
1 Introduction

Fig. 1. A specification of mutual exclusion \(\textsf{Mx}\), and Peterson’s protocol \(\textsf{Pe}\).

Many verification tasks can be understood along the lines of “how equivalent” two models are. Figure 1 replicates a standard example, known for instance from the textbook Reactive Systems [3]: A specification of mutual exclusion \(\textsf{Mx}\) as two alternating users A and B entering their critical section \( ec_A / ec_B \) and leaving \( lc_A / lc_B \) before the other may enter; and the transition system of Peterson’s [28] mutual exclusion algorithm \(\textsf{Pe}\), minimized by weak bisimilarity, with internal steps due to the coordination that needs to happen. For \(\textsf{Pe}\) to faithfully implement mutual exclusion, it should behave somewhat similarly to \(\textsf{Mx}\).

Semantics in concurrent models must take nondeterminism into account. Setting the degree to which nondeterminism counts induces equivalence notions with subtle differences: \(\textsf{Pe}\) and \(\textsf{Mx}\) weakly simulate each other, meaning that a tree of options from one process can be matched by a similar tree of the other. This implies that they have the same weak traces, that is, matching paths. However, they are not weakly bisimilar, which would require a higher degree of symmetry than mutual simulation, namely, matching absence of options. There are many more such notions. Van Glabbeek’s linear-time–branching-time spectrum [21] (cf. Fig. 3) brings order to the hierarchy of equivalences. But it is notoriously difficult to navigate. In our example, one might wonder: Are there notions relating the two besides mutual simulation?

Our recent algorithm for linear-time–branching-time spectroscopy by Bisping, Nestmann, and Jansen [7, 9] is capable of answering equivalence questions for finite-state systems by deciding the spectrum of behavioral equivalences in one go. In theory, that is. In practice, the algorithm of [7] runs out of memory when applied to the weak transition relation of even small examples like \(\textsf{Pe}\). The reason for this is that saturating transition systems with the closure of weak steps adds a lot of nondeterminism. For instance, \(\textsf{Pe}\) may reach 10 different states by internal steps (). The spectroscopy algorithm of [7] builds a bisimulation game where the defender wins if the game starts at a pair of equivalent processes. To allow all attacks relevant for the spectrum, the [7]-game must consider partitionings of state sets reached through nondeterminism. There are 115,975 ways of partitioning 10 objects. As a consequence, the game graph of [7] comparing \(\textsf{Pe}\) and \(\textsf{Mx}\) has 266,973 game positions. On top of each position, [7] builds sets of distinguishing formulas of Hennessy–Milner modal logic (HML) [21, 24] with minimal expressiveness. These sets may grow exponentially. Game over!

Contributions. In this paper, we adapt the spectroscopy approach of [7, 9] to render small verification instances like \(\textsf{Pe}/\textsf{Mx}\) feasible. The key ingredients that will make the difference are: understanding the spectrum purely through depth-properties of HML formulas; using multidimensional energy games [15] instead of reachability games; and exploiting the considered spectrum to drastically reduce the branching-degree of the game as well as the height of the energy lattice. Figure 2 lays out the algorithm with pointers to key parts of this paper.

Fig. 2. Overview of the computations \(\rightarrow \) and correspondences \(\sim \) we will discuss.

  • Subsection 2.2 explains how the linear-time–branching-time spectrum can be understood in terms of six dimensions of HML expressiveness, and Subsect. 3.1 introduces a class of declining energy games fit for our task.

  • In Subsect. 3.2, we describe the novel spectroscopy energy game, and, in Subsect. 3.3, prove it to characterize all notions of equivalence definable by the six dimensions.

  • Subsection 3.4 shows that a more clever game with only linear branching-factor still covers the spectrum.

  • Subsection 4.1 provides an algorithm to compute winning initial energy levels for declining energy games with \(\texttt{min}_{\{\!\dots \!\}}\), which enables decision of the whole considered spectrum in \(\smash {2^{\mathcal {O}(|\mathord {\mathcal {P}}|)}}\) for systems with \(|\mathord {\mathcal {P}}|\) processes (Subsect. 4.2).

  • In Subsect. 4.3, we add fine print on how to obtain equivalences and distinguishing formulas in the algorithm.

  • Section 5 compares to [7] and [29] through experiments with the widely used VLTS benchmark suite [18]. The experiments also reveal insights about the suite itself.

2 Distinctions and Equivalences in Transition Systems

Two classic concepts of system analysis form the background of this paper: Hennessy–Milner logic (HML) interpreted over transition systems goes back to Hennessy and Milner [24] investigating observational equivalence in operational semantics. Van Glabbeek’s linear-time–branching-time spectrum [21] arranges all common notions of equivalence as a hierarchy of HML sublanguages.

2.1 Transition Systems and Hennessy–Milner Logic

Definition 1

(Labeled transition system). A labeled transition system is a tuple \(\mathcal {S}=(\mathcal {P},\varSigma ,\mathrel {\smash {\xrightarrow {}}})\) where \(\mathcal {P}\) is the set of processes, \(\varSigma \) is the set of actions, and \({\mathrel {\smash {\xrightarrow {}}}}\subseteq \mathcal {P}\times \varSigma \times \mathcal {P}\) is the transition relation.

By \(\mathcal {I}(p)\) we denote the actions enabled initially for a process \(p \in \mathcal {P}\), that is, \(\mathcal {I}(p) \mathrel {\mathrel {{:}{=}}} \{a \in \varSigma \mid \exists p' .p \mathrel {\smash {\xrightarrow {a}}} p'\}\). We lift the steps to sets with \(P \mathrel {\smash {\xrightarrow {a}}} P'\) iff \(P' = \{p' \mid \exists p \in P .p \mathrel {\smash {\xrightarrow {a}}} p' \}\).

Hennessy–Milner logic expresses observations that one may make on such a system. The set of formulas true of a process offers a denotation for its semantics.

Fig. 3. Hierarchy of equivalences/preorders becoming finer towards the top.

Definition 2

(Hennessy–Milner logic). The syntax of Hennessy–Milner logic over a set \(\varSigma \) of actions, \(\textsf{HML}[\varSigma ]\), is defined by the grammar:

$$\begin{aligned} \varphi &::= \langle a\rangle \varphi \qquad \text {with } a \in \varSigma \\ &\;\mid \; {\bigwedge }\{\psi , \psi , \ldots \} \\ \psi &::= \lnot \varphi \mid \varphi . \end{aligned}$$

Its semantics \(\;\smash {{\llbracket \;\cdot \; \rrbracket }^{\mathcal {S}}_{}}\) over a transition system \(\mathcal {S}=(\mathcal {P},\varSigma ,\mathrel {\smash {\xrightarrow {}}})\) is given as the set of processes where a formula “is true” by:

$$\begin{aligned} {\llbracket \langle a\rangle \varphi \rrbracket }^{\mathcal {S}}_{} &\mathrel {{:}{=}} \{ p \in \mathcal {P} \mid \exists p' .\, p \mathrel {\smash {\xrightarrow {a}}} p' \wedge p' \in {\llbracket \varphi \rrbracket }^{\mathcal {S}}_{} \} \\ {\llbracket {\bigwedge }\{\psi _1, \psi _2, \ldots \} \rrbracket }^{\mathcal {S}}_{} &\mathrel {{:}{=}} \bigcap _i {\llbracket \psi _i \rrbracket }^{\mathcal {S}}_{} \qquad \text {(the empty intersection being } \mathcal {P}\text {)} \\ {\llbracket \lnot \varphi \rrbracket }^{\mathcal {S}}_{} &\mathrel {{:}{=}} \mathcal {P} \setminus {\llbracket \varphi \rrbracket }^{\mathcal {S}}_{} \end{aligned}$$

HML basically extends propositional logic with a modal observation operation. Conjunctions then bound trees of future behavior. Positive conjuncts mean lower bounds, negative ones impose upper bounds. For the scope of this paper, finite bounds suffice, i.e., conjunctions are finite-width. The empty conjunction \(\textsf{T}\mathrel {{:}{=}}{\bigwedge }\varnothing \) is usually omitted in writing.

We use Hennessy–Milner logic to capture differences between program behaviors. Depending on how much of its expressiveness we use, different notions of equivalence are characterized.

Definition 3

(Distinguishing formulas and preordering languages). A formula \(\varphi \in \textsf{HML}[\varSigma ]\) is said to distinguish two processes \(p,q \in \mathcal {P}\) iff \(p \in {\llbracket \varphi \rrbracket }^{\mathcal {S}}_{}\) and \(q \notin \smash {{\llbracket \varphi \rrbracket }^{\mathcal {S}}_{}}\). A sublanguage of Hennessy–Milner logic, \(\mathcal {O}_{\textrm{ X }} \subseteq \textsf{HML}[\varSigma ]\), either distinguishes two processes, \(p \not \preceq _{\textrm{ X }} q\), if it contains a distinguishing formula, or preorders them otherwise. If processes are preordered in both directions, \(p \preceq _{\textrm{ X }} q\) and \(q \preceq _{\textrm{ X }} p\), then they are considered \(X\!\)-equivalent, \(p \sim _{\textrm{ X }} q\).

Fig. 3 charts the linear-time–branching-time spectrum. If processes are preordered/equated by one notion of equivalence, they also are preordered/equated by every notion below. We will later formally characterize the notions through Proposition 1. For a thorough presentation, we point to [23]. For those familiar with the spectrum, the following example serves to refresh memories.

Fig. 4. Example system of internal decision against an action \(\mathrel {\smash {\xrightarrow { ec_A }}}\).

Example 1

Fig. 4 shows a tiny slice of the weak-step-saturated version of our initial example from Fig. 1 that is at the heart of why \(\textsf{Pe}\) and \(\textsf{Mx}\) are not bisimulation-equivalent. The difference between \(\textsf{S}\) and \(\mathsf {S'}\) is that \(\textsf{S}\) can internally transition to \(\textsf{Div}\) (labeled ) without ever performing an \( ec_A \) action. We can express this difference by the formula \(\varphi _\textsf{S} \mathrel {{:}{=}}\langle \tau \rangle {\bigwedge }\{\lnot \langle ec_A\rangle \}\), meaning “after \(\tau \), \( ec_A \) may be impossible.” It is true for \(\textsf{S}\), but not for \(\mathsf {S'}\). Knowing a distinguishing formula means that \(\textsf{S}\) and \(\mathsf {S'}\) cannot be bisimilar by the Hennessy–Milner theorem. The formula \(\varphi _\textsf{S}\) is called a failure (or refusal) as it specifies a set of actions that are disabled after a trace. In the other direction of comparison, the negation \(\varphi _\mathsf {S'} \mathrel {{:}{=}}{\bigwedge }\{ \lnot \langle \tau \rangle {\bigwedge }\{ \lnot \langle ec_A\rangle \} \}\) distinguishes \(\mathsf {S'}\) from \(\textsf{S}\). The differences between the two processes cannot be expressed in HML without negation. Therefore the processes are simulation-equivalent, or similar, as similarity is characterized by the positive fragment of HML.

2.2 Price Spectra of Behavioral Equivalences

For algorithms exploring the linear-time–branching-time spectrum, it is convenient to have a representation of the spectrum in terms of numbers or “prices” of formulas as in [7]. We, here, use six dimensions to characterize the notions of equivalence depicted in Fig. 3. The numbers define the HML observation languages that characterize the very preorders/equivalences. Intuitively, the colorful numbers (dimensions 1 to 6) mean: (1) Formula modal depth of observations. (2) Formula nesting depth of conjunctions. (3) Maximal modal depth of deepest positive clauses in conjunctions. (4) Maximal modal depth of the other positive clauses in conjunctions. (5) Maximal modal depth of negative clauses in conjunctions. (6) Formula nesting depth of negations. More formally:

Definition 4

(Energies). We denote as energies, \(\textbf{En}\), the set of N-dimensional vectors \((\mathbb {N})^N\), and as extended energies, \(\textbf{En}_\infty \), the set \((\mathbb {N}\cup \{\infty \})^N\).

We compare energies component-wise, i.e., \(({e}_1,\ldots ,{e}_{N}) \le ({f}_1,\ldots ,{f}_{N})\) iff \(e_i \le f_i\) for each i. Least upper bounds \(\sup \) are defined as usual as component-wise supremum, as are greatest lower bounds \(\inf \).

Fig. 5. Pricing e of formula \(\langle \tau \rangle {\bigwedge }\{\langle ec_A\rangle \langle lc_A\rangle \textsf{T}, \langle \tau \rangle \textsf{T}, \lnot \langle ec_B\rangle \textsf{T}\}\).

Definition 5

(Formula prices). The expressiveness price \(\textsf{expr}:\textsf{HML}[\varSigma ]\rightarrow (\mathbb {N})^6\) of a formula interpreted as 6-dimensional energies is defined recursively by:

$$\begin{aligned} \textsf{expr}(\langle a\rangle \varphi ) &\mathrel {{:}{=}} \hat{e}_1 + \textsf{expr}(\varphi ) \\ \textsf{expr}(\lnot \varphi ) &\mathrel {{:}{=}} \hat{e}_6 + \textsf{expr}(\varphi ) \\ \textsf{expr}({\bigwedge }\varPsi ) &\mathrel {{:}{=}} \hat{e}_2 + \sup \big ( \{ \textsf{expr}(\psi ) \mid \psi \in \varPsi \} \cup \{ (0,0,\textsf{expr}_1(\psi _\star ),0,0,0) \} \\ &\qquad \qquad \cup \{ (0,0,0,\textsf{expr}_1(\psi ),0,0) \mid \psi \in \varPsi ^{+} \setminus \{\psi _\star \} \} \cup \{ (0,0,0,0,\textsf{expr}_1(\psi ),0) \mid \psi \in \varPsi ^{-} \} \big ) \end{aligned}$$

Here, \(\hat{e}_i\) denotes the i-th unit vector, \(\textsf{expr}_1\) the first component (the modal depth), \(\varPsi ^{+}\) and \(\varPsi ^{-}\) the positive and negative clauses of \(\varPsi \), and \(\psi _\star \in \varPsi ^{+}\) one positive clause of maximal modal depth (the corresponding term is dropped if \(\varPsi ^{+} = \varnothing \)). In particular, the empty conjunction is priced \(\textsf{expr}(\textsf{T}) = (0,1,0,0,0,0)\), so every occurrence of \(\textsf{T}\), even if omitted in writing, counts one level of conjunction nesting.

Figure 5 gives an example how the prices compound. The colors of the lines match those used for the dimensions and their updates in the other figures. Circles mark the points that are counted. The formula itself expresses a so-called ready-trace observation: We observe a trace \(\tau \cdot ec_A \cdot lc_A \) and, along the way, may check what other options would have been enabled or disabled. Here, we check that \(\tau \) is enabled and \( ec_B \) is disabled after the first \(\tau \)-step. With the pricing, we can characterize all standard notions of equivalence:

Proposition 1

On finite systems, the languages of formulas with prices below the coordinates given in Fig. 3 characterize the named notions of equivalence, that is, \(p \preceq _{\textrm{ X }} q\) with respect to equivalence X, iff no \(\varphi \) with \(\textsf{expr}(\varphi ) \le e_X\) distinguishes p from q.

Fig. 6. Cut through the price lattice with dimensions 2 (conjunction nesting) and 5 (negated observation depth).

Example 2

The formulas of Example 1 have prices: \(\textsf{expr}(\langle \tau \rangle {\bigwedge }\{\lnot \langle ec_A\rangle \}) = (2,2,0,0,1,1)\) for \(\varphi _\textsf{S}\) and \(\textsf{expr}({\bigwedge }\{ \lnot \langle \tau \rangle {\bigwedge }\{ \lnot \langle ec_A\rangle \} \}) = (2,3,0,0,2,2)\) for \(\varphi _\mathsf {S'}\). The prices of the two are depicted as red marks in Fig. 6. This also visualizes how \(\varphi _\mathsf {S'}\) is a counterexample for bisimilarity and how \(\varphi _\textsf{S}\) is a counterexample for failure and finer preorders. Indeed, the two preorders are the coarsest ways of telling the processes apart. So, \(\textsf{S}\) and \(\mathsf {S'}\) are equated by all preorders below the marks, i.e., similarity, \(\textsf{S} \sim _{\textrm{1S}} \mathsf {S'}\), and coarser preorders (\(\textsf{S} \sim _{\textrm{T}} \mathsf {S'}\), \(\textsf{S} \sim _{\textrm{E}} \mathsf {S'}\)). This carries over to the initial example of Peterson’s mutex protocol from Fig. 1, where weak simulation, \(\textsf{Pe} \sim _{\textrm{1WS}} \textsf{Mx}\), is the most precise equivalence. Practically, this means that the specification \(\textsf{Mx}\) has liveness properties not upheld by the implementation \(\textsf{Pe}\).
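As an added illustration (this is not code from the paper), the following Python models HML formulas, the semantics of Definition 2, distinguishing formulas in the sense of Definition 3, and the six-dimensional pricing of Definition 5 as described by the dimensions of Sect. 2.2. The transition system `LTS` is a constructed toy shaped like the \(\textsf{S}/\mathsf{S'}/\textsf{Div}\) sketch of Example 1 rather than the exact system of Fig. 4; all class and function names are ours. Running it recomputes the two prices of Example 2 and prices the ready-trace formula of Fig. 5.

```python
"""Hennessy-Milner logic over a finite LTS with the six-dimensional
expressiveness price.  Added example, not code from the paper; the LTS
below is a constructed toy shaped like the S / S' / Div sketch of Example 1."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union

Energy = Tuple[int, int, int, int, int, int]


@dataclass(frozen=True)
class Obs:                    # <a> phi
    action: str
    body: "Formula"


@dataclass(frozen=True)
class Neg:                    # negative clause, only directly under a conjunction
    body: "Formula"


@dataclass(frozen=True)
class Conj:                   # /\ {psi_1, psi_2, ...}, finite width
    clauses: FrozenSet["Clause"]


Formula = Union[Obs, Conj]
Clause = Union[Formula, Neg]
T = Conj(frozenset())         # the empty conjunction, usually omitted in writing

# LTS as process -> set of (action, successor).  Constructed toy: S may take an
# internal step to the divergent Div, which never offers ec_A; S' cannot.
LTS: Dict[str, Set[Tuple[str, str]]] = {
    "S": {("tau", "Div"), ("tau", "S1")},
    "S'": {("tau", "S1")},
    "S1": {("ec_A", "S2")},
    "S2": set(),
    "Div": {("tau", "Div")},
}


def sat(phi: Clause, p: str, lts: Dict[str, Set[Tuple[str, str]]]) -> bool:
    """p in [[phi]]: the standard Hennessy-Milner semantics."""
    if isinstance(phi, Obs):
        return any(sat(phi.body, p2, lts) for a, p2 in lts[p] if a == phi.action)
    if isinstance(phi, Neg):
        return not sat(phi.body, p, lts)
    return all(sat(c, p, lts) for c in phi.clauses)


def distinguishes(phi: Formula, p: str, q: str, lts) -> bool:
    """Definition 3: phi is true for p and false for q."""
    return sat(phi, p, lts) and not sat(phi, q, lts)


def sup(*es: Energy) -> Energy:
    return tuple(max(col) for col in zip(*es))


def expr(phi: Clause) -> Energy:
    """Price along the six dimensions of Sect. 2.2: (1) modal depth,
    (2) conjunction nesting, (3) depth of one deepest positive clause,
    (4) depth of the remaining positive clauses, (5) depth of negative
    clauses, (6) negation nesting.  T = /\\{} itself costs one unit of
    dimension 2, which is what yields the prices stated in Example 2."""
    if isinstance(phi, Obs):
        e = expr(phi.body)
        return (e[0] + 1,) + e[1:]
    if isinstance(phi, Neg):
        e = expr(phi.body)
        return e[:5] + (e[5] + 1,)
    clauses = list(phi.clauses)
    prices = [expr(c) for c in clauses]
    pos = sorted((e[0] for c, e in zip(clauses, prices) if not isinstance(c, Neg)),
                 reverse=True)
    neg = [e[0] for c, e in zip(clauses, prices) if isinstance(c, Neg)]
    deepest = pos[0] if pos else 0
    others = pos[1] if len(pos) > 1 else 0
    e = sup((0, 0, deepest, others, max(neg, default=0), 0), *prices)
    return (e[0], e[1] + 1, e[2], e[3], e[4], e[5])


# Example 1: "after tau, ec_A may be impossible", and its negation.
PHI_S: Formula = Obs("tau", Conj(frozenset({Neg(Obs("ec_A", T))})))
PHI_S_PRIME: Formula = Conj(frozenset({Neg(PHI_S)}))
# The ready-trace observation priced in Fig. 5.
PHI_FIG5: Formula = Obs("tau", Conj(frozenset({
    Obs("ec_A", Obs("lc_A", T)), Obs("tau", T), Neg(Obs("ec_B", T))})))

if __name__ == "__main__":
    for name, phi in [("phi_S", PHI_S), ("phi_S'", PHI_S_PRIME), ("fig5", PHI_FIG5)]:
        print(name, expr(phi),
              distinguishes(phi, "S", "S'", LTS), distinguishes(phi, "S'", "S", LTS))
```

The conjunction case is where the six dimensions differ from a plain depth count: the deepest positive clause feeds dimension 3, every other positive clause dimension 4, and negative clauses dimension 5, while the supremum over the clauses' own prices carries nested depths upwards.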

Remark 1

Definition 5 deviates from our previous formula pricing of [7] in a crucial way: We only collect the maximal depths of positive clauses, whereas [7] tracks numbers of deep and flat positive clauses (where a flat clause is characterized by an observation depth of 1). Our change to a purely “depth-guided” spectrum will allow us to characterize the spectrum by an energy game and to eliminate the Bell-numbered blow-up from the game’s branching-degree. The special treatment of the deepest positive branch is necessary to address revival, failure trace, and ready trace semantics, which are popular in the CSP community [17, 31].

3 An Energy Game of Distinguishing Capabilities

Conventional equivalence problems ask whether a pair of processes is related by a specific equivalence. These problems can be abstracted into a more general “spectroscopy problem” to determine the set of equivalences from a spectrum that relate two processes as in [7]. This section captures the spectrum of Fig. 3 by one rather simple energy game.

3.1 Energy Games

Multidimensional energy games are played on graphs labeled by vectors to be added to (or subtracted from) a vector of “energies” where one player must pay attention to the energies not being exhausted. We plan to encode the distinction capabilities of the semantic spectrum as energy levels in an energy game enriched by \(\texttt{min}_{\{\!\dots \!\}}\)-operations that take minima of components. This way, energy levels where the defender has a winning strategy will correspond to equivalences that hold. We will just need updates decrementing or maintaining energy levels.

Definition 6

(Energy updates). The set of energy updates, \(\textbf{Up}\), contains vectors \(({u}_1,\ldots ,{u}_{N}) \in \textbf{Up}\) where each component is of the form

  • \(u_k \in \{-1, 0\}\), or

  • \(u_k = \texttt{min}_D\) where \(D \subseteq \{1, \ldots , N\}\) and \(k \in D\).

Applying an update to an energy, \(\textsf{upd}(e, u)\), where \(e = ({e}_1,\ldots ,{e}_{N}) \in \textbf{En}\) (or \(\textbf{En}_\infty \)) and \(u = ({u}_1,\ldots ,{u}_{N}) \in \textbf{Up}\), yields a new energy vector \(e'\) where kth components \(e'_k \mathrel {{:}{=}}e_k + u_k\) for \(u_k \in \mathbb {Z}\) and \(e'_k \mathrel {{:}{=}}\min _{d\in D} e_d\) for \(u_k = \texttt{min}_D\). Updates that would cause any component to become negative are illegal.

Definition 7

(Games). An N-dimensional declining energy game is played on a directed graph uniquely labeled by energy updates consisting of

  • a set of game positions G, partitioned into

    • a set of defender positions \(G_{{\text {d}}}\subseteq G\)

    • a set of attacker positions \(G_{{\text {a}}}\mathrel {{:}{=}}G \setminus G_{{\text {d}}}\),

  • a relation of game moves ,

  • a weight function for the moves ,

  • an initial position \(g_{0}\in G\), and

  • an initial energy budget vector \(e_{0} \in \textbf{En}_\infty \).

The notation stands for and \(w(g,g') = u\).

Definition 8

(Plays, energies, and wins). We call the (finite or infinite) paths \(\rho = g_{0}g_{1}\ldots \in G^{\infty }\) with plays of \(\mathcal {G}[g_{0},e_{0}]\).

The energy level of a play \(\rho \) at round i, \(\textsf{EL}_{\rho }(i)\), is recursively defined as \(\textsf{EL}_{\rho }(0) \mathrel {{:}{=}}e_0\) and otherwise as \(\textsf{EL}_{\rho }(i+1) \mathrel {{:}{=}}\textsf{upd}(\textsf{EL}_{\rho }(i), u_i)\). If we omit the index, \(\textsf{EL}_{\rho }\), this refers to the final energy level of a finite run \(\rho \), i.e., \(\textsf{EL}_{\rho }(|\mathord {\rho }| - 1)\).

Plays where energy levels become undefined (negative) are won by the defender. So are infinite plays. If a finite play is stuck (i.e. , ), the stuck player loses: The defender wins if \(g_{n}\in G_{{\text {a}}}\), and the attacker wins if \(g_{n}\in G_{{\text {d}}}\).

Proposition 2

In this model, energy levels can only decline.

  1. Updates may only decrease energies, \(\textsf{upd}(e, u) \le e\).

  2. Energy level changes are monotonic: If \(\textsf{EL}_{\rho g} \le \textsf{EL}_{\sigma g}\) and then \(\textsf{EL}_{\rho g g'} \le \textsf{EL}_{\sigma g g'}\).

  3. If \(e_0 \le e'_0\) and \(\mathcal {G}[g_0, e_0]\) has non-negative play \(\rho \), then \(\mathcal {G}[g_0, e'_0]\) also has non-negative play \(\rho \).

Definition 9

(Strategies and winning budgets). An attacker strategy is a map from play prefixes ending in attacker positions to next game moves \(s :(G^* \times G_{{\text {a}}}) \rightarrow G\) with . Similarly, a defender strategy names moves starting in defender states. If all plays consistent with a strategy s ensure a player to win, s is called a winning strategy for this player. The player with a winning strategy for \(\mathcal {G}[g_{0},e_0]\) is said to win \(\mathcal {G}\) from position \(g_{0}\) with initial energy budget \(e_0\). We call \(\textsf{Win}_{{\text {a}}}(g) = \{e \mid \mathcal {G}[g, e] \text { is won by the attacker}\}\) the attacker winning budgets.

Proposition 3

The attacker winning budgets at positions are upward-closed with respect to energy, that is, \(e \in \textsf{Win}_{{\text {a}}}(g)\) and \(e \le e'\) implies \(e' \in \textsf{Win}_{{\text {a}}}(g)\).

This means we can characterize the set of winning attacker budgets in terms of minimal winning budgets \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }(g) = \textrm{Min}(\textsf{Win}_{{\text {a}}}(g))\), where \(\textrm{Min}(S)\) selects minimal elements \(\{ e \in S \mid \not \exists e' \in S .e' \le e \wedge e' \ne e \}\). Clearly, \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }\) must be an antichain and thus finite due to the energies being well-partially-ordered [26]. Dually, we may consider the maximal energy levels winning for the defender, \(\textsf{Win}_{{\text {d}}}^{\scriptscriptstyle \max }:G \rightarrow \textbf{2}^{\textbf{En}_\infty }\) where we need extended energies to bound won half-spaces.

3.2 The Spectroscopy Energy Game

Let us now look at the “spectroscopy energy game” at the center of our contribution. Figure 7 gives a graphical representation. The intuition is that the attacker shows how to construct formulas that distinguish a process p from every q in a set of processes Q. The energies limit the expressiveness of the formulas. The first dimension bounds for how many turns the attacker may challenge observations of actions. The second dimension limits how often they may use conjunctions to resolve nondeterminism. The third, fourth, and fifth dimensions limit how deeply observations may nest underneath a conjunction, where the fifth stands for negated clauses, the third for one of the deepest positive clauses and the fourth for the other positive clauses. The last dimension limits how often the attacker may use negations to enforce symmetry by swapping sides. The moves closely match productions in the grammar of Definition 2 and prices in Definition 5.

Definition 10

(Spectroscopy energy game). For a system \(\mathcal {S}=(\mathcal {P},\varSigma ,\mathrel {\smash {\xrightarrow {}}})\), the 6-dimensional spectroscopy energy game consists of

  • attacker positions ,

  • attacker clause positions ,

  • defender conjunction positions ,

where \(p, q \in \mathcal {P}\) and \(Q, Q_* \in \textbf{2}^{\mathcal {P}}\), and six kinds of moves:

figure ab
Fig. 7. Schematic spectroscopy game \(\mathcal {G}_\triangle \) of Definition 10.

The spectroscopy energy game is a bisimulation game in the tradition of Stirling [33].

Lemma 1

(Bisimulation game, proof see [5]).\(p_0\) and \(q_0\) are bisimilar iff the defender wins for every initial energy budget \(e_0\), i.e. if .

In other words, if there are initial budgets winning for the attacker, then the compared processes can be told apart. For \(\mathcal {G}_\triangle \), the attacker “unknown initial credit problem” in energy games [34] coincides with the “apartness problem” [20] for processes.

Fig. 8. Example 3 spectroscopy energy game, minimal attacker winning budgets, and distinguishing formulas/clauses. (In order to reduce visual load, only the first components of the updates are written next to the edges. The other components are 0.)

Example 3

Figure 8 shows the spectroscopy energy game starting at from Example 1. The lower part of each node displays the node’s \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }\). The magenta HML formulas illustrate distinctions relevant for the correctness argument of the following Subsect. 3.3. Section 4 will describe how to obtain attacker winning budgets and equivalences. The blue “symmetric” positions are definitely won by the defender—we omit the game graph below them. We also omit the move —it can be ignored as will be discussed in Subsect. 3.4.

3.3 Correctness: Tight Distinctions

We will check that winning budgets indeed characterize what equivalences hold by constructing price-minimal distinguishing formulas from attacker budgets.

Definition 11

(Strategy formulas). Given the set of winning budgets \(\textsf{Win}_{{\text {a}}}\), the set of attacker strategy formulas \(\textsf{Strat}\) for a position with given energy level e is defined inductively as follows:

  • if , , \(p \mathrel {\smash {\xrightarrow {b}}} p'\), \(Q \mathrel {\smash {\xrightarrow {b}}} Q'\), and ,

  • if , , and ,

  • if and for each \(q \in Q\),

  • if , and for each \(q \in Q\), and if , , and is an observation,

  • if , and is an observation, and

  • if , and is an observation.

Because of the game structure, we actually know the u needed in each line of the definition. It is \(u = (-1,0,0,0,0,0)\) in the first case; \((0,-1,0,0,0,0)\) in the second; \((0,0,0,\texttt{min}_{\{\!3,4\!\}},0,0)\) in the third; \((0,0,0,\texttt{min}_{\{\!3,4\!\}},0,0)\) and \((\texttt{min}_{\{\!1,3\!\}},0,0,0,0,0)\) in the fourth; \((\texttt{min}_{\{\!1,4\!\}},0,0,0,0,0)\) in the fifth; and \((\texttt{min}_{\{\!1,5\!\}},0,0,0,0,-1)\) in the last case. can contain negative clauses, which form no proper formulas on their own.

Lemma 2

(Price soundness). implies that \(\textsf{expr}(\varphi ) \le e\) and that .

Proof

By induction on the structure of \(\varphi \) with arbitrary pQe, exploiting the alignment of the definitions of winning budgets and formula prices. Full proof in [5].

Lemma 3

(Price completeness). implies there are elements in .

Proof

By induction on the tree of winning plays consistent with some attacker winning strategy implied by . Full proof in [5].

Lemma 4

(Distinction soundness). Every distinguishes p from every \(q \in Q\).

Proof

By induction on the structure of \(\varphi \) with arbitrary pQe, exploiting that \(\textsf{Strat}\) can only construct formulas with the invariant that they are true for p and false for each \(q \in Q\). Full proof in [5].

Lemma 5

(Distinction completeness). If \(\varphi \) distinguishes p from every \(q \in Q\), then .

Proof

By induction on the structure of \(\varphi \) with arbitrary pQ, exploiting the alignment of game structure and HML semantics and the fact that \(\textsf{expr}\) cannot “overtake” inverse updates. Full proof in [5].

Theorem 1

(Correctness). For any equivalence X with coordinate \(e_X\), \(p \preceq _{\textrm{X}} q\), precisely if all are above or incomparable, \(e_{pq} \not \le e_X\).

Proof

By contraposition, in both directions.

  • Assume \(p \not \preceq _{\textrm{ X }} q\). This means some \(\varphi \) with \(\textsf{expr}(\varphi ) \le e_X\) distinguishes p from q. By Lemma 5, . Then either \(\textsf{expr}(\varphi )\) or a lower price \(e_{pq} \le \textsf{expr}(\varphi )\) are minimal winning budgets, i.e. , and \(e_{pq} \le e_X\).

  • Assume there is with \(e_{pq} \le e_X\). By Lemma 3, there is . Due to Lemma 4, \(\varphi \) must be distinguishing for p and q, and due to Lemma 2, \(\textsf{expr}(\varphi ) \le e_{pq} \le e_X\).

The theorem basically means that by fixing an initial budget in \(\mathcal {G}_\triangle \), we can obtain a characteristic game for any notion from the spectrum.

3.4 Becoming More Clever by Looking One Step Ahead

The spectroscopy energy game \(\mathcal {G}_\triangle \) of Definition 10 may branch exponentially with respect to \(|\mathord {Q}|\) at conjunction challenges after . For the spectrum we are interested in, we can drastically limit the sensible attacker moves to four options by a little lookahead into the enabled actions \(\mathcal {I}(q)\) of \(q \in Q\) and \(\mathcal {I}(p)\).

Definition 12

(Clever spectroscopy game). The clever spectroscopy game, \(\mathcal {G}_\blacktriangle \), is defined exactly like the previous spectroscopy energy game of Definition 10 with the restriction of the conjunction challenges

figure bv

to situations where \(Q_*\! \in \! \{ \varnothing , \{ q \in Q \mid \mathcal {I}(q) \subseteq \mathcal {I}(p) \},\;\; \{ q \in Q \mid \mathcal {I}(p) \subseteq \mathcal {I}(q) \}, \{ q \in Q \mid \mathcal {I}(p) = \mathcal {I}(q) \} \}.\)

Theorem 2

(Correctness of cleverness). Assume modal depth of positive clauses \(e_4 \in \{0, 1, \infty \}\), \(e_4 \le e_3\), and that modal depth of negative clauses \(e_5 > 1\) implies \(e_3 = e_4\). Then, the attacker wins precisely if they win .

Proof

The implication from the clever spectroscopy game \(\mathcal {G}_\blacktriangle \) to the full spectroscopy game \(\mathcal {G}_\triangle \) is trivial as the attacker moves in are a subset of those in and the defender has the same moves in both games. For the other direction, we have to show that any move winning at energy level e can be simulated by a winning move . Full proof in [5].

4 Computing Equivalences

The previous section has shown that attacker winning budgets in the spectroscopy energy game characterize distinguishable processes and, dually, that the defender’s wins characterize equivalences. We now examine how to actually compute the winning budgets of both players.

4.1 Computation of Attacker Winning Budgets

The winning budgets of the attacker (Definition 9) are characterized inductively:

  • Where the defender is stuck, \(g \in G_{{\text {d}}}\) and , the attacker wins with any budget, \((0,0,0,0,0,0) \in \textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }(g)\).

  • Where the defender has moves, \(g \in G_{{\text {d}}}\) and (for some indexing \(i \in I\) over all possible moves), the attacker wins if they have a budget equal to or above all budgets that might be necessary after the defender’s move: If \(\textsf{upd}(e, u_i) \in \textsf{Win}_{{\text {a}}}(g'_i)\) for all \(i \in I\), then \(e \in \textsf{Win}_{{\text {a}}}(g)\).

  • Where the attacker moves, \(g \in G_{{\text {a}}}\) and , \(\textsf{upd}(e, u) \in \textsf{Win}_{{\text {a}}}(g')\) implies \(e \in \textsf{Win}_{{\text {a}}}(g)\).

By Proposition 3, it suffices to find the finite set of minimal winning budgets, \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }\). Turning this into a computation is not as straightforward as in other energy game models. Due to the \(\texttt{min}_D\)-updates, the energy update function \(\textsf{upd}(\cdot , u)\) is neither injective nor surjective.

We must choose an inversion function \(\textsf{upd}^{-1}\) that picks minimal solutions and that minimally “casts up” inputs that are outside the image of \(\textsf{upd}(\cdot , u)\), i.e., such that \(\textsf{upd}^{-1}(e', u) = \inf \{ e \mid e' \le \textsf{upd}(e, u) \}\). We compute it as follows:

Definition 13

(Inverse update). The inverse update function is defined as \(\textsf{upd}^{-1}(e', u) \mathrel {\mathrel {{:}{=}}} \sup (\{ e \} \cup \{ m(i) \mid \exists D .u_i = \texttt{min}_D \})\), where \(e_i = e'_i - u_i\) for all i with \(u_i \in \{0,-1\}\) and \(e_i = e'_i\) otherwise, and where, for each i with \(u_i = \texttt{min}_D\), the vector \(m(i)\) has \((m(i))_j = e'_i\) for \(j \in D\) and \((m(i))_j = 0\) for all other j.

Example 4

Let \(u \mathrel {{:}{=}}(\texttt{min}_{\{\!1,3\!\}},\texttt{min}_{\{\!1,2\!\}},-1,-1)\). \((3,4,0,1) \notin \textrm{img}(\textsf{upd}(\cdot , u))\), but:

$$\begin{aligned} \smash {\textsf{upd}^{-1}((3,4,0,1), u)}&= \sup \{ (3,4,1,2), (3,0,3,0), (4,4,0,0) \} = (4,4,3,2) \\ \smash {\textsf{upd}((4,4,3,2), u)}&= (3,4,2,1) \ge (3,4,0,1)\\ \smash {\textsf{upd}^{-1}((3,4,2,1), u)}&= \sup \{ (3,4,3,2), (3,0,3,0), (4,4,0,0) \} = (4,4,3,2) \end{aligned}$$
Algorithm 1. Computation of the minimal attacker winning budgets \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }\) of a declining energy game.

With \(\textsf{upd}^{-1}\!\), we only need to find the \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }\) relation as a least fixed point of the inductive description. This is done by Algorithm 1. Every time a new way of winning a position for the attacker is discovered, this position is added to the \(\textsf{todo}\). Initially, these are the positions where the defender is stuck. The update at an attacker position in Line 8 takes the inversely updated budgets (\(\textsf{upd}^{-1}\)) of successor positions to be tentative attacker winning budgets. At a defender position, the attacker only wins if they have winning budgets for all follow-up positions (Line 12). Any supremum of such budgets covering all follow-ups will be winning for the attacker (Line 13). At both updates, we only select the minima as a finite representation of the infinitely many attacker budgets.
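The following Python is an added example, not the paper's own implementation: it implements energy updates (Definition 6) with their legality check, the inverse update of Definition 13, and the least-fixed-point search for \(\textsf{Win}_{{\text {a}}}^{\scriptscriptstyle \min }\) described for Algorithm 1 above (todo list seeded with stuck defender positions, \(\textsf{upd}^{-1}\) at attacker positions, suprema over one choice per successor at defender positions, minima kept throughout). The `mn(...)` encoding of \(\texttt{min}_D\), the `Game` dictionary layout, and the two-dimensional game `GAME` at the bottom are our own constructions; the update `U_EX4` reproduces the numbers of Example 4.

```python
"""Declining energy games: updates (Definition 6), the inverse update of
Definition 13, and the least-fixed-point computation of minimal attacker
winning budgets described for Algorithm 1.  Added example, not the paper's
implementation; the two-dimensional game at the bottom is a constructed toy."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Energy = Tuple[int, ...]
# Update components are -1, 0, or ("min", D) with 1-based indices D as in the paper.
Component = Union[int, Tuple[str, FrozenSet[int]]]
Update = Tuple[Component, ...]


def mn(*idx: int) -> Component:
    """min_D update component, e.g. mn(1, 3) for min_{1,3}."""
    return ("min", frozenset(idx))


def legal(e: Energy, u: Update) -> bool:
    """Updates that would make any component negative are illegal."""
    return all(ek + uk >= 0 for ek, uk in zip(e, u) if isinstance(uk, int))


def upd(e: Energy, u: Update) -> Energy:
    if not legal(e, u):
        raise ValueError("illegal update %r on %r" % (u, e))
    return tuple(ek + uk if isinstance(uk, int) else min(e[d - 1] for d in uk[1])
                 for ek, uk in zip(e, u))


def sup(*es: Energy) -> Energy:
    return tuple(max(col) for col in zip(*es))


def upd_inv(e2: Energy, u: Update) -> Energy:
    """Definition 13: the least e with e2 <= upd(e, u); e2 itself need not lie
    in the image of upd(., u)."""
    base = tuple(ek - uk if isinstance(uk, int) else ek for ek, uk in zip(e2, u))
    mins = [tuple(e2[i] if j + 1 in ui[1] else 0 for j in range(len(u)))
            for i, ui in enumerate(u) if not isinstance(ui, int)]
    return sup(base, *mins)


def leq(e: Energy, f: Energy) -> bool:
    return all(a <= b for a, b in zip(e, f))


def minimal(budgets: Set[Energy]) -> Set[Energy]:
    """Min(S): the antichain of minimal elements."""
    return {e for e in budgets if not any(f != e and leq(f, e) for f in budgets)}


# position -> (owner "a"/"d", list of (successor, update))
Game = Dict[str, Tuple[str, List[Tuple[str, Update]]]]


def attacker_min_budgets(game: Game, dim: int) -> Dict[str, Set[Energy]]:
    """Least fixed point of the inductive characterisation of Win_a, kept as
    minimal budgets throughout (exact by the upward closure of Proposition 3)."""
    win: Dict[str, Set[Energy]] = {g: set() for g in game}
    preds: Dict[str, List[str]] = {g: [] for g in game}
    for g, (_, moves) in game.items():
        for g2, _ in moves:
            preds[g2].append(g)
    # Stuck defender positions are won by the attacker with the zero budget.
    todo = [g for g, (owner, moves) in game.items() if owner == "d" and not moves]
    for g in todo:
        win[g] = {(0,) * dim}
    while todo:
        g = todo.pop()
        for gp in preds[g]:
            owner, moves = game[gp]
            if owner == "a":
                # attacker picks one move: inverse-update the successor budgets
                cand = {upd_inv(e, u) for g2, u in moves for e in win[g2]}
            else:
                # defender picks any move: a budget must cover every successor,
                # so take suprema over one choice per successor (no candidate
                # while some successor has no attacker-winning budget yet)
                per_move = [[upd_inv(e, u) for e in win[g2]] for g2, u in moves]
                cand = {sup(*combo) for combo in product(*per_move)}
            new = minimal(win[gp] | cand)
            if new != win[gp]:
                win[gp] = new
                todo.append(gp)
    return win


U_EX4: Update = (mn(1, 3), mn(1, 2), -1, -1)          # the update of Example 4

GAME: Game = {                                        # constructed toy game
    "a0": ("a", [("d1", (-1, 0)), ("d2", (0, -1))]),
    "d1": ("d", [("a2", (-1, 0)), ("a3", (-1, 0))]),
    "a2": ("a", [("stuck", (0, -1))]),
    "a3": ("a", [("stuck", (-1, 0))]),
    "d2": ("d", [("a5", (0, 0))]),
    "a5": ("a", [("d7", (mn(1, 2), -1))]),
    "d7": ("d", [("a8", (0, 0))]),
    "a8": ("a", [("stuck", (-1, 0))]),
    "stuck": ("d", []),
    "a9": ("a", [("d9", (0, 0))]),                    # only an infinite play: defender wins
    "d9": ("d", [("a9", (0, 0))]),
}

if __name__ == "__main__":
    print(upd_inv((3, 4, 0, 1), U_EX4), upd((4, 4, 3, 2), U_EX4))
    for g, budgets in sorted(attacker_min_budgets(GAME, 2).items()):
        print(g, sorted(budgets))
```

In the toy game the attacker at `a0` has two incomparable minimal budgets, \((1,2)\) and \((3,1)\), one per route to the stuck position; the \(\texttt{min}_{\{1,2\}}\) update on the move out of `a5` is what forces both components to be at least 1 there, and the cycle `a9`/`d9` never enters the todo list, so both positions keep an empty attacker budget set.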

4.2 Complexity and How to Flatten It

For finite games, Algorithm 1 is sure to terminate in time exponential in the branching degree of the game graph and in the dimensionality.

Lemma 6

(Winning budget complexity, proof see [5]). For an N-dimensional declining energy game with of branching degree o, Algorithm 1 terminates in time, using \(\mathcal {O}(|\mathord {G}|^{N})\) space for the output.

Lemma 7

(Full spectroscopy complexity). Time complexity of computing winning budgets for the full spectroscopy energy game \(\mathcal {G}_\triangle \) is in \(2^{\mathcal {O}(|\mathord {\mathcal {P}}| \cdot 2^{|\mathord {\mathcal {P}}|})}\).

Proof

Out-degrees o in \(\mathcal {G}_\triangle \) can be bounded in \(\mathcal {O}(2^{|\mathord {\mathcal {P}}|})\), the whole game graph , and game positions \(|\mathord {G_\triangle }| \in \mathcal {O}(|\mathord {\mathcal {P}}| \cdot 3^{|\mathord {\mathcal {P}}|})\). Insert with \(N=6\) in Lemma 6. Full proof in [5].

We thus have established the approach to be double-exponential. The complexity of the previous spectroscopy algorithm [7] has not been calculated. One must presume it to be equal or higher as the game graph has Bell-numbered branching degree and as the algorithm computes formulas, which entails more options than the direct computation of energies. This is what lies behind the introduction’s observation that moderate nondeterminism already renders [7] unusable.

Our present energy game reformulation allows us to use two ingredients to do way better than double-exponentially when focussing on the common linear-time–branching-time spectrum:

First, Subsect. 3.4 has established that most of the partitionings in attacker conjunction moves can be disregarded by looking at the initial actions of processes.

Second, Fahrenberg et al. [15] have shown that considering just “capped” energies in a grid \(\textbf{En}_K = \{0,\ldots ,K\}^N\) can reduce complexity. Such a flattening of the lattice bounds the space of possible energies by the constant factor \((K+1)^N\) (with \((K+1)^{N-1}\)-sized antichains), independent of input size. For Algorithm 1, the space complexity needed for \(\mathsf {attacker\_win}\) drops to \(\mathcal {O}(|\mathord {G}|)\) and time complexity to . If we are only interested in finitely many notions of equivalence, as in the case of Fig. 3, we can always cap the energies at the maximal number that appears plus one. The last number then represents all numbers outside the bound up to infinity.
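As an added example (not code from the paper or its implementation at equiv.io), the following Python implements the least-fixed-point computation described for Algorithm 1 in Subsect. 4.1 together with the energy cap from this subsection. The functions upd and upd_inv are written to match the worked example of Subsect. 4.1 (update components are -1, 0 or min_D, with 0-based index sets); the game GAME, its position names, owner tags and the dim parameter are constructed here and are not one of the paper's games.

```python
from itertools import product
# An update component is -1 (decrement), 0 (keep) or a frozenset D meaning min_D (0-based).

def upd(e, u):  # apply update u to energy e, a tuple of naturals (no component may drop below 0)
    return tuple(e[i] - 1 if c == -1 else e[i] if c == 0 else min(e[j] for j in c)
                 for i, c in enumerate(u))

def sup(*es): return tuple(map(max, zip(*es)))

def minima(es):  # antichain of minimal elements: finite form of an upward-closed set
    es = set(es)
    return frozenset(e for e in es
                     if not any(f != e and all(a <= b for a, b in zip(f, e)) for f in es))

def upd_inv(e, u, cap=None):
    """Least e' with upd(e', u) >= e; cap=K truncates components to K ('K or more')."""
    base = tuple(e[i] + 1 if c == -1 else e[i] for i, c in enumerate(u))  # +1 on decrements
    mins = [tuple(e[k] if j in c else 0 for j in range(len(e)))            # e_k spread over D
            for k, c in enumerate(u) if isinstance(c, frozenset)]
    r = sup(base, *mins)
    return r if cap is None else tuple(min(x, cap) for x in r)

def attacker_wins(game, dim, cap=None):
    """Minimal attacker winning budgets of game {pos: ('a'|'d', [(succ, update), ...])}."""
    preds = {h: {g for g, (_, ms) in game.items() if any(s == h for s, _ in ms)} for h in game}
    # start where the defender is stuck: the attacker wins those positions with budget 0
    win = {g: frozenset({(0,) * dim}) if game[g] == ('d', []) else frozenset() for g in game}
    todo = [g for g in game if win[g]]
    while todo:
        g = todo.pop()
        for p in preds[g]:  # re-evaluate every predecessor of the changed position
            owner, moves = game[p]
            if owner == 'a':  # attacker wins p with any successor's inversely updated budget
                new = minima(win[p] | {upd_inv(e, u, cap) for h, u in moves for e in win[h]})
            else:  # defender: pick one budget per successor and take sups; empty if any is unwon
                opts = [[upd_inv(e, u, cap) for e in win[h]] for h, u in moves]
                new = minima(sup(*c) for c in product(*opts))
            if new != win[p]:  # budgets only grow: least fixed point
                win[p] = new
                todo.append(p)
    return win

U, Z = (frozenset({0, 2}), frozenset({0, 1}), -1, -1), (0, 0, 0, 0)  # U = worked example's update
GAME = {  # constructed toy declining energy game, not one of the paper's games
    'a0': ('a', [('d1', (-1, 0, 0, 0)), ('a1', (0, -1, 0, 0))]),
    'd1': ('d', [('a2', Z), ('a2', (0, 0, 0, -1))]),
    'a2': ('a', [('d_stuck', (0, 0, -1, 0)), ('d_stuck', (0, 0, 0, -1))]),
    'd_stuck': ('d', []),
    'a1': ('a', [('d_loop', U)]), 'd_loop': ('d', [('a1', Z)]),  # defender can loop forever
}
```

On GAME the attacker wins a0 with the antichain {(1,0,1,1), (1,0,0,2)} and never wins a1, where the defender can loop forever. Capping at 3 (the maximal appearing number plus one) reproduces the uncapped result, whereas cap=1 collapses the antichain at a0 to {(1,0,0,1)}.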

Lemma 8

(Clever spectroscopy complexity). Time complexity of computing winning budgets for the clever spectroscopy energy game \(\mathcal {G}_\blacktriangle \) with capped energies is in \(2^{\mathcal {O}(|\mathord {\mathcal {P}}|)}\).

Proof

Out-degrees o in \(\mathcal {G}_\blacktriangle \) can be bounded in \(\mathcal {O}(|\mathord {\mathcal {P}}|)\), the whole game graph , and game positions \(|\mathord {G_\blacktriangle }| \in \mathcal {O}(|\mathord {\mathcal {P}}| \cdot 2^{|\mathord {\mathcal {P}}|})\). Inserting these bounds into the flattened version of Lemma 6 yields the claimed bound.


Deciding trace equivalence in nondeterministic systems is PSPACE-hard and will thus take at least exponential time. Therefore, the exponential time of the “clever” spectroscopy algorithm restricted to a finite spectrum is about as good as it may get, asymptotically speaking.

4.3 Equivalences and Distinguishing Formulas from Budgets

For completeness, let us briefly flesh out how to actually obtain equivalence information from the minimal attacker winning budgets we compute.

Definition 14

For an antichain \( Mn \subseteq \textbf{En}\) characterizing an upper part of the energy space, the complement antichain \(\overline{ Mn } \mathrel {{:}{=}}\textrm{Min}\; ( \textbf{En}_\infty \cap (\{ (\sup E') - (1,\ldots ,1) \mid E' \subseteq Mn \} \cup \{ e(i) \in \textbf{En}_\infty \mid (e(i))_i = (\inf Mn )_i - 1 \wedge \forall j \ne i .(e(i))_j = \infty \}) )\) has the complement energy space as its downset.

characterizes all preordering formula languages and thus equivalences defined in terms of expressiveness prices for p and q. This might contain multiple, incomparable, notions from the spectrum. Taking both directions, , will thus characterize the finest intersection of equivalences to equate p and q.

If we just wonder which of the equivalences from the spectrum hold, we may establish this more directly by checking which of them are not dominated by attacker wins.

From the information, we can also easily build witness relations to certify that we return sound equivalence results. In particular, the pairs won with arbitrary attacker budgets, are a bisimulation. Similarly, the strategy formulas of Definition 9 can directly be computed to explain inequivalence.

If we use symbolic winning budgets capped as proposed at the end of Subsect. 4.2, the formula reconstruction will be harder and the might be below the maximal defender winning budgets if these exceed the bound. But this will not matter as long as we choose a cap beyond the natural numbers that characterize our spectrum.

5 Exploring Minimizations

Our algorithm can be used to analyze the equivalence structure of moderately-sized real-world transition systems. In this section, we take a brief look at its performance on the VLTS (“very large transition systems”) benchmark suite [18] and return to our initial Peterson example.

The energy spectroscopy algorithm has been added to the Linear-Time–Branching-Time Spectroscope of [7] and can be tried on transition systems at https://equiv.io/.

Table 1 reports the results of running the implementation of [7] and this paper’s implementation in variants using the spectroscopy energy game \(\mathcal {G}_\triangle \) and the clever spectroscopy energy game \(\mathcal {G}_\blacktriangle \). We tested on the VLTS examples of up to 25,000 states and the Peterson example (Fig. 1). The table lists the \(\mathcal {P}\)-sizes of the input transition systems and of their bisimilarity quotient system \(\mathcal {P}_{/\sim _{\textrm{B}}}\). The spectroscopies have been performed on the bisimilarity quotient systems by constructing the game graph underneath positions comparing all pairs of enabledness-equivalent states. The middle three groups of columns list the resource usage for the three implementations using: the [7]-spectroscopy, the energy game \(\mathcal {G}_\triangle \), and the clever game \(\mathcal {G}_\blacktriangle \). For each group, the first column reports traversed game size, and the second gives the time the spectroscopy took in seconds. Where the tests ran out of memory or took longer than five minutes (in the Java Virtual Machine with 8 GB heap space, at 4 GHz, single-threaded), the cells are left blank. The last three columns list the output sizes of state spaces reduced with respect to enabledness \(\sim _{\textrm{E}}\), traces \(\sim _{\textrm{T}}\), and simulation \(\sim _{\textrm{1S}}\)—as one would hope, all three algorithms returned the same results.

From the output, we learn that the VLTS examples, in a way, lack diversity: Bisimilarity \(\sim _{\textrm{B}}\) and trace equivalence \(\sim _{\textrm{T}}\) mostly coincide on the systems (third and penultimate column).

Concerning the algorithm itself, the experiments reveal that the computation time grows mostly linearly with the size of the game move graph. Our algorithm can deal with bigger examples than [7] (which fails at peterson, vasy_10_56 and cwi_1_2, and takes more than 500 s for vasy_8_24). Even where [7] has a smaller game graph (e.g. cwi_3_14), the exponential formula construction renders it slower. Also, the clever game graph indeed is much smaller than for examples with a lot of nondeterminism such as peterson.

Table 1. Sample systems, sizes, and benchmark results.

Of those terminating, the heavily nondeterministic cwi_1_2 is the most expensive example. As many coarse notions must record the nondeterministic options, this blowup is to be expected. If we compare to the best similarity algorithm by Ranzato and Tapparo [29], they report their algorithm SA to tackle cwi_1_2 single-handedly. Like our implementation, the prototype of SA [29] ran out of memory while determining similarity for vasy_18_73. This is in spite of SA theoretically having optimal complexity and similarity being less complex (cubic) than trace equivalence, which we need to cover. The benchmarks in [29] failed at vasy_10_56, and vasy_25_25, which might be due to 2010’s tighter memory requirements (they used 2 GB of RAM) or the degree to which bisimilarity and enabledness in the models is exploited.

6 Conclusion and Related Work

This paper has connected two strands of research in the field of system analysis: The strand of equivalence games on transition systems starting with Stirling’s bisimulation game [7, 12, 32, 33] and the strand of energy games for systems of bounded resources [2, 10, 11, 14, 15, 16, 27, 30, 34].

The connection rests on the insight that levels of equivalence correspond to resources available to an attacker who tries to tell two systems apart. This parallel is present in recent work within the security domain [25] just as much as in the first thoughts on observable nondeterminism by Hennessy and Milner [24].

The paper has not examined the precise relationship of the games of Sect. 3 to the whole zoo of VASS, energy, mean-payoff, monotonic [1], and counter games. The spectroscopy energy game deviates slightly from common multi-energy games due to \(\texttt{min}_D\)-updates and due to the attacker being energy-bound (instead of the defender). As the energies cannot be exhausted by defender moves, the game can also be interpreted as a VASS game [2, 10] where the attacker is stuck if they run out of energy. Our algorithm complexity matches that of general lower-bounded N-dimensional energy games [15]. Links between our declining energy games and other games from the literature might enable slight improvements of the algorithm. For instance, reachability in VASS games can turn polynomial [11].

In the strand of generalized game characterizations for equivalences [7, 12, 32], this paper extends applicability for real-world systems. The implementation performs on par with the most efficient similarity algorithm [29]. Given that among the hundreds of equivalence algorithms and tools most primarily address bisimilarity [19], a tool for coarser equivalences is a worthwhile addition. Although our previous algorithm [7] is able to solve the spectroscopy problem, its reliance on super-exponential partitions of the state space makes it ill-fit for transition systems with significant nondeterminism. In comparison, our new algorithm also needs one less layer of complexity because it determines equivalences without constructing distinguishing formulas.

These advances enable a spectroscopy of systems saturated by weak transitions. We can thus analyze weak equivalences such as in the example of Peterson’s mutex. For special weak equivalences without a strong counterpart such as branching bisimilarity [22], deeper changes to the modal logic are necessary [6].

The increased applicability has allowed us to exhaustively consider equivalences on the smaller systems of the widely-used VLTS suite [18]. The experiments reveal that the spectrum between trace equivalence and bisimilarity mostly collapses for the examined systems. It may often be reasonable to specify systems in such a way that the spectrum collapses. In a benchmark suite, however, a lack of semantic diversity can be problematic: For instance, otherwise sensible techniques like polynomial-time reductions [13] will not speed up language inclusion testing, and nuances of the weak equivalence spectrum [8] will falsely seem insignificant. One may also overlook errors and performance degradations that appear only for transition systems where equal traces do not imply equivalent branching behavior. We hope this blind spot does not affect the validity of any of the numerous studies relying on VLTS benchmarks.