On Modal Refinement and Consistency

Almost 20 years after the original conception, we revisit several fundamental questions about modal transition systems. First, we demonstrate the incompleteness of the standard modal refinement using a counterexample due to Hüttel. Deciding any refinement, complete with respect to the standard notions of implementation, is shown to be computationally hard (co-NP hard). Second, we consider four forms of consistency (existence of implementations) for modal specifications. We characterize each operationally, giving algorithms for deciding, and for synthesizing implementations, together with their complexities. 1 Background and Overview Modal transition systems (MTSs) are a generalization of labeled transition systems (LTSs). Similarly to LTSs modal transition systems use labeled transitions between states to model behaviors. Unlike LTSs, they distinguish allowed and required behaviors (overand under-approximations), which makes them a suitable semantic model for abstraction in program analysis and verification. MTSs, originally introduced by Larsen and Thomsen almost 20 years ago [1], have since been applied in program analysis [2, 3], model checking [4, 5], verification [6, 7], equation solving [8], interface theories [9], software product lines [9, 10] and model merging [11, 12]. Foundational work on modal transition systems included extensions to modal hybrid systems [13], timed modal specifications [14–16] and variants of disjunctive MTSs [8, 17, 18]. Surprisingly though, several fundamental questions about the theory of MTSs have never been addressed. Refinement relations for modal transition systems are defined contravariantly. If S refines T then all allowed behaviors of S need to be allowed in T , while all required behaviors of T need also be required by S. An implementation is an MTS that has been completely specified, i.e. all its allowed behavior is also required, leaving no further choice for refinement. One fundamental issue for a modal refinement is to see whether it characterizes the inclusion of implementation sets thoroughly: can one for an MTS S refining an MTS T imply that all implementations of S are also implementations of T ? And vice-versa? Standard modal refinement is sound, but not complete in this sense. Meaning that here exist MTSs for which implementation inclusion holds, but which do not refine each other. We show that deciding any sound and complete refinement, preserving the set of implementations of standard modal refinement or weak modal refinement is co-NP hard. We conjecture the same for may-weak modal refinement [9] and branching refinement [10]. Modal transition systems of [1] are syntactically consistent, meaning that any required transition must also be allowed. This effectively disallows reasoning about inconsistencies, which is necessary for proper treatment of logical connectives in the context of modal transition systems (for example one would like to be able to express a modal transition system expressing a conjunction of two other MTSs that represent contradictory specifications). On the other hand, in [9], we have observed that other, more behavioral, notions of consistency might be useful. We have shown that systems that are observationally consistent with respect to some set of hidden actions, can be decomposed using parallel decomposition. We used this observation to build a product line theory in which modal transition systems play the role of behavioral variability models. We believe that consistency should be decoupled from the basic definition of a modal transition system. In our opinion understanding a notion of consistency requires relating it to a notion of satisfiability, as typically done in logics. For example: a propositional formula is consistent if there exists a truth assignment on which the formula evaluates to true. In our context, modal transition systems play the role of formulæ, truth assignments are concrete implementations, and a refinement preorder is our satisfaction relation. Consequently, instead of proposing ad hoc criteria for consistency, we define consistency of a specification semantically as existence of a concrete implementation refining it. Altogether we discuss four modal refinements and their induced consistencies. For each of these we define consistency semantically and find a computable criterion (a consistency relation) for deciding it. Then we study the complexity of consistency and the criterion. The results are summarized in Table 1. Our choice of refinements and consistencies for this study is driven by existing work. We choose one known consistency (syntactic consistency) that have not been characterized using a refinement, and three known refinements (strong, may-weak and weak modal refinement) for which the related notions of consistency had never been formulated. However, we believe that consistency is not only of theoretical interest. Inconsistencies in specifications typically indicate modeling errors and thus procedures for detecting them find use in tools. The contents of this paper are: the definition of modal transition systems and their refinement (Section 2), complexity analysis of completeness of this refinement (Section 3), a discussion of consistency notions induced by four modal refinements (Sections 4–7), a summary and a list of open problems (Section 8). Table 1. Summary of consistency-related results. Modal refinement Consistency Lower bound Upper bound Section syntactic syntactic consistency [1] linear time linear time 4 strong [1] strong consistency NP-hard exponential time 5 weak [19] weak consistency NP-hard exponential time 6 may-weak [9] may-weak consistency NP-hard exponential time 7 2 Modal Transition Systems We introduce the basics following Larsen and Thomsen [1]. Assume a global set of actions act and write act τ for act ∪ {τ}, where τ is a distinct internal action, such that τ / ∈ act. A modal transition system is a triple S = (statesS ,−−→ , 99K), where statesS is a set of states, also known as specifications [1] or processes. Then −−→ ⊆ statesS × act τ × statesS is a must-transition relation representing required transitions, and 99K ⊆ statesS × act τ × statesS is a may-transition relation representing allowed transitions. In general the sets of states and transitions may be infinite, but we restrict ourselves to finite state systems with finite sets of actions in this paper. For simplicity we write s a −→s iff (s, a, s) ∈ −−→ , and s a 99Ks iff (s, a, s) ∈ 99K . Larsen and Thomsen originally designed modal transition systems to be syntactically consistent meaning that all required transitions are also allowed: −−→ ⊆ 99K . Already in [14] Larsen lifts this restriction, with the argument that any sufficiently expressive specification language needs to be able to specify inconsistent specifications. This means that our transition systems are very much like mixed transition systems of Dams [20]. In Section 3 we follow the syntactic consistency requirement, while we relax it in later sections, generalizing the notion of consistency to strong and weak behavioral preorders. Regardless whether the consistency assumption is in place or not, we always separate the two transition relations explicitly to avoid confusion. A solid arrow represents just a must transition, without the possible related may transition. We draw both arrows when talking about a syntactically consistent must transition. A modal transition system I is an implementation when the two transition relations coincide, −−→ = 99K . We use capital I to denote implementations and always state explicitly whenever a modal transition system is an implementation. The following is the standard notion of strong refinement for modal transition systems introduced in [1] and generally accepted ever since: Definition 1 (Modal Refinement). For a pair of modal transition systems S and T a binary relation R ⊆ statesS × statesT is a modal refinement between states of S and T iff for all (s, t) ∈ R and all actions a it holds that: for all t ∈ statesT such that t a −→ t there exists an s ∈ statesS such that s a −→s and (s, t) ∈ R, for all s ∈ statesS such that s a 99K s there exists a t ∈ statesT such that t a 99K T t and (s, t) ∈ R. We say that a state s ∈ statesS refines a state t ∈ statesT , written s ≤m t, iff there exists a modal refinement containing (s, t). If −−→ = ∅ then this refinement collapses to regular simulation [21, 22], while it coincides with bisimulation equivalence [23, 24] if S and T are implementations. 3 Non-thoroughness of Modal Refinement Already in the eighties there have been rumors of modal refinement being incomplete. However we were unable to find a published account of this fact, so we decided to include it here. We shall now define what we mean by completeness, proceeding to a counterexample witnessing the incompleteness of modal refinement. After this brief introduction we move to the first contribution of the paper: a discussion of the complexity class of a hypothetical complete refinement. For a state s ∈ statesS let JS, sK denote