The Limit View of Infinite Computations

Home , Borel hierarchy

BRICS ISSN 0909-0878 May 1994 BRICS Report Series RS-94-14 Nils Klarlund The Limit View of Inﬁnite Computations Basic Research in Computer Science

Reproduction of all or part of this work is permitted for educational or research use on condition that this copyright notice is included in any copy.

See back inner page for a list of recent publications in the BRICS Report Series. Copies may be obtained by contacting:

BRICS Department of Computer Science University of Aarhus Ny Munkegade, building 540 DK - 8000 Aarhus C Denmark Telephone:+45 8942 3360 Telefax: +45 8942 3255 Internet: [email protected]

The Limit View of Innite Computations

Nils Klarlund

BRICS Department of Computer Science

University of Aarhus

Ny Munkegade DK Arhus Denmark

klarlunddaimiaaudk

Abstract We showhow to view computations involving very general

liveness prop erties as limits of nite approximation s This computational

mo del do es not require intro duction of innite nondeterminism as with

most traditional approaches Our results allow us directly to relate nite

computations in order to infer prop erties ab out innite computations

Thus we are able to provide a mathematical understanding of what sim

ulations and bisimulation s are when liveness is involved

In addition we establish links b etween verication theory and classical

results in descriptive set theory Our result on simulations is the essential

contents of the KleeneSuslin Theorem and our result on bisimulati on

expresses Martins Theorem ab out the determinacy of Borel games

Intro duction

It is generally b elieved that to mo del general liveness prop erties of concurrent

systems such as those expressed by innitary temp oral logics wemust use ma

chines with innite countable nondeterminism Such mo dels arise for example

in program verication involving fairness where transformations of programs

induce nondeterminism

But it is disturbing that countable nondeterminism for whichnophysical im

plementation seems to exist is intro duced in our mo del of computation In con

e can observe trast any conventional Turing machine can b e implemented and w

its nite runs although not all of them of course due to physical constraints

But howwould a physical device carry out a nondeterministic choice among un

countably many p ossibilities at each computation step Instead it seems more

reasonable to let the machine compute nite information ab out progress that

somehowgives rise to an acceptance condition on innite computations

This article is a revised and extended version of an earlier technical rep ort

Convergence Measures TR Cornell University whichwas

extracted from the authors PhD thesis Due to space limitations all

pro ofs have b een omitted in this article

Partially supp orted by an Alice Richard Netter Scholarship of the Thanks to

Scandinavia Foundation Inc and NSF grant CCR

Basic Research in Computer Science Centre of the Danish National Research

Foundation

Another foundational problem wewould like to address is the lack of general

notions of simulation and bisimulation for programs that incorp orate liveness

conditions Since simulations are lo cal equivalences we also here need a b etter

understanding of progress of nite computations towards dening innite ones

In this pap er weintro duce a limit concept that allows deterministic ma

chines to calculate progress approximations so that analytic or coanalytic sets of

computations are dened Thus nondeterminism is not inherent to mo dels of

computations involving even very general liveness conditions even those that

are expressed by innitary temp oral logics

Our concept is a natural generalization of Buc hi or Rabin conditions which

dene only sets very low in the Borel hierarchy of prop erties Our progress

approximations generalize Buc hi automata where states are designated as ac

cepting or nonaccepting and the limit condition is that innitely many accepting

states are encountered

Our main goal is to show that reasoning ab out the innite b ehavior of our

machines can b e carried out directly in terms of progress approximations without

transformations Sp ecicallywe turn our attention to two fundamental problems

for programs with liveness conditions

nding a progress concept for showing that one program implements another

program so that eachstepcontributing to a live computation of the rst

program is mapp ed to a corresp onding step of the second program and

nding a progress concept for showing that two programs can simulate each

alent other so that each step of one corresp onds to a step of the other equiv

with resp ect to making or not making progress towards a live computation

Our results for these two problems are essentially the contents of the two p er

haps most celebrated results of descriptive set theory the KleeneSuslin Theorem

and Martins Theorem ab out the determinacy of Borel games resp ectively

Previous Work

For certain kinds of sp ecications such as those involving b ounded nonde

terminism or fairness dozens of verication metho ds have b een suggested

The notion of analytic set can b e dened in manyways For example M is analytic

if there is a nondeterministi c automaton with a countable state space suchthatM

is the set of innite sequences allowing an innite run see The class of analytic

sets is denoted The dual of an analytic set is said to b e coanalytic or

The Borel hierarchy is the least class of sets containing the class of op en sets

and closed under countable intersection and union For example the Borel hierarchy

of sets that are countable intersections of op en sets Every contains the class

prop ertydenedbyaBuchi automaton including usual fairness conditions is a nite

Bo olean combination of sets and so is at the third level of the Borel hierarchy

see Every Borel set is analytic and coanalytic Vice versa the KleeneSuslin

Theorem states that any set that is b oth analytic and coanalytic is also Borel

see Yet the general problem has to the au

thors knowledge b een addressed only in relatively few articles The

earlier prop osals solve the verication problem by transformations that intro duce

innite nondeterminism

The most general such approachisthatofVardi Vardi uses a computa

tional mo del corresp onding to nondeterministic automata with innite conjunc

tive branching for dening sp ecications The apparentphysical unrealizability

of this concept motivated the limit view given in the present pap er Vardis

metho d can easily b e reformulated as progress measures ie as mappings

from the states of the implementation These progress measures howeverdonot

imply the ones presented here since we use a dierent computational mo del To

gether with the Boundedness Theorem for sets Vardis results amounttothe

KleeneSuslin Theorem although this was not noted in

A few metho ds have app eared that more directly quantify progress

but these metho ds only apply to sets at lowlevels of the Borel hierarchy

namely nite Bo olean combinations of sets

In a simple progress measure based on a condition called the Liminf

condition was prop osed This condition however can b e used only to reason

ab out sp ecications that are ie at the third level of the Borel hierarchy

Other approaches to viewing computations as limits are based on metrics of

mathematical analysis These approaches also deal with sets at the third

level

Recursiontheoretic asp ects of relating automata with dierent kinds of ac

e b een studied in ceptance conditions hav

In this pap er we rep ort on the most general measure prop osed in In

addition weintro duce here the new concept of progress bisimulation

Overview

Our results are based on an abstract graphtheoretic formulation of the verica

tion problem We represent the transitions of a program as a directed countable

graph G V E where vertices V and edges E corresp ond to program states

and transitions Then the innite paths in G corresp ond to all p ossible innite

computations

To dene live computations weintro duce progress approximations on V that

assign a nite amount of information to eachvertex In turns out that if welet

this information b e a lab eled tree then very general prop erties can b e expressed

Thus a progress approximation asso ciates a nite tree v toeachvertex v

A computation v v denes an innite sequence v v of progress

approximations and a limit tree lim v that consists of the no des that from a

p oint on o ccur in every progress approximation The computation is live if the

limit tree has only nite paths ie if it is wel lfounded it may still b e innite

We call this condition the wel lfoundedness condition of and abbreviate it

The WF condition is extraordinarily p owerful Weprove that the sets sp ec

ied by WF conditions constitute the class of coanalytic sets This class

includes all Borel sets as we show using progress approximations In fact we

show that automata combined with temp oral logics with innite conjunctions

and disjunctions express the class of Borel sets and can b e co ded as WF condi

tions

The dual of the WF condition is the condition that requires the limit tree

to contain some innite path This condition is called the nonwel lfoundedness

condition and denoted WF The sets sp ecied by WF conditions constitute

the class of analytic sets

In order to relate two programs with liveness conditions we rst study a

simpler problem Wemayview WF as a specication that every computation

of G is live Thus wesaythatG satises WF if every innite path v v of G

satises WF Note that this prop erty seems to call for considering uncountably

many innite computations Our rst result is to show that G satises WF can

b e established by lo cal reasoning ab out vertices and edges

Progress Measures

For proving the prop erty of program termination we usually resort to mapping

program states to some values and wethenverify that the value decreases with

every transition These values quantify progress toward the prop erty of termina

tion Similarly for a prop ertyspeciedbya WF condition we seek a relation on

some set of progress values that the states with their progress approximations

can b e mapp ed to The relation must ensure that the limit tree is wellfounded

To do this we use tree emb eddings as the set of progress values Wexa

wellfounded tree T and a mapping suchthatv sp ecies an emb edding of

v inT We then dene the WF progress relation on tree emb eddings

Intuitively it states that emb edded no des moveforward in T according to a

predened ordering If in addition satises the verication condition

VC for any transition from v to v it is the case that v v

then is a WF progress measure Our rst result is

Graph Result

All innite paths in G satisfy WF

if and only if

there is a progress measure for G and

Thus the question of verifying that al l innite computations satisfy the sp eci

cation is equivalenttondingsome mapping that is a WF progress measure In

other words the existence of a progress measure means that each step of a pro

gram contributes in a precise mathematical sense to bringing the computation

closer to the sp ecication

Progress Simulations

To formulate our results on progress simulations we turn to a generally accepted

mo del of innite computations There is an alphab et of letters representing

actions and a program P is a nondeterministic transition system or automaton

over The computations or runs over an innite word a a are the sequences

of states b eginning with an initial state that may o ccur when the word is

pro cessed according to the transition relation A word is recognized by P if it

allows a run The set of words recognized by P is called the language of P and

denoted LP Note that in this mo del wehave abstracted away the details of

the machine structure and technical complications such as stuttering

Thanks to the countable nondeterminism presentinsuch programs they

dene the class of of analytic sets Now given two programs P and Q

called the implementation and specication wesay that P implements Q if

every word recognized by P is also recognized by Q ie if LP LQ The

verication problem is to establish LP LQby relating the states of the

programs without reasoning directly ab out innite computations

It is wellknown that if we can nd a simulation also known as a homomor

phism or renement map from the reachable states of P to the states of Q

then LP LQ This metho d is not complete however since LP LQ

might hold while no simulation exists

The preceding discussion has ignored liveness including common concepts

such as starvation and fairness So assume that P also denes a set Live of

state sequences said to b e live For example the set Live may b e sp ecied by

a formula in temp oral logic or byaWF condition The live language L P of

is the set of words that allow a live computation Wesaythat P satises Q if P

the words allowing a live computation of P also allow a live computation of Q

ie if L P L Q The verication problem is nowtoshowthatP satises

Q without considering innite computations

To simplify matters we assume that a simulation already exists from P to

Q and that the set Live is expressed as a WF condition of a progress approx

imation on Qs state space The set Live cannot b e expressed as a WF

Q P

condition if the verication problem is to b e reduced to only a wellfoundedness

problem Thus we instead sp ecify Live byaWF condition of a progress

approximation on P s state space

We show that there is an op eration merge that merge progress approxi

WF mations so as to express the condition Live Live ieWF

P Q P Q

or equivalently WF WF Thus we formulate a progress simulation from

P Q

P to Q as a simulation h together with a progress measure for the progress

approximation merge p hp which is dened on P s reachable states

P S

We use the Graph Result to derive

If in addition the program P can b e eectively or recursively represented that is the

transition relation can calculated byaTuring machine whichoninputs a s halts

with the answer to whether s a s is in the transition relation then the language

recognized is said to b e analytical The class of such languages is denoted In

general the eective class corresp onding to a class denoted by a b oldface letter is

denoted by the lightface letter

General Progress Simulation Theorem

If there is a simulation from P to Qthen

P satises Q

if and only if

there is a progress simulation from P to Q

The General Progress Simulation Theorem in particular solves the verication

problem for programs and sp ecications that are expressed using formulas in

innitary temp oral logic under the assumption that a simulation exists

The theorem has an eectiveversion whichwecallthe Finite Argument

Theorem It shows that there is a uniform way of obtaining a progress simulation

Thus there is an algorithm that calculates a Turing machine for calculating

a progress simulation given as input Turing machines dening P Qanda

simulation h with L P L S This is not a decidability result but an

explicit reduction of the complete problem of establishing L P L S to

the classic complete problem of whether a recursive tree is wellfounded

There is a strong connection to descriptive set theoryInfactwe showthat

the Finite Argument Theorem expresses the KleeneSuslin Theorem as a state

ment ab out the feasibility of program verication

Progress Bisimulations

Consider a program P with state space P and transition relation and a

Q and transition relation program Q with state space

The notion of bisimulation stipulates that the programs are equivalentif

there is a relation R P Q containing the pair of initial states such that

a a

if Rp q andp p then there is q suchthatq q and Rp q and

P Q

a a

vice versa if Rp q and q q then there is p suchthatp p and

Q Q

Rp q

This denition is central to the algebraic treatment of concurrency The es

sential result is that the existence of the bisimulation relation is equivalentto

the imp ossibility of observing a dierence in b ehavior of the two systems with

resp ect to ability of carrying out actions

Q are bisimilar in this traditional sense can we Assuming now that P and

then compare them also regarding liveness That is wewould liketorelate

program states also with resp ect to how close they are to satisfying the liveness

conditions so as to formalize the intuition for any transition of one program

there is a transition for the other program which is equivalent with resp ect to

progress or nonprogress towards the liveness condition

To get an understanding of what observing liveness means we formulate the

pro cess as an innite game b etween an observer and a responder The game is the

same as the one that characterizes bisimilarity although the winning conditions

are dierent bisimilar programs P and Q are live equivalent if no observer can

devise bisimilar computations of P and Q so that one is live and the other is

not

More precisely the observer is allowed to pick actions and transitions accord

ing to the following rules in order to pro duce corresp onding computations

First the observer cho oses an action and a transition on this action for one

of the programs from its initial state Then the resp onder lets the other program

make a corresp onding transition on the same action from its initial state The

new pair of states must b elong to the bisimulation relation the resp onder can

always nd a new state by denition of bisimulation relation

Next the observer cho oses a second action and a transition for one of the

programs This transition is again matched by the resp onder who lets the other

program make a corresp onding step

This pro cess continues ad innitum and pro duces an innite word and com

putations of P and Q over this word If it is not the case that some observer

can cho ose actions and transitions so that however the resp onder matches the

observers moves a live and a nonlive computation are pro duced then P and

Q are said to b e live equivalent

The way an observer cho oses actions and transitions is called a testing strat

egy Generally a strategy is a function of all previous choices made by the other

player In case a choice is solely dep endent on a current pair of states the strat

egy is said to b e memoryless Similarly the resp onders answers are describ ed by

a response strategy which is also a function of the previous choices The resp onse

strategy is memoryless if it is dep endent only of the current pair of states and

the name and action of the pro cess picked by the observer

For usual bisimulation it can b e shown for b oth players that having a win

ning strategy is equivalenttohaving a winning memoryless strategy Also a

bisimulation relation enco des a class of memoryless resp onse strategies

Unfortunatelythetwo programs b elowshow informally that even for simple

liveness conditions it may happ en that neither player has a winning memoryless

strategy

a a

q q

Q P

a a

p p

a a

r r

Here P and Q are the same program over a one letter alphab et except for

the liveness condition the program P accepts if the Buc hi condition fq g is

satised ie if the state q o ccurs innitely often and the program Q accepts if

the states p and q o ccur almost always ie if from some p oint on the state r

is not encountered It can b e seen that neither the observer nor the resp onder

has a winning memoryless strategy In fact the observer do es have a winning

strategy namely at p pick the choice q or r that is the opp osite of what the

resp onder last did but this is not a memoryless strategy Thus P and Q are

not live equivalent

For general systems that are live equivalent we shall show that a natural

notion of progress bisimilarity can b e formalized for their nite computations

if the liveness conditions are Borel If nite computations u and v of P and Q

are progress bisimilar wemust express by a progress value how close they

are to b eing either b oth live or b oth nonlive Since we assumed that Live is

Borel it is b oth analytic and coanalytic Thus there is a pair of

P P

progress approximations suchthatLive is the set of innite state sequences

that satisfy WF and also the set of sequences that satisfy WF For no

P P

tational simplicitywe assume that these approximations are dened on nite

computations We then dene an op eration merge on progress approximations

suchthatmerge sp ecies the joint state sequences that are b oth live

P Q

or b oth nonlive

A progress bisimulation R u v isnow a relation that for some xed well

founded T relates a nite computation u of P a nite computation v of Qand

an emb edding of merge u v in T such that

P Q

if R u v andu u then there is v and such that v v

P Q

R u v and and

and such that vice versa if R u v andv v then there is u

u u R u v and

Q WF

Our second main result is

General Progress Bisimulation Theorem

If Borel programs P and Q are bisimilar then

P and Q are live equivalent

if and only if

P and Q allow a progress bisimulation

This result follows from a very deep result in descriptive set theory by Martin

that all innite games with Borel winning conditions are determined ie it is

always the case that one player has a winning strategy Since determinacy of

games with arbitrary winning conditions contradicts the Axiom of Choice

the General Progress Bisimulation Theory is hard to generalize In fact the

study of the Determinacy Axiom is an imp ortant part of mathematical logic

Note however that only b ounded memory ab out the past is necessary to sp ecify

the observers moves This is a general phenomenon as shown in games based

on Bo olean combinations of Buc hi conditions have b oundedmemory strategies also

known as forgetful strategies For Rabin conditions which are sp ecial disjunctive

normal forms memoryless strategies do exist

Denitions

Programs and Simulations Assume a nite or countable alphab et of ac

tions A program P P p Liveover consists of a state space P a

transition relation P P an initial state p anda liveness sp eci

cation Live which sp ecies a set of innite state sequences The program P is

deterministic if for all p and a there is at most one p suchthatp p A

computation over an innite word a a is an innite state sequence p p

if it satises such that p p and p p for all i A computation is live

i i

LiveA nite computation u P is a prex of some innite computation The

transition relation is extended to nite computations in the natural way u v

if for someu pandp u u p v u p and p p The set of all words

allowing some computation is denoted LP and is called the language of P

The subset of words in LP that allow a live computation is denoted L P

and called the live language of P

A simulation h P Q is a partial function that maps the initial state of

P to that of Q and resp ects the transition relation

hp s and

a a

p domh and p p implies p domh and s s

P Q

Note that if P and Q are deterministic with LP LQ then a progress

simulation exists provided that P has no reachable state that has no successor

Also h can b e uniformly computed from eective representations of P and Q

Pointer Trees A pointer tree or simply tree T is a prexclosed countable

subset of where is the set of natural numb ers Each sequence t

t t in T represents a node whichhaschildren t d T Here d is the

pointer to t d from tIft is a prex of t T then t is called an ancestor of t

We visualize p ointer trees as growing upwards as in

level

h i

level

h i

level

where children are depicted from left to right in descending order Any sequence

of p ointers t t nite or innite denotes a path t t t nite or

innite in T provided each t t T The level jtj of a no de t t t is

the number the level of is T is nitepath or or wel lfounded if there are

no innite paths in T This is also denoted WF T

Awellfounded tree T is rankable if there is an assignment of ordinals to

the no des of T such that the ro ot has rank and if a no de t has rank then

every child of t has rank less than

WF Limit Representations

In this section weshowhow to represent analytic and coanalytic sets by limits

For a sequence of p ointer trees we dene lim as

i i

t lim if and only if for almost all i t

i i

It is not hard to see that lim is a tree whichwe call the limit tree To

i i

ess approximation that assigns characterize nite computations we use a progr

a nite p ointer tree utoeach nite word u Thus we assume here that the

underlying program is the transition system that has as its state space and

where the transition relation is dened so that the current state is the sequence

of actions encountered With this representation the live languages lim

and lim are dened by for a word a a

lim if and only if WF lim u and

lim if and only if WF lim u

where u denotes that u takes the values a a a

The class of analytic sets and the class of coanalytic sets can b e

describ ed by limits

Theorem Representation Theorem The limit operators lim and

lim dene the classes and ie S S lim and

WF WF

S S lim

Pro of The pro of uses the classic representation involving pro jections of trees

As with the usual representations see wehave

Theorem Boundedness Theorem for sets Let C lim beaco

analytic set If thereisacountable ordinal such that for al l C lim u

is rankable then C is Borel

We p ostp one the pro of of Theorem to Section

In the following wesaythatananalytic program P is of the form P

p WF and that a coanalytic program is of the form P p WF where

is a progress approximation that assigns a p ointer tree to each state in P

WF Relation and Measure

We use tree emb eddings to measure progress of computations towards dening

a nitepath tree in the limit Let T b e a xed tree An embedding of a tree in

T is an injective mapping T suchthat and for all t d there

is d with t dt d Note that jtj jtj in fact is just a structure

preserving relab eling of Also note that dom is the tree and that rng

is the image in T of

We can now dene the WF relation whichwe denote by

Denition WF Relation if for all s dom dom s

n n n n

s where is dened by d d e e if either d d e e

or there is a level n such that d e and for all d e

Intuitively holds if for anynodes in b oth dom and dom the

image in T of s under is the same as or to the right of the image under

assuming that p ointer trees are depicted as explained earlier Although

isnotawellfounded relation it ensures wellfoundedness in the limit provided

T is wellfounded

Lemma WF Relation Lemma If WF T and then

WF WF

WF lim dom

i i

This lemma is an immediate consequence of

Proposition Let T beaxedtreeandlet beanin

WF WF

nite relatedsequenceofembeddings in T Then there is an embedding of

lim dom in lim rng

i i i i

measures progress of p ointer trees towards Hence if T is wellfounded

dening a wellfounded tree To state this more forcefullywe need some deni

tions

Denition Let G V E b e a countable directed graph and let be a

progress approximation on V Wesay that an innite path v v satises

the WF condition of and write v v WF ifWF lim v A graph G

i i

satises the WF condition of and we write G WF ifevery innite path in

G satises the WF condition

Denition A WF progress measure T for G is a nitepath tree T

and a mapping v V v T such that

v isanemb edding of v inT and

resp ects the edge relation of Gieu v E implies u v

Theorem Graph Result G WF if and only if G has a WF progress

measure

Pro of Thisfollows from the WF Relation Lemma

The pro of consists of a transnite construction of and T

Progress Simulations

In this section we present the General Progress Simulation Theorem Let

P P p WF b e an analytic implementationand Q Q

P P Q

q WF a coanalytic sp ecication To prove that L P L Q we need

to combine the progress approximations

Denition Given nite trees and theset merge consisting

n n n n n

and of no des d e d e and d e e d where n d d

e e is called the ormerge of and

It is not hard to see that merge is a tree The ormerge has the following

prop erties

Proposition Let and be innite sequences of trees

a WF lim merge if and only if WF lim or WF lim

i i i i i

i i

b If lim merge is rankable and WF lim then lim is rankable

i i i i

i i

Given a simulation h PQwe measure progress towards Live Live

P Q

as follows

Denition A progress simulation h T from P to Q relativetoh is a

WF progress measure for V Ep merge p hp where V P

P S

are the states of P reachable by some nite computation and p p E if and

only if p p for some a

Theorem Progress Simulation Theorem Assume we have analytic

coanalytic Q Q q WF and simulation P P p WF

P Q Q P

h PQ Then L P L Q if and only if thereisaprogress simulation

from P to Q relative to h

Pro of The pro of follows from the WF Relation Lemma Prop osition and

Theorem

Suslins Theorem

Corol lary Suslins Theorem Let L be a set of innite sequences over

that is both analytic and coanalytic Then L is Borel

Finite ArgumentTheorem

A progress simulation can b e viewed as an argumentforwhy a program sat

ises a sp ecication Weshow that for eective descriptions of program sp ec

ication and simulation there is an eective description of the progress mea

sure More precisely let a WF semimeasure T b e a WF progress measure

except that there is no requirementthat T be wellfounded Then there is a

total recursive function calculating an index of a WF semimeasure T for

merge p hp given indices for P Q and h moreover h T isa

P S

progress simulation ie T is wellfounded if and only if P satises Q

Theorem Finite Argument Theorem Aprogress simulation can be

obtained uniformly from indices of P Qandh

Pro of By analyzing the pro of of Theorem for computational contents one

can obtain an explicit algorithm for calculating and T

Intuitively the Finite Argument Theorem shows that there is a systematic in

fact computable way of getting a nite argument of correctness ab out nite

computations from the program and the sp ecication if a simulation exists for

example by assuming that program and sp ecication are deterministic

The verication metho d based on WF progress measures is optimal in the

following sense For sp ecications that are itis complete to determine

program satises the sp ecication For example determining whether a

whether LP LQ where P and Q are recursively represented nondeter

ministic transition systems is complete It is hardly imaginable that a

reasonable verication metho d would not b e in which allows one to guess

relations and verify that they are wellfounded But even a metho d cannot

p ossible solvethe complete verication problem for sets In this sense the

preceding results are optimal

Finallywe observe that just as Suslins Theorem is a consequence of Theo

rem the Finite Argument Theorem implies Kleenes Theorem which states

that there is a uniform way of obtaining an index in the hyp erarithmetical hier

archy ofaset L froma and a index of L

Borel Programs

To describ e Borel sets in terms that are useful for verication of programs we

intro duce a class of programs whose acceptance conditions are innitary tem

p oral logic formulas This will also allowustoprove the Boundedness Theorem

for sets

where Denition By transnite induction we dene a ranked formula

is a countable ordinal to b e either a temporal predicate innitely often

or almost alw ays where is a predicate on V or a disjunction

W V

or a conjunction are ranked formulas where

A sequence v v satises written v v according to

j j

v v if and only if H h H v

j j

v v if and only if H hH v

j j

v v if and only if v v

j j

v v if and only if v v

Denition A Borel program P P p consists of a countable set

of states P a deterministic transition relation P P an initial state

p and a ranked formula

Proposition The class of live languages acceptedbyBorel programs is the

class of Borel sets

Pro of of the Boundedness Theorem of Section

Borel Sets Are Analytic and Coanalytic

Weshowhow to translate the temp oral logic acceptance condition of a Borel

program intoaWForWF condition of a progress approximation dened on

By this translation program verication with temp oral logic can take place

by measuring progress using Theorem or Theorem The translation also

proves that all Borel sets are analytic and coanalytic

Theorem Let P be a Borel program Then there exist progress approxima

tions and on such that

L P lim

lim L P

It is usually not p ossible to dene as a function of the current state Instead

the whole history of states or actions must b e used In particular a nitestate

Borel program b ecomes innitestate In contrast note that Buc hi conditions

allow certain restricted third level prop erties to b e expressed without going to

innitestate systems

In order to prove this theorem weneedtwo lemmas They showhowtomerge

countably many sequences of nite trees into one such sequence that satises the

WF condition if and only if all resp ectively one of the original sequences satisfy

the WF condition

Lemma Thereisanoperation merge that merges any list of nite trees

into a nite tree such that for any col lection j ofsequences of nite

trees

i i

WF lim merge

if and only if

j WF lim

Lemma Thereisanoperation merge that merges any list of nite trees

into a nite tree such that for any col lection j ofsequences of nite

trees

i i

WF lim merge

if and only if

j WF lim

By Prop osition wehave

Corol lary Borel sets are analytic and coanalytic

Progress Bisimulations

The full pap er contains a formalization of the game outlined in Section By

Martins result one of the players has a winning strategy If the resp on

der has a winning strategy then it can b e describ ed by a relation over nite

computations and a progress measure for Live Live This progress mea

P Q

sure is formulated for the progress approximation merge u v which

P Q

is dened as merge merge u u merge u u

P Q P Q

Conclusion

Wehave used a limit view of nite computations to show that concepts of sim

ulation and bisimulation can b e b e generalized to account also for very general

liveness prop erties The two generalized concepts establish a strong connection

to two ma jor theorems in descriptive set theory The limit conditions presented

e only theoretical interest however here probably hav

In practice the mathematical challenge needed to establish even simple

bisimulations for transitions systems with Buc hi acceptance conditions seems

quite dicult Further investigation may reveal whether the concepts presented

in this article may b e suciently simplied for nitestate systems to b e of use

in practice

Acknowledgements

Thanks to Dexter Kozen and Moshe Vardi for valuable comments on an earlier

version of this article

References

M Abadi and L Lamp ort The existence of renement mappings Theoretical

Computer Science

B Alp ern and FB Schneider Recognizing safety and liveness Distributed Com

puting

B Alp ern and FB Schneider Verifying temp oral prop erties without temp oral

logic ACM Transactions on Programming Languages and Systems

January

KR Apt and ER Olderog Pro of rules and transformations dealing with fairness

Science of Computer Programming

I Dayan and D Harel Fair termination with cruel schedulers Fundamenta In

formatica

N Francez and D Kozen Generalized fair termination In Proc th POPL Salt

Lake CityACM January

O Grumberg N Francez JA Makowsky and WPdeRoev er A pro of rule for

fair termination of guarded commands Information and Control

Y Gurevich and L Harrington Trees automata and games In Proceedings th

Symp on Theory of ComputingACM

D Harel Eective transformations on innite trees with applications to high

undecidabi li ty dominos and fairness Journal of the ACM

N Klarlund Liminf progress measures In Proc of Mathematical Foundations of

Programming Semantics LNCS

N Klarlund Progress measures and stack assertions for fair termination In Proc

Eleventh Symp on Princ of Distributed Computing pages IEEE

N Klarlund Progress measures immediate determinacy and a subset construc

tion for tree automata In Proc Seventh Symp on Logic in Computer Science

N Klarlund and D Kozen Rabin measures and their applicatio ns to fairness and

automata theoryInProc Sixth Symp on Logic in Computer Science IEEE

N Klarlund and FB Schneider Proving nondeterministi call y sp ecied safety

prop erties using progress measures Information and Computation

Nils Klarlund Progress Measures and Finite Arguments for Innite Computations

PhD thesis TR Cornell University August

D Lehmann A Pnueli and J Stavi Impartiality justice and fairness the ethics

of concurrent termination In Proc th ICALP LNCS SpringerVerlag

eness Z Manna and A Pnueli Adequate pro of principles for invariance and liv

prop erties of concurrent programs Science of Computer Programming

Z Manna and A Pnueli Sp ecication and verication of concurrent programs

by automata In Proc Fourteenth Symp on the Principles of Programming

Languages pages ACM

DA Martin Borel determinacy Ann Math

Yiannis N Moschovakis Descriptive Set Theoryvolume of Studies in Log

and the Found of Math NorthHolland

L Priese Fairness EATCS Bul letin

R Rinat N Francez and O Grumberg Innite trees markings and well

foundedness Information and Computation

Hartley Rogers Jr TheoryofRecursive Functions and Eective Computability

McGrawHill Bo ok Company

AP Sistla A complete pro of system for proving correctness of nondeterministic

safety sp ecications Technical rep ort Computer and Intelligent Systems Lab ora

tory GTE Lab oratories Inc

AP Sistla On verifying that a concurrent program satises a nondeterministic

sp ecication Information Processing Letters July

L Staiger Recursive automata on innite words In P Enjalb ert A Finkel and

KW Wagner editors Proc th Annual Symp on Theoretical Computer Science

STACS LNCS Springer Verlag

W Thomas Automata on innite ob jects In J van Leeuwen editor Handbook

of Theoretical Computer Sciencevolume B pages MIT PressElsevier

M Vardi Verication of concurrent programs The automatatheoretic framework

Annals of Pure and AppliedLogic

M Vardi Private communication Recent Publications in the BRICS Report Series

RS-94-5 Peter D. Mosses. Unified Algebras and Abstract Syntax. March 1994, 21 pp. To appear in: Recent Trends in Data Type Specification (ed. F. Orejas), LNCS 785, 1994. RS-94-6 Mogens Nielsen and Christian Clausen. Bisimulations, Games and Logic. April 1994, 37 pp. Full version of paper appearing in: New Results and Trends in Computer Science, pages 289Ð305, LNCS 812, 1994. RS-94-7 Andre« Joyal, Mogens Nielsen, and Glynn Winskel. Bisimulation from Open Maps. May 1994, 42 pp. Journal version of LICS ’93 paper. RS-94-8 Javier Esparza and Mogens Nielsen. Decidability Issues for Petri Nets. May 1994, 23 pp. Appears in EATCS Bulletin 52, pages 245Ð262, 1994. RS-94-9 Gordon Plotkin and Glynn Winskel. Bistructures, Bido- mains and Linear Logic. May 1994, 16 pp. To appear in the proceedings of ICALP ’94, LNCS, 1994. RS-94-10 Jakob Jensen, Michael J¿rgensen, and Nils Klarlund. Monadic Second-order Logic for Parameterized Verifica- tion. May 1994, 14 pp.

RS-94-11 Nils Klarlund. A Homomorphism Concept for -Regu- larity. May 1994, 16 pp. RS-94-12 Glynn Winskel and Mogens Nielsen. Models for Con- currency. May 1994, 144 pp. To appear as a chapter in the Handbook of Logic and the Foundations of Computer Science, Oxford University Press. RS-94-13 Glynn Winskel. Stable Bistructure Models of PCF. May 1994, 26 pp. Preliminary draft. Invited lecture for MFCS ’94. To appear in the proceedings of MFCS ’94, LNCS, 1994. RS-94-14 Nils Klarlund. The Limit View of Inﬁnite Computations. May 1994, 16 pp. To appear in the LNCS proceedings of Concur ’94, LNCS, 1994.