
Categorical Liveness Checking by Corecursive Algebras

Natsuki Urabe∗, Masaki Hara, Ichiro Hasuo
Dept. Computer Science, The University of Tokyo, Japan; National Institute of Informatics, Japan
{urabenatsuki, qnighy}@is.s.u-tokyo.ac.jp, [email protected]
∗JSPS Research Fellow

arXiv:1704.04872v1 [cs.LO] 17 Apr 2017

Abstract—Final coalgebras as "categorical greatest fixed points" play a central role in the theory of coalgebras. Somewhat analogously, most proof methods studied therein have focused on greatest fixed-point properties like safety and bisimilarity. Here we make a step towards categorical proof methods for least fixed-point properties over dynamical systems modeled as coalgebras. Concretely, we seek a categorical axiomatization of well-known proof methods for liveness, namely ranking functions (in nondeterministic settings) and ranking supermartingales (in probabilistic ones). We find an answer in a suitable combination of coalgebraic simulation (studied previously by the authors) and corecursive algebra as a classifier for (non-)well-foundedness.

I. INTRODUCTION

A. Backgrounds

Verification of liveness, much like that of safety, is a prototypical problem that underlines verification of more complex alternating fixed-point specifications. Liveness means that something "good" eventually occurs, while safety means that anything "bad" never occurs.

1) Ranking Functions: As an example, suppose that we are given a transition system as in the figure (1). Here x1 is an accepting state that represents a good event. The reachability problem—a typical example of liveness checking problems—asks the following: "Does there exist a path from the initial state x0 to x1?" The answer is yes: x1 is reachable by the path → x0 → x2 → x3 → x1. Note that the path does not refer to the states x4 and x5.

[Figure (1): a transition system over the states x0, …, x5, with x1 the accepting state.]

In the example above, we assumed that the system is controlled in an angelic manner: we can choose the next state to eventually reach a good state. However, real-world systems often contain demonic branching, too, where the next state is chosen to avoid a good state. Such a system can be modeled as a two-player game played by angelic and demonic players. The figure (2) illustrates an example. At the state x2 the next move is chosen by the demonic player. The answer to the reachability problem is again yes: no matter if x3 or x4 is chosen as the successor of x2, the angelic player can force reaching x1 (by → x3 → x1 and → x4 → x5 → x3 → x1).

[Figure (2): a two-player game over the same states x0, …, x5; x2 is the state where the demonic player moves.]

Numerous methods are known for such liveness checking problems (e.g. [1], [2], [3]). A well-known method is the one using a ranking function [4]. For a two-player game, a ranking function is typically defined as a function b : X → N∞, from the state space X to the set N∞ = N ∪ {∞}, that satisfies the following conditions: (i) for each non-accepting state x of the angelic player, there exists a successor state x′ such that b(x) ≥ b(x′) + 1; and (ii) for each non-accepting state y of the demonic player, we have b(y) ≥ b(y′) + 1 for each successor state y′ of y. It is known that soundness holds: existence of a ranking function b such that b(x) < ∞ implies that, regardless of the demonic player's choice, the angelic player can construct a path x = x0 → x1 → ··· that eventually reaches an accepting state. The well-foundedness of N is crucial here: we have b(xi) > b(xi+1) for each i before an accepting state is reached; and an infinite descending chain is impossible in N. For example, in the two-player game in (2), the ranking function b = [x0 ↦ 5, x1 ↦ 0, x2 ↦ 4, x3 ↦ 1, x4 ↦ 3, x5 ↦ 2] ensures that x1 is reachable from x0. Intuitively, the value b(x) bounds the number of steps from x to an accepting state.

2) Ranking Supermartingales: One can consider liveness checking problems also for probabilistic systems. A typical example is the almost-sure reachability problem: let us consider the probabilistic transition system (PTS) as in the figure (3). In the almost-sure reachability problem, we want to know if the accepting state x1 is reached with probability 1. In the PTS in (3), the answer is yes, though there exists a path that does not visit any accepting state at all (namely → x0 → x0 → ···, but this occurs with probability 0).

[Figure (3): a PTS over the states x0 and x1; x0 either loops or moves to the accepting state x1, the transitions being labelled with probability 1/2 in the figure.]

A notion analogous to that of ranking function is also known for probabilistic systems, namely ranking supermartingales [5], [6]. For a fixed positive real ε > 0, an (ε-additive) ranking supermartingale is a function b′ : X → [0, ∞], from the state space X to the set [0, ∞] of extended non-negative real numbers, that satisfies the following condition.

    ∀x ∈ X \ Acc.   b′(x) ≥ Σ_{x′ ∈ X} Prob(x → x′) · b′(x′) + ε

Here Prob(x → x′) denotes the probability with which the system makes a transition from x to x′. This means that for each state x ∈ X, the expected value of b′ decreases by at least ε after a transition. The existence of a ranking supermartingale b′ such that b′(x) < ∞ implies that the expected value of the number of steps from x to an accepting state is finite (specifically it is no bigger than b′(x)/ε). From this it easily follows that an accepting state is visited almost surely.

3) Coalgebras and Algebras: This paper aims to understand, in the categorical terms of (co)algebra, essences of liveness checking methods like ranking functions and ranking supermartingales. Coalgebras are commonly used for modeling state-based dynamics in the categorical language (see e.g. [7], [8]). Formally, for an endofunctor F over a category C, an F-coalgebra is an arrow c of the type c : X → FX. We can regard X as a state space, F as a specification of the branching type, and c : X → FX as a transition function. By changing the functor F we can represent various kinds of transition types (see Fig. 1). It is also known that, using coalgebras, we can generalize various automata-theoretic notions and techniques (such as behavioral equivalence [9], bisimulation [10] and simulation [11]) to various systems (e.g. nondeterministic, probabilistic, and weighted ones). A dual notion, i.e. an arrow of type a : FX → X, is known as an F-algebra. In this paper, it is used to capture properties (or predicates) over a system represented as a coalgebra.

    functor F            | c : X → FX represents
    ---------------------+------------------------------------------
    (_)^Σ × {0, 1}       | deterministic automaton
    P²(_) × {0, 1}       | two-player game
    D(_) × {0, 1}        | probabilistic transition system (PTS)

Fig. 1. Coalgebraic representations of transition systems. Here P and D denote the powerset and the distribution functors respectively (Def. II.15).

B. Contributions

We contribute a categorical axiomatization of "ranking functions" that is behind the well-known methods that we have sketched. It combines: corecursive algebras as value domains (that are, like N∞, suited to detect well-foundedness) and lax homomorphisms (like in coalgebraic simulations [11], [12]). Based on the axiomatization we develop a general theory; our main result is soundness, i.e. that existence of a categorical ranking function indeed witnesses liveness (identified with a least fixed-point property).

… coalgebra-algebra homomorphism (|c|)_r (see the diagram). Corecursive algebras have been previously used to describe general structured corecursion [13] (see also Rem. II.17). Our use of them in this paper seems novel: r being corecursive means that the function Φ_{c,r} : f ↦ r ∘ Ff ∘ c has a unique fixed point; in particular its least and greatest fixed points coincide; we find this feature of corecursive algebras suited for their use as categorical "classifiers" for (non-)well-foundedness.

2) Modalities and Least Fixed-Point Properties: Liveness properties such as reachability and termination are all instances of least fixed-point properties: once a proper modality ♥σ is fixed, the property in question is described by a least fixed-point formula µu. ♥σ u. The way we categorically formulate these constructs, as shown below, is nowadays standard (see e.g. [17], [18]). As the base category C we use Sets in this paper (although extensions e.g. to Meas would not be hard).

• We fix a domain Ω ∈ C of truth values (e.g. Ω = {0, 1}), and a property over X ∈ C is an arrow u : X → Ω.
• A (state-based, dynamical) system is a coalgebra c : X → FX for a suitable functor F : C → C.
• A modality ♥σ is interpreted as an F-algebra σ : FΩ → Ω over Ω (see Example III.4 and Prop. IV.2 for examples).
• Assuming some syntax is given, we should be able to derive the interpretation ⟦♥σ ϕ⟧_c of a modal formula from ⟦ϕ⟧_c. In the current (purely semantical) framework this goes as follows. Given a property u : X → Ω, we define the property Φ_{c,σ}(u) : X → Ω by the composite

        Φ_{c,σ}(u) = ( X −c→ FX −Fu→ FΩ −σ→ Ω ).

• Assuming a suitable order structure ⊑ on Ω and additional monotonicity requirements, the correspondence Φ_{c,σ} : Ω^X → Ω^X has the least fixed point. It is denoted by µσ_c : X → Ω; intuitively it is the interpretation ⟦µu. ♥σ u⟧_c of the formula µu. ♥σ u in the system c.

Concrete examples are in §III-B. Another standard categorical modeling of a modality (see e.g. [19]) is by a predicate lifting,
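The two proof methods sketched in §I-A can be checked mechanically on the paper's own examples. The following Python is an added illustration, not code from the paper: it encodes the two-player game of figure (2) using only the edges the text names (x2 demonic, x1 accepting) and the PTS of figure (3) with the 1/2 labels of the figure, then checks conditions (i)/(ii) for the ranking function b given in the text and the ε-additive condition for a candidate b′ (the value b′ = [x0 ↦ 2, x1 ↦ 0] and ε = 1 are constructed here). It also plays the game against a worst-case demonic player to show that b(x0) = 5 really bounds the number of steps, which is the soundness argument of the text made concrete.

```python
from fractions import Fraction
from math import inf

# Two-player game constructed from figure (2): edges named in the text,
# x2 is the demonic state, x1 the accepting state.
GAME_SUCC = {
    "x0": {"x2"}, "x1": set(), "x2": {"x3", "x4"},
    "x3": {"x1"}, "x4": {"x5"}, "x5": {"x3"},
}
GAME_DEMONIC = {"x2"}
GAME_ACC = {"x1"}
# The ranking function b from the text (inf would stand for the ∞ of N∞).
GAME_B = {"x0": 5, "x1": 0, "x2": 4, "x3": 1, "x4": 3, "x5": 2}


def ranking_function_violations(succ, demonic, acc, b):
    """Conditions (i) and (ii) of the text: angelic states need SOME successor
    with b(x) >= b(x')+1, demonic states need it for ALL successors.
    Returns the non-accepting states where the condition fails ([] = valid)."""
    bad = []
    for x, nxt in succ.items():
        if x in acc:
            continue
        decreases = [b[x] >= b[y] + 1 for y in nxt]  # inf >= inf+1 holds, as in N∞
        ok = all(decreases) if x in demonic else any(decreases)
        if not ok:
            bad.append(x)
    return sorted(bad)


def worst_case_play(succ, demonic, acc, b, start):
    """Soundness made concrete, assuming b is a ranking function: the angelic
    player moves to a successor with the smallest b, the demonic player to one
    with the largest b.  Since b strictly decreases along the path, the play
    reaches an accepting state within b(start) steps."""
    if b[start] == inf:
        raise ValueError(f"b({start}) = ∞: the ranking function gives no guarantee")
    path, x = [start], start
    while x not in acc:
        pick = max if x in demonic else min
        x = pick(succ[x], key=lambda y: (b[y], y))  # deterministic tie-break by name
        path.append(x)
    return path


# PTS constructed from figure (3): x0 loops or moves to x1, each with
# probability 1/2; the accepting state x1 is absorbing.
PTS_PROB = {
    "x0": {"x0": Fraction(1, 2), "x1": Fraction(1, 2)},
    "x1": {"x1": Fraction(1)},
}
PTS_ACC = {"x1"}
PTS_B = {"x0": 2, "x1": 0}  # constructed candidate b′


def supermartingale_violations(prob, acc, b, eps):
    """The ε-additive condition of the text: for every non-accepting x,
    b′(x) >= Σ_{x′} Prob(x→x′)·b′(x′) + ε.  Returns the states where it fails."""
    bad = []
    for x, dist in prob.items():
        if x in acc:
            continue
        expected_next = sum(p * b[y] for y, p in dist.items())
        if not b[x] >= expected_next + eps:
            bad.append(x)
    return sorted(bad)


if __name__ == "__main__":
    print("ranking function violations:", ranking_function_violations(GAME_SUCC, GAME_DEMONIC, GAME_ACC, GAME_B))
    print("worst-case play from x0:", worst_case_play(GAME_SUCC, GAME_DEMONIC, GAME_ACC, GAME_B, "x0"))
    print("supermartingale violations (eps=1):", supermartingale_violations(PTS_PROB, PTS_ACC, PTS_B, 1))
```

Against the worst-case demonic choice at x2 (which picks x4, the successor with the larger b), the play is x0 → x2 → x4 → x5 → x3 → x1: exactly b(x0) = 5 steps, so the bound is tight on this game. For the PTS, b′(x0) = 2 with ε = 1 gives the bound b′(x0)/ε = 2 on the expected number of steps, and the check fails as soon as ε is raised to 2, showing that ε is part of the certificate rather than a free parameter.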
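The bullet list in §I-B.2 defines Φ_{c,σ}(u) as the composite σ ∘ Fu ∘ c and the liveness property as its least fixed point µσ_c. The following Python is an added example (not the paper's code, and not the paper's Example III.4, which is not on this page) that computes that least fixed point by Kleene iteration over Ω = {0, 1}, for the two-player-game functor F X = P²(X) × {0, 1} of Fig. 1. The encoding of figure (2) is an assumption made here: an angelic state's successors become a set of singletons, and the demonic state x2 becomes the single inner set {x3, x4}, so that the F-algebra σ(S, a) = a ∨ ∃T ∈ S. ∀y ∈ T. y reads "accepting, or the angelic player can pick a set all of whose demonic outcomes are good". A sink state x6 with a self-loop is added (constructed) to show why the least and not the greatest fixed point is the right reading of reachability.

```python
from itertools import count

# F X = P(P(X)) × {0,1}: each state maps to a set of sets of successors plus
# an accepting flag.  Encoding of figure (2) as explained in the lead-in;
# x6 is a constructed non-accepting sink with a self-loop.
C = {
    "x0": (frozenset({frozenset({"x2"})}), False),
    "x1": (frozenset(), True),
    "x2": (frozenset({frozenset({"x3", "x4"})}), False),  # demonic choice inside the inner set
    "x3": (frozenset({frozenset({"x1"})}), False),
    "x4": (frozenset({frozenset({"x5"})}), False),
    "x5": (frozenset({frozenset({"x3"})}), False),
    "x6": (frozenset({frozenset({"x6"})}), False),
}


def F_u(u, fx):
    """F u : F X -> F Ω, the functor applied to the property u (a dict X -> bool):
    u is applied inside the nested sets and the accepting flag is kept."""
    sets, flag = fx
    return (frozenset(frozenset(u[y] for y in t) for t in sets), flag)


def sigma(f_omega):
    """Assumed F-algebra σ : F Ω -> Ω for the reachability modality:
    accepting, or some angelic choice all of whose demonic outcomes hold."""
    sets, flag = f_omega
    return flag or any(all(t) for t in sets)


def phi(c, u):
    """Φ_{c,σ}(u) = σ ∘ F u ∘ c, computed pointwise on the finite state space."""
    return {x: sigma(F_u(u, c[x])) for x in c}


def fixed_point_from(c, start):
    """Iterate Φ_{c,σ} from a given property until it stops changing.  Φ is
    monotone and X is finite, so this reaches the least fixed point from the
    all-false property and the greatest one from the all-true property."""
    u = start
    while True:
        v = phi(c, u)
        if v == u:
            return u
        u = v


def lfp(c):
    return fixed_point_from(c, {x: False for x in c})


def gfp(c):
    return fixed_point_from(c, {x: True for x in c})


def lfp_stages(c):
    """Like lfp, but records the iteration at which each state first becomes
    true (None if it never does); this is the stage of the approximation chain
    ⊥ ⊑ Φ(⊥) ⊑ Φ²(⊥) ⊑ ... at which the state is proven live."""
    u = {x: False for x in c}
    stage = {x: None for x in c}
    for n in count(1):
        v = phi(c, u)
        for x in c:
            if v[x] and stage[x] is None:
                stage[x] = n
        if v == u:
            return stage
        u = v


if __name__ == "__main__":
    print("least fixed point:   ", lfp(C))
    print("greatest fixed point:", gfp(C))
    print("first-true stages:   ", lfp_stages(C))
```

Two things are visible in the result. The greatest fixed point marks x6 as satisfying the property because its self-loop never contradicts "good eventually", whereas the least fixed point correctly rejects it; this is the "least fixed-point property" the text identifies liveness with. And on the states of figure (2), the stage at which a state first becomes true is exactly b(x) + 1 for the ranking function b of §I-A (x1 at stage 1, x3 at 2, x5 at 3, x4 at 4, x2 at 5, x0 at 6), which is the well-foundedness argument seen from the fixed-point side.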