
Synthesising correct concurrent runtime monitors

Published in: Formal Methods in System Design

Abstract

This paper studies the correctness of automated synthesis for concurrent monitors. We adapt a subset of the Hennessy–Milner logic with recursion (a reformulation of the modal \(\mu \)-calculus) to specify safety properties for Erlang programs. We also define an automated translation from formulas in this sub-logic to concurrent Erlang monitors that detect formula violations at runtime. Subsequently, we formalise a novel definition for monitor correctness that incorporates monitor behaviour when instrumented with the program being monitored. Finally, we devise a sound technique that allows us to prove monitor correctness in stages; this technique is used to prove the correctness of our automated monitor synthesis.


Notes

  1. Due to \({\textsf {exit}}\) exceptions, variable bindings, \(x \,{\textsf {=}}\, e {\textsf {,}}\,d \) cannot be encoded as function applications, \( \uplambda x.d (e)\).

  2. In our formalisation, expressions are not allowed to evaluate under a spawn context, \({\textsf {spw}}\, [-] \); this aspect differs from standard Erlang semantics but allows a lightweight description of function application spawning. An adjustment in line with the actual Erlang spawning would be straightforward.

  3. Note that we do not show that sHML captures all the safety properties expressible in HML with recursion, and there are in fact other formulas that specify safety properties, such as \({\textsf {tt}}\).

  4. Due to asynchronous communication, even scoped actors can produce visible actions by sending messages to environment actors.

  5. One potential disadvantage of splitting formulas is that of increasing communication amongst monitors.

  6. In guarded sHML formulas, variables appear only as a sub-formula of a necessity formula.

  7. We elevate \({{\mathrm{tr}}}\) to basic action sequences \(s\) in pointwise fashion, \({{\mathrm{tr}}}(s)\), where \({{\mathrm{tr}}}(\epsilon )=\epsilon \).

References

  1. Aceto L, Ingólfsdóttir A (1999) Testing Hennessy–Milner logic with recursion. In: FoSSaCS’99. Springer, pp 41–55

  2. Aceto L, Ingólfsdóttir A, Larsen KG, Srba J (2007) Reactive systems: modelling, specification and verification. Cambridge University Press, New York

  3. Armstrong J (2007) Programming Erlang. The Pragmatic Bookshelf, Armstrong

  4. Bauer A, Falcone Y (2012) Decentralised LTL monitoring. In: Giannakopoulou D, Méry D (eds) FM. LNCS, vol 7436. Springer, pp 85–100

  5. Bauer A, Leucker M, Schallhart C (2011) Runtime verification for LTL and TLTL. ACM Trans Softw Eng Methodol 20:14:1–14:64

  6. Bocchi L, Chen T-C, Demangeon R, Honda K, Yoshida N (2013) Monitoring networks through multiparty session types. In: FMOODS/FORTE 2013. LNCS, vol 7892. Springer, pp 50–65

  7. Cao T-D, Phan-Quang T-T, Felix P, Castanet R (2010) Automated runtime verification for web services. In: ICWS. IEEE, pp 76–82

  8. Carlsson R (2001) An introduction to Core Erlang. In: PLI’01 (Erlang Workshop)

  9. Cassar I, Francalanza A (2014) On synchronous and asynchronous monitor instrumentation for actor-based systems. In: FOCLASA, EPTCS (to appear)

  10. Cerone A, Hennessy M (2010) Process behaviour: formulae vs. tests. In: EXPRESS’10. EPTCS, vol 41, pp 31–45

  11. Cesarini F, Thompson S (2009) Erlang programming. O’Reilly, Sebastopol

  12. Chang E, Manna Z, Pnueli A (1992) Characterization of temporal property classes. In: ALP. LNCS, vol 623. Springer-Verlag, pp 474–486

  13. Clarke E Jr, Grumberg O, Peled D (1999) Model checking. MIT Press, Cambridge

  14. Colombo C, Francalanza A, Gatt R (2011) Elarva: a monitoring tool for Erlang. In: RV. LNCS, vol 7186. Springer, pp 370–374

  15. Colombo C, Francalanza A, Grima I (2012) Simplifying contract-violating traces. In: FLACOS. EPTCS, vol 94, pp 11–20

  16. Colombo C, Francalanza A, Mizzi R, Pace GJ (2012) polyLarva: runtime verification with configurable resource-aware monitoring boundaries. In: SEFM, pp 218–232

  17. D’Angelo B, Sankaranarayanan S, Sánchez C, Robinson W, Finkbeiner B, Sipma HB, Mehrotra S, Manna Z (2005) Lola: runtime monitoring of synchronous systems. In: TIME. IEEE

  18. Falcone Y, Jaber M, Nguyen T-H, Bozga M, Bensalem S (2011) Runtime verification of component-based systems. In: SEFM. LNCS, vol 7041. Springer, pp 204–220

  19. Francalanza A, Seychell A (2013) Synthesising correct concurrent runtime monitors in Erlang. Technical Report CS2013-01, University of Malta. https://www.cs.um.edu.mt/svrg/papers.html. Accessed Jan

  20. Francalanza A, Gauci A, Pace GJ (2013) Distributed system contract monitoring. JLAP 82(5–7):186–215

  21. Francalanza A, Seychell A, Cassar I. DetectEr. https://bitbucket.org/casian/detecter2.0

  22. Fredlund L-Å (2001) A framework for reasoning about Erlang code. PhD thesis, Royal Institute of Technology, Stockholm, Sweden

  23. Geilen M (2001) On the construction of monitors for temporal logic properties. ENTCS 55(2):181–199

  24. Hennessy M (2008) A distributed pi-calculus. Cambridge University Press, Cambridge

  25. Hennessy M, Milner R (1985) Algebraic laws for nondeterminism and concurrency. J ACM 32(1):137–161

  26. Hewitt C, Bishop P, Steiger R (1973) A universal modular actor formalism for artificial intelligence. In: IJCAI. Morgan Kaufmann, pp 235–245

  27. Kozen D (1983) Results on the propositional \(\mu \)-calculus. TCS 27:333–354

  28. Manna Z, Pnueli A (1990) A hierarchy of temporal properties (invited paper, 1989). In: PODC. ACM, pp 377–410

  29. Meredith PO, Jin D, Griffith D, Chen F, Rosu G (2012) An overview of the MOP runtime verification framework. STTT 14(3):249–289

  30. Milner R (1989) Communication and concurrency. Prentice-Hall Inc, Upper Saddle River

  31. Milner R, Parrow J, Walker D (1993) Modal logics for mobile processes. TCS 114:149–171

  32. Nicola RD, Hennessy MCB (1984) Testing equivalences for processes. TCS, pp 83–133

  33. Rensink A, Vogler W (2007) Fair testing. Inf Comput 205(2):125–198

  34. Sen K, Rosu G, Agha G (2004) Generating optimal linear temporal logic monitors by coinduction. In: ASIAN. LNCS, vol 2896. Springer-Verlag, pp 260–275

  35. Sen K, Vardhan A, Agha G, Roşu G (2004) Efficient decentralized monitoring of safety in distributed systems. In: ICSE, pp 418–427

  36. Svensson H, Fredlund L-Å, Benac Earle C (2010) A unified semantics for future Erlang. In: Erlang Workshop. ACM, pp 23–32


Acknowledgments

The research work disclosed in this publication is partially funded by the Strategic Educational Pathways Scholarship Scheme (Malta). The scholarship is part-financed by the European Union European Social Fund.


Corresponding author

Correspondence to Adrian Francalanza.

Auxiliary proofs

For the proofs in Sect. 7, we find it convenient to prove a technical result, Lemma 11, identifying the possible structures a monitor can be in after an arbitrary number of silent actions; the lemma also establishes that the only external action a synthesised monitor can perform is the fail action. This property helps us to reason about the possible interactions that concurrent monitors may engage in.

Lemma 11

(Monitor Transitions and Structure) For all \(\varphi \in {\textsc {sHML}}\), \(q \in (\textsc {Val})^*\) and \(\theta : \textsc {LVar} \rightharpoonup {\textsc {sHML}} \), if \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^n A \) then

  1. \(A \xrightarrow {\;\;\alpha \;\;} B \) implies \(\alpha = {\textsf {{fail}}} {\textsf {!}} \), and

  2. \(A \) has the form \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) or, depending on \(\varphi \):

    • \(\varphi = {\textsf {ff}} \): \(A \equiv i {\textsf {[}} {\textsf {{fail}}} {\textsf {!}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) or \(A \equiv i {\textsf {[}} {\textsf {fail}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\)

    • \(\varphi = \mathbf {[}\alpha \mathbf {]}\psi \): \(A \equiv i {\textsf {[}} {\textsf {rcv}}\, \left( {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}} \right) \,{\textsf {end}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\), or \(A \equiv B \) where \(i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^k B \) for some \(k< n\) and \(q ={{\mathrm{tr}}}(\alpha )\mathop {:}r \), or \(A \equiv i {\textsf {[}} {\textsf {ok}} \,\triangleleft \, r {\textsf {]}}_{}^{\bullet }\) where \(q =u \mathop {:}r \)

    • \(\varphi = \varphi _1 \mathbf {\wedge } \varphi _2 \): \(A \equiv i \;{\left[ \begin{array}{l} {\textit{y}} _1 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\bigr ) {\textsf {,}}\, \\ \;\;{\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2) \end{array} \,\triangleleft \, q \right] }_{}^{\bullet }\), or

      • \(A \equiv (\upnu \, j _1) \left( \; i {\textsf {[}} e \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \;\right) \) where

        - \(e\) is \({\textit{y}} _1 \,{\textsf {=}}\, j _1{\textsf {,}}\,{\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2)\) or \({\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \left( [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\right) {\textsf {,}}\, {\textsf {fork}}(j _1,{\textit{y}} _2)\)

        - \(j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \) for some \(k< n\)

      • or \(A \equiv (\upnu \, j _1,j _2) \left( \; \begin{array}{l} i {\textsf {[}} {\textit{y}} _2 \,{\textsf {=}}\, j _2{\textsf {,}}\, {\textsf {fork}}(j _1,{\textit{y}} _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\\ \parallel \; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \;\parallel \; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array} \;\right) \) where

        - \(j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \) for some \(k< n\)

        - \(j _2{\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \;(\xrightarrow {\;\tau \;})^l\; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \parallel C) \) for some \(l< n\)

      • or \(A \!\equiv \!(\upnu \, j _1,j _2) \left( \; i {\textsf {[}} e \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \;\parallel \; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \!\parallel \! C) \right) \) where

        - \(e\) is either \( {\textsf {fork}}(j _1, j _2)\) or \(\bigl ({\textsf {rcv}}\, {\textit{z}} \,{{\rightarrow }}\, j _1 {\textsf {!}} {\textit{z}} {\textsf {,}}\,j _2 {\textsf {!}} {\textit{z}} \,{\textsf {end}}{\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \bigr )\) or \(j _1 {\textsf {!}} u {\textsf {,}}\,j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2)\) or \(j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2)\)

        - \(j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \) for \(k< n\), \(q _1 < q \)

        - \(j _2{\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^l\; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \) for \(l< n\), \(q _2 < q \)

    • \(\varphi = X \): \(A \equiv i {\textsf {[}} y \,{\textsf {=}}\, {\textsf {lookUp}}('X ', {{\mathrm{enc}}}(\theta ')){\textsf {,}}\, y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) where \(\theta ' < \theta \), or

      • \(A \equiv i \;{\left[ y \,{\textsf {=}}\, \left( \begin{aligned} {\textsf {case}}\; {{\mathrm{enc}}}(\theta ') \;{\textsf {of}}\;&\{ 'X ', {\textit{z}} _{mon} \}\mathop {:} \_ \,{{\rightarrow }}\, {\textit{z}} _{mon} ; \\&\_ \mathop {:} {\textit{z}} _{tl} \,{{\rightarrow }}\, {\textsf {lookUp}}('X ', {\textit{z}} _{tl}) ; \\&{\textsf {nil}} \,{{\rightarrow }}\, {\textsf {exit}}; \\ {\textsf {end}}\end{aligned} \right) {\textsf {,}}\,\;\; y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q \right] }_{}^{\bullet }\) where \(\theta ' < \theta \), or

      • \(A \equiv B \) where \(i {\textsf {[}} y \,{\textsf {=}}\, [\![\psi ]\!]^\mathbf {m}{\textsf {,}}\, y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; B \) and \(\theta (X) = \psi \), or

      • \(A \equiv i {\textsf {[}} y \,{\textsf {=}}\, {\textsf {exit}}{\textsf {,}}\, y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) or \(A \equiv i {\textsf {[}} {\textsf {exit}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\)

    • \(\varphi ={\textsf {max}}\mathbf {(}X,\psi \mathbf {)} \): \(A \equiv B \) where \(i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}({\textsf {\{}}'X',[\![\psi ]\!]^\mathbf {m}{\textsf {\}}}\mathop {:}{{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^k B \) for some \(k < n\).

Proof

The proof is by strong induction on \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^n A \). The inductive case involves a long and tedious case analysis exhausting all possibilities. \(\square \)
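The monitor shapes enumerated in Lemma 11 can be read as an executable synthesis: each formula constructor becomes an actor with a mailbox, conjunctions spawn two children and forward every received action to both, and a violation is reported by the fail action. The Python model below is an added illustration, not the paper's Erlang synthesis or DetectEr code; the tuple encoding of sHML, the use of threads and queues for actors, and the sample property and traces are all assumptions made here.

```python
import queue
import threading


def lookup(x, env):
    """lookUp('X', enc(theta)): the first binding of X in the environment list.

    The synthesised Erlang monitor exits when X is unbound; here that is an error.
    """
    for name, psi in env:
        if name == x:
            return psi
    raise KeyError(f"unbound formula variable {x}")


class MonitorRun:
    """One run of the synthesised monitors over a single finite trace.

    Formulas are tuples (constructed encoding, not the paper's): ('ff',),
    ('nec', action, psi), ('and', phi1, phi2), ('var', 'X'), ('max', 'X', psi).
    Actions are plain strings, standing in for tr(alpha).
    """

    def __init__(self):
        self.threads = []
        self.detected = threading.Event()  # set when some monitor performs fail!

    def spawn(self, formula, env):
        """spw([[formula]]^m(enc(theta))): a fresh actor with an empty mailbox."""
        mailbox = queue.Queue()
        t = threading.Thread(target=self.monitor, args=(formula, env, mailbox))
        self.threads.append(t)
        t.start()
        return mailbox

    def monitor(self, formula, env, mailbox):
        while True:
            kind = formula[0]
            if kind == "ff":
                self.detected.set()  # fail!: violation witnessed, monitor stops
                return
            if kind == "max":
                _, x, psi = formula
                env = [(x, psi)] + env  # {'X', [[psi]]^m} : enc(theta)
                formula = psi
            elif kind == "var":
                formula = lookup(formula[1], env)  # y = lookUp('X', enc(theta)), y(..)
            elif kind == "nec":
                _, alpha, psi = formula
                msg = mailbox.get()  # rcv (tr(alpha) -> [[psi]]^m ; _ -> ok) end
                if msg is None or msg != alpha:
                    return  # ok: a [alpha]psi monitor is silent on other actions
                formula = psi
            elif kind == "and":
                _, phi1, phi2 = formula
                y1 = self.spawn(phi1, env)
                y2 = self.spawn(phi2, env)
                while True:  # fork(y1, y2): relay every message to both children
                    msg = mailbox.get()
                    y1.put(msg)
                    y2.put(msg)
                    if msg is None:
                        return
            else:
                raise ValueError(f"unknown formula constructor {kind!r}")


def run_monitor(formula, trace):
    """Play a finite trace into the root monitor (the role of mLoop) and report
    whether any synthesised monitor performed fail!."""
    run = MonitorRun()
    root = run.spawn(formula, [])
    for action in trace:
        root.put(action)
    root.put(None)  # end of trace; lets every waiting monitor terminate
    i = 0
    while i < len(run.threads):  # conjunctions append threads while we join
        run.threads[i].join()
        i += 1
    return run.detected.is_set()


# Constructed sample property: max X.[req]([err]ff and X), i.e. along a run of
# consecutive req actions, an err right after a req is a violation.
NO_ERR_AFTER_REQ = (
    "max", "X",
    ("nec", "req", ("and", ("nec", "err", ("ff",)), ("var", "X"))),
)

if __name__ == "__main__":
    print(run_monitor(NO_ERR_AFTER_REQ, ["req", "req", "err"]))  # True
    print(run_monitor(NO_ERR_AFTER_REQ, ["req", "ok", "req", "err"]))  # False
```

The second trace is not flagged because the necessity monitor for req reports ok on the ok action and spawns nothing further, matching the \(\varphi = \mathbf {[}\alpha \mathbf {]}\psi \) shape of the lemma.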

1.1 Proofs for establishing violation detection

Lemma 13 uses Lemma 12, which relates possible detections by monitors synthesised from subformulas to possible detections by monitors synthesised from conjunctions of these subformulas.

Lemma 12

For an arbitrary \(\theta \), \((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} }\;\) implies \((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \;\) for any \(\varphi _2 \in {\textsc {sHML}} \).

Proof

By Definition 7, we know that we can derive the sequence of reductions

$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\\&\qquad \ (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel (\upnu \, j,h) \bigl (i {\textsf {[}} {\textsf {fork}}(j,h) {\textsf {]}}^{\bullet }\parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet }\bigr ) \bigr ) \end{aligned}$$

We then prove, by induction on the structure of \(s\), the following (see [19] for details):

$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{\bullet } \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} }\quad \text {implies}\\&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel \\ (\upnu \, j,h) \bigl (i {\textsf {[}} {\textsf {fork}}(j,h) {\textsf {]}}^{\bullet }\parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\bigr ) \end{array}\right) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$

\(\square \)

Lemma 13

If \(A, s \models _{\text {v}}\varphi \theta \) and \(l _{\text {env}}= {{\mathrm{enc}}}(\theta )\) then

$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\;{\textsf {{fail}}} {\textsf {!}} \;}. \end{aligned}$$

Proof

Proof by rule induction on \(A, s \models _{\text {v}}\varphi \theta \):

  • \(A, s \models _{\text {v}}{\textsf {ff}} \theta \): Using Definition 7 for the definition of \([\![{\textsf {ff}} ]\!]^\mathbf {m}\) and the rule \(\textsc {App}\) (and \(\textsc {Par}\) and \(\textsc {Scp}\)), we have

    $$\begin{aligned}&(\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {ff}} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }) \\&\quad \mathop {\Longrightarrow }\limits ^{\quad } (\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} {\textsf {{fail}}} {\textsf {!}} {\textsf {]}}^{\bullet }) \end{aligned}$$

    The result follows trivially, since the process \(i \) can transition with a \({\textsf {{fail}}} {\textsf {!}} \) action in a single step using the rule \(\textsc {SndU}\).

  • \(A, s \models _{\text {v}}(\varphi _1 \mathbf {\wedge } \varphi _2)\theta \) because \(A, s \models _{\text {v}}\varphi _1\theta \): By \(A, s \models _{\text {v}}\varphi _1\theta \) and I.H. we have

    $$\begin{aligned}&(\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$

    The result thus follows from Lemma 12, which allows us to conclude that

    $$\begin{aligned} (\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$
  • \(A, s \models _{\text {v}}(\varphi _1 \mathbf {\wedge } \varphi _2)\theta \) because \(A, s \models _{\text {v}}\varphi _2\theta \): Analogous.

  • \(A, s \models _{\text {v}}(\mathbf {[}\alpha \mathbf {]}\varphi )\theta \) because \(s =\alpha t , A \mathop {\Longrightarrow }\limits ^{\;\alpha \,\;} B \text { and } B, t \models _{\text {v}}\varphi \theta \): Using the rules \(\textsc {App}\) and \(\textsc {Scp}\) together with Definition 7 for the property \(\mathbf {[}\alpha \mathbf {]}\varphi \), we derive (37); by executing mLoop (see Definition 7) we obtain (38); and then by rule Rd1 we derive (39) below.

    $$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(\alpha t) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$
    (37)
    $$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(\alpha t ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} {\textsf {rcv}}\, ({{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}}) \,{\textsf {end}} {\textsf {]}}^{\bullet } \bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\end{aligned}$$
    (38)
    $$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} {\textsf {rcv}}\, ({{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}}) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(\alpha ) {\textsf {]}}_{}^{\bullet } \bigr ) \xrightarrow {\;\;\tau \;\;}\\&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \bigr ) \nonumber \end{aligned}$$
    (39)

    By \(B, t \models _{\text {v}}\varphi \theta \) and I.H. we obtain

    $$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$

    and, thus, the result follows by (37), (38) and (39).

  • \(A, s \models _{\text {v}}({\textsf {max}}\mathbf {(}X,\varphi \mathbf {)})\theta \) because \(A, s \models _{\text {v}}\varphi \{{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}/X \}\theta \): By Definition 7 and \(\textsc {App}\) for process \(i \), we derive

    $$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\nonumber \\ \qquad (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({\textsf {\{}} 'X ', [\![\varphi ]\!]^\mathbf {m} {\textsf {\}}}\mathop {:}l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \end{aligned}$$
    (40)

    Assuming the appropriate \(\alpha \)-conversion for \(X \) in \({\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}\), we note that from \(l _{\text {env}}= {{\mathrm{enc}}}(\theta )\) and Definition 8 we obtain

    $$\begin{aligned} {{\mathrm{enc}}}(\{{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}/X \}\theta ) = {\textsf {\{}} 'X ', [\![\varphi ]\!]^\mathbf {m} {\textsf {\}}}\mathop {:}l _{\text {env}} \end{aligned}$$
    (41)

    By \(A, s \models _{\text {v}}\varphi \{{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}/X \}\theta \), (41) and I.H. we obtain

    $$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({\textsf {\{}} 'X ', [\![\varphi ]\!]^\mathbf {m} {\textsf {\}}}\mathop {:}l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$
    (42)

    The result follows from (40) and (42). \(\square \)

Lemma 16 relies on a technical result, Lemma 15, which allows us to recover a violating reduction sequence for a subformula \(\varphi _1\) or \(\varphi _2\) from that of the synthesised monitor of the conjunction formula \(\varphi _1 \mathbf {\wedge } \varphi _2\). Lemma 15, in turn, relies on Lemma 14.

Lemma 14

For some \(l\le n\):

$$\begin{aligned} (\upnu \, j,h) \left( i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, q _{\text {frk}} \right] }_{}^{\bullet }\parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \right) (\xrightarrow {\;\;\tau \;\;})^n {\mathop {\longrightarrow }^{\textsf {fail!}}}\\ \text {implies}\quad (\upnu \, j) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (j) \,\triangleleft \, q _{\text {frk}} {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\ \text {or}\quad (\upnu \, h) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (h) \,\triangleleft \, q _{\text {frk}} {\textsf {]}}_{}^{*} \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

Proof

By induction on the structure of the mailbox \(q _{\text {frk}}\) at actor \(i\). \(\square \)

Lemma 15

For some \(l \le n\)

$$\begin{aligned}&(\upnu \, i) \left( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \right) \\&\qquad (\xrightarrow {\;\;\tau \;\;})^k{\mathop {\longrightarrow }^{\textsf {fail!}}}\\&\quad \text {implies}\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\&\quad \text {or}\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

Proof

Proof by induction on the structure of \(s \).

  • \(s =\epsilon \): From the structure of mLoop, we know that after the function application, the actor \(i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) {\textsf {]}}^{*}\) is stuck. Thus we conclude that it must be the case that

    $$\begin{aligned} (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^k{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

    where \(k=n\) or \(k=n-1\). In either case, the required result follows from Lemma 14.

  • \(s =\alpha s '\): We have two subcases:

    • If

      $$\begin{aligned} (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array} \right) (\xrightarrow {\;\;\tau \;\;})^k{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      for some \(k\le n\), then by Lemma 14 we obtain

      $$\begin{aligned} (\upnu \, j) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (j) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\ \text {or}\quad (\upnu \, h) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (h) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      for some \(l\le k\). By Lemma 8 we thus obtain

      $$\begin{aligned} (\upnu \, j) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (j) \,\triangleleft \, {{\mathrm{tr}}}(t s) {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\ \text {or}\quad (\upnu \, h) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (h) \,\triangleleft \, {{\mathrm{tr}}}(t s) {\textsf {]}}_{}^{*} \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      as required.

    • Otherwise, it must be the case that

      $$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^k\end{aligned}$$
      (43)
      $$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s ') {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( i \;{\left[ e _{\text {fork}} \,\triangleleft \, q \mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet } \parallel A \right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{n-k} {\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$
      (44)

      for some \(k=3+k_1\) where

      $$\begin{aligned} \begin{aligned}&(\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_1}\\&(\upnu \, j,h) \left( i \;{\left[ e _{\text {fork}} \,\triangleleft \, q \right] }_{}^{\bullet } \parallel A \right) \end{aligned} \end{aligned}$$
      (45)

      By (45) and Lemma 8 we obtain

      $$\begin{aligned}&(\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t)\mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_1}\nonumber \\&(\upnu \, j,h) \left( i \;{\left[ e _{\text {fork}} \,\triangleleft \, q \mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet } \parallel A \right) \end{aligned}$$

      and by (44) we can construct the sequence of transitions:

      $$\begin{aligned} (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s ') {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t)\mathop {:}\alpha \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{n-3}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      Thus, by I.H. we obtain, for some \(l\le n-3\)

      $$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t \alpha s ') {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\&\text {or}\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t \alpha s ') {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      The result follows since \(s =\alpha s '\). \(\square \)

Equipped with Lemma 15, we can now prove Lemma 16.

Lemma 16

If \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;} \), \(l _{\text {env}}\!=\!{{\mathrm{enc}}}(\theta )\) and \((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} }\) then \(A, s \models _{\text {v}}\varphi \theta \), whenever \({{\mathrm{fv}}}(\varphi ) \subseteq {{\mathrm{dom}}}(\theta )\).

Proof

By strong induction on the number n of transitions leading to the action \({\textsf {{fail}}} {\textsf {!}} \) in

$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^n{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

  • \(n = 0\): By inspection of the definition for mLoop, and by case analysis of \( [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}})\) from Definition 7, it can never be the case that

    $$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) {\mathop {\longrightarrow }^{\textsf {fail!}}}. \end{aligned}$$

    Thus the result holds trivially.

  • \(n = k + 1\): We proceed by case analysis on \(\varphi \).

    • \(\varphi = {\textsf {ff}} \): The result holds immediately for any \(A\) and \(s\) by Definition 3.

    • \(\varphi = \mathbf {[}\alpha \mathbf {]}\psi \): By Definition 7, we know that

      $$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\mathbf {[}\alpha \mathbf {]}\psi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_1}\end{aligned}$$
      (46)
      $$\begin{aligned}&\;(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\mathbf {[}\alpha \mathbf {]}\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$
      (47)
      $$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel \\ i \;{\left[ {\textsf {rcv}}\, \left( \begin{array}{l} {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \\ \_ \,{{\rightarrow }}\, {\textsf {ok}} \end{array}\right) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(s _1) \right] }_{}^{\bullet }\end{array}\right) (\xrightarrow {\;\tau \;})^{k_2}{\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$
      (48)
      $$\begin{aligned}&\text {where } k+1 = k_1 + k_2+1 \text { and } s =s _1s _2 \end{aligned}$$
      (49)

      From the analysis of the code in (48), the only way for the action \({\textsf {{fail}}} {\textsf {!}} \) to be triggered is by choosing the guarded branch \({{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}})\) in actor \(i\). This means that (48) can be decomposed into the following reduction sequences.

      $$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel \\ i \;{\left[ {\textsf {rcv}}\, \left( {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}} \right) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(s _1) \right] }_{}^{\bullet } \end{array}\right) (\xrightarrow {\;\tau \;})^{k_3}\end{aligned}$$
      (50)
      $$\begin{aligned}&\;\,(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel \\ i \;{\left[ {\textsf {rcv}}\, \left( {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}} \right) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet } \end{array}\right) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$
      (51)
      $$\begin{aligned}&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel i \;{\left[ [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _5) \right] }_{}^{\bullet } \bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_4}{\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$
      (52)
      $$\begin{aligned}&\text {where } {k_2} = k_3 + k_4+1 \text { and } s _1s _3=\alpha s _5 \text { and }s _2=s _3s _4 \end{aligned}$$
      (53)

      By (49) and (53) we derive

      $$\begin{aligned} s =\alpha t \text { where }t =s _5s _4 \end{aligned}$$
      (54)

      From the definition of mLoop we can derive

      $$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_5}\nonumber \\ (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel i \;{\left[ [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _5) \right] }_{}^{\bullet }\bigr ) \end{aligned}$$
      (55)

      where \(k_5\le k_1+k_3\). From (54) we can split \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;}\) as \(A \mathop {\Longrightarrow }\limits ^{\;\;\alpha \;\;}A '\mathop {\Longrightarrow }\limits ^{\;\;t \;\;}\) and from (55), (52), the fact that \(k_5+k_4 < k+1=n\) from (49) and (53), and I.H. we obtain

      $$\begin{aligned}&A ', t \models _{\text {v}}\psi \theta \end{aligned}$$
      (56)

      From (56), \(A \mathop {\Longrightarrow }\limits ^{\;\;\alpha \;\;}A '\) and Definition 3 we thus conclude \(A, s \models _{\text {v}}\bigl (\mathbf {[}\alpha \mathbf {]}\psi \bigr )\theta \).

    • \(\varphi = \varphi _1 \mathbf {\wedge } \varphi _2\): From Definition 7, we can decompose the transition sequence as follows

      $$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1}\end{aligned}$$
      (57)
      $$\begin{aligned}&\;\;(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$
      (58)
      $$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*}\\ \parallel i \;{\left[ \begin{array}{l} {\textit{y}} _1 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\, \\ {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2)\end{array} \,\triangleleft \, {{\mathrm{tr}}}(s _1) \right] }_{}^{\bullet }\end{array} \right) (\xrightarrow {\;\tau \;})^{k_2}\end{aligned}$$
      (59)
      $$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*}\\ \parallel i \;{\left[ \begin{array}{l} {\textit{y}} _1 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2)\end{array} \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet }\end{array} \right) (\xrightarrow {\;\tau \;})^2\end{aligned}$$
      (60)
      $$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j) \left( \begin{array}{l} i \;{\left[ \!\begin{array}{l} {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textsf {fork}}(j,{\textit{y}} _2)\end{array}\! \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_3} {\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$
      (61)
      $$\begin{aligned}&\text {where } k+1 = k_1+1+k_2+2+k_3, s =s _1s _2 \text { and }s _2=s _3s _4 \end{aligned}$$
      (62)

      From (61) we can deduce that there are two possible ways in which the action \({\textsf {{fail}}} {\textsf {!}} \) could have been reached:

      1.

        If \({\textsf {{fail}}} {\textsf {!}} \) was reached because \(j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } (\xrightarrow {\;\;\tau \;\;})^{k_4} {\mathop {\longrightarrow }^{\textsf {fail!}}}\) on its own, for some \(k_4\le k_3\), then by Par and Scp we deduce

        $$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_4} {\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

        From (62) we know that \(k_4< k+1=n\), and by the premise \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;}\) and I.H. we obtain \(A, s \models _{\text {v}}\varphi _1\theta \). By Definition 3 we then obtain \(A, s \models _{\text {v}}\bigl (\varphi _1 \mathbf {\wedge } \varphi _2 \bigr )\theta \).

      2.

        Alternatively, (61) can be decomposed further as

        $$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j) \left( \begin{array}{l} i \;{\left[ \!\begin{array}{l} {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textsf {fork}}(j,{\textit{y}} _2)\end{array}\! \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_4}\end{aligned}$$
        (63)
        $$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j) \left( \begin{array}{l} i \;{\left[ \!\begin{array}{l} {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textsf {fork}}(j,{\textit{y}} _2)\end{array}\! \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\tau \;})^2\end{aligned}$$
        (64)
        $$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_5}{\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$
        (65)
        $$\begin{aligned}&\text {where } k_3 = k_4+2+k_5 \text { and }s _4=s _5s _6 \end{aligned}$$
        (66)

        From (65) and Lemma 15 we know that, for some \(k_6\le k_5\), either

        $$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_6}{\mathop {\longrightarrow }^{\textsf {fail!}}}\\&\quad \text {or }\quad (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_6}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

        From (62) and (66) we know that \(s =s _1s _3s _5s _6\) and that \(k_6 < k+1 = n\). By I.H., we obtain either \(A, s \models _{\text {v}}\varphi _1\theta \) or \(A, s \models _{\text {v}}\varphi _2\theta \) and, in either case, by Definition 3 we deduce \(A, s \models _{\text {v}}\bigl (\varphi _1 \mathbf {\wedge } \varphi _2 \bigr )\theta \).

    • \(\varphi = X\): By Definition 7, we can deconstruct

      $$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![X ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k+1}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      as

      $$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![X ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;\tau \;}\end{aligned}$$
      (67)
      $$\begin{aligned}&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} y \,{\textsf {=}}\, {\textsf {lookUp}}('X ', l _{\text {env}}){\textsf {,}}\, y(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) \nonumber \\&\qquad \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;\tau \;}\end{aligned}$$
      (68)
      $$\begin{aligned}&\qquad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} y \,{\textsf {=}}\, v {\textsf {,}}\, y(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) {\textsf {]}}_{}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;\tau \;}\end{aligned}$$
      (69)
      $$\begin{aligned}&\qquad \quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} v (l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) {\textsf {]}}_{}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;{\textsf {{fail}}} {\textsf {!}} \;}\\&\text {where }s =s _1s _2, s _2=s _3s _4 \text { and }s _4=s _5s _6 \nonumber \end{aligned}$$
      (70)

      Since \(X \in {{\mathrm{dom}}}(\theta )\), we know that \(\theta (X)=\psi \) for some \(\psi \). By the assumption \(l _{\text {env}}= {{\mathrm{enc}}}(\theta )\) and Lemma 6 we obtain that \(v =[\![\psi ]\!]^\mathbf {m}\). Hence, by (67), (68), (69) and (70) we can reconstruct

      $$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1}\nonumber \\&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) {\textsf {]}}_{}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_2}\xrightarrow {\;{\textsf {{fail}}} {\textsf {!}} \;}\nonumber \\ \end{aligned}$$
      (71)

      where \(k_1 + k_2 < k+1=n\). By (71) and I.H. we obtain \(A, s \models _{\text {v}}\psi \), which is the result required, since by \(\theta (X)=\psi \) we know that \(X \theta = \psi \).

    • \(\varphi = {\textsf {max}}\mathbf {(}X,\psi \mathbf {)}\): By Definition 7, we can deconstruct

      $$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {max}}\mathbf {(}X,\psi \mathbf {)} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k+1}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      as follows:

      $$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {max}}\mathbf {(}X,\psi \mathbf {)} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1}\xrightarrow {\;\tau \;}\\&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}( {\textsf {\{}}'X ', \psi {\textsf {\}}}\mathop {:}l _{\text {env}} ) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_2}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$

      from which we can reconstruct the transition sequence

      $$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}( {\textsf {\{}}'X ', \psi {\textsf {\}}}\mathop {:}l _{\text {env}} ) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1+k_2} {\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$
      (72)

      By the assumption \(l _{\text {env}}={{\mathrm{enc}}}(\theta )\) we deduce that \({\textsf {\{}}'X ', \psi {\textsf {\}}}\mathop {:}l _{\text {env}} = {{\mathrm{enc}}}(\{{\textsf {max}}\mathbf {(}X,\psi \mathbf {)}/X \}\theta )\) and, since \(k_1+k_2 < k+1 = n\), we can use (72), \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;}\) and I.H. to obtain \(A, s \models _{\text {v}}{\psi \{{\textsf {max}}\mathbf {(}X,\psi \mathbf {)}/X \}\theta }\). By Definition 3 we then conclude \(A, s \models _{\text {v}}{\textsf {max}}\mathbf {(}X,\psi \mathbf {)} \theta \).\(\square \)
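As an added illustration of what Lemma 16 establishes (this model is ours, not the paper's Erlang code): a Python simulation of the forking monitor translation with FIFO mailboxes and a random scheduler, beside a trace-based reading of the violation relation that we assume for Definition 3; running several interleavings also exercises the schedule-independence that Lemma 17 below addresses. The formula constructors (`nec`, `conj`, `max_`), the actor encoding and the sample property `NO_B_AFTER_A` are constructed for this example.

```python
"""Trace-level model of sHML violation and of the fork-based monitor translation.

Added example, not the paper's code: formulas are tuples, theta is a dict and
the actors of Definition 7 are simulated with FIFO mailboxes and a random
scheduler.  Recursion is assumed guarded (every X sits under a modality).
"""
import random
from collections import deque

# sHML syntax as constructed tuples: ff, [a]psi, phi1 & phi2, X, max(X, psi).
FF = ('ff',)
def nec(a, psi): return ('nec', a, psi)
def conj(p1, p2): return ('and', p1, p2)
def var(x): return ('var', x)
def max_(x, psi): return ('max', x, psi)

def violates(phi, trace, env=None):
    """Trace-based reading of the violation relation (our assumption for
    Definition 3): does finite trace `trace` violate phi under closing env theta?"""
    env = env or {}
    kind = phi[0]
    if kind == 'ff':                       # ff is violated by every trace
        return True
    if kind == 'nec':                      # [a]psi: trace = a t and t violates psi
        return bool(trace) and trace[0] == phi[1] and violates(phi[2], trace[1:], env)
    if kind == 'and':                      # a conjunction fails if either side fails
        return violates(phi[1], trace, env) or violates(phi[2], trace, env)
    if kind == 'var':                      # X: look up theta(X) and unfold it
        return violates(env[phi[1]], trace, env)
    # max(X, psi): violated iff psi{max(X,psi)/X} is, i.e. psi under env + {X: phi}
    return violates(phi[2], trace, {**env, phi[1]: phi})

class Actor:
    """One monitor actor: a program state, its l_env and a FIFO mailbox."""
    def __init__(self, state, env):
        self.state, self.env, self.mailbox = state, env, deque()

class MonitorSystem:
    """Simulates mLoop feeding tr(s) to the root monitor plus the actors it spawns."""
    def __init__(self, phi, seed=0):
        self.rng, self.actors, self.failed = random.Random(seed), [], False
        self.root = self.spawn(phi, {})

    def spawn(self, phi, env):
        self.actors.append(Actor(('eval', phi), env))
        return len(self.actors) - 1         # the index plays the role of i, j, h

    def send(self, pid, msg):
        self.actors[pid].mailbox.append(msg)

    def can_step(self, a):
        return a.state[0] == 'eval' or (a.state[0] in ('rcv', 'fork') and bool(a.mailbox))

    def step(self, a):
        """One tau-transition of actor a, mirroring the clauses of Definition 7."""
        kind = a.state[0]
        if kind == 'eval':
            phi = a.state[1]
            if phi[0] == 'ff':             # [[ff]]: raise fail! and stop
                self.failed, a.state = True, ('done',)
            elif phi[0] == 'nec':          # [[[a]psi]]: rcv tr(a) -> [[psi]]; _ -> ok end
                a.state = ('rcv', phi[1], phi[2])
            elif phi[0] == 'and':          # [[phi1 & phi2]]: spawn both, then fork
                a.state = ('fork', self.spawn(phi[1], a.env), self.spawn(phi[2], a.env))
            elif phi[0] == 'var':          # [[X]]: lookUp('X', l_env) and apply it
                a.state = ('eval', a.env[phi[1]])
            else:                          # [[max(X,psi)]]: run psi under {'X',..}:l_env
                a.env, a.state = {**a.env, phi[1]: phi}, ('eval', phi[2])
        elif kind == 'rcv':
            msg = a.mailbox.popleft()
            a.state = ('eval', a.state[2]) if msg == a.state[1] else ('done',)
        elif kind == 'fork':               # fork(j, h): forward every message to both
            msg = a.mailbox.popleft()
            self.send(a.state[1], msg)
            self.send(a.state[2], msg)

    def run(self, trace):
        """Interleave mLoop sends and actor steps until quiescent; True iff fail!."""
        pending = deque(trace)
        while True:
            enabled = [a for a in self.actors if self.can_step(a)]
            if pending:
                enabled.append('mloop')
            if not enabled:
                return self.failed
            choice = self.rng.choice(enabled)
            if choice == 'mloop':
                self.send(self.root, pending.popleft())
            else:
                self.step(choice)

def detections(phi, trace, schedules=20):
    """Set of fail!/no-fail! outcomes over `schedules` random interleavings."""
    return {MonitorSystem(phi, seed).run(trace) for seed in range(schedules)}

def detection_is_sound(phi, trace, schedules=20):
    """The direction proved by Lemma 16: if some interleaving raises fail!,
    the trace violates phi."""
    return (True not in detections(phi, trace, schedules)) or violates(phi, trace)

# Constructed safety property: after one or more a's, a b is a violation.
NO_B_AFTER_A = max_('X', nec('a', conj(nec('b', FF), var('X'))))
```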

1.2 Proofs for establishing Detection Preservation

Lemma 18 relies heavily on Lemma 17.

Lemma 17

(Translation Confluence) For all \({\varphi \in {\textsc {sHML}}}, {q \in (\textsc {Val})^*}\) and \({\theta :{:} \textsc {LVar} \rightharpoonup {\textsc {sHML}}}\), \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \mathop {\Longrightarrow }\limits ^{\;\quad \;} A \) implies \({{\mathrm{cnf}}}(A)\).

Proof

Proof by strong numerical induction on n in \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^n A \).

  • \(n = 0\): The only possible \(\tau \)-action that can be performed by \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) is that for the function application of the monitor definition, i.e.

    $$\begin{aligned} i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;\tau \;\;} i {\textsf {[}} e \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \text { for some }e. \end{aligned}$$
    (73)

    Apart from that, \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) can only perform an input action at \(i\), i.e.

    $$\begin{aligned} i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;i \mathtt {?}v \;\;} i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet } \end{aligned}$$

    On the one hand, we can derive \(i {\textsf {[}} e \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;i \mathtt {?}v \;\;} i {\textsf {[}} e \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet }\). Moreover, from (73) and Lemma 8 we can deduce \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;\tau \;\;} i {\textsf {[}} e \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet }\) which allows us to close the confluence diamond.

  • \(n = k + 1\): We proceed by case analysis on the property \(\varphi \), using Lemma 11 to infer the possible structures of the resulting process. Again, the most involved cases are those for conjunction translations, as they generate more than one concurrent actor; we discuss one of these below:

    • \(\varphi = \varphi _1 \mathbf {\wedge } \varphi _2 \): By Lemma 11, \(A\) can have any of 4 general structures, one of which is

      $$\begin{aligned} A&\equiv (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\;\right) \end{aligned}$$
      (74)

      where

      $$\begin{aligned}&j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \text { for }k< n, q _1 < q \end{aligned}$$
      (75)
      $$\begin{aligned}&j _2{\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^l\; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \text { for }l< n, q _2 < q \end{aligned}$$
      (76)

      By Lemma 11, (75) and (76) we also infer that the only external action that can be performed by the processes \((\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \) and \((\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \) is \({\textsf {{fail}}} {\textsf {!}} \). Moreover, by (75) and (76) we can also show that

      $$\begin{aligned} {{\mathrm{fId}}}\Bigl ((\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \Bigr )&= \{j _1\}&{{\mathrm{fId}}}\Bigl ((\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \Bigr )&= \{j _2\} \end{aligned}$$

      Thus these two subactors cannot communicate with each other or send messages to actor \(i \). This also means that the remaining possible actions that \(A \) can perform are:

      $$\begin{aligned}&A \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, j _1, j _2) \left( \! i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\!\right) \quad \text {or}\end{aligned}$$
      (77)
      $$\begin{aligned}&A \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, j _1, j _2) \left( \! i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1 ') (j _1{\textsf {[}} e '_{1} \,\triangleleft \, q ''_1 {\textsf {]}}_{}^{\bullet } \parallel B ') \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\!\right) \nonumber \\&\text {because } (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, ~\widetilde{h}_1 '~) (j _1{\textsf {[}} e '_{1} \,\triangleleft \, q ''_1 {\textsf {]}}_{}^{\bullet } \parallel B ') \qquad \text {or}\end{aligned}$$
      (78)
      $$\begin{aligned}&A \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2 {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \nonumber \\&\text {because } (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, ~\widetilde{h}_2 '~) (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2 {\textsf {]}}_{}^{\bullet } \parallel C ') \qquad \text {or}\end{aligned}$$
      (79)
      $$\begin{aligned}&A \;\xrightarrow {\;i \mathtt {?}v \;\;}\; (\upnu \, j _1, j _2) \left( \;\begin{array}{l} i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet }\\ \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\;\right) \end{aligned}$$
      (80)

      We prove confluence for the pair of actions (77) and (79) and leave the other combinations for the interested reader. From (79) and Lemma 8 we derive

      $$\begin{aligned} (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C) \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, ~\widetilde{h}_2 '~) (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C ') \end{aligned}$$

      and by Par and Scp we obtain

      $$\begin{aligned} (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\;\right) \;\xrightarrow {\;\;\tau \;\;}\; \nonumber \\ (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \nonumber \\ \end{aligned}$$
      (81)

      Using Com, Str, Par and Scp we can derive

      $$\begin{aligned} (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2 {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \;\xrightarrow {\;\;\tau \;\;}\; \nonumber \\ (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \nonumber \\ \end{aligned}$$
      (82)

      thus we close the confluence diamond by (81) and (82). \(\square \)

Lemma 18

(Weak Confluence) For all \(\varphi \in {\textsc {sHML}} \), \(q \in \textsc {Val} ^*\)

$$\begin{aligned} i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*} \mathop {\Longrightarrow }\limits ^{\;\quad \;} A \;\text { implies }\; {{\mathrm{cnf}}}(A) \end{aligned}$$

Proof

By strong induction on n, the number of transitions in \(i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*} \;(\xrightarrow {\;\;\tau \;\;})^n \; A \).

  • \(n = 0\) We know \(A =i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*}\). It is confluent because it can perform either of two actions, namely a \(\tau \)-action for the function application (see \(\textsc {App}\) in Fig. 2), or else an external input at \(i_{\text {mtr}}\), (see RcvU in Fig. 2). The matching moves can be constructed by RcvU on the one hand, and by Lemma 8 on the other, analogously to the base case of Lemma 17.

  • \(n = k + 1\) By performing an analysis similar to that of Lemma 11, but for \(i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*}\) instead, we can determine that this actor can only weakly transition to one of the forms below, where, for cases (ii) to (v), \(B\) is obtained from \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \mathop {\Longrightarrow }\limits ^{\;\;\;\;} B \) for some \(r \):

    (i) \(A =i_{\text {mtr}} {\textsf {[}} M \,{\textsf {=}}\, {\textsf {spw}}\, ([\![\varphi ]\!]^\mathbf {m}({\textsf {nil}})) {\textsf {,}}\, {\textsf {mLoop}} (M) \,\triangleleft \, q {\textsf {]}}_{}^{*}\)

    (ii) \(A \equiv (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)

    (iii) \(A \equiv (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {rcv}}\, {\textit{z}} \,{{\rightarrow }}\, i {\textsf {!}} {\textit{z}} \,{\textsf {end}}{\textsf {,}}\, {\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)

    (iv) \(A \equiv (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)

    (v) \(A \equiv (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)

    We focus here on case (iv), the \(4\text {th}\) form above; the other cases are analogous. From \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \mathop {\Longrightarrow }\limits ^{\;\;\;\;} B \) and Lemma 11 we know that

    $$\begin{aligned}&B \xrightarrow {\;\;\gamma \;\;} \quad \text { implies } \gamma ={\textsf {{fail}}} {\textsf {!}} \text { or } \gamma =\tau \\&B \equiv (\upnu \, {h}) \bigl (i {\textsf {[}} e \,\triangleleft \, r {\textsf {]}}_{}^{\bullet }\parallel C \bigr ) \quad \text { where }{{\mathrm{fId}}}(B)=i \end{aligned}$$

    This means that \((\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \) can only exhibit the following actions:

    $$\begin{aligned} \begin{array}{l} \displaystyle (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \;\xrightarrow {\;i_{\text {mtr}} \mathtt {?}u \;}\;\\ \displaystyle \qquad \qquad \qquad \qquad (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q \mathop {:}u {\textsf {]}}_{}^{*} \parallel B \bigr ) \end{array} \end{aligned}$$
    (83)
    $$\begin{aligned}&\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \;\xrightarrow {\;\tau \;}\; \\&\qquad \qquad \qquad \qquad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel (\upnu \, {h}) \bigl (i {\textsf {[}} e \,\triangleleft \, r \mathop {:}v {\textsf {]}}_{}^{\bullet }\parallel C \bigr ) \bigr ) \end{aligned}\end{aligned}$$
    (84)
    $$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \;\xrightarrow {\;\tau \;}\; (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B ' \bigr ) \end{aligned}$$
    (85)

    Most pairs of actions can be commuted directly by Par and Scp, since they concern distinct actors of the system. The only non-trivial case is the pair (84) and (85), which is commuted using Lemma 8, as in the base case. \(\square \)

Cite this article

Francalanza, A., Seychell, A. Synthesising correct concurrent runtime monitors. Form Methods Syst Des 46, 226–261 (2015). https://doi.org/10.1007/s10703-014-0217-9
