Abstract
Runtime enforcement is a dynamic analysis technique that uses monitors to enforce the behaviour specified by some correctness property on an executing system. The enforceability of a logic captures the extent to which the properties expressible via the logic can be enforced at runtime for a specified operational model of enforcing monitors. We study the enforceability of branching-time, first-order properties expressed in the Hennessy–Milner Logic with Recursion (\(\mu \) HML) with respect to monitors that can enforce behaviour involving events that carry data. To this end, we develop an operational framework for first-order enforcement via suppressions, insertions and replacements. We then use this model to formalise the meaning of enforcing a branching-time property. We also show that a safety syntactic fragment of the logic is enforceable within this framework by providing an automated synthesis function that generates correct suppression monitors from any formula taken from this logical fragment.
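The following is an added illustration, not code from the paper or its authors: a small suppression monitor in Python for a constructed first-order safety property over data-carrying events (the event vocabulary `open`/`write`/`close`, the resource identifiers and the sample trace are all assumptions made for this example). It shows the two things the abstract talks about, a monitor that enforces a safety property by suppressing offending events, and a separate check that the enforced trace actually satisfies the property; insertions and replacements are not modelled here, and the monitor is hand-written rather than synthesised from a formula.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """A data-carrying system event, e.g. Event("write", "f1")."""
    name: str  # action: "open", "write" or "close" (constructed vocabulary)
    data: str  # resource identifier carried by the event


def would_violate(opened: Set[str], ev: Event) -> bool:
    """Constructed safety property, checked one event at a time against the
    set of currently open resources: open(x) is forbidden while x is open,
    and write(x) / close(x) are forbidden while x is not open."""
    if ev.name == "open":
        return ev.data in opened
    if ev.name in ("write", "close"):
        return ev.data not in opened
    return False  # any other event is unconstrained


def step(opened: Set[str], ev: Event) -> Set[str]:
    """State update after a permitted event."""
    if ev.name == "open":
        return opened | {ev.data}
    if ev.name == "close":
        return opened - {ev.data}
    return opened


def satisfies(trace: Iterable[Event]) -> bool:
    """Offline check: does the whole trace respect the property?"""
    opened: Set[str] = set()
    for ev in trace:
        if would_violate(opened, ev):
            return False
        opened = step(opened, ev)
    return True


def enforce(trace: Iterable[Event]) -> Tuple[List[Event], List[Event]]:
    """Suppression monitor: forwards every event that keeps the property and
    drops (suppresses) any event that would violate it.  Returns the enforced
    trace together with the suppressed events, so an operator can audit what
    the monitor changed."""
    opened: Set[str] = set()
    forwarded: List[Event] = []
    suppressed: List[Event] = []
    for ev in trace:
        if would_violate(opened, ev):
            suppressed.append(ev)  # not forwarded; monitor state unchanged
        else:
            forwarded.append(ev)
            opened = step(opened, ev)
    return forwarded, suppressed


# Constructed sample trace: two offending events interleaved with valid ones.
SAMPLE_TRACE = [
    Event("open", "f1"), Event("write", "f1"),
    Event("write", "f2"),   # f2 was never opened -> violation
    Event("close", "f1"),
    Event("close", "f1"),   # f1 is already closed -> violation
    Event("open", "f2"), Event("write", "f2"), Event("close", "f2"),
]

if __name__ == "__main__":
    out, dropped = enforce(SAMPLE_TRACE)
    print("forwarded :", [(e.name, e.data) for e in out])
    print("suppressed:", [(e.name, e.data) for e in dropped])
    print("enforced trace satisfies property:", satisfies(out))
```

Two standard enforcement requirements are easy to check against this monitor: the forwarded trace always satisfies the property (soundness), and a trace that already satisfies it passes through unchanged with nothing suppressed (transparency). Keeping the suppressed events as a separate return value rather than silently discarding them is what makes the monitor's interventions observable for later review.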
Additional information
The research work disclosed in this publication is partially supported by the projects “Developing Theoretical Foundations for Runtime Enforcement” (184776-051), “TheoFoMon: Theoretical Foundations for Monitorability” (163406-051) and “Mode(l)s of Verification and Monitorability” (MoVeMent) (217987-051) of the Icelandic Research Fund, by the BehAPI project funded by the EU H2020 RISE of the Marie Skłodowska-Curie action (778233) and by the Endeavour Scholarship Scheme (Malta), part-financed by the European Social Fund (ESF)—Operational Programme II—Cohesion Policy 2014–2020.
Appendices
A Missing proofs from Sect. 5.2
We provide the proofs for Lemmas 6, 8, 9 and 11 which were omitted from the main text.
A.1 Proving Lemma 6
To prove that for every , we must prove that
- (a) ; and
- (b) .
In order to prove (a) and (b) we rely on the following lemmas:
Lemma 15
For every \(\varphi {\,\in \,}\textsc {sHML} _{{\textbf {2}}} \) if .
Lemma 16
For every \(\varphi {\,\in \,}\textsc {sHML} _{{\textbf {2}}} \) if then
We provide the proofs for these lemmas after the proofs for (a) and (b).
Proof for (a)
Let , we must prove that \(\mathcal {R}\) is a satisfaction relation by showing that it obeys the rules of Fig. 4. We conduct this proof by case analysis on \(\varphi \).
Cases \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\). These cases do not apply since and so the assumption that does not hold when \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\).
Case \(\varphi =\textsf {tt} \). This case is satisfied trivially since any process satisfies \(\textsf {tt}\) which confirms that \((s,\textsf {tt}){\,\in \,}\mathcal {R} \).
Cases \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \). In order to prove this case, we must confirm that \((s,\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i){\,\in \,}\mathcal {R} \) by showing that for every \(\alpha \) and \(i{\,\in \,}I \), if s.t. \(\eta _i (\alpha )=\sigma \) then . Hence, we assume that and since by the definition of we know that then by the definition of \(\vDash \) we have that
Hence, by (119) and the definition of \(\mathcal {R}\) we can finally conclude that
as required.
Case \(\varphi =\textsf {max}\, X.\varphi \). In order to prove this case, we must confirm that \((s,\textsf {max}\, X.\varphi ){\,\in \,}\mathcal {R} \) by showing that \((s,\varphi \{{\textsf {max}\, X.\varphi }/{X}\}){\,\in \,}\mathcal {R} \) as well. Hence, we assume that
and consider the following two subcases for .
-
when \(X {\,\in \,}{\textbf {fv}}(\varphi ) \): Since \(X {\,\in \,}{\textbf {fv}}(\varphi ) \), from (120) and the definition of we have that and so by the definition of \(\vDash \) we can deduce that
(121)
Since \(X {\,\in \,}{\textbf {fv}}(\varphi ) \) and by Lemma 15 we have that , and so by Lemma 16, from (121) we deduce that
(122)
Hence, by (122) and the definition of \(\mathcal {R}\) we deduce that
$$\begin{aligned} (s,\varphi \{{\textsf {max}\, X.\varphi }/{X}\}){\,\in \,}\mathcal {R} \end{aligned}$$
as required.
-
\(X \notin {\textbf {fv}}(\varphi ) \): Since \(X \notin {\textbf {fv}}(\varphi ) \), from (120) and the definition of we have that
(123)
Since \(X \notin {\textbf {fv}}(\varphi ) \), from (123) we infer that is equivalent to , because \(X\) is unused in \(\varphi \), which means that from (123) we can deduce that
(124)
Hence, from (124) and the definition of \(\mathcal {R}\) we conclude that
$$\begin{aligned} (s,\varphi \{{\textsf {max}\, X.\varphi }/{X}\}){\,\in \,}\mathcal {R} \end{aligned}$$
as required, and so we are done.
\(\square \)
Proof for (b)
Let , once again we must prove that \(\mathcal {R}\) is a satisfaction relation and conduct this proof by case analysis on \(\varphi \).
Cases \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\). These cases do not apply since the assumption that \(s \vDash \varphi \) does not hold when \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\).
Case \(\varphi =\textsf {tt} \). This case holds trivially since and since any process satisfies \(\textsf {tt}\), which allows us to affirm that .
Case \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \). In order to prove this case, we must confirm that . Since , we instead confirm that by showing that for every \(\alpha \) and \(i{\,\in \,}I \), if s.t. \(\eta _i (\alpha )=\sigma \) then . Hence, we start by assuming that \(s \vDash \textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \) and so by the definition of \(\vDash \) we have that
and so by (125) and the definition of \(\mathcal {R}\) we conclude that
as required.
Case \(\varphi =\textsf {max}\, X.\varphi \). To prove this case, we must confirm that and so we start by assuming that \(s \vDash \textsf {max}\, X.\varphi \) from which by the definitions of \(\vDash \) and \(\mathcal {R}\) we deduce that
We now consider two subcases for .
-
when \(X {\,\in \,}{\textbf {fv}}(\varphi ) \): To confirm that , in this case we must affirm that by showing that as well. Hence, since we assume that \(X {\,\in \,}{\textbf {fv}}(\varphi ) \), by Lemma 15 we deduce that and so by Lemma 16 and from (126) we can conclude that
as required.
-
: Hence, to confirm that , we must now affirm that . Since we now assume that \(X \notin {\textbf {fv}}(\varphi ) \), we know that \(\varphi \{{\textsf {max}\, X.\varphi }/{X}\}\equiv \varphi \) and so from (126) we confirm that as required.
\(\square \)
Proof for Lemma 15
We conduct this proof by structural induction on \(\varphi \).
Cases \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\). These cases do not apply since \(X \notin {\textbf {fv}}(\varphi ) \) when \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\).
Case \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \). We first assume that \(X {\,\in \,}{\textbf {fv}}(\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i) \) and so by the definition of \({\textbf {fv}}(-)\) we know that for every \(i{\,\in \,}I \), \(X {\,\in \,}{\textbf {fv}}(\varphi _i) \) and so by applying the inductive hypothesis for every \(i{\,\in \,}I \) we infer that . With this result and by the definitions of \({\textbf {fv}}(-)\) and , we thus conclude that as required, and so we are done.
Case \(\varphi =Y \). We start by assuming that \(X {\,\in \,}{\textbf {fv}}(\varphi ) \) and consider the following cases:
-
when \(Y =X \): This case holds trivially since and so since \(X {\,\in \,}{\textbf {fv}}(X) \) we can infer that as required.
-
when \(Y \ne X \): This case does not apply since \(X \notin {\textbf {fv}}(Y) \) when \(Y \ne X \).
Case \(\varphi =\textsf {max}\, Y.\varphi \). We assume that
and consider the following cases:
-
when \(Y =X \): This case does not apply since \(X \notin {\textbf {fv}}(\textsf {max}\, Y.\varphi ) \) when \(Y =X \).
-
when \(Y \ne X \): From (127) and by the definition of \({\textbf {fv}}(-)\) we can deduce that
$$\begin{aligned} X {\,\in \,}{\textbf {fv}}(\varphi ) \end{aligned}$$
(128)
and so by the inductive hypothesis we have that , from which we can deduce that
(129)
Finally, since from (129) and the definition of we can conclude that
(130)
as required, and so we are done.
\(\square \)
Proof for Lemma 16
We conduct this proof by structural induction on \(\varphi \).
Cases \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\). These cases do not apply since \(X \notin {\textbf {fv}}(\varphi ) \) when \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\).
Case \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \) We first assume that
so that by (131) and the definition of \({\textbf {fv}}(-)\) we know that
Hence, by (132) we can apply the inductive hypothesis for every \(i{\,\in \,}I \) and infer that
and by (134) and the definition of we thus conclude that
as required.
Case \(\varphi =Y \). We start by assuming that
and consider the following cases:
-
when \(Y \ne X \): This case does not apply since (135) does not hold when \(Y \ne X \).
-
when \(Y =X \): Since \(Y =X \) we can thus unfold \(Y \{{\textsf {max}\, X.\psi }/{X}\}\) into \(\textsf {max}\, X.\psi \) such that we have that
(137)
Since we can deduce that
(138)
Since by (136) and the definition of we know that , from (137) and (138) we can conclude that
as required.
Case \(\varphi =\textsf {max}\, Y.\varphi \). We assume that
and consider the following cases:
-
when \(Y =X \): This case does not apply since \(X \notin {\textbf {fv}}(\textsf {max}\, Y.\varphi ) \) when \(Y =X \).
-
when \(Y \ne X \): From (139) and by the definition of \({\textbf {fv}}(-)\) we can deduce that \(X {\,\in \,}{\textbf {fv}}(\varphi ) \) and so by (140) and the inductive hypothesis we have that
(141)
Hence, by applying the definition of on both sides of equation (141) we get that
(142)
as required, and so we are done.
\(\square \)
A.2 Proving Lemma 8
If \(\textsf {traverse} (\textit{Eq},\{0\},\textsf {partition},\emptyset ) {=}\zeta \) then \(\zeta \) is a well-formed map for Eq.
To prove Lemma 8, we rely on Lemma 17.
Lemma 17
For every set of indices \(I\), \(\zeta \) map, and equation sets \(\textit{Eq} \) and \(\textit{Eq} '\), if \(\textit{Eq} '\subseteq \textit{Eq} \) and \(\textsf {traverse} (\textit{Eq} ',I,\textsf {partition},\zeta ) {=}\zeta '\) and \(\zeta \) is a well-formed map for \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta )} \) then \(\zeta '\) is a well-formed map for Eq.
We provide the proof for this lemma at the end of this section.
Proof for Lemma 8
Assume that
and since by the definition of \(\textit{Eq} _{/\!/I} \) we know that \(\textit{Eq} _{/\!/{\textbf {dom}}(\emptyset )} =\emptyset \) by the definition of a well-formed map we infer that
and hence by (143), (144) and Lemma 17 we can conclude that
as required.
Proof for Lemma 17
We proceed by induction on the structure of \(\textit{Eq} '\).
Case \(\textit{Eq} '=\emptyset \). Initially we assume that \(\emptyset \subseteq \textit{Eq} \) and that
Since \(\textit{Eq} '{=}\emptyset \), by (145) and the definition of traverse we have that \(\zeta =\zeta '\) and so from (146) we can deduce that
From (145) and the definition of traverse, we know that the traversal starts from the full equation set, i.e., \(\textit{Eq} '{\,=\,}\textit{Eq} \), using an empty \(\zeta \) map. With every recursive application of traverse, the equation set \(\textit{Eq} '\) becomes smaller, since when traverse recurses it does so w.r.t. \(\textit{Eq} ''\), a smaller version of the current \(\textit{Eq} '\) computed via \(\textit{Eq} ''{=}\textit{Eq} '\setminus \textit{Eq} '_{/\!/I} \). By contrast, with every recursive application of traverse, the \(\zeta \) accumulator becomes larger, as it is updated with new mappings for each index specified by the set of indices \(I\), i.e., the indices of the equations that are removed from \(\textit{Eq} '\) when creating \(\textit{Eq} ''\). Hence, when the traverse function is recursively applied w.r.t. some \(\textit{Eq} '''{=}\emptyset \), all the equations specified in Eq have been analysed by the traversal and their indices have thus been added as mappings in the resultant \(\zeta '\). We can therefore deduce that \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')} =\textit{Eq} \), so that from (147) we can conclude that
as required.
Case \(\textit{Eq} '\ne \emptyset \). Now, assume that
and consider the following two subcases for the set of indices \(I\).
- when \(I {=}\emptyset \): Since \(I {=}\emptyset \), by (148) and the definition of traverse we know that \(\zeta =\zeta '\) and so from (149) we can deduce that
$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed} \text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}. \end{aligned}$$
(151)
Since \(I {=}\emptyset \), the traversal has reached a point where no more children can be computed, which means that all the relevant equations (i.e., those reachable from the principal variable) have been analysed. Any other equation in Eq (one that is not in \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}\), if any) is therefore unreachable and redundant. Hence, since from (151) we know that \(\zeta '\) is a well-formed map for the relevant subset of equations in Eq, i.e., \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}\), it is also well-formed for the full equation set Eq (i.e., including any unreachable, redundant equations). Therefore, we can conclude that
$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed }\text { map for } \textit{Eq} \end{aligned}$$
as required.
- –:
-
By the definition of traverse and from (148) we can infer that
(152)
(153)
(154)
(155)
By (149) and the definition of a well-formed map, we know that \(\zeta \) provides a set of mappings which allow for:
$$\begin{aligned}&\begin{array}{l} \bullet \quad \text {renaming the }{data\, variables}\text { of each }{pattern\,equivalent\,sibling\,necessity},\\ \qquad \text { defined in } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta )},\text { to the}\, {same}\text { set of fresh variables.} \end{array} \end{aligned}$$
(156)
$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming any }\,{reference} \text { to a data variable that is bound by a }\,{renamed }\\ \qquad \,{parent\,necessity}\text { defined in }\textit{Eq} _{/\!/{\textbf {dom}}(\zeta )} \end{array} \end{aligned}$$
(157)
and by the definition of partition from (152) we have that
(158)
From (158) we know that \(\zeta ''\) includes a mapping for each sibling branch that defines a pattern equivalent SA. The added mappings map the child indices of the conjunction branches (i.e., \(j,k{\in }I '\), since from (154) we know that \(I ''\) and \(I '''\) are subsets of \(I '\)) that are defined by the equations identified by the parent indices (i.e., \(i{\in }I \)) specified in \(I\), to a substitution environment. This mapped substitution renames the respective variable names of these conjunct pattern equivalent sibling necessities to the same fresh set of variable names, thereby making the equivalent sibling patterns syntactically equal. Hence, from (156) we can deduce that \(\zeta ''\) provides a set of mappings which allow for
$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming the }\,{data\,variables}\text { of each } \,{pattern\,equivalent\,sibling\,necessity},\\ \qquad \text { defined in }\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ) \cup I '},\text { to the }\,{same}\text { set of fresh variables.} \end{array} \end{aligned}$$
(159)
Similarly, from (158) we also know that the mappings in \(\zeta ''\) include the substitutions performed upon the parent necessities. This means that in each mapping \(j{\,\mapsto \,}\sigma _j\), the mapped substitution environment \(\sigma _j\) also includes \(\zeta (i)\) where \(i\in I \) is the parent index of \(j{\,\in \,}I '\). Hence, from (157) we can deduce that the mappings provided by \(\zeta ''\) also allow for
$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming any }\,{reference}\text { to a data variable that is bound by a }\,{renamed }\\ \qquad \,{parent \,necessity}\text { defined in }\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ) \cup I '}. \end{array} \end{aligned}$$
(160)
Hence, by (159), (160) and the definition of a well-formed map we can infer that
$$\begin{aligned} \zeta '' \text { is a }{well-formed}\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta ) \cup I '}. \end{aligned}$$
(161)
From (158) we know that \(\zeta ''\) includes a mapping for each child branch, identified by \(j\in I ''\) and \(k\in I '''\) (where \(I ''\) and \(I '''\) are both subsets of \(I '\)), that is defined in the equation identified by index \(i\in I \) and which defines a pattern equivalent necessity. Hence, we know that the domain of \(\zeta ''\) is an extension of the domain of \(\zeta \) which additionally contains the child indices defined in \(I '\), such that we can deduce that \({\textbf {dom}}(\zeta '') ={\textbf {dom}}(\zeta ) \cup I '\). Hence, from (161) we can infer that
$$\begin{aligned} \zeta '' \text { is a }{} \textit{well-formed}\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta '')}. \end{aligned}$$
(162)
Finally, since from (153) and (150) we have that \(\textit{Eq} ''\subseteq \textit{Eq} \), by (155), (162) and the inductive hypothesis we can conclude that
$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed}\text { map for } \textit{Eq} \end{aligned}$$
as required, and so we are done.
\(\square \)
A.3 Proving Lemma 9
For every \(\zeta \) map, and equation set Eq, if \(\zeta \) is a well-formed map for Eq then \(\textsf {uni} (\textit{Eq},\zeta ) {\equiv }\textit{Eq} \) and every equation \((X _k{=}\psi _k){\,\in \,}\textsf {uni} (\textit{Eq},\zeta ) \) is Uniform.
Proof for Lemma 9
We conduct this proof by induction on the structure of Eq.
Case \(\textit{Eq} =\emptyset \). This case holds trivially since \(\textit{Eq} =\emptyset =\textsf {uni} (\emptyset ,\zeta ) \).
Case . We start by assuming that
and so by (163) and the definition of a well-formed map we know that \(\zeta \) provides a set of mappings which allow for
By applying the uni function on Eq and \(\zeta \) we obtain
Now assume that \(\eta _j\) defines an arbitrary pattern \((d ^1) \$ (d ^2) \) (where \(d ^1\) and \(d ^2\) are newly bound variables), along with some condition \(c _{j}[d ^1,d ^2,e ^{m}_{<i}] \) whose evaluation depends on \(d ^1\), \(d ^2\) and the values of m variables \(e ^{m}_{<i}\) that are bound by parent modal necessities. Then, from (164) we can deduce that mapping \(\zeta (j)\) in (166) produces a substitution environment which renames the data bindings \(d ^1 \) and \(d ^2 \) to some fresh variables \(f ^1\) and \(f ^2\), which are the same for all the other conjunct sibling necessities that are pattern equivalent to \(\eta _j\). From (165) we can also deduce that any reference being made to some variable \(e ^{m}_{<i}\) will also be renamed accordingly by \(\zeta (j)\). Hence, by the definition of a uniform equation, we can deduce that
Moreover, from (164) and (165) we can deduce that equation is semantically equivalent to the equation reconstructed by the uni function in (166), i.e., . This holds since when the substitution environment, returned by \(\zeta (j)\), is applied to the equated formula, it only substitutes the variable names in \(\eta _j\) and so if \(\eta _j\) has an arbitrary form this will become .
Notice that the new pattern \((f ^1) \$ (f ^2) \) is equivalent to the original one \((d ^1) \$ (d ^2) \) since it only varies by the name of the data variables it binds. The new condition \(c _{j}[f ^1,f ^2,f ^{m}_{<i}] \) is also equivalent to \(c _{j}[d ^1,d ^2,e ^{m}_{<i}] \) since by (165) we know that \(\zeta (j)\) (where \(\zeta (j)\) also contains \(\zeta (i)\) where i is the parent of j) renames \(d ^1 \) and \(d ^2 \) to \(f ^1\) and \(f ^2\) and \(e ^{m}_{<i}\) to the variable names, \(f ^{m}_{<i}\), bound by the renamed parent necessities. This preserves the semantics of the equation by keeping it closed wrt. data variables. Hence, we can deduce
Now since \(\textit{Eq} '\subset \textit{Eq} \) from (163) we can infer that \(\zeta \) is also a well-formed map for \(\textit{Eq} '\) which allows us to apply the inductive hypothesis and deduce that
Hence, by (166), (169) and (167) we can conclude that
and by (166), (170) and (168) we can conclude
as required, and so this case is done by (171) and (172). \(\square \)
A.4 Proving Lemma 11
For every eqn. \((X _j{=}\varphi _j){\in }\textit{Eq} \), if \(X _j{=}\varphi _j\) is uniform then \(\textit{Eq} {\equiv }\textsf {traverse} (\textit{Eq},\{0\},\textsf {cond\_comb},\emptyset ) \) and every eqn. \((X _k{=}\psi _k)\in \textsf {traverse} (\textit{Eq},\{0\},\textsf {cond\_comb},\emptyset ) \) is equi-disjoint.
The proof for Lemma 11 depends on Lemma 18. This new lemma states that one can obtain an equi-disjoint equation set, \(\omega '\), that is semantically equivalent to the original equation set Eq, by conducting a traversal upon a uniform subset of \(\textit{Eq} \) (i.e., \(\textit{Eq} '\)). This traversal is conducted wrt. an equi-disjoint accumulator equation set \(\omega \), where \(\omega \) must be semantically equivalent to a subset of Eq that is restricted to the indices associated to the logical variables specified by the domain of \(\omega \), i.e., \(\omega \equiv \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega )} \), where .
Lemma 18
For every index set \(I\), equi-disjoint set \(\omega \) and equation sets Eq and \(\textit{Eq} '\), if \(\textit{Eq} '\subseteq \textit{Eq} \) and \(\textsf {traverse} (\textit{Eq} ',I,\textsf {cond\_comb},\omega ) {=}\omega '\) and \(\textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega )} {\equiv }\omega \) and every equation \((X _j{=}\varphi _j){\,\in \,}\textit{Eq} '\) is uniform and every equation \((X _k{=}\psi _k){\,\in \,}\omega \) is equi-disjoint then every equation \((X _k{=}\psi _k){\,\in \,}\omega '\) is equi-disjoint and \(\textit{Eq} {\,\equiv \,}\omega '\).
We provide the proof for this lemma at the end of this section.
Proof for Lemma 11
Assume that
By applying the traverse function on Eq starting from \(I {=}\{0\}\) and \(\omega {=}\emptyset \), we know that
and so since \(\omega {=}\emptyset \), by the definition of \(\textit{Eq} _{/\!/I}\) we have that \(\textit{Eq} _{/\!/{\textbf {dom}}(\emptyset )} =\emptyset =\omega \) which means that we can also deduce that every equation \((X _k{=}\psi _k)\in \omega \) is equi-disjoint. With this new information along with (173) and (174), we can use Lemma 18 to infer that
as required, and so we are done. \(\square \)
Proof for Lemma 18
We proceed by induction on the structure of \(I\).
Case \(I {\,=\,}\emptyset \). Let us start by assuming that
By (176) and the definition of traverse, we know that \(\omega =\omega '\) and so from (177) and (179) we can deduce that
Since \(I {=}\emptyset \), by the definition of traverse and (176) we know the traversal has reached a point where no more children can be computed, which means that all the relevant equations (i.e., those reachable from the principal variable) have been analysed. This implies that any other equation in Eq (if any) is redundant and irrelevant. Hence, since from (181) we know that the equations in \(\omega '\) are equivalent to the relevant subset of equations in Eq, i.e., \(\textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega ')}\), we can conclude that
as required, and so this case is done by (180) and (182).
Case \(I {\,\ne \,}\emptyset \). Let us now assume that
and let’s proceed by case analysis on \(\textit{Eq} '\).
- \(\textit{Eq} '=\emptyset \): Since \(\textit{Eq} '=\emptyset \), by (184) and the definition of traverse we know that \(\omega =\omega '\) and so from (185) and (187) we can deduce that
$$\begin{aligned} \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega ')} {\equiv }\omega ', \text { and that} \end{aligned}$$
(188)
$$\begin{aligned} \text {every equation } (X _k{=}\psi _k)\in \omega '\text { is }{} \textit{equi-disjoint}. \end{aligned}$$
(189)
By (184) and the definition of traverse, we know that the traversal starts from the full equation set, i.e., \(\textit{Eq} '=\textit{Eq} \), using an empty accumulator, i.e., \(\omega {=}\emptyset \), that would eventually contain the resultant equi-disjoint equation set. Every recursive application of the traverse function is then performed wrt.: a smaller version of Eq, i.e., \(\textit{Eq} '{=}\textit{Eq} {\setminus }\textit{Eq} _{/\!/I} \), and a larger accumulator \(\omega '\) containing the reformulated, equi-disjoint equations whose indices are defined in \(I\) (and which were removed from \(\textit{Eq} '\)). Hence, when \(\textit{Eq} '\) becomes \(\emptyset \) it means that and so by the definition of we can deduce that which means that from (188) we can conclude that
(190)
- \(\textit{Eq} '\ne \emptyset \): By (184) and the definition of traverse we have that
(191)
(192)
(193)
(194)
By applying the definition of cond_comb to (191), we deduce that
(195)
Now from (195) and the definition of \(\mathbb {C} (j,I ')\), we know that the conjunctions in the reformulated equations (i.e., in every \(\psi _i\)) now include an additional branch for each condition \(c _k\in \mathbb {C} (j,I ') \) where \(c _k\) is a compound condition, e.g., \(c _0\wedge c _1\wedge \ldots \wedge c _n\) or \(c _0\wedge \lnot c _1\wedge \ldots \wedge \lnot c _n\). These compound conditions consist of a truth combination of the filtering conditions of the sibling SAs which specify syntactically equal patterns. This is guaranteed since from (186) we know that the equations in \(\textit{Eq} '\) are uniform, meaning that all sibling pattern equivalent SAs are guaranteed to be syntactically equal as well.
Hence, the reconstructed SAs in these new branches are unable to match the same concrete event \(\alpha \) unless they define the same pattern and condition. This is because, although their patterns are syntactically equal, at most one compound filtering condition can be satisfied by the matching concrete event \(\alpha \). Therefore, from (195) and the definition of equi-disjoint, we can deduce that
(196)
which means that from (187), (195) and (196) we can conclude that
(197)
as required. We also argue that the reconstructed equations in (195) (i.e., \(X _i{=}\psi _i\)) are in fact semantically equivalent to the original ones (i.e., ), since whenever a guarded branch, , is reconstructed into (possibly) multiple branches, , via the truth combination function \(\mathbb {C} (i,I ')\), the condition, \(c _i\), of the original branch is never negated. This guarantees that continuation \(X _i\) can only be reached when the original condition \(c _i\) is true, and thus preserves the original semantics of the branch. Therefore, we conclude that
which means that from (185) and (195) we can infer that
(198)
Finally, since from (183) and (192) we know that \(\textit{Eq} ''\subseteq \textit{Eq} \), from (186) we can infer that every equation is uniform. Hence, with this result along with (194), (197) and (198) we can apply the inductive hypothesis and conclude that
as required, and so we are done.
\(\square \)
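As an added illustration, not part of the paper, the two reformulations used in the proofs above (the uniformisation of Lemma 9 and the condition combination of Lemma 18) are carried through on a constructed equation with two pattern equivalent sibling necessities. The concrete pattern, conditions, continuations and substitution environments are assumed for the illustration; the shape of the compound conditions follows the forms \(c _0\wedge c _1\) and \(c _0\wedge \lnot c _1\) quoted in the proof of Lemma 18.

Constructed equation, whose two sibling necessities are pattern equivalent but not syntactically equal:
$$\begin{aligned} X _0 = {[}{}(x)\$(y), x > 0 {} {]} X _1 \;\wedge \; {[}{}(a)\$(b), b < 5 {} {]} X _2 \end{aligned}$$
A well-formed map renames both siblings to the same fresh names \(f ^1, f ^2\):
$$\begin{aligned} \zeta (1) = \{x \mapsto f ^1,\; y \mapsto f ^2\},\qquad \zeta (2) = \{a \mapsto f ^1,\; b \mapsto f ^2\} \end{aligned}$$
so that \(\textsf {uni}\) yields the uniform equation (syntactically equal patterns)
$$\begin{aligned} X _0 = {[}{}(f ^1)\$(f ^2), c _1 {} {]} X _1 \;\wedge \; {[}{}(f ^1)\$(f ^2), c _2 {} {]} X _2, \qquad c _1 \equiv f ^1 > 0,\; c _2 \equiv f ^2 < 5. \end{aligned}$$
Combining each branch's condition with the truth combinations of its sibling's condition, never negating the branch's own condition, gives
$$\begin{aligned} X _0 = {}&{[}{}(f ^1)\$(f ^2), c _1 \wedge c _2 {} {]} X _1 \;\wedge \; {[}{}(f ^1)\$(f ^2), c _1 \wedge \lnot c _2 {} {]} X _1 \\ \wedge \;&{[}{}(f ^1)\$(f ^2), c _1 \wedge c _2 {} {]} X _2 \;\wedge \; {[}{}(f ^1)\$(f ^2), \lnot c _1 \wedge c _2 {} {]} X _2. \end{aligned}$$
A concrete event \(v ^1 \$ v ^2\) matching the pattern satisfies exactly one of the four truth combinations of \(c _1\) and \(c _2\), so two branches can only match the same event when they define the same pattern and the same compound condition (here the two \(c _1 \wedge c _2\) branches), which is the equi-disjointness argued in the proof. Semantic equivalence is preserved because \(X _1\) is still reached exactly when \(c _1\) holds, since \((c _1 \wedge c _2) \vee (c _1 \wedge \lnot c _2) \equiv c _1\), and symmetrically for \(X _2\).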
B Missing proofs from Sect. 6
B.1 Proving Lemma 12
We need to prove that for every system \(s\), sHML formula \(\varphi \) and trace when then .
Proof
Since when restricted to sHML \(s \in \llbracket \varphi \rrbracket \) can be defined in terms of the coinductive satisfaction rules of Fig. 4, we prove that is a satisfaction relation that follows the rules of Fig. 4. We proceed by case analysis on \(\varphi \).
Cases \(\varphi \in \big \{\textsf {ff},X \big \}\). These cases do not apply since \(s \not \vDash \varphi \) when .
Case \(\varphi =\textsf {tt} \). This case is satisfied trivially since \(\varphi =\textsf {tt} \).
Case \(\varphi =\bigwedge _{i\in I}\varphi _i \). Assume that from which by the definition of \(\vDash \) we have that for every \(i\in I \), and so by applying the definition of \(\mathcal {R}\) for every we get that as required.
Case \(\varphi =\textsf {max}\, X.\varphi \). Assume that from which by the definition of \(\vDash \) we have that and so by applying the definition of \(\mathcal {R}\) we get that as required.
Case \(\varphi ={[}{}p,c {} {]} \varphi \). Assume that
and that from which by the definition of \(\vDash \) we have that
Since from (200) we know that \(s\) transitions to \(s'\) over \(\alpha \), from (199) we can infer that where which means that by (202) and the definition of \(\mathcal {R}\) we have that
Therefore, this case holds by (201), (203) and since and so we are done. \(\square \)
B.2 Proving Lemma 13
We need to prove that for every system transition and sHML formula \(\varphi \), if then . We prove the contrapositive, i.e., if and then .
Proof
We proceed by rule induction on \(\textit{after}_{\varphi }\).
Case \(\textit{after}_{\varphi } (\textsf {ff},\alpha ) \). This case holds trivially since .
Case \(\textit{after}_{\varphi } (\textsf {tt},\alpha ) \). This case does not apply since and so the assumption that is invalid.
Case \(\textit{after}_{\varphi } (\bigwedge _{i\in I}\varphi _i,\alpha ) \). Assume that
and that from which by the definition of \(\textit{after}_{\varphi }\) we have that
Hence, by (204) and (205) we can apply the inductive hypothesis and deduce that there exists a \(j\in I \) such that which means that as required.
Case \(\textit{after}_{\varphi } (\textsf {max}\, X.\varphi ,\alpha ) \). Assume that
and that from which by the definition of \(\textit{after}_{\varphi }\) we have that
and since by (206), (207) and the inductive hypothesis we have that and we can conclude that as required.
Case \(\textit{after}_{\varphi } ({[}{}p,c {} {]} \varphi ,\alpha ) \). Assume that
Now consider the following two cases:
- and : By (209) and the definition of we know that
(210)
and so from (208), (210) and by the definition of \(\llbracket - \rrbracket \) we can infer that since there exists a transition, i.e., (208), that leads to a violation, i.e., (210).
- Otherwise: This case does not apply since which contradicts assumption (209).
\(\square \)
B.3 Proving Lemma 14
We need to prove that for every action \(\alpha \), sHML formula \(\varphi \) and trace \(t\), if then .
Proof
We proceed by rule induction on \(\textit{after}_{\varphi }\).
Case \(\textit{after}_{\varphi } (\textsf {ff},\alpha ) \). This case does not apply since and so the assumption that is invalid.
Case \(\textit{after}_{\varphi } (\textsf {tt},\alpha ) \). This case holds trivially since .
Case \(\textit{after}_{\varphi } (\bigwedge _{i\in I}\varphi _i,\alpha ) \). Assume that from which by the definition of we have that
Hence, knowing (211) we can apply the inductive hypothesis for every \(i\in I \) and deduce that which means that as required.
Case \(\textit{after}_{\varphi } (\textsf {max}\, X.\varphi ,\alpha ) \). Assume that from which by the definition of we know that
and since by (212) and the inductive hypothesis we have that and we can conclude that as required.
Case \(\textit{after}_{\varphi } ({[}{}p,c {} {]} \varphi ,\alpha ) \). Assume that
and consider the following two cases:
- and : By (213) and the definition of we have that
(214)
Since is a trace process that can only perform \(\alpha \) and transition to \(\textsf {sys}(t) \), i.e., , and since from (214) we know that satisfies \(\varphi \sigma \), by the definition of \(\llbracket - \rrbracket \) we can thus conclude that as required.
- Otherwise: This case is trivially satisfied since, knowing that and that or , by the definition of \(\llbracket - \rrbracket \) we can immediately conclude that as required.
Aceto, L., Cassar, I., Francalanza, A. et al. On first-order runtime enforcement of branching-time properties. Acta Informatica 60, 385–451 (2023). https://doi.org/10.1007/s00236-023-00441-9