On first-order runtime enforcement of branching-time properties

Abstract

Runtime enforcement is a dynamic analysis technique that uses monitors to enforce the behaviour specified by some correctness property on an executing system. The enforceability of a logic captures the extent to which the properties expressible via the logic can be enforced at runtime for a specified operational model of enforcing monitors. We study the enforceability of branching-time, first-order properties expressed in the Hennessy–Milner Logic with Recursion (\(\mu \) HML) with respect to monitors that can enforce behaviour involving events that carry data. To this end, we develop an operational framework for first-order enforcement via suppressions, insertions and replacements. We then use this model to formalise the meaning of enforcing a branching-time property. We also show that a safety syntactic fragment of the logic is enforceable within this framework by providing an automated synthesis function that generates correct suppression monitors from any formula taken from this logical fragment.

Appendices

A Missing proofs from Sect. 5.2

We provide the proofs for Lemmas 6, 8, 9 and 11 which were omitted from the main text.

1.1 A.1 Proving Lemma 6

To prove that for every , we must prove that

1. (a)

   ; and

2. (b)

   .

In order to prove (a) and (b) we rely on the following lemmas:

Lemma 15

For every \(\varphi {\,\in \,}\textsc {sHML} _{{\textbf {2}}} \) if .

Lemma 16

For every \(\varphi {\,\in \,}\textsc {sHML} _{{\textbf {2}}} \) if then

We provide the proofs for these lemmas after the proofs for (a) and (b).

Proof for (a)

Let , we must prove that \(\mathcal {R}\) is a satisfaction relation by showing that it obeys the rules of Fig. 4. We conduct this proof by case analysis on \(\varphi \).

Cases \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\). These cases do not apply since and so the assumption that does not hold when \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\).

Case \(\varphi =\textsf {tt} \). This case is satisfied trivially since any process satisfies \(\textsf {tt}\) which confirms that \((s,\textsf {tt}){\,\in \,}\mathcal {R} \).

Cases \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \). In order to prove this case, we must confirm that \((s,\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i){\,\in \,}\mathcal {R} \) by showing that for every \(\alpha \) and \(i{\,\in \,}I \), if s.t. \(\eta _i (\alpha )=\sigma \) then . Hence, we assume that and since by the definition of we know that then by the definition of \(\vDash \) we have that

(119)

Hence, by (119) and the definition of \(\mathcal {R}\) we can finally conclude that

as required.

Case \(\varphi =\textsf {max}\, X.\varphi \). In order to prove this case, we must confirm that \((s,\textsf {max}\, X.\varphi ){\,\in \,}\mathcal {R} \) by showing that \((s,\varphi \{{\textsf {max}\, X.\varphi }/{X}\}){\,\in \,}\mathcal {R} \) as well. Hence, we assume that

(120)

and consider the following two subcases for .

• when \(X {\,\in \,}{\textbf {fv}}(\varphi ) \): Since \(X {\,\in \,}{\textbf {fv}}(\varphi ) \), from (120) and the definition of we have that and so by the definition of \(\vDash \) we can deduce that

  

  (121)

  Since \(X {\,\in \,}{\textbf {fv}}(\varphi ) \) and by Lemma 15 we have that , and so by Lemma 16, from (121) we deduce that

  

  (122)

  Hence, by (122) and the definition of \(\mathcal {R}\) we deduce that

  $$\begin{aligned} (s,\varphi \{{\textsf {max}\, X.\varphi }/{X}\}){\,\in \,}\mathcal {R} \end{aligned}$$

  as required.

• \(X \notin {\textbf {fv}}(\varphi ) \): Since \(X \notin {\textbf {fv}}(\varphi ) \), from (120) and the definition of we have that

  

  (123)

  and so since \(X \notin {\textbf {fv}}(\varphi ) \) from (123) we infer that is equivalent to since \(X\) is unused in \(\varphi \) which means that from (123) we can deduce that

  

  (124)

  Hence, from (124) and the definition of \(\mathcal {R}\) we conclude that

  $$\begin{aligned} (s,\varphi \{{\textsf {max}\, X.\varphi }/{X}\}){\,\in \,}\mathcal {R} \end{aligned}$$

  as required, and so we are done.

\(\square \)

Proof for (b)

Let , once again we must prove that \(\mathcal {R}\) is a satisfaction relation and conduct this proof by case analysis on \(\varphi \).

Cases \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\). These cases do not apply since the assumption that \(s \vDash \varphi \) does not hold when \(\varphi {\,{\,\in \,}\,}\big \{\textsf {ff},X \big \}\).

Case \(\varphi =\textsf {tt} \) This cases holds trivially since and since any process satisfies \(\textsf {tt}\) which allows us to affirm that .

Case \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \). In order to prove this case, we must confirm that . Since , we instead confirm that by showing that for every \(\alpha \) and \(i{\,\in \,}I \), if s.t. \(\eta _i (\alpha )=\sigma \) then . Hence, we start by assuming that \(s \vDash \textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \) and so by the definition of \(\vDash \) we have that

(125)

and so by (125) and the definition of \(\mathcal {R}\) we conclude that

as required.

Case \(\varphi =\textsf {max}\, X.\varphi \). To prove this case, we must confirm that and so we start by assuming that \(s \vDash \textsf {max}\, X.\varphi \) from which by the definitions of \(\vDash \) and \(\mathcal {R}\) we deduce that

(126)

We now consider two subcases for .

• when \(X {\,\in \,}{\textbf {fv}}(\varphi ) \): To confirm that , in this case we must affirm that by showing that as well. Hence, since we assume that \(X {\,\in \,}{\textbf {fv}}(\varphi ) \), by Lemma 15 we deduce that and so by Lemma 16 and from (126) we can conclude that

  

  as required.

• : Hence, to confirm that , we must now affirm that . Since we now assume that \(X \notin {\textbf {fv}}(\varphi ) \), we know that \(\varphi \{{\textsf {max}\, X.\varphi }/{X}\}\equiv \varphi \) and so from (126) we confirm that as required.

\(\square \)

Proof for Lemma 15

We conduct this proof by structural induction on \(\varphi \).

Cases \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\). These cases do not apply since \(X \notin {\textbf {fv}}(\varphi ) \) when \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\).

Case \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \). We first assume that \(X {\,\in \,}{\textbf {fv}}(\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i) \) and so by the definition of \({\textbf {fv}}(-)\) we know that for every \(i{\,\in \,}I \), \(X {\,\in \,}{\textbf {fv}}(\varphi _i) \) and so by applying the inductive hypothesis for every \(i{\,\in \,}I \) we infer that . With this result and by the definitions of \({\textbf {fv}}(-)\) and , we thus conclude that as required, and so we are done.

Case \(\varphi =Y \). We start by assuming that \(X {\,\in \,}{\textbf {fv}}(\varphi ) \) and consider the following cases:

• when \(Y =X \): This case holds trivially since and so since \(X {\,\in \,}{\textbf {fv}}(X) \) we can infer that as required.

• when \(Y \ne X \): This case does not apply since \(X \notin {\textbf {fv}}(Y) \) when \(Y \ne X \).

Case \(\varphi =\textsf {max}\, Y.\varphi \). We assume that

$$\begin{aligned} X {\,\in \,}{\textbf {fv}}(\textsf {max}\, Y.\varphi ) \end{aligned}$$

(127)

and consider the following cases:

• when \(Y =X \): This case does not apply since \(X \notin {\textbf {fv}}(\textsf {max}\, Y.\varphi ) \) when \(Y =X \).

• when \(Y \ne X \): From (127) and by the definition of \({\textbf {fv}}(-)\) we can deduce that

  $$\begin{aligned} X {\,\in \,}{\textbf {fv}}(\varphi ) \end{aligned}$$

  (128)

  and so by the inductive hypothesis we have that from which we can deduce that

  

  (129)

  Finally, since from (129) and the definition of we can conclude that

  

  (130)

  as required, and so we are done.

\(\square \)

Proof for Lemma 16

We conduct this proof by structural induction on \(\varphi \).

Cases \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\). These cases do not apply since \(X \notin {\textbf {fv}}(\varphi ) \) when \(\varphi {\,\in \,}\big \{\textsf {ff},\textsf {tt} \big \}\).

Case \(\varphi =\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i \) We first assume that

$$\begin{aligned} X {\,\in \,}{\textbf {fv}}(\textstyle \bigwedge _{i\in I}{[}\eta _i{]} \varphi _i) \end{aligned}$$

(131)

(132)

so that by (131) and the definition of \({\textbf {fv}}(-)\) we know that

$$\begin{aligned} \forall i{\,\in \,}I \cdot X {\,\in \,}{\textbf {fv}}(\varphi _i). \end{aligned}$$

(133)

Hence, by (132) we can apply the inductive hypothesis for every \(i{\,\in \,}I \) and infer that

(134)

and by (134) and the definition of we thus conclude that

as required.

Case \(\varphi =Y \). We start by assuming that

$$\begin{aligned} X {\,\in \,}{\textbf {fv}}(Y) \end{aligned}$$

(135)

(136)

and consider the following cases:

• when \(Y \ne X \): This case does not apply since (135) does not hold when \(Y \ne X \).

• when \(Y =X \): Since \(Y =X \) we can thus unfold \(Y \{{\textsf {max}\, X.\psi }/{X}\}\) into \(\textsf {max}\, X.\psi \) such that we have that

  

  (137)

  Since we can deduce that

  

  (138)

  Since by (136) and the definition of we know that and so from (137) and (138) we can conclude that

  

  as required.

Case \(\varphi =\textsf {max}\, Y.\varphi \). We assume that

$$\begin{aligned} X {\,\in \,}{\textbf {fv}}(\textsf {max}\, Y.\varphi ) \end{aligned}$$

(139)

(140)

and consider the following cases:

• when \(Y =X \): This case does not apply since \(X \notin {\textbf {fv}}(\textsf {max}\, Y.\varphi ) \) when \(Y =X \).

• when \(Y \ne X \): From (139) and by the definition of \({\textbf {fv}}(-)\) we can deduce that \(X {\,\in \,}{\textbf {fv}}(\varphi ) \) and so by (140) and the inductive hypothesis we have that

  

  (141)

  Hence, by applying the definition of on both sides of equation (141) we get that

  

  (142)

  as required, and so we are done.

\(\square \)

1.1.1 A.2 Proving Lemma 8.

if \(\textsf {traverse} (\textit{Eq},\{0\},\textsf {partition},\emptyset ) {=}\zeta \) then \(\zeta \) is a well-formed map for Eq.

To prove Lemma 8, we rely on Lemma 17.

Lemma 17

For every set of indices \(I\), \(\zeta \) map, and equation sets \(\textit{Eq} \) and \(\textit{Eq} '\), if \(\textit{Eq} '\subseteq \textit{Eq} \) and \(\textsf {traverse} (\textit{Eq} ',I,\textsf {partition},\zeta ) {=}\zeta '\) and \(\zeta \) is a well-formed map for \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta )} \) then \(\zeta '\) is a well-formed map for Eq.

We provide the proof for this lemma at the end of this section.

Proof for Lemma 8

Assume that

$$\begin{aligned} \textsf {traverse} (\textit{Eq},\{0\},\textsf {partition},\emptyset ) {=}\zeta \end{aligned}$$

(143)

and since by the definition of \(\textit{Eq} _{/\!/I} \) we know that \(\textit{Eq} _{/\!/{\textbf {dom}}(\emptyset )} =\emptyset \) by the definition of a well-formed map we infer that

$$\begin{aligned} \emptyset \text { is a }{} Well-formed \text { map for }\textit{Eq} _{/\!/{\textbf {dom}}(\emptyset )} \end{aligned}$$

(144)

and hence by (143), (144) and Lemma 17 we can conclude that

$$\begin{aligned} \zeta \text { is a }{well-formed}\text { map for }\textit{Eq} \end{aligned}$$

as required.

Proof for Lemma17

We proceed by induction on the structure of \(\textit{Eq} '\).

Case \(\textit{Eq} '=\emptyset \) Initially we assume that \(\emptyset \subseteq \textit{Eq} \) and that

$$\begin{aligned} \textsf {traverse} (\emptyset ,I,\textsf {partition},\zeta ) {=}\zeta ' \end{aligned}$$

(145)

$$\begin{aligned} \zeta \text { is a }{well-formed}\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta )}. \end{aligned}$$

(146)

Since \(\textit{Eq} '{=}\emptyset \), by (145) and the definition of traverse we have that \(\zeta =\zeta '\) and so from (146) we can deduce that

$$\begin{aligned} \zeta ' \text { is a }{well-formed}\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}. \end{aligned}$$

(147)

From (145) and the definition of traverse, we know that the traversal starts from the full equation set, i.e., \(\textit{Eq} '{\,=\,}\textit{Eq} \), using an empty \(\zeta \) map. With every recursive application of traverse, the equation set \(\textit{Eq} '\) becomes smaller since when traverse recurses it does so wrt. \(\textit{Eq} ''\), i.e., a smaller version of the current \(\textit{Eq} '\) which is computed via \(\textit{Eq} ''{=}\textit{Eq} '\setminus \textit{Eq} '_{/\!/I} \). By contrast, with every recursive application of traverse, the \(\zeta \) accumulator becomes larger as it is updated with new mappings for each index specified by the set of indices \(I\), i.e., with the indices of the equations that are removed from \(\textit{Eq} '\) when creating \(\textit{Eq} ''\). Hence, when the traverse function is recursively applied wrt. some \(\textit{Eq} '''{=}\emptyset \), it means that all the equations specified in Eq have been analysed by the traversal and their indices were thus added as maps in the resultant \(\zeta '\). Hence, we can deduce that \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')} =\textit{Eq} \) so that from (147) we can conclude that

$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed}\text { map for } \textit{Eq} \end{aligned}$$

as required.

Case \(\textit{Eq} '\ne \emptyset \). Now, assume that

$$\begin{aligned} \textsf {traverse} (\textit{Eq} ',I,\textsf {partition},\zeta ) {=}\zeta ' \end{aligned}$$

(148)

$$\begin{aligned} \zeta \text { is a }{} \textit{well-formed}\,\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta )} \end{aligned}$$

(149)

$$\begin{aligned} \textit{Eq} '\subseteq \textit{Eq} \end{aligned}$$

(150)

and consider the following two subcases for the set of indices \(I\).

–:

Since \(I {=}\emptyset \), by (148) and the definition of traverse we know that \(\zeta =\zeta '\) and so from (149) we can deduce that

$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed} \text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}. \end{aligned}$$

(151)

Since \(I {=}\emptyset \), this means that the traversal has reached a point where no more children can be computed, which means that all the relevant equations (i.e., those reachable from the principle variable) have been analysed. This means that any other equation in Eq (that is not in \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}\), if any) is redundant and irrelevant. Hence, since from (151) we know that \(\zeta '\) is a well-formed map for the relevant subset of equations in Eq, i.e., \(\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ')}\), then it is also well-formed for the full blown subset of equations Eq (i.e., including any unreachable, redundant equations). Therefore, we can conclude that

$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed }\text { map for } \textit{Eq} \end{aligned}$$

as required.

–:

By the definition of traverse and from (148) we can infer that

(152)

(153)

(154)

(155)

By (149) and the definition of a well-formed map, we know that \(\zeta \) provides a set of mappings which allow for:

$$\begin{aligned}&\begin{array}{l} \bullet \quad \text {renaming the }{data\, variables}\text { of each }{pattern\,equivalent\,sibling\,necessity},\\ \qquad \text { defined in} \textit{Eq} _{/\!/{\textbf {dom}}(\zeta )},\text { to the}\, {same}\text { set of fresh variables.} \end{array} \end{aligned}$$

(156)

$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming any }\,{reference} \text { to a data variable that is bound by a }\,{renamed }\\ \qquad \,{parent\,necessity}\text { defined in }\textit{Eq} _{/\!/{\textbf {dom}}(\zeta )} \end{array} \end{aligned}$$

(157)

and by the definition of partition from (152) we have that

(158)

From (158) we know that \(\zeta ''\) includes a mapping for each sibling branch that defines a pattern equivalent SA. The added mappings map the child indices of the conjunction branches (i.e., \(j,k{\in }I '\) since from (154) we know that \(I ''\) and \(I '''\) are subsets of \(I '\)) that are defined by the equations identified by the parent indices (i.e., \(i{\in }I \)) specified in \(I\), to a substitution environment. This mapped substitution renames the resp. variable names of these conjunct pattern equivalent sibling necessities, to the same fresh set of variable names, thereby making the equivalent sibling patterns, syntactically equal. Hence, from (156) we can deduce that \(\zeta ''\) provides a set of mappings which allow for

$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming the }\,{data\,variables}\text { of each } \,{pattern\,equivalent\,sibling\,necessity},\\ \qquad \text { defined in }\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ) \cup I '},\text { to the }\,{same}\text { set of fresh variables.} \end{array} \end{aligned}$$

(159)

Similarly, from (158) we also know that the mappings in \(\zeta ''\) include the substitutions performed upon the parent necessities. This means that in each mapping \(j{\,\mapsto \,}\sigma _j\), the mapped substitution environment \(\sigma _j\) also includes \(\zeta (i)\) where \(i\in I \) is the parent index of \(j{\,\in \,}I '\). Hence, from (157) we can deduce that the mappings provided by \(\zeta ''\) also allow for

$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming any }\,{reference}\text { to a data variable that is bound by a }\,{renamed }\\ \qquad \,{parent \,necessity}\text { defined in }\textit{Eq} _{/\!/{\textbf {dom}}(\zeta ) \cup I '}. \end{array} \end{aligned}$$

(160)

Hence, by (159), (160) and the definition of a well-formed map we can infer that

$$\begin{aligned} \zeta '' \text { is a }{well-formed}\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta ) \cup I '}. \end{aligned}$$

(161)

From (158) we know that \(\zeta ''\) includes a mapping for each child branch, identified by \(j\in I ''\) and \(k\in I '''\) (where \(I ''\) and \(I '''\) are both subsets of \(I '\)), that is defined in the equation identified by index \(i\in I \) and which defines a pattern equivalent necessity. Hence, we know that the domain of \(\zeta ''\) is an extension of the domain of \(\zeta \) which additionally contains the child indices defined in \(I '\), such that we can deduce that \({\textbf {dom}}(\zeta '') ={\textbf {dom}}(\zeta ) \cup I '\). Hence, from (161) we can infer that

$$\begin{aligned} \zeta '' \text { is a }{} \textit{well-formed}\text { map for } \textit{Eq} _{/\!/{\textbf {dom}}(\zeta '')}. \end{aligned}$$

(162)

Finally, since from (153) and (150) we have that \(\textit{Eq} ''\subseteq \textit{Eq} \), by (155), (162) and the inductive hypothesis we can conclude that

$$\begin{aligned} \zeta ' \text { is a }{} \textit{well-formed}\text { map for } \textit{Eq} \end{aligned}$$

as required, and so we are done.

\(\square \)

1.1.2 A.3 Proving Lemma 9.

For every \(\zeta \) map, and equation set Eq, if \(\zeta \) is a well-formed map for Eq then \(\textsf {uni} (\textit{Eq},\zeta ) {\equiv }\textit{Eq} \) and every equation \((X _k{=}\psi _k){\,\in \,}\textsf {uni} (\textit{Eq},\zeta ) \) is Uniform.

Proof for Lemma 9

We conduct this proof by induction on the structure of Eq.

Case \(\textit{Eq} =\emptyset \). This case holds trivially since \(\textit{Eq} =\emptyset =\textsf {uni} (\emptyset ,\zeta ) \).

Case . We start by assuming that

$$\begin{aligned} \zeta \text { is a }{well-formed}\text { map for } \textit{Eq} \end{aligned}$$

(163)

and so by (163) and the definition of a well-formed map we know that \(\zeta \) provides a set of mappings which allow for

$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming the }\,{data\,variables}\text { of each } \,{pattern\,equivalent\,sibling\,necessity},\\ \qquad \text { defined in }\textit{Eq},\text { to the }\,{same}\text { set of fresh variables. } \end{array} \end{aligned}$$

(164)

$$\begin{aligned}&\begin{array}{l} \bullet \quad \text { renaming any }\,{reference} \text { to a data variable that is bound by a}\,{renamed }\\ \qquad \,{parent\,necessity}\text { defined in }\textit{Eq}. \end{array} \end{aligned}$$

(165)

By applying the uni function on Eq and \(\zeta \) we obtain

(166)

Now if we assume that \(\eta _j\) defines an arbitrary pattern \((d ^1) \$ (d ^2) \) (where \(d ^1\) and \(d ^2\) are newly bound variables), along with some condition \(c _{j}[d ^1,d ^2,e ^{m}_{<i}] \) whose evaluation depends on \(d ^1\), \(d ^2\) and the values of m variables \(e ^{m}_{<i}\) that are bound by parent modal necessities. Hence, from (164) we can deduce that mapping \(\zeta (j)\) in (166) produces a substitution environment which renames the data bindings \(d ^1 \) and \(d ^2 \) to some fresh variables \(f ^1\) and \(f ^2\), which are the same for all the other conjunct sibling necessities that are pattern equivalent to \(\eta _j\). From (165) we can also deduce that any reference being made to some variable \(e ^{m}_{<i}\) will also be renamed accordingly by \(\zeta (j)\). Hence, by the definition of a uniform equation, we can deduce that

(167)

Moreover, from (164) and (165) we can deduce that equation is semantically equivalent to the equation reconstructed by the uni function in (166), i.e., . This holds since when the substitution environment, returned by \(\zeta (j)\), is applied to the equated formula, it only substitutes the variable names in \(\eta _j\) and so if \(\eta _j\) has an arbitrary form this will become .

Notice that the new pattern \((f ^1) \$ (f ^2) \) is equivalent to the original one \((d ^1) \$ (d ^2) \) since it only varies by the name of the data variables it binds. The new condition \(c _{j}[f ^1,f ^2,f ^{m}_{<i}] \) is also equivalent to \(c _{j}[d ^1,d ^2,e ^{m}_{<i}] \) since by (165) we know that \(\zeta (j)\) (where \(\zeta (j)\) also contains \(\zeta (i)\) where i is the parent of j) renames \(d ^1 \) and \(d ^2 \) to \(f ^1\) and \(f ^2\) and \(e ^{m}_{<i}\) to the variable names, \(f ^{m}_{<i}\), bound by the renamed parent necessities. This preserves the semantics of the equation by keeping it closed wrt. data variables. Hence, we can deduce

(168)

Now since \(\textit{Eq} '\subset \textit{Eq} \) from (163) we can infer that \(\zeta \) is also a well-formed map for \(\textit{Eq} '\) which allows us to apply the inductive hypothesis and deduce that

$$\begin{aligned} \text {every equation } (X _k{=}\psi _k)\in \textsf {uni} (\textit{Eq} ',\zeta ) \text { is }{} \textit{uniform}, \text { and that } \end{aligned}$$

(169)

$$\begin{aligned} \textsf {uni} (\textit{Eq} ',\zeta ) {\equiv }\textit{Eq} '. \end{aligned}$$

(170)

Hence, by (166), (169) and (167) we can conclude that

$$\begin{aligned} \text {every equation } (X _k{=}\psi _k)\in \textsf {uni} (\textit{Eq},\zeta ) \text { is }{uniform} \end{aligned}$$

(171)

and by (166), (170) and (168) we can conclude

(172)

as required, and so this case is done by (171) and (172). \(\square \)

1.1.3 A.4 Proving Lemma 11.

For every eqn. \((X _j{=}\varphi _j){\in }\textit{Eq} \), if \(X _j{=}\varphi _j\) is uniform then \(\textit{Eq} {\equiv }\textsf {traverse} (\textit{Eq},\{0\},\textsf {cond\_comb},\emptyset ) \) and every eqn. \((X _k{=}\psi _k)\in \textsf {traverse} (\textit{Eq},\{0\},\textsf {cond\_comb},\emptyset ) \) is equi-disjoint.

The proof for Lemma 11 depends on Lemma 18. This new lemma states that one can obtain an equi-disjoint equation set, \(\omega '\), that is semantically equivalent to the original equation set Eq, by conducting a traversal upon a uniform subset of \(\textit{Eq} \) (i.e., \(\textit{Eq} '\)). This traversal is conducted wrt. an equi-disjoint accumulator equation set \(\omega \), where \(\omega \) must be semantically equivalent to a subset of Eq that is restricted to the indices associated to the logical variables specified by the domain of \(\omega \), i.e., \(\omega \equiv \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega )} \), where .

Lemma 18

For every index set \(I\), equi-disjoint set \(\omega \) and equation sets Eq and \(\textit{Eq} '\), if \(\textit{Eq} '\subseteq \textit{Eq} \) and \(\textsf {traverse} (\textit{Eq} ',I,\textsf {cond\_comb},\omega ) {=}\omega '\) and \(\textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega )} {\equiv }\omega \) and every equation \((X _j{=}\varphi _j){\,\in \,}\textit{Eq} '\) is uniform and every equation \((X _k{=}\psi _k){\,\in \,}\omega \) is equi-disjoint then every equation \((X _k{=}\psi _k){\,\in \,}\omega '\) is equi-disjoint and \(\textit{Eq} {\,\equiv \,}\omega '\).

We provide the proof for this lemma at the end of this section.

Proof for Lemma 11

Assume that

$$\begin{aligned} \forall (X _j{=}\varphi _j)\in \textit{Eq} \cdot \text { equation }X _j{=}\varphi _j\text { is }{} \textit{uniform}. \end{aligned}$$

(173)

By applying the traverse function on Eq starting from \(I {=}\{0\}\) and \(\omega {=}\emptyset \), we know that

$$\begin{aligned} \textsf {traverse} (\textit{Eq},\{0\},\textsf {cond\_comb},\omega ) =\omega ' \end{aligned}$$

(174)

and so since \(\omega {=}\emptyset \), by the definition of \(\textit{Eq} _{/\!/I}\) we have that \(\textit{Eq} _{/\!/{\textbf {dom}}(\emptyset )} =\emptyset =\omega \) which means that we can also deduce that every equation \((X _k{=}\psi _k)\in \omega \) is equi-disjoint. With this new information along with (173) and (174), we can use Lemma 18 to infer that

$$\begin{aligned} \textit{Eq} \equiv \omega ' \text { and that every equation } (X _k{=}\psi _k)\in \omega '\text { is }{} \textit{equi-disjoint} \end{aligned}$$

as required, and so we are done. \(\square \)

Proof for Lemma 18

We proceed by induction on the structure of \(I\).

Case \(I {\,=\,}\emptyset \) Let’s start by assuming that

$$\begin{aligned} \textit{Eq} '\subseteq \textit{Eq}, \end{aligned}$$

(175)

$$\begin{aligned} \textsf {traverse} (\textit{Eq} ',\emptyset ,\textsf {cond\_comb},\omega ) {=}\omega ', \end{aligned}$$

(176)

$$\begin{aligned} \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega )} {\equiv }\omega , \end{aligned}$$

(177)

$$\begin{aligned} \text {every equation } (X _j{=}\varphi _j)\in \textit{Eq} '\text { is }{} \textit{uniform},\text { and that} \end{aligned}$$

(178)

$$\begin{aligned} \text {every equation } (X _k{=}\psi _k)\in \omega \text { is }{} \textit{equi-disjoint}. \end{aligned}$$

(179)

By (176) and the definition of traverse, we know that \(\omega =\omega '\) and so from (177) and (179) we can deduce that

$$\begin{aligned} \text {every equation }(X _k{=}\psi _k)\in \omega '\text { is }{} \textit{equi-disjoint} \end{aligned}$$

(180)

$$\begin{aligned} \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega ')} {\equiv }\omega '. \end{aligned}$$

(181)

Since \(I {=}\emptyset \), by the definition of traverse and (176) we know the traversal has reached a point where no more children can be computed, which means that all the relevant equations (i.e., those reachable from the principle variable) have been analysed. This implies that any other equation in Eq (if any) is redundant and irrelevant. Hence, since from (181) we know that the equations in \(\omega '\) are equivalent to the relevant subset of equations in Eq, i.e., \(\textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega ')}\), and hence, we can conclude that

$$\begin{aligned} \omega '\equiv \textit{Eq} \end{aligned}$$

(182)

as required, and so this case is done by (180) and (182).

Case \(I {\,\ne \,}\emptyset \). Let us now assume that

$$\begin{aligned} \textit{Eq} '\subseteq \textit{Eq} \end{aligned}$$

(183)

$$\begin{aligned} \textsf {traverse} (\textit{Eq} ',I,\textsf {cond\_comb},\omega ) {=}\omega ' \end{aligned}$$

(184)

$$\begin{aligned} \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega )} {\equiv }\omega \end{aligned}$$

(185)

$$\begin{aligned} \text {every equation } (X _j{=}\varphi _j)\in \textit{Eq} '\text { is }{} \textit{uniform} \end{aligned}$$

(186)

$$\begin{aligned} \text {every equation } (X _k{=}\psi _k)\in \omega \text { is }{} \textit{equi-disjoint} \end{aligned}$$

(187)

and let’s proceed by case analysis on \(\textit{Eq} '\).

• \({\textit{Eq} '=\emptyset :}\) Since \(\textit{Eq} '=\emptyset \), by (184) and the definition of traverse we know that \(\omega =\omega '\) and so from (185) and (187) we can deduce that

  $$\begin{aligned} \textit{Eq} _{/\!/\textsf {dom}_{\textsf {ind}}(\omega ')} {\equiv }\omega ', \text { and that} \end{aligned}$$

  (188)
  $$\begin{aligned} \text {every equation } (X _k{=}\psi _k)\in \omega '\text { is }{} \textit{equi-disjoint}. \end{aligned}$$

  (189)

  By (184) and the definition of traverse, we know that the traversal starts from the full equation set, i.e., \(\textit{Eq} '=\textit{Eq} \), using an empty accumulator, i.e., \(\omega {=}\emptyset \), that would eventually contain the resultant equi-disjoint equation set. Every recursive application of the traverse function is then performed wrt.: a smaller version Eq, i.e., \(\textit{Eq} '{=}\textit{Eq} {\setminus }\textit{Eq} _{/\!/I} \), and a larger accumulator \(\omega '\) containing the reformulated, equi-disjoint equations whose indices are defined in \(I\) (and which where removed from \(\textit{Eq} '\)). Hence, when \(\textit{Eq} '\) becomes \(\emptyset \) it means that and so by the definition of we can deduce that which means that from (188) we can conclude that

  

  (190)

  as required, and so this case holds by (189) and (190).

• \({\textit{Eq} '\ne \emptyset :}\) By (184) and the definition of traverse we have that

  

  (191)
  

  (192)
  

  (193)
  

  (194)

  By applying definition of cond_comb to (191), we deduce that

  

  (195)

  Now from (195) and the definition of \(\mathbb {C} (j,I ')\), we know that the conjunctions in the reformulated equations (i.e., in every \(\psi _i\)) now include an additional branch for each condition \(c _k\in \mathbb {C} (j,I ') \) where \(c _k\) is a compound condition, e.g., \(c _0\wedge c _1\wedge \ldots \wedge c _n\) or \(c _0\wedge \lnot c _1\wedge \ldots \wedge \lnot c _n\). These compound conditions consist in a truth combination of the filtering conditions of the sibling SAs which specify syntactically equal patterns. This is guaranteed since from (186) we know that the equations in \(\textit{Eq} '\) are uniform, meaning that all sibling pattern equivalent SAs are guaranteed to be syntactically equal as well.

  Hence, the reconstructed SAs in these new branches are unable to match the same concrete event \(\alpha \) unless they are define the same pattern and condition. This is so as despite their pattern being syntactically equal, only one compound filtering condition can at most be satisfied by the matching concrete event \(\alpha \). Therefore, from (195) and the definition of equi-disjoint, we can deduce that

  

  (196)

  which means that from (187), (195) and (196) we can conclude that

  

  (197)

  as required. We also argue that the reconstructed equations in (195) (i.e., \(X _i{=}\psi _i\)) are in fact semantically equivalent to the original ones (i.e., ), since whenever a guarded branch, , is reconstructed into (possibly) multiple branches, , via the truth combination function \(\mathbb {C} (i,I ')\), the condition, \(c _i\), of the original branch is never negated. This guarantees that continuation \(X _i\) can only be reached when the original condition \(c _i\) is true, and thus preserves the original semantics of the branch. Therefore, we conclude that

  

  which means that from (185) and (195) we can infer that

  

  (198)

  Finally, since from (183) and (192) we know that \(\textit{Eq} ''\subseteq \textit{Eq} \), from (186) we can infer that every equation is uniform. Hence, with this result along with (194), (197) and (198) we can apply the inductive hypothesis and conclude that

  

  as required, and so we are done.

\(\square \)

B Missing proofs from Sect. 6

1.1 B.1 Proving Lemma 12

We need to prove that for every system \(s\), sHML formula \(\varphi \) and trace when then .

Proof

Since when restricted to sHML \(s \in \llbracket \varphi \rrbracket \) can be defined in terms of the coinductive satisfaction rules of Fig. 4, we prove that is a satisfaction relation that follows the rules of Fig. 4. We proceed by case analysis on \(\varphi \).

Cases \(\varphi \in \big \{\textsf {ff},X \big \}\). These cases do not apply since \(s \not \vDash \varphi \) when .

Case \(\varphi =\textsf {tt} \). This case is satisfied trivially since \(\varphi =\textsf {tt} \).

Case \(\varphi =\bigwedge _{i\in I}\varphi _i \). Assume that from which by the definition of \(\vDash \) we have that for every \(i\in I \), and so by applying the definition of \(\mathcal {R}\) for every we get that as required.

Case \(\varphi =\textsf {max}\, X.\varphi \). Assume that from which by the definition of \(\vDash \) we have that and so by applying the definition of \(\mathcal {R}\) we get that as required.

Case \(\varphi ={[}{}p,c {} {]} \varphi \) Assume that

(199)

and that from which by the definition of \(\vDash \) we have that

(200)

(201)

(202)

Since from (200) we know that \(s\) transitions to \(s\) ’ over \(\alpha \), from (199) we can infer that where which means that by (202) and the definition of \(\mathcal {R}\) we have that

(203)

Therefore, this case holds by (201), (203) and since and so we are done. \(\square \)

1.1.1 B.2 Proving Lemma 13

We need to prove that for every system transition and sHML formula \(\varphi \), if then . We prove the contrapositive, i.e., if and then .

Proof

We proceed by rule induction on \(\textit{after}_{\varphi }\).

Case \(\textit{after}_{\varphi } (\textsf {ff},\alpha ) \). This case holds trivially since .

Case \(\textit{after}_{\varphi } (\textsf {tt},\alpha ) \). This case does not apply since and so the assumption that is invalid.

Case \(\textit{after}_{\varphi } (\bigwedge _{i\in I}\varphi _i,\alpha ) \). Assume that

(204)

and that from which by the definition of \(\textit{after}_{\varphi }\) we have that

(205)

Hence, by (204) and (205) we can apply the inductive hypothesis and deduce that there exists a \(j\in I \) such that which means that as required.

Case \(\textit{after}_{\varphi } (\textsf {max}\, X.\varphi ,\alpha ) \). Assume that

(206)

and that from which by the definition of \(\textit{after}_{\varphi }\) we have that

(207)

and since by (206), (207) and the inductive hypothesis we have that and we can conclude that as required.

Case \(\textit{after}_{\varphi } ({[}{}p,c {} {]} \varphi ,\alpha ) \). Assume that

(208)

(209)

Now consider the following two cases:

• and : By (209) and the definition of we know that

  

  (210)

  and so from (208), (210) and by the definition of \(\llbracket - \rrbracket \) we can infer that since there exists a transition, i.e., (208), that leads to a violation, i.e., (210).

• Otherwise: This case does not apply since which contradicts assumption (209).

\(\square \)

1.1.2 B.3 Proving Lemma 14

We need to prove that for every action \(\alpha \), sHML formula \(\varphi \) and trace \(t\), if then .

Proof

We proceed by rule induction on \(\textit{after}_{\varphi }\).

Case \(\textit{after}_{\varphi } (\textsf {ff},\alpha ) \). This case does not apply since and so the assumption that is invalid.

Case \(\textit{after}_{\varphi } (\textsf {tt},\alpha ) \). This case holds trivially since .

Case \(\textit{after}_{\varphi } (\bigwedge _{i\in I}\varphi _i,\alpha ) \). Assume that from which by the definition of we have that

(211)

Hence, knowing (211) we can apply the inductive hypothesis for every \(i\in I \) and deduce that which means that as required.

Case \(\textit{after}_{\varphi } (\textsf {max}\, X.\varphi ,\alpha ) \). Assume that from which by the definition of we know that

(212)

and since by (212) and the inductive hypothesis we have that and we can conclude that as required.

Case \(\textit{after}_{\varphi } ({[}{}p,c {} {]} \varphi ,\alpha ) \). Assume that

(213)

and consider the following two cases:

• and : By (213) and the definition of we have that

  

  (214)

  Since is a trace process that can only perform \(\alpha \) and transition to \(\textsf {sys}(t) \), i.e., , and since from (214) we know that satisfies \(\varphi \sigma \), by the definition of \(\llbracket - \rrbracket \) we can thus conclude that as required.

• Otherwise: This case is trivially satisfied since knowing that and that or , by the definition of \(\llbracket - \rrbracket \) we can immediately conclude that as required.