There is an $a \in Act$ such that $p \xrightarrow{a} p'$ for some $p'$ but there is no $q'$ such that $q \xrightarrow{a} q'$. We mark such a clause with a clause number and $\langle a\rangle\mathit{true}$ to indicate that $q$ does not have an $a$ action whereas $p$ has one.
      ii. For some $a \in Act$, $p \downarrow a$ but $q \uparrow a$. We mark this clause with the clause number and $[a]{\downarrow}\mathit{true}$ to denote that $p$ satisfies $[a]{\downarrow}\mathit{true}$ but $q$ does not.
      iii. For some $a \in Act$, $p \downarrow a$ and $q \downarrow a$, but there is a $q'$ such that $q \xrightarrow{a} q'$ and there is no $p'$ such that $p \xrightarrow{a} p'$. Mark this clause with a clause number and $[a]{\downarrow}\mathit{false}$ to denote that $[a]{\downarrow}\mathit{false}$ is satisfied by $p$ but not by $q$. (Note that $[a]{\downarrow}\mathit{false}$ can be satisfied by a state $p$ if and only if there is no $a$ action out of it and $p \downarrow a$.)
   (c) Implication clauses of the form $X_{p,q} \Rightarrow \bigvee_{i,j} X_{i,j}$. If a clause of this form is constructed then it means that for $(p, q)$ to be in the prebisimulation relation

one of the (i; j)'s must also be in the prebisimulation relation. We generatethese clauses in the following cases:i. For each action a 2 Act, for each transition p a! p0. in P , we create animplication clause in the following manner:Let S(q; a) = fqi j q a! qig. Then we generate a clauseXp;q ) Wr2S(q;a)Xp0;rand mark this clause with a clause number and \a1" to denote that itcorresponds to obligation that an a action in the �rst process needs to bematched by a similar one in the second process.ii. If for all a 2 Act, both p # a and q # a, then for each a 2 Act, for eachtransition q a! q0. in Q, we create an implication clause in the followingmanner:Let S(p; a) = fpi j p a! pig. Then we generate a clauseXp;q ) Wr2S(p;a)Xr;q0and mark this clause with a clause number and \a2" to denote that itcorresponds to the obligation that an a action in the second process needsto be matched by a similar one in the �rst.The proof of the fact that the NHORNSAT instance produced in the above re-duction is satis�able if and only if the prebisimulation preorder holds between thetwo transition systems (i.e., P v Q) is similar to the proofs in Chapter 3. The sizeof the NHORNSAT instance is O(jPj � jQj) and hence a linear time NHORNSATsolver based on [DG84] combined with the above reduction will give as e�cient analgorithm for prebisimulation checking.Theorem 6.3.1 the NHORNSAT instance produced by the algorithm described above,is satis�able if and only if P v Q. The running time of the prebisimulation checkingalgorithm obtained this way is O(jPj � jQj).6.3.2 Generating Diagnostic FormulaNow we show how to obtain diagnostic IHML formula without increasing the asymp-totic complexity, in case P 6v Q. 132

Recall that the linear time algorithm for HORNSAT satis�ability presented in[DG84] �rst builds a graph representation of the instance and then do pebbling onthe graph. The on the y algorithm for HORNSAT in [AI91] builds this graphincrementally on demand basis. In Chapter 3, we have outlined, how to adapt thispebbling to NHORNSAT. This pebbling helps us to generate the diagnostic IHMLformula without any extra overhead.Note that when the two systems are not related by prebisimulation preorder, thereis a pebbling from ffalseg to true in the graph. Now, since (p0; q0) are not related,there is a pebbling through Xp0;q0. We can �nd such a pebbling in linear time andonce such a pebbling has been found we construct the IHML formula as follows:� Recall that we mark each clause with a clause number and a certain �xed sizeinformation whose size only depends on the size of Act. While building the Dowling-Gallier graph for solving the NHORNSAT instance, we label the edges of the graphby clause numbers as well as the other markings of the clauses.The distinguishing formula for (p; q) 2 P � Q is obtained by the following rules:We are assuming that the NHORNSAT instance produced by the algorithm in theprevious section is unsatis�able and thus there is a pebbling from ffalseg to truethrough Xp0;q0.� The distinguishing formula is not represented as a single expression but as a setof equations (rather as a straight line program) in variables of the form dp;q such thatthe value of the variable dp0;q0, if the equations are solved, will give the distinguishingformula for the two transition systems. The value of dp;q gives the distinguishingformula for the states p; q1.1. If there is an edge directly from the node false in the graph to Xp;q (which alsomeans that there is a clause Ci = Xp;q.) 
Obviously that edge must be marked by $(i,m)$ where $m$ is one of the following three symbols: $\langle a \rangle\mathrm{true}$, $[a]\downarrow\mathrm{true}$ and $[a]\downarrow\mathrm{false}$. Then create the equation $d_{p,q} = m$.

2. Let $X_{p,q}$ be pebbled via edges marked with $(i,a1)$ for some clause $C_i$ and some $a \in Act$, where the clause $C_i$ is of the form $X_{p,q} \Rightarrow \bigvee_{r \in S(q,a)} X_{p',r}$ with $S(q,a) = \{q_i \mid q \xrightarrow{a} q_i\}$. Then create a new equation $d_{p,q} = \langle a \rangle(\bigwedge_{r \in S(q,a)} d_{p',r})$.

3. Let $X_{p,q}$ be pebbled via edges marked with $(i,a2)$ for some clause $C_i$ and some $a \in Act$, where the clause $C_i$ is of the form $X_{p,q} \Rightarrow \bigvee_{r \in S(p,a)} X_{r,q'}$ with $S(p,a) = \{p_i \mid p \xrightarrow{a} p_i\}$. Then create a new equation $d_{p,q} = [a]\downarrow(\bigvee_{r \in S(p,a)} d_{r,q'})$.

Footnote 1: We can construct examples of transition systems $P$ and $Q$ such that $P \not\sqsubseteq Q$ and the distinguishing IHML formula is exponential in the size of the description of $P$ and $Q$. This lower bound on the distinguishing formula size justifies our use of the equational representation for the distinguishing formula.

The following theorem states the correctness of the above method; the proof is again by induction on the pebbling distance [DG84].

Theorem 6.3.2 The method outlined above produces a set of propositional equations with propositional variables of the form $d_{p,q}$ such that the value of $d_{p_0,q_0}$ (when the substitutions are made according to the equation set) is a diagnostic IHML formula for the processes $P$ and $Q$ when $P \not\sqsubseteq Q$. Moreover, the size of this equational representation of the diagnostic formula is $O(|P| \cdot |Q| \cdot \max(|P|,|Q|))$.

However, it is easy to see that the size of the NHORNSAT instance will be $O(|P| \cdot |Q| \cdot (\max(|P|,|Q|))^2)$, and using the linear time implementation of the pebbling and writing the distinguishing formula during the pebbling itself provides an algorithm that runs in $O(|P| \cdot |Q| \cdot (\max(|P|,|Q|))^2)$ time, which is $O(|\mathcal{P}| \cdot |\mathcal{Q}|)$ (footnote 2), and which has the property that it decides if $P \sqsubseteq Q$ and, in case $P \not\sqsubseteq Q$, produces an equational representation of a diagnostic IHML formula without any extra cost in the asymptotic complexity.

Footnote 2: Note that $|\mathcal{P}| = O(|P|^2)$.

Chapter 7
Uniform Lower Bounds

In the previous chapters we developed a uniform methodology for deriving efficient algorithms for various problems related to the verification of finite state systems. However, as already noted, these algorithms have time complexity polynomial in the size of the state space of the transition systems representing real systems. In practice, however, real systems are not described by explicit state space enumeration. Usually some kind of composition operator is defined and the actual system is described as a composition of more primitive transition systems. A question that arises naturally is whether one can design efficient algorithms for the same verification problems when systems are presented in terms of composition. It is easy to see that most composition operators in the literature lead to succinct descriptions of the state space (i.e., the actual state space is exponential in the size of the description).

In most cases, if we apply our uniform methodology to succinctly described systems, we end up with an EXPTIME algorithm in the size of the representation. In this chapter we investigate the complexity of these problems and we also compare our findings with the known results on these complexity bounds.

Here we consider a particular succinct description mechanism and establish lower bounds for various verification problems for it. This succinct description mechanism is based on CSP-style [Hoa84] parallel composition. Similar lower bound results can be obtained using our techniques for many other description formalisms, including I/O automata [LV95], CCS [Mil89], networks of interconnected finite state machines [ASSB94], etc.

7.1 Problems

Some of the description formalisms that allow succinct representations include process algebraic formalisms such as the Communicating Sequential Processes (CSP) [Hoa84], the Calculus of Communicating Systems (CCS) [Mil89], the Algebra of Communicating Processes (ACP) [BK84], etc., as well as automata theoretic formalisms such as the I/O automata of Lynch et al. [LV91, LV95]. One can view these formalisms as abstract programming languages for the specification of the data and control flow in concurrent systems. To each such abstract specification one associates an appropriate semantic object. Often these semantic objects are transition systems [Mil89, Hoa84], which may be related via appropriate equivalence relations (e.g., strong and weak bisimulation, trace equivalence, etc. [Mil89, Hoa84]).

We call a transition system represented by an explicit enumeration of its states and transition relation a sequential transition system. Transition systems represented as parallel compositions of sequential transition systems are called parallel transition systems. We consider parallel transition systems both with and without hiding abstraction [Hoa84].

Let $\rho$ be a binary relation on finite processes, and let $p_0$ be a fixed finite state process. Consider the following two relational problems.

P1: Determine for processes $p$ and $q$ whether $p \,\rho\, q$.

P2: Determine for a process $p$ whether $p \,\rho\, p_0$.

We study these problems for various relations $\rho$ defined in the literature [Mil89, BHR84, HT94, Rab92, LV95] for the following reasons:

1. Many verification problems are modelled as problem P1 for some appropriate relation $\rho$ (see Chapter 2 for examples of such relations), where the specification of a system is represented as a process $q$ and the implementation as a process $p$ [LV95, Kur94].

2. In many industrial automated verification tools, libraries of transition systems corresponding to desired properties or operations of systems have been implemented [Kur94]. Hence, to prove that some implementation $P$ conforms to a given specification, one establishes relations with a fixed transition system from the library [Kur94].

As mentioned already, parallel composition and hiding abstraction have been widely used for modelling concurrent/parallel systems [Hoa84, Mil89, BK84]. For parallel transition systems with or without hiding, the state space of the system can be exponentially larger than the size of the system description. As a result, a direct application of the methodologies described earlier in this thesis yields EXPTIME algorithms for problems P1 and P2 when the representations are succinct. Thus, we study the complexity of problems P1 and P2 for such systems. We also consider the complexity of nontrivial predicates on finite processes when processes are represented as parallel transition systems. This problem, which we call P3, is defined as follows:

P3: Let $\pi$ be a nontrivial predicate on finite state processes such that $\pi(x) = \pi(y)$ whenever $x$ and $y$ are weakly bisimilar. Determine, for a process $p$, whether $\pi(p)$ holds.

We also consider problem P1 for sequential transition systems for some relations defined in the context of I/O automata in [LV91, LV95]. Although we have already considered upper bounds for problem P1 for sequential transition systems for various relations in the linear-time/branching-time hierarchy [vG90] in Chapter 3, here we consider some lower bounds as well. The complexity of these relations has not been studied in the literature previously.
However, these problems are worth investigating because automated verification tools based on the I/O automata model need to implement these decision procedures.

7.2 Results and Contributions

Here we present two sets of results. Our first set of results is for processes represented by parallel transition systems with or without hiding. The results obtained are as follows:

1. We fully characterize the complexity of the reachability problem for the parallel composition of finite sequential transition systems. The reachability problem for finite state processes is the problem of deciding if a given state is reachable in any execution of a given process specification. The complement of the reachability problem is called the nonreachability problem. We show that both problems are NSPACE(n)-complete when the individual transition systems in the composition (both with and without hiding) are deterministic, as well as when they are nondeterministic. We use this result to establish an NSPACE(n)-hard lower bound for all relations between bisimulation and trace preorder. This result is very similar to the NSPACE(n) lower bound established in [RH93] for the reachability problem in a network of finite state machines.

2. [Rab92, Rab95] showed that problem P1 is PSPACE-hard for all equivalences between bisimulation and trace equivalence when processes are represented by parallel composition with hiding. We show that for all these relations problem P1 is NSPACE(n)-hard even without hiding. In [Rab96], after [SHRS96b] appeared, it was claimed that the stronger result establishing the PSPACE-hard lower bound for the case without hiding was implied in [Rab92]. However, since there was no explicit result of that nature in [Rab92, Rab95], we regard this as a new result. Since establishing PSPACE-hardness in all these cases has been via generic reductions (for example, see [RH93]), it is not difficult to see that by slight changes in the constructions in [Rab95] one can obtain the lower bound for the case without hiding.

(a) Our reduction shows that the problems are NSPACE(n)-hard, whereas the reduction in [Rab92, Rab95] establishes at best a DSPACE(n)-hard lower bound.

(b) We also show that there are some relations in the class of relations considered for which the upper bound is NSPACE(n), and hence we get a tight uniform lower bound. Hence, unless DSPACE(n) = NSPACE(n), our results are stronger.

(c) The lower bound proof in [Rab92, Rab95] uses a reduction where the resulting parallel system is highly centralized. Thus his reduction proves the lower bound only for centralized systems where there is one process with which every other process communicates but none of the other processes communicate with each other. We believe that such a system cannot be called a truly distributed parallel system. Our reduction yields a parallel system where there are local interactions between processes.

(d) Moreover, in the reduction in [Rab95], the central process has to communicate with an unbounded number of processes. Hence, it proves the lower bound for a star topology of process networks where the center of the star has unbounded degree, which is unrealistic because of physical limitations on the number of channels a process might be allocated. In our case, the processes communicate with at most two other processes (footnote 1) and hence represent a more feasible model of interaction. Moreover, our reduction shows that the network of processes is a linear array for which this lower bound holds. Since the significance of a lower bound depends on the kind of instances for which the lower bound holds, our lower bound is more significant.
A linear array of processes can be embedded in most other network topologies, and hence our lower bound holds for most realistic models of distributed parallelism.

(e) The reduction in [Rab92, Rab95] is from a deterministic polynomial space bounded machine, whereas our reduction is from a nondeterministic device, so we can obtain other lower bound results in [GM92, Rab92, Rab95] as particular cases. For example, [GM92, Rab92, Rab95] used different reductions for proving the Co-NP-hardness of the problem of deciding relations between interacting acyclic transition systems. We can obtain the same result from a particularization of the generic reduction. A similar particularization of the reduction in [Rab92, Rab95] can at best lead to a P-hardness result.

Footnote 1: Note that if each process is restricted to interact with at most one process, then we can partition the set of processes into groups of two processes which do not interact, and hence many of the decision problems become easy [GM92].

3. As mentioned already, our lower bounds are tight uniform bounds because we show the existence of relations that have matching upper bounds. Our uniform approach is also different. Our proof is based on the following dichotomization, which also leads to easier proofs of most of the other results in [Rab92, Rab95]. We show that all relations between bisimulation and trace preorder (which includes all equivalences between bisimulation and trace equivalence) are as hard as the nonreachability problem for finite state processes for the corresponding representations. In comparison, the technique for proving the lower bounds in [Rab92, Rab95] can be called collapsing: they establish the lower bound for deciding the bisimulation relation for a special case (deterministic systems) in which all the equivalences coincide with bisimulation equivalence.

We also show that these lower bound results hold even when all the individual transition systems in the parallel composition (without hiding) have the same two-symbol external action alphabet.

4. We also show that the trace, failure and readiness equivalences for systems represented in this way are PSPACE-complete. In fact, we show that they are NSPACE(n)-complete. From these upper bounds, it is clear that the uniform lower bound for all relations between bisimulation and trace equivalence (for systems expressed with parallel composition without hiding) cannot be strengthened.
Thus our uniform lower bound is the strongest one can obtain for this class of systems.

5. For problem P2 we show that, for all relations $\rho$ between weak bisimulation and trace preorder, and for any fixed process $p_0$, deciding if $p \,\rho\, p_0$ for a process $p$ represented by parallel composition with hiding is PSPACE-hard (in fact, NSPACE(n)-hard). This result follows from a similar dichotomization. However, there are fixed processes for which the trace preorder is EXPSPACE-complete [Rab92, Rab95]. We also observe that there are fixed processes for which bisimulation is easy to decide, even for parallel composition with hiding.

6. For a process $p$ represented by a parallel composition of acyclic sequential processes with hiding, we show that, for any fixed acyclic process $p_0$ and any relation $\rho$ between weak bisimulation and trace preorder, deciding if $p \,\rho\, p_0$ is Co-NP-hard. We also show that deciding trace, failure and readiness equivalences in this case is Co-NP-complete in each case.

7. Our work on the composition of acyclic transition systems also yields a simplified Co-NP-hard lower bound proof of a stronger version of a result in [Rab92, Rab95]. In [GM92] it was proved that for parallel composition (without hiding) of deterministic acyclic systems (for which all the relations between bisimulation and trace equivalence coincide) problem P1 is Co-NP-complete. In [Rab92] a complicated alternative proof of the Co-NP-hardness was presented. However, we significantly strengthen that result by showing that even for nondeterministic systems deciding trace equivalence is indeed Co-NP-complete, which proves that the Co-NP-hard lower bound is the best possible lower bound for P1 that holds for all these relations (footnote 2).
We also show that the lower bound holds evenfor cases when the individual acyclic transition systems are deterministic withas few as six states and with external alphabet of size at least 2.We also show that when hiding is used with parallel composition of acyclicsystems, deciding trace, failure and readiness equivalences are in the second2Although [Rab92, Rab95] stated that problem P1 is NP-hard as well as Co-NP hard, that wasobviously not literally the case because our result here shows that some of these relations are indeedin Co-NP. 141

level of polynomial hierarchy (�2P = Co�NPNP ).8. We also show that, for any nontrivial predicate on processes, problem P3 forprocesses represented by parallel composition with hiding is NSPACE(n)-hard.Tables 7.1 and 7.2 summarize the new complexity results obtained here for problemP1 and P2 respectively.In the second set of results we consider complexity upper and lower bounds forre�nement mapping, history and prophecy relations as de�ned in [LV91, LV95]. Thecomplexity of these problems has not been considered in the literature previously.We show that �nding existence of re�nement mapping is NP-Complete, and �ndingexistence of history relation and �nding existence of prophecy relation are graph-isomorphism-hard.Table 7.3 shows a summary of our complexity results for sequential transitionsystems.7.3 Results on Problems P1; P2 and P37.3.1 Reachability Problem and Uniform Lower Bounds:We de�ne the reachability problem as follows.De�nition 7.3.1 Let T = hQ; q0; A;!i be a transition system. Let s 2 Q be astate of T . The reachability problem is to decide if there is a �nite sequence� 2 (A [ f�g)�, such that q0 �=) s. We call the complement of this problem, thenonreachability problem.Theorem 7.3.1 shows that the nonreachability problem can be used to obtain auniform lower bound for a number equivalences and preorders. This technique forestablishing uniform lower bounds for classes of relation is called dichotomization andwas used in [HS76, Hun84, HR83] extensively.142

System type Decision Problem lower bound upper boundUnrestricted Nondeterministicwith or without Reachabilityhiding NSPACE(n)Nondeterministic Relations betweenwithout hiding bisimulation NSPACE(n)and trace preorderTrace, Failure,Readiness Equivalence NSPACE(n)Deterministic Relations betweenwithout hiding bisimulationand trace preorder NSPACE(n) NSPACE(n)Acyclic Nondeterministicwith or without Reachabilityhiding NP NPNondeterministic Relations betweenwithout hiding bisimulationand trace preorder co-NPTrace, Failure,Readiness Equivalence co-NPNondeterministicwith hiding Trace, Failure,Readiness equivalence Co-NPNPTable 7.1: Table showing our complexity results for the problem P1 for Parallel Com-position with or without hidingTypes of Systems Decision problem lower bound upper boundUnrestricted Relations betweenweak bisimulation and trace preorder NSPACE(n)Acyclic Relations betweenweak bisimulation and trace preorder Co-NPTrace, FaiureReadiness equivalence co-NPTable 7.2: Table showing our results for problem P2 for processes represented byParallel Composition with hiding. 143

Relation Lower bound Upper boundRe�nement Mapping NP-hard NPHistory Relation Graph-isomorphism-hard NPProphecy Relation Graph-Isomorphism-hard NPTable 7.3: Table showing the complexity of relations for sequential systemsDe�nition 7.3.2 Let T1 and T2 be two transition systems. Let � and � be two binaryrelations de�ned on transition systems. We say � ) � (� implies �) if and only ifwhenever (T1; T2) 2 �, also (T1; T2) 2 �. For any three binary relations �, �, #, wesay that the relation # is between � and �, if �) #) �.Theorem 7.3.1 Consider a particular representation (e.g., sequential or paralleltransition systems) for �nite transition systems. The nonreachability problemfor transition systems with that representation is reducible in linear time and loga-rithmic space to the problem of deciding any relation � such that �bsim)�)�trace3 for transition systems with the same representation.Proof: Let � be any equivalence between bisimulation and trace equivalence andlet � be any preorder between �sim and �trace. In other words �bsim)�)�trace.and �sim)�)�trace. Now suppose we are given an instance of the Reachabilityproblem. So we are given (T; s) where T = hQ; q0; A;! iis a transition system ands 2 Q. We create an instance of the � decision problem as follows. Construct two newtransition systems T1 and T2 such that T1 = hQ1; q10; A1;!1i, T2 = hQ2; q20; A2;!2iwhere Q1 = Q2 = Q [ fdg, (d is not in Q) q10 = q20 = q0, A1 = A [ f$g andA2 = A [ f#g such that $ and # are not in A [ f�g.!1=! [f(s; $; d)g and !2=! [f(s;#; d)g:Now it is not di�cult to verify that T1 �bsim T2 if and only if s is not reachablein T . On the other hand if s is reachable in T , then T1 6�trace T2.3These also include any preorder � such that �sim)�)�trace144

Now if we want to decide the reachability, then test T1 � T2 for any � between�bsim and �trace. Or any preorder � between �sim and �trace. Then reachable(T; s)is true if and only if the answer to this simulation problem instance is \no". Sincereachable(T; s)) T1 6�trace T2 ) T1 6� T2 ) T1 6�bsim T2 and not(reachable(T; s)))T1 �bsim T2 ) T1 � T2, it is clear that testing for � will give a decision algorithm forthe reachability problem. Hence, any lower bound on the nonreachability problemapplies to the problem of deciding any relation � such that �bsim)�)�trace. 2Now we show using Theorem 7.3.1 that for transition systems represented suc-cinctly using parallel composition (without hiding), any relation � between bisimu-lation equivalence and trace equivalence as well as any relation � between simulationpreorder and trace preorder is PSPACE-hard (In fact, NSPACE(n)-hard). Moreover,we also show that trace equivalence, failure equivalence and readiness equivalence areNSPACE(n)-Complete for parallel transition systems. This shows that the uniformlower bound obtained here is the strongest that holds uniformly for all relations inthese ranges.Reachability in Parallel Transition SystemsFirst we present a few relevant de�nitions and results to prove the other theorems inthis section.De�nition 7.3.3 The ��closure of a state s of a transition system hQ; q0; A;!i, isthe set of states that the system could reach from s, either by executing no transition,or by a sequence of � transitions . In other words, ��closure(s) = fs0 j 9� 2 � � :s �=) s0 g. Given a set of states S, ��closure(S) = Ss2S ��closure(s).De�nition 7.3.4 The a-closure of a state s of a transition system hQ; q0; A;!i, isthe set of states that the system could reach from s, by executing an a action. Givena set of states S, a-closure(S) = Ss2S a-closure(s).Notation 7.3.1 We denote a global state vector hs1; s2; :::; sni as hsiii.145

Lemma 7.3.2 Given a parallel transition system T1kT2k:::Tn and a state of theparallel system s = hsiii, ��closure(s) = S1�S2�:::�Sn, where Si = ��closure(si).Proof : We �rst prove that ��closure(s) � S1 � S2 � ::: � Sn. Let hs0iii 2��closure(s). By the semantics of parallel composition (See Chapter 2), � transitionsare taken independently by the components. Hence, hs0iii must have been obtainedby independent � actions of each component. Hence, hs0iii 2 �ni=1��closure(si) =�ni=1Si.Next we prove that �ni=1��closure(si) � ��closure(hsiii).Let hs0iii 2 �ni=1��closure(si). Let ji be the minimum number of � steps that thecomponent i takes to get from state si to s0i. Then after �ifjig globals steps (in whichcomponent i takes ji � steps), the global system will be able to move from hsiii tohs0iii. Hence hs0iii 2 ��closure(hsiii). 2Now we prove a generalized version of the above Lemma.Lemma 7.3.3 Given a parallel transition system T1kT2k:::Tn and a set of statesS of the parallel system described as the Cartesian product of sets of states of thecomponents (i.e., S = S1 � S2 � :::� Sn), ��closure(S) = S 01 � S 02 � :::� S 0n, whereS 0i = ��closure(Si).Proof: We want to prove that � -closure(�ni=1Si) = �ni=1� -closure(Si). We �rstprove that � -closure(�ni=1Si) � �ni=1� -closure(Si). Let hs0iii 2 � -closure(�ni=1Si).That means 9hsiii 2 �ni=1Si such that hs0iii 2 � -closure(hsiii). But by the pre-vious lemma hs0iii 2 �ni=1� -closure(si). Since si 2 Si, clearly � -closure(si) � � -closure(Si). Hence, hs0iii 2 �ni=1� -closure(Si).Now we prove that �ni=1� -closure(Si) � � -closure(�ni=1Si). Let hs0iii 2 �ni=1� -closure(Si). Then for all i, s0i 2 � -closure(Si). So there must be some si 2 Sisuch that s0i 2 � -closure(si). Hence hs0iii 2 � -closure (hsiii). But hsiii 2 �ni=1Si and146

thus � -closure(hsiii) � � -closure(�ni=1Si) and hence the intended inclusion holds. 2De�nition 7.3.5 A set of states S is said to be � -closed if S = � -closure(S).Lemma 7.3.4 Suppose that a parallel transition system is in some state in a � -closedset of global states �ni=1Si. Let a 2 Act be a visible action and I � f1; 2; :::; ng be suchthat a 2 \i2IActi and a =2 Acti for all i =2 I. Then the set of possible global states forthe system after executing an a action is given by �ni=1S 0i where S 0i = a-closure(Si) ifi 2 I, and S 0i = Si if i =2 I.Proof: We �rst prove that for any global state hsiii 2 �ni=1Si in which an a actionis enabled (which means that for all i 2 I, a-closure(si) 6= �), for all hs0iii such thathsiii a! hs0iii, hs0iii 2 �ni=1S 0i. This is obvious because when in state hsiii an a actionis executed, all the processes with index in I has to participate (By the semanticsof parallel composition). So the set fhs0iii j hsiii a! hs0iiig is actually �ni=1Gi whereGi = a-closure(si) for all i 2 I and Gi = fsig for i =2 I and note that since si 2 Sia-closure(si) = Gi � a�closure(Si) = S 0i when i 2 I and Gi = fsig � Si = S 0i for alli =2 I.Now we prove that if hs0iii 2 �ni=1S 0i then there must exist a global state hsiii suchthat hsiii a! hs0iii. However, note that for i =2 I, si = s0i and for all i 2 I, S 0i being thea-closure of Si, there must be si 2 Si such that s0i 2 a-closure(si). Collecting thesesi's we can construct an hsiii 2 �ni=1Si such that hsiii a! hs0iii. 2Now we prove a theorem about parallel transition systems that is the basis forsome of the PSPACE (actually NSPACE(n)) upper bounds established at the end ofthis section. This theorem is actually a generalization of Lemma 7.3.4. As in thecase of the above lemmas, this theorem also applies only when no hiding abstrac-tion is allowed. Intuitively, this theorem states the following. Let the set of statesthat a parallel transition system could reach via a given trace be S = fs j 9� :147

$\langle q^1_0, q^2_0, \dots, q^n_0 \rangle \stackrel{\alpha}{\Longrightarrow} s \wedge \hat{\alpha} = \gamma\}$. Then $S$ is the Cartesian product of sets $S_i$ for $i = 1, \dots, n$, where $S_i$ is the set obtained by keeping track of the set of states that $T_i$ could be in via the projection of the trace on the action alphabet of $T_i$ and $\tau$-closures. Note: the set $S$ as defined above is $\tau$-closed.

Definition 7.3.6 The projection of a trace $\gamma$ over an action alphabet $A$, denoted $\gamma \restriction A$, is the result of deleting all the symbols in $\gamma$ which are not in $A$. (Note that $\gamma \restriction A$ might be $\varepsilon$, where $\varepsilon$ is the empty string.)

Theorem 7.3.5 Given a parallel transition system $T_1 \| T_2 \| \dots \| T_n$ and $\gamma \in (\bigcup_i A_i)^*$, the set $\{\langle s_1, s_2, \dots, s_n \rangle \mid \exists \alpha : \langle q^1_0, q^2_0, \dots, q^n_0 \rangle \stackrel{\alpha}{\Longrightarrow} \langle s_1, s_2, \dots, s_n \rangle \wedge \hat{\alpha} = \gamma\}$ equals $S_1 \times S_2 \times \dots \times S_n$, where $S_i = \{s \mid \exists \beta : q^i_0 \stackrel{\beta}{\Longrightarrow}_i s \wedge \hat{\beta} = \gamma \restriction A_i\}$.

Proof sketch: By induction on the length of $\gamma$.

Basis: When the length of $\gamma$ is 0, $\alpha$ and $\beta$ are strings of $\tau$'s and the basis is proved directly by Lemma 7.3.2.

Induction hypothesis: Let the statement of the theorem be true for all $\gamma$ such that $|\gamma| = k$.

Now consider a $\gamma$ of length $k+1$. Then $\gamma = \gamma' a$ for some $a \in \bigcup_i A_i$, where $\gamma'$ is of length $k$. Hence, by the induction hypothesis, the set of states reachable by the system via $\gamma'$ is represented as $\prod_{i=1}^n S_i$. Since this set is $\tau$-closed, by Lemma 7.3.4 the set of states reachable by then executing the $a$ action is representable in the same way. □

Theorem 7.3.5 allows us to obtain an NSPACE(n) algorithm for the reachability problem, as described below. Note that this upper bound holds regardless of whether hiding abstraction is used or not.

Let $T_1 \| T_2 \| \dots \| T_n$ be a parallel transition system (without hiding). Let $(s_1, s_2, \dots, s_n)$ be the state to be reached, as specified in the input of the reachability problem. We can guess a string $\sigma \in (A_1 \cup A_2 \cup \dots \cup A_n)^*$ one symbol at a time, and guess the corresponding transitions to confirm that $(q^1_0, q^2_0, \dots, q^n_0) \stackrel{\sigma}{\Longrightarrow} (s_1, s_2, \dots, s_n)$. We apply the

proof of Theorem 7.3.5 to show that this can be done in NSPACE(n), because we only have to keep track of the set of possible next states as a Cartesian product of individual state sets, whose representation is linear in the size of the transition systems.

To show hardness, we reduce the nondeterministic LBA acceptance problem to the reachability problem in parallel transition systems. Recall the following folk theorem:

Proposition 7.3.2 There exists a fixed nondeterministic linear bounded automaton (LBA) $M$ such that all context-sensitive languages (all languages accepted in NSPACE(n)) are deterministically quasi-linear time/log-space and linear size reducible to the language $L(M)$ accepted by $M$.

This theorem tells us that if we can show that the word problem for this fixed $M$ can be reduced in log-space and quasi-linear time to a problem $P$, then the problem $P$ is NSPACE(n)-hard.

Now we show that the word problem for the nondeterministic LBA of Proposition 7.3.2 is log-space/quasi-linear time reducible to the reachability problem for parallel transition systems without hiding. Also note that we can assume without loss of generality that this nondeterministic LBA has a unique accepting state and a unique rejecting state. (Given an LBA, one can obtain an equivalent LBA with this property by adding a counter in the standard way.)

So we fix the nondeterministic LBA $M$ given by Proposition 7.3.2 and, for any given input $x$, we construct a parallel transition system $T$ and a particular state $s$ of the constructed transition system such that the LBA $M$ accepts $x$ if and only if $s$ is reachable in $T$.

Let the LBA be $M = \langle Q, \Sigma, q_0, q_y, q_n, \delta \rangle$, where $Q$ is the finite state set, $\Sigma$ is the tape alphabet, $q_0$ is the initial state, $q_y$ is the final accepting state, $q_n$ is the rejecting state, and $\delta \subseteq Q \times \Sigma \times Q \times \Sigma \times \{L, R\}$ is the transition relation. Without loss of generality, we may assume that whenever the LBA accepts, it brings the tape head

to the leftmost tape cell and halts in the special state $q_y$. Otherwise it halts in the rejecting state $q_n$.

Let $x = x_1 x_2 \dots x_n$ be an input to the LBA. Now we create the parallel transition system $T = T_1 \| T_2 \| \dots \| T_n$ as follows.

For each $T_i$ the state set is $(Q \times \Sigma) \cup \Sigma \cup \{\$\}$. The initial state of $T_1$ is $(q_0, x_1)$, and for each $T_i$ ($1 < i \le n$) the initial state is $x_i$.

The transition relations are given as follows. For every transition of $M$ of the form $(q, x, q', x', L) \in \delta$ and every $1 < i \le n$, $T_i$ has a transition $\langle (q, x), \langle i, q, x, q', x', L \rangle, x' \rangle$, and correspondingly $T_{i-1}$ has the transitions (for all $b \in \Sigma$) $\langle b, \langle i, q, x, q', x', L \rangle, (q', b) \rangle$. Similarly, for every transition of $M$ of the form $(q, x, q', x', R) \in \delta$ and every $1 \le i < n$, $T_i$ has a transition $\langle (q, x), \langle i, q, x, q', x', R \rangle, x' \rangle$, and correspondingly $T_{i+1}$ has the transitions (for all $b \in \Sigma$) $\langle b, \langle i, q, x, q', x', R \rangle, (q', b) \rangle$. Also, for each $T_i$ ($i \neq 1$) and all $b \in \Sigma$, $\langle b, \#, \$ \rangle$ is in the transition relation, and for $T_1$, $\langle (q_y, b), \#, \$ \rangle$ is in the transition relation.

So whenever $T_1$ reaches the accepting state, it can do the $\#$ action and synchronize with all $T_j$, $j \neq 1$, so that all of them pass into a state called $\$$. Hence if the machine $M$ reaches an accepting state, the system $T$ reaches the state $(\$, \$, \dots, \$)$, and vice versa.

It is easy to check that each state of the parallel transition system is actually a machine instantaneous description (ID) of $M$. So $T$ starts with the initial ID and in each step it simulates the machine. Whenever $T_i$ is ready to do an action, it can do so only if $T_{i-1}$ or $T_{i+1}$ is ready to do that action, depending on which of $T_{i-1}$ or $T_{i+1}$ shares that action with $T_i$. As a result, $T_i$ can do an action only when it is in a state of the form $(q, x)$, because depending on $\delta(q, x)$ it will be synchronizing on an action with $T_{i-1}$ or with $T_{i+1}$. So eventually the parallel transition system reaches the state $(\$, \$, \dots, \$)$ iff the machine $M$ accepts $x$.

Note: The parallel transition system $T$ constructed in the above reduction is deterministic because each individual $T_i$ is deterministic. This determinism in each $T_i$ is obtained by encoding the nondeterministic steps of $M$ in a larger action alphabet.

By Proposition 7.3.2 and the construction detailed above we obtain the following theorem.

Theorem 7.3.6 For a transition system specified as a parallel composition (without hiding) of deterministic transition systems, the reachability problem is NSPACE(n)-hard. Moreover, this is true even when all the individual transition systems in the composition have the same two-symbol external action alphabet.

The second statement of Theorem 7.3.6 can be proved using a standard encoding of the action alphabet of the transition systems over a two-letter alphabet. This is a standard technique employed in the literature on formal language theory [HR78]. Moreover, by a close look at the construction presented above, one can make the following observations.

1. The above theorem shows that the reachability problem for parallel composition of deterministic transition systems is NSPACE(n)-hard. As we have already shown that the nonreachability problem can be solved by nondeterministic guesses in linear space, and nondeterministic space is closed under complement [Imm88], it follows that the reachability problem for parallel transition systems (with or without hiding) is NSPACE(n)-complete. Hence the nonreachability problem is also NSPACE(n)-complete. This observation together with Theorem 7.3.1 proves that all the relations between bisimulation equivalence and trace preorder are NSPACE(n)-hard to decide for parallel transition systems without hiding. This contrasts with the results in [Rab92, Rab95, Rab96], because the lower bound established there is merely DSPACE(p(n)) for some polynomial $p(n)$.
Even if we let $p(n) = cn$ for some constant $c$, that lower bound is weaker unless DSPACE(n) = NSPACE(n), which is unlikely given the present state of knowledge in complexity theory.

2. The construction presented above also shows that even if the parallel transition systems are fully distributed, in the sense that there is no central controller process, the problem is NSPACE(n)-hard. In our construction, we obtain a system of parallel transition systems in which each process communicates with only two other processes. In Rabinovich's construction [Rab92, Rab95], each process communicates only with a central controller process which basically keeps track of the Turing machine configuration. Since in a truly distributed system the presence of such centralized control is not desirable (because a centralized system is not really distributed), our construction addresses a more realistic situation. Moreover, the central controller needs to communicate with an unbounded number of processes, which is also unrealistic.

3. The resulting parallel system in our reduction has a linear communication topology. A linear array of processors is a popular topology in distributed computing. Moreover, in this topology communications are local and bounded.

4. A construction similar to the one used in this reduction can provide an alternative proof of the NP-completeness of the reachability problem for parallel composition of acyclic transition systems. We first recall from [Hun73] that there are $n \log n$ time nondeterministic Turing machines which accept NP-complete sets. Moreover, we can modify such a machine to run in $(n \log n)^2$ time so that it traverses to the end of the tape before it reverses its tape head. Now a construction similar to the one used in the proof of Theorem 7.3.6 can be used to obtain a parallel composition of transition systems that simulates the behavior of this machine. Moreover, by noting that this Turing machine is polynomial time bounded, we can make each transition system acyclic, because each time a cell is visited by the tape head the state of the transition system encodes the count of the number of times the corresponding cell has been visited.
But since in [Rab92, Rab95] the reduction is from a deterministic machine, similar constructions can at best establish a P-hardness result, which is a much weaker result.

Now, referring to Theorem 7.3.1, we can see that for deterministic parallel transition systems all relations between bisimulation and trace equivalence are NSPACE(n)-complete. That they are NSPACE(n)-hard follows from Theorem 7.3.6 and Theorem 7.3.1. For deterministic systems all these equivalences coincide [vG90] with trace equivalence. Trace inequivalence can be easily decided by a nondeterministic NSPACE(n) algorithm, by guessing a distinguishing trace one symbol at a time and keeping track of the resulting next state in linear space. On the other hand, NSPACE(n) being closed under complementation [Imm88], it follows that trace equivalence is also decidable in NSPACE(n). Thus for parallel composition of deterministic transition systems, any relation between bisimulation equivalence and trace equivalence is NSPACE(n)-complete.

For parallel composition of nondeterministic sequential transition systems without hiding, we obtain the following results.

Theorem 7.3.7 Given two finite state systems represented as parallel transition systems without hiding, deciding any relation between bisimulation and trace equivalence, and any relation between simulation preorder and trace preorder, is NSPACE(n)-hard. Moreover, this uniform lower bound holds even when all the individual transition systems in the composition have the same two-symbol external alphabet.

Proof: Follows from Theorems 7.3.1 and 7.3.6. □

Now we show that the uniform lower bound obtained above is the tightest possible uniform bound for all relations in the linear-time/branching-time hierarchy. Our proof involves showing that trace equivalence, failure equivalence and readiness equivalence are NSPACE(n)-complete for this class of systems.

Theorem 7.3.8 For parallel composition of nondeterministic transition systems without hiding, the trace equivalence, failure equivalence and readiness equivalence problems are NSPACE(n)-complete.

Proof sketch: NSPACE(n)-hardness has already been shown. To show completeness, we show that the complementary problem, i.e., deciding that two systems are not trace equivalent, is in NSPACE(n). Then, since NSPACE(n) is closed under complementation, it follows that the trace equivalence problem for this class of systems is in NSPACE(n). The nondeterministic algorithm is as follows. In order that the two systems are not trace equivalent, one of them must have a finite trace $\sigma$ which the other does not have. Guess the transition system which has the trace $\sigma$; call it $T_1$ and the other $T_2$. Then guess one symbol of the trace at a time, compute the set of states that $T_2$ can be in, and take the $\tau$-closure of these states. The crucial point is that the set of states that the system could be in can be represented as a Cartesian product of the sets of states that each individual component could be in, which takes space linear in the size of the transition systems. This follows from Theorem 7.3.5.

Similarly we could show that failure equivalence [BHR84] and readiness equivalence [BKO88] are also in NSPACE(n). The proofs for these two cases are similar to the above proof. □

7.3.2 Complexity of Deciding Relations to any Fixed Process

Let $p_0$ be any fixed process described as a sequential transition system or as a parallel transition system with or without hiding. We are interested in finding out the complexity of the problem P2 defined as follows: given any binary relation $\rho$ and a process $p$ represented as a parallel composition of finite processes with hiding, decide if $p \mathrel{\rho} p_0$. We obtained the following result.

Theorem 7.3.9 For any fixed process $p_0$, and for any binary relation $\rho$ on processes between weak bisimulation and trace preorder⁴, the problem of deciding if $p \mathrel{\rho} p_0$ for any process $p$ represented as a parallel composition of deterministic transition systems with hiding is NSPACE(n)-hard.

Proof sketch: Let $M$ be the linear space bounded nondeterministic Turing machine of Theorem 7.3.2. Without loss of generality, we can assume that $M$ always halts, and that it halts either in $q_n$, the rejecting state, or in $q_y$, the accepting state. (Given any nondeterministic LBA we can always replace it with an equivalent LBA with this property in a standard manner.) Let $p_0$ be any fixed process. Given an input $x$ to $M$, we construct a parallel transition system $T_M$ similar to the construction in the proof of Theorem 7.3.6. $T_M$ mimics the computation of $M$ on $x$, and its states correspond to the instantaneous descriptions (IDs) of $M$ during its computation on $x$. We construct $T_M$ in such a way that its action alphabet $A_M$ does not intersect the action alphabet of the given fixed process $p_0$. Add two new transitions, one labelled $\dagger$ and another labelled $\%$, such that if $T_M$ reaches the accepting state $q_y$ it makes the transition labelled $\dagger$ and starts mimicking $p_0$, and if $T_M$ reaches $q_n$ it takes the $\%$ transition and starts mimicking $p_0$. (The technicalities for doing this are routine and consist of a parallel composition of a small modification of $T_M$ and $p_0$.) Now hide $A_M \cup \{\%\}$ from this new system. It is easy to check that this new system is not trace equivalent to $p_0$ if $M$ accepts $x$. On the other hand, if $M$ rejects $x$, then this system is weakly bisimilar to $p_0$. Thus if $\rho$ is any relation between weak bisimulation and trace, then to decide whether $M$ does not accept $x$ we have to decide if this newly constructed system is $\rho$-related to $p_0$. This shows that deciding $\rho$ is NSPACE(n)-hard. Notice that our reduction is log-space bounded, linear time and linear size. □

However, there are fixed transition systems [Rab95] such that trace equivalence to that fixed system is EXPSPACE-complete. An open question is whether there are relations between weak bisimulation and trace preorder for which this lower bound matches the upper bound. In that case, this would be the strongest uniform lower bound for problem P2 for any fixed process and for all the relations between weak bisimulation and trace preorder. On the other hand, Theorem 7.3.9 certainly does not apply to

⁴ Note that there is a separate hierarchy of weak relations, similar to the linear-time/branching-time hierarchy [vG90], such that weak bisimulation is the strongest relation and trace preorder is the weakest relation in that hierarchy.

bisimulation equivalence, because there are fixed processes (for example, a two-state process that has a single action from the start state to the end state) for which problem P2 for bisimulation equivalence can be easily solved in polynomial time. Hence, Theorem 7.3.9 does not apply to bisimulation equivalence.

Note that in [Rab92, Rab95, Rab96] the proof of PSPACE-hardness of all the relations can be slightly modified to show that there exists a fixed transition system such that deciding any relation to that fixed system is PSPACE-hard. However, our result is much stronger in that it establishes the lower bound for any fixed transition system.

Complexity Results for Composition of Acyclic Processes

In this subsection we show the following:

1. The reachability problem for parallel composition of acyclic transition systems, with or without hiding, is NP-complete. Hence the nonreachability problem for this class of systems is co-NP-complete.

2. Applying Theorem 7.3.1, we show that deciding any relation between bisimulation equivalence and trace preorder for this class of systems is co-NP-hard even without hiding. This result was also proved in [GM92]. However, we also show that this uniform lower bound is tight, by showing that deciding trace, failure and readiness equivalences for such systems is co-NP-complete. In [GM92] it was proved that all these relations are co-NP-complete for parallel composition of deterministic acyclic systems (no hiding). But for deterministic systems all these relations coincide, whereas our co-NP-completeness results hold for parallel composition of nondeterministic transition systems (no hiding).

3. We also show that deciding trace, failure and readiness equivalence for parallel composition with hiding is in the second level of the polynomial hierarchy ($\text{co-NP}^{\text{NP}}$).

4. We then show that problem P2 for this class of systems (with hiding), for any relation between weak bisimulation and trace preorder, is co-NP-hard.

5. We also show that deciding trace equivalence to any fixed process is co-NP-complete.

First we present an alternative proof of a tightened version of the co-NP-hard lower bound result in [GM92] for problem P1, for all relations $\rho$ between bisimulation and trace equivalence, for parallel composition of acyclic sequential transition systems without hiding. In [Rab92, Rab95] a complicated alternative proof was given, and the corresponding result in [Rab92, Rab95] claims this lower bound as co-NP-hard as well as NP-hard, which is not the case, because later we prove that trace equivalence in this case is decidable in co-NP. We use our simplified proof of the co-NP-hard lower bound to obtain the uniform lower bound result for problem P2 for composition of this class of systems with hiding.

To obtain the lower bound result we first prove Theorem 7.3.10 via a polynomial time reduction from the following NP-complete problem [Sch78].

Definition 7.3.7 Ex-1-ex-3 Monotone 3SAT:
Instance: $C = \bigwedge_{i=1}^m C_i$ is a conjunction of $m$ clauses, each containing exactly 3 positive literals.
Question: Is there a satisfying assignment to this instance such that each clause is satisfied by setting exactly one of its literals to true?

Note that the complexity of the reachability problem is not affected by the use of hiding abstraction.

Theorem 7.3.10 The reachability problem for parallel composition (with or without hiding) of acyclic transition systems is NP-complete. The NP-hard lower bound applies even when each transition system in the composition is deterministic with only six states.

[Figure 7.1: Transition system $P_i$ corresponding to clause $C_i$ in the proof of Theorem 7.3.10. States $s_{i1}, s_{i2}, s_{i3}, s_{i4}, s_{i5}, s_i$; transitions labelled $x_{i1}, x_{i2}, x_{i3}$ and $\$$.]

Proof: NP-hardness: We reduce the Ex-1-ex-3 Monotone 3SAT problem to the reachability problem for parallel composition of acyclic and deterministic transition systems. Given an instance of Ex-1-ex-3 Monotone 3SAT, let the clause $C_i$ contain the positive occurrences of the variables $x_{i1}, x_{i2}, x_{i3}$. We construct the transition system $P_i = \langle S_i, \to_i, A_i, s_{i1} \rangle$ shown in Figure 7.1 corresponding to the clause $C_i$, where $S_i = \{s_{i1}, s_{i2}, s_{i3}, s_{i4}, s_{i5}, s_i\}$, $\to_i$ is the transition relation shown in Figure 7.1, $A_i = \{x_{i1}, x_{i2}, x_{i3}, \$\}$ and $s_{i1}$ is the starting state. Now consider the parallel composition $P_1 \| P_2 \| \dots \| P_m$. Envision taking a transition labelled with a variable as setting the truth value of that variable to 1. Being monotone, that sets the truth value of each clause containing that variable to 1 also. Also note that if a variable is common to a number of clauses, the parallel transition system makes a transition labelled by that variable only if all the transition systems corresponding to the clauses containing that variable make that transition.

It is not difficult to show that in $P_1 \| P_2 \| \dots \| P_m$, the state $\langle s_1, s_2, \dots, s_m \rangle$ is reachable if and only if the given instance of Ex-1-ex-3 Monotone 3SAT has a satisfying assignment with exactly one literal in each clause set to 1.
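The two constructions above, as an added worked example that is not part of the thesis: the Cartesian-product-of-sets bookkeeping of Lemmas 7.3.2 to 7.3.4 and Theorem 7.3.5 (an exhaustive search over traces stands in for the nondeterministic guessing), and on top of it the Ex-1-ex-3 Monotone 3SAT reduction of Theorem 7.3.10. The exact wiring of $P_i$ (which states the $\$$ transitions and the second-literal transitions lead to) is read off Figure 7.1 and is an assumption, as are all names in the code.

```python
"""Added example, not from the thesis: set-of-states reachability for T1 || ... || Tn
without hiding (Theorem 7.3.5) and the Ex-1-ex-3 Monotone 3SAT reduction (Theorem 7.3.10)."""
from itertools import product

TAU = "tau"  # the silent action


class TS:
    """Sequential transition system: visible alphabet, initial state, (src, action, dst) triples."""

    def __init__(self, states, alphabet, init, trans):
        self.states = frozenset(states)
        self.alphabet = frozenset(alphabet)
        self.init = init
        self.trans = set(trans)

    def closure(self, srcs, action):
        """a-closure(S): one `action` step from S; for TAU, zero or more tau steps."""
        if action != TAU:
            return frozenset(q for (p, a, q) in self.trans if p in srcs and a == action)
        seen, todo = set(srcs), list(srcs)
        while todo:
            s = todo.pop()
            for (p, a, q) in self.trans:
                if p == s and a == TAU and q not in seen:
                    seen.add(q)
                    todo.append(q)
        return frozenset(seen)


def step(comps, sets, action):
    """Lemma 7.3.4: from a tau-closed product of per-component sets, execute a visible
    `action`. Components whose alphabet contains it move by a-closure, the others keep
    their set; the result is tau-closed again (Lemma 7.3.3). None if a participant is stuck."""
    new = []
    for T, S in zip(comps, sets):
        moved = T.closure(S, action) if action in T.alphabet else S
        if not moved:
            return None
        new.append(T.closure(moved, TAU))
    return tuple(new)


def states_after_trace(comps, trace):
    """Theorem 7.3.5: the global states reachable via `trace` form a Cartesian product;
    only its factors are stored (linear in the size of the components)."""
    sets = tuple(T.closure({T.init}, TAU) for T in comps)
    for a in trace:
        sets = step(comps, sets, a)
        if sets is None:
            return None
    return sets


def reachable(comps, target):
    """Reachability of the global state `target`, exploring traces one visible action
    at a time over the factor representation (the thesis guesses the trace instead)."""
    alphabet = sorted(set().union(*(T.alphabet for T in comps)))
    start = tuple(T.closure({T.init}, TAU) for T in comps)
    seen, todo = {start}, [start]
    while todo:
        sets = todo.pop()
        if all(t in S for t, S in zip(target, sets)):
            return True
        for a in alphabet:
            nxt = step(comps, sets, a)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


def clause_system(i, lits):
    """P_i of Theorem 7.3.10 for clause C_i over three distinct variables, wired as read
    from Figure 7.1 (assumption): the first variable set true moves s_i1 to s_i2/s_i3/s_i4,
    a second variable of the same clause leads to the dead state s_i5, and '$' leads
    from s_i2/s_i3/s_i4 to the accepting state s_i."""
    x1, x2, x3 = lits
    s1, s2, s3, s4, s5 = (f"s{i}_{k}" for k in range(1, 6))
    s = f"s{i}"
    trans = {(s1, x1, s2), (s1, x2, s3), (s1, x3, s4),
             (s2, x2, s5), (s2, x3, s5), (s3, x1, s5), (s3, x3, s5),
             (s4, x1, s5), (s4, x2, s5),
             (s2, "$", s), (s3, "$", s), (s4, "$", s)}
    return TS({s1, s2, s3, s4, s5, s}, {x1, x2, x3, "$"}, s1, trans), s


def exactly_one_in_three(clauses):
    """Decide Ex-1-ex-3 Monotone 3SAT through the reduction: build P_1 || ... || P_m
    and ask whether <s_1, ..., s_m> is reachable."""
    built = [clause_system(i + 1, c) for i, c in enumerate(clauses)]
    return reachable([T for T, _ in built], tuple(s for _, s in built))


def brute_force(clauses):
    """Reference decision by trying every assignment (cross-check for the reduction)."""
    variables = sorted({v for c in clauses for v in c})
    for bits in product((False, True), repeat=len(variables)):
        val = dict(zip(variables, bits))
        if all(sum(val[v] for v in c) == 1 for c in clauses):
            return True
    return False
```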

Membership in NP: Note that given $P_1 \| P_2 \| \dots \| P_m$ where the number of states in $P_i$ is $n_i$ and each individual $P_i$ is acyclic, the maximum length of a sequence of transitions is bounded by $\sum_{i=1}^m n_i$, which is a polynomial bound. Hence one can guess the sequence of transitions which may lead to the required state from the start state and verify it in polynomial time, by keeping track of the set of states that the parallel system could be in after every transition. (As shown in the previous section, these sets of states can be compactly represented.) Also note that this NP upper bound is not affected by the use of hiding abstraction. □

Corollary 7.3.11 The non-reachability problem for parallel composition (with or without hiding) of acyclic transition systems is co-NP-complete.

Hence by Theorem 7.3.1 we obtain the following corollary, which is a stronger version of a theorem in [Rab92, Rab95].

Corollary 7.3.12 All equivalences between bisimulation and trace equivalence, and all preorders between the simulation and trace preorder, for parallel composition of acyclic and deterministic transition systems are co-NP-hard.

Now notice that the length of the longest trace of these systems is polynomially bounded by the size of the system description. As a result, when no hiding is used, trace nonequivalence is in NP, because one can guess the trace which witnesses nonequivalence and verify it in polynomial time. Thus we obtain the following theorem:

Theorem 7.3.13 Trace equivalence for parallel composition of acyclic transition systems (without hiding) is co-NP-complete.

Noting that for composition of deterministic systems all the relations between bisimulation and trace equivalence coincide with trace equivalence, and by the above theorem, we obtain as a corollary a result in [GM92].

Corollary 7.3.14 For parallel composition of deterministic acyclic transition systems, all equivalences between bisimulation and trace equivalence and all preorders between simulation and trace preorder are co-NP-complete.

Note that [GM92] established the co-NP-completeness of all equivalences in the deterministic case, but our co-NP-completeness result applies to nondeterministic systems.

However, if hiding is used, then although the lengths of the traces of these systems are polynomially bounded, the above argument is not sufficient to establish an upper bound, for the following reason.

Notation 7.3.3 If $\sigma$ is a trace of a system represented with hiding, and $\gamma$ is a sequence of actions such that by hiding the appropriate actions in $\gamma$ and deleting the $\tau$ actions one obtains $\sigma$, then we denote this by $\tilde{\gamma} = \sigma$.

Suppose $\sigma$ is a distinguishing trace between two systems (represented with hiding). That means that there is a sequence $\gamma$ such that $\sigma = \tilde{\gamma}$ and there is an execution fragment of the first system whose sequence of actions is exactly $\gamma$, and moreover there is no action sequence $\gamma'$ such that $\sigma = \tilde{\gamma}'$ and there is an execution of the second system whose action sequence is exactly $\gamma'$.

Hence, to prove trace nonequivalence of such systems one has to guess a distinguishing trace $\sigma$, which is polynomially bounded, but then one has to show the existence of an execution sequence in the first system, marked with $\gamma$ such that $\tilde{\gamma} = \sigma$, and also show the nonexistence of any $\gamma'$ with this property for the second system.

So, given a $\sigma$, deciding whether it is not a distinguishing trace amounts to guessing $\gamma$ and $\gamma'$ and verifying that they are execution sequences of the first and the second system. Since both systems are acyclic, both $\gamma$ and $\gamma'$ are polynomially bounded sequences, and verifying that they are executions of the two systems can be done in polynomial time. Hence, given a $\sigma$, deciding whether it is a distinguishing trace can be done in co-NP.

Now we state a special case of a theorem about the polynomial hierarchy from [Pap94].

Theorem 7.3.15 [Pap94] A language $L$ is in $\Sigma_2 P$ if and only if there is a polynomially balanced relation $R$ such that the language $\{x; y : (x, y) \in R\}$ is in $\Pi_1 P = \text{co-NP}$ and $L = \{x : \exists y : (x, y) \in R\}$.

The above theorem leads to a decision procedure for deciding $x \in L$ as follows. One has to guess a polynomially bounded $y$ and verify, in co-NP, that $(x, y) \in R$.

In our case, we are interested in the language of pairs $(T_1, T_2)$ such that $T_1$ and $T_2$ are trace nonequivalent. We achieve this by guessing a polynomially bounded $\sigma$ (the polynomial bound follows from the fact that the transition systems are acyclic), and then using a co-NP procedure to verify that $\sigma$ is indeed a distinguishing trace. Thus trace non-equivalence is in $\Sigma_2 P = \text{NP}^{\text{NP}}$. Hence trace equivalence is in $\Pi_2 P = \text{co-NP}^{\text{NP}}$. Similar arguments can be given for failure and readiness equivalence.

Theorem 7.3.16 Trace, failure and readiness equivalences for parallel composition of acyclic transition systems (with hiding) are decidable in $\text{co-NP}^{\text{NP}} = \Pi_2 P$.

Problem P2 for Parallel Composition of Acyclic Transition Systems (with Hiding)

Now consider problem P2 for parallel transition systems with hiding, where each component is acyclic. Consider a fixed acyclic process $p_0$. We can use the reduction from Ex-1-ex-3 Monotone 3SAT as in the proof of Theorem 7.3.10, in the same way we used the reduction of Theorem 7.3.6 in proving Theorem 7.3.9. In this case, we modify the reduction as follows. If the transition system constructed from the instance of Ex-1-ex-3 Monotone 3SAT reaches the state $\langle s_1, s_2, \dots, s_m \rangle$, then it takes a $\dagger$-labelled transition to a state from which the system will mimic $p_0$. On the other hand, if a process $P_i$ reaches $s_{i5}$, then it takes a $\#_i$ transition, and the

transitions in all $P_j$ are suitably modified so that whenever some $P_i$ reaches $s_{i5}$, the whole system takes a $\#_i$ transition to a state from which the whole system mimics the process $p_0$. Now hide $\{x_1, x_2, \dots, x_n, \#_1, \#_2, \dots, \#_m\}$ from this newly constructed system. If the instance was exactly-one-in-three satisfiable, then the $\dagger$ transition makes sure that this new system is not trace equivalent to $p_0$. On the other hand, if it is not 1-in-3 satisfiable, then the two are weakly bisimilar.

Theorem 7.3.17 For any fixed acyclic process $p_0$, and for any binary relation on processes between weak bisimulation and trace preorder, problem P2 is co-NP-hard for processes represented as parallel compositions of acyclic processes with hiding abstraction.

We can also show that this uniform lower bound is tight for this set of relations, by showing that the trace preorder is in fact co-NP-complete. This follows from the fact that, since $p_0$ is fixed, one can determinize it with respect to trace equivalence. Then showing trace nonequivalence amounts to guessing a sequence of actions $\gamma$ such that $\gamma$ is an execution in the input system and $\tilde{\gamma}$ is not a trace of $p_0$. Since $p_0$ is determinized a priori, this can be verified in polynomial time. Also, due to the acyclicity of the input transition system, the length of $\gamma$ is polynomially bounded.

Theorem 7.3.18 For any fixed process $p_0$, for the trace preorder, problem P2 is co-NP-complete for processes which are parallel compositions of acyclic processes with hiding abstraction.

7.3.3 Complexity of Predicates that Respect Weak Bisimilarity

Suppose $\pi$ is a nontrivial predicate on finite state processes which respects the weak bisimulation relation. In other words, for any two finite processes $x$ and $y$, if they are weak bisimulation equivalent then $\pi(x) = \pi(y)$. Here we prove the NSPACE(n)-

hardness of determining, for a process $P$ represented as a parallel transition system with hiding, whether $\pi(P) = \text{true}$.

If there is a characteristic logic for weak bisimulation (a logic such that whenever two systems are weakly bisimilar they satisfy the same set of formulas in that logic), then our result shows that the model checking problem for such a logic on parallel transition systems (with hiding) is NSPACE(n)-hard.

Theorem 7.3.19 Given a nontrivial predicate $\pi$ on finite processes that respects weak bisimulation, the problem of determining, for a process $P$ represented by a parallel transition system with hiding, whether $\pi(P) = \text{true}$ is NSPACE(n)-hard.

Proof sketch: The proof is very similar to our proofs based on dichotomization. Consider the nondeterministic LBA $M$ from Proposition 7.3.2, which always halts either in $q_n$ or in $q_y$ (the rejecting or the accepting state). Suppose $p$ is a finite process such that $\pi(p)$ is true and $q$ is another process such that $\pi(q)$ is false. Now use a reduction similar to the one in the proof of Theorem 7.3.9. In this case make sure that whenever the parallel transition system corresponding to the computation of $M$ on input $x$ (call it $T_M$) reaches the accepting state, a transition labelled $\dagger$ is taken to a state from where process $p$ is mimicked. Also, whenever the transition system for $M$ reaches a rejecting state, the system takes a $\%$-labelled transition to a state from where it mimics the computation of $q$. Now in this new system hide all action symbols of $T_M$ and $\dagger$. It is easy to verify that this new system, after hiding, is weakly bisimilar to $p$ if $M$ accepts and weakly bisimilar to $q$ if it rejects. Hence $M$ accepts if and only if $\pi$ is true for this new transition system. Thus deciding $\pi$ on processes represented by parallel transition systems (with hiding) is NSPACE(n)-hard.
□

7.3.4 Complexity of Refinement Mapping, History Relation and Prophecy Relation

In this section we consider the complexity of deciding the existence of a refinement mapping, a history relation and a prophecy relation between two transition systems $T_1$

and $T_2$.

For each of these decision problems, membership in NP can be established easily. Before we give the lower bound proofs, we need to recall the definitions of the K-Clique problem and the Graph Isomorphism problem. The following definitions are from [GJ79]. The first problem is NP-complete [GJ79]; we reduce it to deciding the existence of a refinement mapping to establish our NP-hardness result. The graph isomorphism problem is not known to be in P, nor is it known to be NP-hard [GJ79]. Here we reduce the graph isomorphism problem to the existence of a history relation and of a prophecy relation, thus proving the graph-isomorphism-hardness of these decision problems.

Definition 7.3.8 K-Clique Problem: Given a graph $G = (V, E)$ and an integer $4 \le K \le |V|$, does there exist a subset $V' \subseteq V$ with $|V'| = K$ such that every pair of vertices in $V'$ is joined by an edge in $E$?

Definition 7.3.9 Graph Isomorphism Problem: Given two graphs $G = (V, E)$ and $G' = (V', E')$, does there exist a bijection $f : V \to V'$ such that $(u, v) \in E$ if and only if $(f(u), f(v)) \in E'$?

In the above definitions it is assumed that the graphs specified are simple (i.e., no multi-edges or self-loops) and connected. In the following proofs we assume that all the given graphs are connected and simple.

Given a graph $G = (V, E)$, in all the following proofs we construct a corresponding transition system $T_G = \langle S_G, \to_G, s_G \rangle$ over the action alphabet $\{a, b\}$ as follows: $S_G = V \cup \{s_G\}$ where $s_G \notin V$, and $\to_G = \{(s_G, a, v) \mid v \in V\} \cup \{(u, b, v), (v, b, u) \mid (u, v) \in E\}$.

In essence, Theorem 7.3.20 is proved by reducing the K-clique problem to the refinement mapping problem as follows. We show that a graph $G$ has a clique of size $K$ if and only if $T_{K_K} \le_R T_G$. Similarly, we prove Theorem 7.3.21 by showing that two

graphs G;G0 of equal size are isomorphic if and only if TG �H TG0. A similar reductionexists for for Theorem 7.3.22.Theorem 7.3.20 Given two transition systems T1 and T2. The problem of deter-mining whether there is a re�nement mapping from T1 to T2 is NP-Complete.Proof: As mentioned earlier, the problem is in NP. We now show how to reduce theK-Clique problem to the re�nement mapping problem. Let KK denote the completegraph on K vertices (a clique on K nodes). and let G be the input graph to the K-Clique problem instance. We construct the transition system TKK and TG as describedabove. We claim that there is a re�nement mapping from TKK to TG if and only ifthere is a K-clique in G.Suppose G has a K � clique consisting of nodes vi1; vi2; :::; vik. Then it can beveri�ed that any function r that maps the start state of TKK to the start state of TGand which sets a one-to-one correspondence between the other states of TKK to thestates corresponding to vertices vi1; vi2; :::; vik in TG, is a re�nement mapping fromTKK to TG.Now recall that re�nement mapping is a function from the states of TKK to thestates of TG. Suppose there is a re�nement mapping r from TKK to TG. First notethat r has to be one-to-one because of the following reasons. The start state of TKKmust be mapped to start state of TG. Secondly, if for two distinct states s and s0,r(s) = r(s0), then there must be a self loop at r(s) because by construction s b!TKK s0and s0 b!TKK s, But that is not possible because we assumed G does not have aself-loop. So each of the states of TKK are mapped to distinct states of TG via r.Moreover, since r is a re�nement mapping, for any pair of states (x; y) of these Kstates in TG, x b! y and therefore (x; y) is an edge in G. Thus, the corresponding Kvertices in G form a K-clique. 2Theorem 7.3.21 Given two transition systems T1 and T2, the problem of determin-ing whether T1 �H T2 is graph-isomorphism-hard.165

Proof: Let G = (V;E); G0 = (V 0; E 0) be two connected graphs given forming aninstance of the graph isomorphism problem. We can assume that jV j = jV 0j becauseotherwise, G and G0 can not be isomorphic. Let us construct TG and TG0 . We nowshow that G;G0 are isomorphic if and only if TG �H TG0.If G;H are isomorphic then any isomorphism between them will produce a one toone correspondence between the states of TG and TG0 which satis�es the de�nition ofa history relation.Now suppose that there is a history relation h from TG to TG0. Since h�1 is are�nement mapping, it is a (single valued) function. So h must be a relation suchthat jh(x)j � 1 for any state x of TG. Although h is a relation, we claim that in thiscase h is a function. Suppose h is not a function. Then there is a state in TG suchthat jh(x)j > 1 or j h(x) j= 0 . Since every state in TG is reachable from the startstate by construction, and h is a forward simulation, h relates every state of TG toone or more states in TG0. So there is no x such that jh(x)j = 0. On the other handfor two distinct states x; y in TG h(x) \ h(y) = � because otherwise h�1 can not bea function. But Sx2states(TG) h(x) = states(TG0)( Note that it is a union of disjointsets) by the fact that h is onto (otherwise h�1 will not be a re�nement mapping.jstates(TG0)j = �x2states(TG)jh(x)j > jstates(TG)j (because there is at least one x suchthat jh(x)j > 1). But we started with graphs G;G0 with equal number of verticesand hence it is a contradiction. So we infer that h must be a one to one and ontofunction. Now it is straight forward to construct the graph isomorphism between Gand G0. 2A similar argument proves the following theorem.Theorem 7.3.22 Given two transition systems T1 and T2, the problem of decidingwhether T1 �P T2 is graph-isomorphism-hard.166
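As an added illustration of the construction $T_G$ and of the reduction in Theorem 7.3.20 (example code written for this section, not code from the thesis), the following Python builds $T_G$ from a small constructed graph, builds $T_{K_K}$ from the complete graph, and decides the existence of a refinement mapping by brute force. The refinement-mapping condition used is an assumption of the example, taken from how the proof uses it: a function on states that sends the start state to the start state and carries every labelled transition of $T_1$ to a transition of $T_2$ with the same label. The graph names, vertex names and function names are constructed for the example. Because the proof never uses the bound $4 \leq K$, the cross-check below is run for every $K \geq 2$, which goes slightly beyond Definition 7.3.8.

```python
from itertools import combinations, product

# A labelled transition system is a triple (states, transitions, start), with
# transitions a set of (source, action, target) triples over the alphabet {a, b}.


def build_ts(vertices, edges):
    """Construct T_G = <S_G, ->_G, s_G> from a simple graph G = (V, E) as in the
    section: a fresh start state s_G with an a-transition to every vertex, and the
    two b-transitions u -b-> v and v -b-> u for every edge (u, v)."""
    start = "s_G"  # assumed name for the fresh start state; must not be a vertex of G
    vertices = list(vertices)
    assert start not in vertices
    assert all(u != v for u, v in edges), "the proofs assume G has no self-loops"
    states = set(vertices) | {start}
    transitions = {(start, "a", v) for v in vertices}
    for u, v in edges:
        transitions.add((u, "b", v))
        transitions.add((v, "b", u))
    return states, transitions, start


def is_refinement_mapping(r, ts1, ts2):
    """Refinement-mapping condition assumed here: r sends the start state of T1 to
    the start state of T2, and for every transition s -act-> t of T1 the transition
    r(s) -act-> r(t) exists in T2."""
    _, trans1, start1 = ts1
    _, trans2, start2 = ts2
    if r[start1] != start2:
        return False
    return all((r[s], act, r[t]) in trans2 for s, act, t in trans1)


def has_refinement_mapping(ts1, ts2):
    """Brute-force decision: try every function from the states of T1 to the states
    of T2 that fixes the start state (|S2|^(|S1|-1) candidates, fine for toy inputs)."""
    states1, _, start1 = ts1
    states2, _, start2 = ts2
    others = [s for s in states1 if s != start1]
    for image in product(list(states2), repeat=len(others)):
        r = dict(zip(others, image))
        r[start1] = start2
        if is_refinement_mapping(r, ts1, ts2):
            return True
    return False


def complete_graph(k):
    """K_K: the clique on k nodes, with constructed vertex names c0 .. c{k-1}."""
    vs = [f"c{i}" for i in range(k)]
    return vs, list(combinations(vs, 2))


def has_k_clique(vertices, edges, k):
    """Direct brute-force K-clique check, used only to cross-check the reduction."""
    es = {frozenset(e) for e in edges}
    return any(all(frozenset(p) in es for p in combinations(sub, 2))
               for sub in combinations(list(vertices), k))


def clique_via_refinement(vertices, edges, k):
    """The reduction of Theorem 7.3.20: G has a K-clique iff T_{K_K} <=_R T_G."""
    return has_refinement_mapping(build_ts(*complete_graph(k)),
                                  build_ts(vertices, edges))


# Constructed sample graphs: TRIANGLE_TAIL has the 3-clique {v1, v2, v3} with the
# path v3-v4-v5 hanging off it; CYCLE5 is the 5-cycle, which is triangle-free.
TRIANGLE_TAIL = (["v1", "v2", "v3", "v4", "v5"],
                 [("v1", "v2"), ("v2", "v3"), ("v1", "v3"), ("v3", "v4"), ("v4", "v5")])
CYCLE5 = (["u1", "u2", "u3", "u4", "u5"],
          [("u1", "u2"), ("u2", "u3"), ("u3", "u4"), ("u4", "u5"), ("u5", "u1")])

if __name__ == "__main__":
    for name, g in (("TRIANGLE_TAIL", TRIANGLE_TAIL), ("CYCLE5", CYCLE5)):
        for k in (2, 3, 4):
            print(name, k, clique_via_refinement(*g, k), has_k_clique(*g, k))
```

The self-loop assertion in `build_ts` is the point the proof of Theorem 7.3.20 relies on: without self-loops in $G$, two distinct clique states cannot share an image, so every refinement mapping is injective and its image is forced to be a clique.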

Chapter 8
Conclusions

We conclude this thesis with a summary of the results obtained and a discussion of possible extensions.

8.1 Summary

The main objective of this thesis was twofold, both parts related to the idea of unifying apparently different themes. First, we wanted to show that many apparently different approaches to the verification of finite state systems can be unified by demonstrating that they have the same underlying algorithmic problem. Second, we wanted to investigate lower bounds for a number of problems in a uniform way. As byproducts of this line of research we arrived at many other results as well.

Here we provide a chapter-wise summary of what we achieved towards fulfilling these goals.

In Chapter 2 we provided the relevant definitions and background. In particular, we defined the variants of the HORNSAT problem used in this thesis. We also outlined efficient (linear time) solution strategies for these variants. These linear time algorithms are of central importance to this thesis because in the later chapters we showed how these efficient solutions can be used in deriving efficient algorithms for various verification problems.

In Chapter 3, we developed a uniform methodology based on NHORNSAT that allowed us to derive polynomial time algorithms for all simulation-like [HS96] equivalences and preorders in the linear-time/branching-time hierarchy of [vG90]. Polynomial time algorithms for some of these decision problems were known previously, but the algorithms used distinct approaches [KS90, HT94, BP94]. For some of the relations, polynomial time algorithms were not known previously. For example, no polynomial time decision algorithms for 2-nested simulation, k-nested simulation, and backward simulation were known, and for some researchers it came as a surprise that they are decidable in polynomial time. The clarity obtained by using our uniform approach enabled us to develop these efficient algorithms.

As a corollary to these results we solved an open problem posed in [GHR95]. In [GHR95], it was asked whether there is an NC algorithm for deciding bisimulation equivalence between deterministic transition systems. Since we showed that the bisimulation equivalence problem can be reduced to the NHORNSAT problem in NC, and since for deterministic transition systems the NHORNSAT instance produced is always a 2-SAT instance, we obtain an NC reduction from the open problem to the 2-SAT problem. 2-SAT is solvable in NC [GHR95]; hence, via composition [Pap94], we obtain an NC algorithm for the problem.

We also gave a HORNSAT interpretation of the existing bottom-up algorithms for bisimulation, simulation and other relations [KS90, HT94, BP94]. We have shown elsewhere [SHRS96a] that many classical automata theoretic problems are amenable to our uniform technique (for example, minimization of deterministic automata). We also showed how to compute simulations on finite graphs, a problem also addressed in [HHK95], using our HORNSAT based techniques.

Also, note that most of the existing algorithms for these decision problems (except [FM91]) are not local. Our algorithms are not only local but also on-the-fly and incremental. In Chapter 6 we also illustrated how to generate diagnostic information in case the answer to the decision problem is negative.

In Chapter 4, we explored the question of a sufficient characterization of the relations in the linear-time/branching-time hierarchy such that one can easily determine from the definition of a relation whether it is polynomial time decidable. In this investigation we took a game theoretic approach. In [Sti93], a characteristic game for bisimulation equivalence was presented. We generalized that idea to obtain a parameterized class of games which we called the Stirling class. By appropriate instantiation of the parameters of this class, we can obtain characteristic games for all the relations in the linear-time/branching-time hierarchy. On the other hand, we obtained a game for the rooted-NHORNSAT problem, to which all the problems in the previous chapter were reduced. This shows that the polynomial time decidability of those relations can in fact be viewed through two-person games. If we have a relation whose characteristic game can be formulated as a game for rooted-NHORNSAT, and this formulation can be carried out efficiently, then that relation can be decided in polynomial time. This way, we obtained a sufficient condition on relations for their polynomial time decidability. Another important insight was that all the simulation-like relations in the hierarchy are in fact polynomial time decidable. Moreover, these decision problems are nothing but AND/OR reachability problems [Nil80].

In Chapter 5, we applied our uniform methodology to the model checking problem. This came through a proper understanding of Kleene's iterative characterization of the least and the greatest fixed points of continuous functionals and its relation to the pebbling algorithms for solving the variants of HORNSAT described in Chapter 2. We observed that the pebbling of the Dowling-Gallier graph [DG84] used for the minimal HORNSAT problem is very much analogous to the iterative least fixed point computation, and that led us to our NLOGSPACE reduction of the model checking problem for the alternation-free $\mu$-calculus to the (N)HORNSAT problem. Although the same type of efficient reductions are possible for other temporal logics such as CTL and LTL, we illustrated this for the alternation-free $\mu$-calculus only, for the sake of clarity.
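To make the analogy drawn in this summary concrete, here is an added Python example (written for this page, not code from the thesis) that computes the minimal model of a Horn formula in two ways: as the Kleene iteration of the immediate-consequence operator starting from the empty set, and by counter-based pebbling in the style of the Dowling-Gallier algorithm [DG84], where every clause keeps a count of body variables not yet pebbled and a head is pebbled as soon as its count reaches zero. The two computations reach the same least fixed point, which is the observation the chapter builds on. The clause encoding, the function names and the sample formula are all constructed for this example.

```python
from collections import defaultdict, deque

# Assumed clause encoding: a Horn clause is (body, head), where body is an
# iterable of variable names and head is a variable name, or None for a negative
# clause (body -> false). A fact is a clause with an empty body.


def kleene_iterates(clauses):
    """Least fixed point by Kleene iteration: M_0 = {} and M_{i+1} = M_i ∪ T(M_i),
    where T(M) is the set of heads whose bodies lie entirely in M. Returns the whole
    ascending chain M_0 ⊆ M_1 ⊆ ... up to and including the fixed point, which is
    the minimal model of the positive clauses."""
    positive = [(frozenset(body), head) for body, head in clauses if head is not None]
    chain = [set()]
    while True:
        current = chain[-1]
        step = {head for body, head in positive if body <= current}
        if step <= current:          # nothing new: fixed point reached
            return chain
        chain.append(current | step)


def pebble_minimal_model(clauses):
    """Pebbling with per-clause counters (Dowling-Gallier style): a variable gets a
    pebble when some clause with that head has all its body variables pebbled.
    Every clause is visited once per distinct body variable, so the total work is
    linear in the size of the formula."""
    positive = [(set(body), head) for body, head in clauses if head is not None]
    remaining = [len(body) for body, _ in positive]   # unpebbled body vars per clause
    watchers = defaultdict(list)                        # variable -> clause indices
    for i, (body, _) in enumerate(positive):
        for var in body:
            watchers[var].append(i)
    pebbled = set()
    # facts (empty body) are pebbled first
    queue = deque(head for (body, head), r in zip(positive, remaining) if r == 0)
    while queue:
        var = queue.popleft()
        if var in pebbled:
            continue
        pebbled.add(var)
        for i in watchers[var]:
            remaining[i] -= 1
            if remaining[i] == 0:
                queue.append(positive[i][1])
    return pebbled


def horn_satisfiable(clauses):
    """A Horn formula is satisfiable iff no negative clause has its whole body
    inside the minimal model of the positive clauses."""
    model = pebble_minimal_model(clauses)
    return not any(set(body) <= model for body, head in clauses if head is None)


# Constructed sample: p is a fact, q and r follow in a chain, s needs p and r,
# u depends on t which is never derived; the negative clause forbids s and u together.
SAMPLE = [
    ([], "p"), (["p"], "q"), (["q"], "r"), (["p", "r"], "s"), (["t"], "u"),
    (["s", "u"], None),
]

if __name__ == "__main__":
    print(kleene_iterates(SAMPLE))
    print(pebble_minimal_model(SAMPLE), horn_satisfiable(SAMPLE))
```

The chain returned by `kleene_iterates` grows by one layer per round, which is the iterative least fixed point computation; `pebble_minimal_model` produces the same set without ever re-scanning the clause list, which is what makes the pebbling linear-time.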

In this methodology, we obtained model checking algorithms which are on-the-fly, local and incremental. This was possible because we adapted the on-line algorithm for solving HORNSAT given in [AI91] so that it is incremental. Also, the fact that we do not need the whole state space constructed a priori in order to produce the individual clauses makes the algorithms on-the-fly.

We also identified some subclasses of the model checking problem that have efficient parallel algorithms (solvable in NC). Not only did we identify more general classes than the previously known ones [ZSS94]; our identification was also systematic, as compared to the rather ad hoc methods in [ZSS94]. This is due to the fact that our reductions are all NC reductions, and for the subclasses we considered the HORNSAT instances produced are of special types (e.g., a 2-SAT instance, or an instance whose Dowling-Gallier graph is a tree, which can be solved in NC via tree contraction algorithms [MR89]).

In Chapter 6 we illustrated how our methodology can be extended to obtain diagnostic information when the answer to the verification problem is negative. We recognized this problem as an extremely important one because we envision the current usage of verification tools as a debugging technique rather than a full-fledged guarantee of correctness. Although all our HORNSAT based methods could be extended in a similar way so that they produce diagnostic information, we illustrated the case of bisimulation and prebisimulation because we wanted to compare our diagnostics generation with that of [CC92], which also used this as an illustrative example.

In Chapter 7 we explored lower bounds and upper bounds for a number of problems. The main emphasis of this chapter has been on applying uniform lower bound techniques (such as dichotomization [HS76]) to the verification problems for succinctly represented systems. In particular, we considered the parallel composition of transition systems with and without hiding. We improved on known results in this area [Rab92, Rab95, GM92] in different ways. We have also shown that the uniform lower bound results obtained are fairly tight by showing matching upper bound results in many cases. We also presented some other complexity results for a few decision problems (such as refinement mapping, history and prophecy relation, etc.) that arise in the context of I/O automata [LV91].

8.2 Open Problems Resulting from Our Work

Although we plan to implement our uniform methodology in a verification tool, we have not achieved it yet. We explained in the preceding chapters how our methodology suggests a stratified design of a verification tool which is capable of process algebraic as well as model checking methods for verifying finite state systems. Our immediate goal towards the extension of the research work in this thesis is to implement a tool incorporating all the ideas and also to compare its performance with other verification tools on benchmark problems.

Other than this implementation project, we also identified a number of important theoretical questions that attracted us during this research activity and which we think are very important problems to be addressed. We conclude this thesis by providing a partial list of such problems.

1. Is there a necessary characterization of the relations in the linear-time/branching-time hierarchy for polynomial time decidability?

2. What are the complexity lower bounds for the simulation-like relations in the hierarchy? We know from [ABGS91] that bisimulation equivalence is P-Complete to decide. In [KV96], P-Completeness of a fair simulation problem was shown. However, it is not clear if P-Completeness of fair simulation implies the same for the simulation relation. It will be interesting to obtain a uniform lower bound for all the simulation-like relations.

3. Can our (N)HORNSAT based approach give a better upper bound on the model checking problem for the full modal $\mu$-calculus? In [EL86] it was shown that the problem is in NP $\cap$ co-NP. It is also P-hard [ZSS94]. Can we find a tighter lower bound or a better upper bound?

4. In Chapter 7 we showed that the uniform lower bound on the problem of deciding any relation between bisimulation and trace preorder for parallel transition systems without hiding is the tightest one can obtain uniformly. This is because we demonstrated that trace, failure and readiness equivalences are indeed PSPACE-Complete. However, it is not known if we can strengthen the lower bound for bisimulation and other simulation-like equivalences.

5. We also showed that for parallel transition systems with hiding, deciding any relation in the weak version of the linear-time/branching-time hierarchy (see Chapter 1) against any fixed transition system is PSPACE-hard. Is that a tight lower bound for all those relations?

We also looked at the problem of model checking as well as relational verification for models represented hierarchically. We obtained a number of lower bound results in this context which are not reported in this thesis. However, the interesting question that we are pursuing is as follows. Are there interesting classes of hierarchically represented systems for which various verification problems can be solved efficiently? This needs to be explored because the structure of the hierarchy contains some information about the systems which should be exploited to obtain efficient verification methodologies for such systems.

Bibliography

[ABGS91] C. Alvarez, J. L. Balcazar, J. Gabarro, and M. Santha. Parallel complexity in the design and analysis of concurrent systems. In PARLE 91, Lecture Notes in Computer Science 505. Springer-Verlag, 1991.

[ADS83] G. Ausiello, A. D'Atri, and D. Sacca. Graph algorithms for functional dependency manipulation. Journal of the Association for Computing Machinery, 30(4):752-766, October 1983.

[AI91] G. Ausiello and G. F. Italiano. On-line algorithms for polynomially solvable satisfiability problems. Journal of Logic Programming, 10:69-90, 1991.

[And93] H. R. Andersen. Verification of technical properties of concurrent systems. Technical Report DAIMI PB-445, Computer Science Department, Aarhus University, Denmark, 1993.

[And94] H. R. Andersen. Model checking and boolean graphs. Theoretical Computer Science, 126(1):3-30, 1994.

[ASSB94] A. Aziz, V. Singhal, G. M. Swamy, and R. K. Brayton. Minimizing interacting finite state machines: A compositional approach to language containment. In Proceedings of the International Conference on Computer Design: VLSI in Computers and Processors, pages 255-263, Los Alamitos, CA, USA, October 1994. IEEE Computer Society Press.

[BCG95] G. Bhat, R. Cleaveland, and O. Grumberg. Efficient on-the-fly model checking for CTL. In Proceedings of the IEEE Symposium on Logic in Computer Science (LICS '95), 1995.

[BCM+92] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98(2):142-170, June 1992.

[Bee80] C. Beeri. On the membership problem for functional and multivalued dependencies in relational databases. ACM Transactions on Database Systems, 5:241-259, 1980.

[BHR84] S. D. Brookes, C. A. R. Hoare, and W. Roscoe. A theory of communicating sequential processes. Journal of the Association for Computing Machinery, 31:560-599, 1984.

[BIM88] Bard Bloom, Sorin Istrail, and Albert R. Meyer. Bisimulation can't be traced. In Conference Record of the Fifteenth Annual ACM Symposium on Principles of Programming Languages, pages 229-239, San Diego, California, January 13-15, 1988. ACM SIGACT-SIGPLAN, ACM Press. Preliminary report.

[BK84] J. A. Bergstra and J. W. Klop. Process algebra for synchronous communications. Information and Control, 60:109-137, 1984.

[BKO88] J. A. Bergstra, J. W. Klop, and E. R. Olderog. Readies and failures in the algebra of communicating processes. SIAM Journal of Computing, 17:1134-1177, 1988.

[BP94] B. Bloom and R. Paige. Transformational design and implementation of a new efficient solution to the ready simulation problem. Draft, 1994.

[Bra92] J. C. Bradfield. Verifying Temporal Properties of Systems. Birkhauser, 1992.

[CC92] U. Celikkan and R. Cleaveland. Generating diagnostic information for behavioral preorders. In Proceedings of Computer Aided Verification 1992, Lecture Notes in Computer Science 663, pages 370-383, 1992.

[CE81] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In D. Kozen, editor, Proceedings of the Workshop on Logics of Programs, volume 131 of Lecture Notes in Computer Science, pages 52-71, Yorktown Heights, New York, May 1981. Springer-Verlag.

[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, April 1986.

[CGL+94] R. Cleaveland, J. N. Gada, P. M. Lewis, S. A. Smolka, O. Sokolsky, and S. Zhang. The Concurrency Factory: practical tools for specification, simulation, verification and implementation of concurrent systems. In DIMACS Workshop on Specification of Parallel Algorithms, 1994.

[CH92] R. Cleaveland and M. Hennessy. Testing equivalence as a bisimulation equivalence. Formal Aspects of Computing, 3, 1992.

[Cle90] R. Cleaveland. Tableau-based model checking in the propositional mu-calculus. Acta Informatica, 27:725-747, 1990.

[Cle93a] R. Cleaveland. A linear-time model-checking algorithm for the alternation-free modal mu-calculus. Formal Methods in System Design, 2:121-147, 1993.

[Cle93b] Rance Cleaveland. Analyzing Concurrent Systems Using the Concurrency Workbench, volume 693 of Lecture Notes in Computer Science, pages 129-144. Springer-Verlag, 1993.

[CS91] R. Cleaveland and B. Steffen. Computing behavioural relations, logically. In ICALP, pages 127-138, 1991.

[CS93] R. Cleaveland and B. Steffen. Linear time model checking algorithm for alternation-free modal mu-calculus. Formal Methods of Software Design, 2:127-147, 1993.

[CVWY92] C. Courcoubetis, M. Y. Vardi, P. Wolper, and M. Yannakakis. Memory efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1:275-288, 1992.

[DG84] W. F. Dowling and J. H. Gallier. Linear time algorithm for testing the satisfiability of propositional Horn formulae. Journal of Logic Programming, 3:267-284, 1984.

[EL86] E. A. Emerson and C. L. Lei. Efficient model checking in fragments of the propositional modal mu-calculus. In Proceedings of LICS 1986, pages 267-278, 1986.

[FM91] J. C. Fernandez and L. Mounier. On the fly verification of behavioral equivalences and preorders. In The 3rd International Workshop on Computer Aided Verification 1991, Lecture Notes in Computer Science 575, pages 181-191, 1991.

[GHR95] R. Greenlaw, H. J. Hoover, and W. L. Ruzzo. Limits to Parallel Computation: P-completeness Theory. Oxford University Press, 1995.

[GJ79] M. Garey and D. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco, 1979.

[GM92] J. F. Groote and F. Moller. Verification of parallel systems via decomposition. In Proceedings of CONCUR '92, LNCS 630, pages 62-76, 1992.

[GV92] J. F. Groote and F. W. Vaandrager. Structured operational semantics and bisimulation as a congruence. Information and Computation, 100(2):202-260, October 1992.

[HHK95] M. R. Henzinger, T. Henzinger, and P. W. Kopke. Computing simulations on finite and infinite graphs. In Proceedings of the IEEE Conference on Foundations of Computer Science, 1995.

[Hoa84] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International, 1984.

[HR78] Harry B. Hunt III and Daniel J. Rosenkrantz. Computational parallels between the regular and context-free languages. SIAM Journal of Computing, 7(1):99-114, 1978.

[HR83] H. B. Hunt III and D. J. Rosenkrantz. The complexity of monadic recursion schemes: Executability problems, nesting depth, and applications. Theoretical Computer Science, 27(1-2):3-38, November 1983.

[HR84] H. B. Hunt III and D. J. Rosenkrantz. The complexity of monadic recursion schemes: Exponential time bounds. Journal of Computer and System Sciences, 28(3):395-419, June 1984.

[HS76] H. B. Hunt III and T. G. Szymanski. Dichotomization, reachability, and the forbidden subgraph problem (extended abstract). In Conference Record of the Eighth Annual ACM Symposium on Theory of Computing, pages 126-134, Hershey, Pennsylvania, 3-5 May 1976.

[HS96] H. Huttel and S. K. Shukla. Complexity of preorders and equivalences in process algebra: A survey. Research Report RS-96-39, BRICS, Denmark, 1996.

[HT94] Dung T. Huynh and Lu Tian. On deciding some equivalences for concurrent processes. Theoretical Informatics and Applications, 28(1):51-71, 1994.

[HU79] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, Reading, Mass., 1979.

[Hun73] H. B. Hunt III. On the time and tape complexity of languages. Technical Report TR73-156 (PhD thesis), Department of Computer Science, Cornell University, 1973.

[Hun76] Harry B. Hunt III. On the complexity of finite, pushdown, and stack automata. Mathematical Systems Theory, 10:33-52, 1976.

[Hun84] H. B. Hunt III. Terminating Turing machine computations and the complexity and/or decidability of correspondence problems, grammars, and program schemes. Journal of the Association for Computing Machinery, 31(2):299-318, April 1984.

[Imm88] N. Immerman. Nondeterministic space is closed under complementation. SIAM Journal of Computing, 17:935-938, 1988.

[Koz83] D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27, 1983.

[KS90] Paris C. Kanellakis and Scott A. Smolka. CCS expressions, finite state processes and three problems of equivalence. Information and Computation, 86:43-68, 1990.

[Kur94] R. Kurshan. Computer Aided Verification of Coordinating Processes: An Automata Theoretic Approach. Princeton University Press, 1994.

[KV96] O. Kupferman and M. Y. Vardi. Verification of fair transition systems. Lecture Notes in Computer Science, 1102:372-382, 1996.

[KVW95] O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approach to branching time model checking. Draft, 1995.

[Lam80] L. Lamport. "Sometime" is sometimes "not never": on the temporal logic of programs. In Proceedings of the Seventh ACM Symposium on Principles of Programming Languages, pages 174-185, New York, 1980. ACM.

[Lar88] K. G. Larsen. Proof systems for Hennessy-Milner logic with recursion. In CAAP '88, Lecture Notes in Computer Science 299, 1988.

[Lar90] K. G. Larsen. Proof systems for satisfiability in Hennessy-Milner logic with recursion. Theoretical Computer Science, 72:265-288, 1990.

[Lar92] K. G. Larsen. Efficient local correctness checking. In CAV 92, Lecture Notes in Computer Science 663, pages 30-43, 1992.

[LV91] Nancy Lynch and Frits Vaandrager. Forward and backward simulations: untimed systems. In REX Workshop on Real Time Systems, 1991.

[LV95] Nancy Lynch and Frits Vaandrager. Forward and backward simulations, part I: Untimed systems. Information and Computation, 1995.

[McM93] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.

[Mil80] R. Milner. A Calculus of Communicating Systems. Lecture Notes in Computer Science 92, 1980.

[Mil89] R. Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989.

[MR89] G. L. Miller and J. H. Reif. Parallel tree contraction, Part 1: Fundamentals. In S. Micali, editor, Advances in Computing Research 5: Randomness and Computation. JAI Press, Greenwich, CT, 1989.

[MS95] F. Moller and S. A. Smolka. On the computational complexity of bisimulation. ACM Computing Surveys, 27(2):287-289, 1995.

[Nil80] Nils J. Nilsson. Principles of Artificial Intelligence. Tioga/Morgan Kaufmann, 1980. ISBN 0-934613-10-9.

[Pap94] C. Papadimitriou. Computational Complexity. Addison-Wesley, 1994.

[Par81] D. Park. Concurrency and automata on infinite sequences. In Theoretical Computer Science, 5th GI Conference, Lecture Notes in Computer Science 104, pages 167-183, 1981.

[Plo81] Gordon D. Plotkin. A structural approach to operational semantics. Technical Report DAIMI FN-19, Computer Science Department, Aarhus University, Denmark, 1981.

[Pnu77] A. Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEE Symposium on the Foundations of Computer Science (FOCS-77), pages 46-57, Providence, Rhode Island, October 31-November 2, 1977. IEEE Computer Society Press.

[PT87] Robert Paige and Robert E. Tarjan. Three partition refinement algorithms. SIAM Journal of Computing, 16:973-989, 1987.

[QS81] J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proceedings of the Fifth International Symposium in Programming, 1981.

[Rab92] Alexander Rabinovich. Checking equivalences between concurrent systems of finite state agents. In ICALP, Lecture Notes in Computer Science 623, pages 696-707, 1992.

[Rab95] A. Rabinovich. Complexity of equivalence problems for concurrent systems of finite agents. Draft, May 1995.

[Rab96] A. Rabinovich. Personal communication, August 1996.

[RH93] D. J. Rosenkrantz and H. B. Hunt III. The complexity of processing hierarchical specifications. SIAM Journal of Computing, 22(3):627-649, 1993.

[RMMM93] M. Reid-Miller, G. L. Miller, and F. Modugno. List ranking and parallel tree contraction. In John H. Reif, editor, Synthesis of Parallel Algorithms. Morgan Kaufmann, 1993.

[Sch78] Thomas J. Schaefer. The complexity of satisfiability problems. In Tenth Annual Symposium on Theory of Computing, 1978.

[SHR95] S. K. Shukla, H. B. Hunt III, and D. J. Rosenkrantz. HORNSAT, model checking, verification, and games. Research Report TR-95-8, Department of Computer Science, SUNY Albany, 1995.

[SHR96a] S. K. Shukla, H. B. Hunt III, and D. J. Rosenkrantz. HORNSAT, model checking, verification and games. In Proceedings of CAV '96, LNCS 1102, pages 99-110, 1996.

[SHR+96b] S. K. Shukla, H. B. Hunt III, D. J. Rosenkrantz, S. S. Ravi, and R. E. Stearns. I/O automata based verification of finite state distributed systems: Complexity issues. In Proceedings of PODC 1996, 1996.

[SHR+96c] S. K. Shukla, H. B. Hunt III, D. J. Rosenkrantz, S. S. Ravi, and R. E. Stearns. A uniform approach to model checking and verification. In The New York State Workshop on Academic Electronics, June 1996.

[SHRS95] S. K. Shukla, H. B. Hunt III, D. J. Rosenkrantz, and R. E. Stearns. Complexity of relational problems for finite state processes. Research Report TR-95-7, Department of Computer Science, SUNY Albany, 1995.

[SHRS96a] S. K. Shukla, H. B. Hunt III, D. J. Rosenkrantz, and R. E. Stearns. New recipe for old automata theoretic problems. Draft, 1996.

[SHRS96b] S. K. Shukla, H. B. Hunt III, D. J. Rosenkrantz, and R. E. Stearns. On the complexity of relational problems for finite state processes. In Proceedings of ICALP 1996, LNCS 1099, pages 466-477, 1996.

[SRHS96] S. K. Shukla, D. J. Rosenkrantz, H. B. Hunt III, and R. E. Stearns. A HORNSAT based approach to the polynomial time decidability of simulation relations for finite state processes. In DIMACS Workshop on Satisfiability Problem: Theory and Practice, 1996.

[SS94] O. Sokolsky and S. A. Smolka. Incremental model checking in the modal mu-calculus. In Proceedings of CAV '94, 1994.

[Ste89] B. U. Steffen. Characteristic formulae for CCS with divergence. In Proceedings of ICALP 89, Lecture Notes in Computer Science 372, pages 723-733, 1989.

[Sti87] C. Stirling. Modal logics for communicating systems. Theoretical Computer Science, 49:311-347, 1987.

[Sti93] Colin Stirling. Modal and temporal logics for processes. In Notes for Summer School in Logic Methods in Concurrency, Department of Computer Science, Aarhus University, 1993.

[SW91] C. Stirling and D. Walker. Local model checking in the modal mu-calculus. Theoretical Computer Science, 89:161-177, 1991.

[Tar55] A. Tarski. A lattice theoretic fixpoint theorem and its applications. Pacific Journal of Mathematics, 5, 1955.

[Ull88] J. D. Ullman. Principles of Database and Knowledge Base Systems: Volume I. Computer Science Press, Rockville, MD, 1988.

[vG90] R. J. van Glabbeek. The linear time - branching time spectrum. Technical Report CS-R9029, Computer Science Department, CWI, Centre for Mathematics and Computer Science, Netherlands, 1990.

[VW86] M. Vardi and P. Wolper. An automata theoretic approach to automatic program verification. In Proceedings of LICS 1986, pages 332-344, 1986.

[Wal88] D. Walker. Bisimulation and divergence. In Proceedings of the Third Annual Symposium on Logic in Computer Science, pages 186-192, 1988.

[Wol95] P. Wolper. Private communication, 1995.

[ZSS94] S. Zhang, O. Sokolsky, and S. A. Smolka. On the parallel complexity of model checking in the modal mu-calculus. In Proceedings of LICS 1994, 1994.