UNITY and Büchi automata

UNITY is a model for concurrent specifications with a complete logic for proving progress properties of the form “P leads to Q”. UNITY is generalized to U-specifications by giving more freedom to specify the steps that are to be taken infinitely often. In particular, these steps can correspond to non-total relations. The generalization keeps the logic sound and complete. The paper exploits the generalization in two ways. Firstly, the logic remains sound when the specification is extended with hypotheses of the form “F leads to G”. As the paper shows, this can make the logic incomplete. The generalization is used to show that the logic remains complete, if the added hypotheses “F leads to G” satisfy “F unless G”. The main result extends the applicability and completeness of UNITY logic to proofs that a given concurrent program satisfies any given formula of LTL, linear temporal logic, without the next-operator which is omitted because it is sensitive to stuttering. For this purpose, the program, written as a UNITY program, is extended with a number of boolean variables. The proof method relies on implementing the LTL formula, i.e., restricting the specification in such a way that only those runs remain that satisfy the formula. This result is a variation of the classical construction of a Büchi automatonfor a given LTL formula that accepts precisely those runs that satisfy the formula.


Introduction
UNITY [CM88,Mis01] is a formalism to reason about never-terminating concurrent programs or distributed systems. Büchi automata are finite state machines to accept ω-regular languages, see e.g. [GPVW95] and references given there. Both kinds of systems are primarily transition systems. An execution of such a system is an infinite sequence of states in which every pair of subsequent states satisfies the next-state relation. For both kinds of systems, the semantics are given by the set of runs, where a run is defined to be an acceptable execution. The acceptance criterion will be discussed below.
The important part of UNITY is UNITY logic, a system for deriving assertions of the form P → Q, interpreted as "P leads to Q". UNITY logic is sound and complete for this interpretation. Soundness means that, if P → Q can be derived for a UNITY program, then, in all runs of it, every state where P holds and Q does not, is followed eventually by a state where Q holds. Completeness of UNITY logic means that, if, in all runs of some program, every state where P holds and Q does not, is followed eventually by a state where Q holds, P → Q is derivable in UNITY logic for this program.

Overview
Section 2 introduces the basic material: UNITY, U-specifications, UNITY logic, and the operational semantics. Section 3 treats the addition of leads-to hypotheses to the logic and the cases were the logic becomes incomplete or remains complete. Section 4 introduces linear temporal logic, the concept of implementation, and proves that the validity of an LTL formula on a U-specification can be proved by UNITY logic with an implementation of its negation. This section also contains the treatment of the Halting Problem. The construction of an implementation is done in Sect. 5. Conclusions are drawn in Sect. 6.

Mechanical verification
For the writer's confidence, almost everything in the paper has been mechanically verified with the proof assistant PVS. The dump file is available at [Hes20]. The verification was especially helpful because without intuitive understanding a handwritten formal proof is never completely convincing.

UNITY and U-specifications
This section contains a very brief introduction to UNITY programs in Sect. 2.1, followed by a more formal description of U-specifications and UNITY logic in Sect. 2.2. Some linear temporal logic is introduced in Sect. 2.3. Section 2.4 discusses stuttering. The operational semantics are described in Sect. 2.5. Recurring sets and B-specifications are investigated in Sect. 2.6.

UNITY programs
A UNITY program [CM88,Kna94] consists of state space X , given by a declaration of the available variables and their types, a predicate A that specifies the initial states, followed by an assignment section, which is a set W of commands R of the form Here B is the guard, the condition under which the assignment S is executed. If B is false, command R does nothing. Command R is identified with the relation that contains a pair (x , y) if and only if execution of R in state x can result in state y. The next-state relation of the program is N 1 X ∪ R∈W R, where 1 X {(x , x ) | x ∈ X }. Executing the program means a fair non-deterministic interleaving of the commands R ∈ W with optional skip steps of 1 X . The fairness condition is that every command R ∈ W is taken infinitely often. Note that each command R is total: if the present state x satisfies B , then S transforms x into the next state; otherwise the next state is x itself.
Example. Consider the UNITY program var k : int [] R 1 : k 17 → k : 4 [] R 2 : true → k : k + 1 If command R 1 is executed when k 17, nothing changes. It follows that the program has two kinds of runs. Those where k cycles infinitely often between 17 and 4, and those where k goes to infinity.
In the next section, non-total relations R ∈ W are allowed. If in the above program, R 1 is replaced by the non-total relation {(17, 4)}, the requirement that command R 1 be taken infinitely often implies that the executions where k goes to infinity are rejected. Then there are no runs that go beyond 17. ♣ Using the initial predicate A and the next-state relation N , the developer of a UNITY program proves a system invariant, say J . This is typically done before any progress of the system is considered, because mistakes in the invariant must be found as soon as possible, and because the progress assertions usually depend on it. Once a satisfactory system invariant has been found, the state space X can be replaced by J , i.e., by the set of the states that satisfy J . This has the effect that J need not be mentioned anymore but can be invoked whenever needed. This is a semantic way of postulating the substitution axiom of Chandy and Misra [CM88,Sect. 3.4].

U-specifications and UNITY logic
Generalizing UNITY programs, a U-specification is defined to be a triple (X , N , W), where N is a reflexive relation on X , and W is a countable set of relations on X . Relation N is called the step relation or next state relation. The set W is called the set of fairness relations. The g-unity specifications of [Hes13] are U-specifications with the additional requirement that R ⊆ N for all R ∈ W. This requirement is eliminated here, at the cost of occasionally replacing R by R ∩ N .
The generalization has several aspects. Non-trivial steps in N need not be subject to fairness (i.e. not in R∈W R), as in [CK97]. This is often necessary. For example, in the case of the dining philosophers, it is important that philosophers are allowed to remain thinking forever. Infinitely many fairness relations R are allowed, and they can be non-deterministic [GP89,Dij95]. The critical generalization is that the fairness relations need not be total [Hes13]. The U-specification is defined to be total iff the relation R ∩ N is total for all R ∈ W.
Let (X , N , W) be a U-specification. UNITY is unique in its logic for progress, which is called UNITY logic. This is a derivation system for the operator →, pronounced "leads to". If P and Q are predicates on the state, P → Q means that, if some run of the system has a state that satisfies P ∧ ¬ Q then it has a later state that satisfies Q. The validity of this interpretation is discussed in Sect. 2.5 below.
Recall that, for a relation R and a postcondition Q, the weakest precondition is Before defining →, one defines the relations co, unless, recurring, and ensures by where P ∈ recur.R ≡ ¬P ⊆ wp.R.P , P ensures Q ≡ P unless Q ∧ recurring (P ⇒Q) .
These notions are illustrated in the example below. Every predicate P satisfies P co P because N is reflexive. By definition, the total space X is recurring. Therefore, any inclusion P ⊆ Q implies that P ensures Q.
Remarks. Misra's book [Mis01] uses transient instead of recurring, where ¬P is transient iff P is recurring. Recurrence is preferred here because transience tends to introduce a confusing number of negations in the analysis.
If R is not total, P ∈ recur.R can hold while there is no pair (x , y) ∈ R with x ∈ P and y ∈ P . The "step" from ¬P to P is then called miraculous. In sequential programming, such steps were forbidden by Dijkstra's Law of the Excluded Miracle [Dij76]. Morris [Mor88] and other authors, however, have argued against this law, see [Hes92, Sect. 1.3] for this and further references. Miraculous steps cannot be expected from any implementation, but they are useful in the theory and do not endanger soundness. ♣ The leads-to operator → is defined [CM88,Mis01] as the least relation → on predicates P and Q that satisfies the progress rules Note that P ⊆ Q implies P → Q because of RuleP0. One says P ensures Q via R if P unless Q holds and R ∈ W and P ⇒Q ∈ recur(R ∩ N ).
As announced in Sect. 2.1, the step relation is N 1 X ∪ R 1 ∪ R 2 , where R 1 and R 2 are the binary relations corresponding to the guarded commands, labelled by R 1 , R 2 , respectively. The fairness relations are given by In order to prove that i and k grow arbitrarily large, one can proceed as follows. For arbitrary n, one proves that The definitions of ensures, unless, and co are used here. By RuleP0 and RuleP2, it follows that n ≤ i + k → n + 1 ≤ i + k . Using RuleP1 and induction, one then obtains n ≤ i + k → n + m ≤ i + k for all integer n and natural m. After an application of RuleP2, one gets true → n ≤ i + k . This means that i + k becomes arbitrary large. By similar arguments, one can prove that true → i ≤ k + 1, and that true → k ≤ i + 1. ♣

State sequences and properties
Unless stated otherwise, all sequences in a state space X are infinite sequences beginning at index 0. The set of these sequences is denoted X ω .
For a set U ⊆ X , the set of sequences that start in U is denoted [[ U ]]. For a relation R ⊆ X 2 , the set of the sequences that begin with an R step is denoted [[ R ]] 2 . One thus has For a sequence xs and a number k ∈ N, the k th suffix of xs is defined to be the sequence xs | k with (xs | k ) n xs k +n for all n ∈ N. For a subset ϕ ⊆ X ω , the sets Pϕ (always ϕ), and Qϕ (eventually ϕ) are defined by Writing ¬ ϕ for the complement of ϕ in X ω , it holds that Qϕ ¬ P¬ ϕ. Any subset ϕ of X ω is called a property on X . To distinguish the properties false and true from the predicates false and true, the properties are denoted by ⊥ and , respectively. The logical connectives ∨, ∧, ⇒ are used for properties, just as for predicates, with e.g. (ϕ⇒ψ) (¬ϕ ∨ ψ).

Stuttering, and good properties
A sequence ys is said to be a stuttering of a sequence xs iff xs can be obtained from ys by replacing some (possibly an infinite number of) finite nonempty constant subsequences of consecutive elements of ys with their first elements. For example, if a, b, c are different states, the infinite sequence (aabaaacc) ω is a stuttering of (abaac) ω .
According to Lamport's stutter principle (e.g., [Lam83,AL91]), the semantics of concurrent systems should be insensitive to stuttering. When discussing properties, one should therefore concentrate on good properties defined as follows.
A property ϕ ⊆ X ω is called good iff xs ∈ ϕ is equivalent to ys ∈ ϕ for every sequence xs and stuttering ys of xs. All properties constructed in this paper will be good. To avoid distracting proof obligations, however, the term "property" is not restricted to good properties.

Operational semantics
The operational semantics of the U-specifications of Sect. 2.2, and also of B-specifications (Sect. 2.6), Lspecifications (Sect. 3.1), and U*-specifications (Sect. 4.2) that will be introduced later, are all expressed by means of the following general semantical concept of specification.
A specification is a triple K (X , N , ϕ) where X is a set, the state space, N is a reflexive relation on X , and ϕ is property on X . For a specification K the set of runs is defined by run.K P[[ N ]] 2 ∩ ϕ. So, a run is a sequence xs with (xs i , xs i+1 ) ∈ N for all i ∈ N, that satisfies ϕ.
Remark. Abadi and Lamport [AL91] define a specification to be a tuple (X , N , A, ψ) where X is a set (the state space), N is a reflexive relation on X , A is a subset of X (of the initial states), and ψ is a good property. The set of behaviours of such an AL-specification is P[ An AL-specification induces the specification in our sense by taking ϕ [[ A ]] ∩ ψ. Conversely, if one ignores the requirement that ψ is good, a specification in our sense induces an AL-specification by taking A X and ψ ϕ. The only difference therefore is that goodness is ignored. For shortness, the word behaviour is replaced by run. ♣ A sequence xs with (xs i , xs i+1 ) ∈ N for all i ∈ N is called an execution. A nonempty finite sequence with the same property is called an incomplete execution. Specification K is said to be machine closed [AL91] iff every incomplete execution can be extended to a run. Note that an infinite execution need not be a run, because it need not satisfy ϕ.
Specification K is said to satisfy a property ψ, notation K | ψ, if and only if all its runs satisfy ψ. In other words, one has In [Hes13], the function LT is defined by LT.P .Q P ). One says that P leads-to Q if K | LT.P .Q.
The following lemma is a variant of the PSP rule of [Mis01]: Lemma 1 Let P , Q, A, B be predicates on X . Assume that P leads-to Q and that A : co : B . Then P ∧ B leads-to (Q ∨ ¬A) ∧ B .
Proof Let xs be a run with xs k ∈ P ∧ B . One has to prove that xs n ∈ (Q ∨ ¬A) ∧ B holds for some n ≥ k . Assume to the contrary that xs n ∈ ¬ ((Q ∨ ¬A) ∧ B ) for all n ≥ k . As ¬ ((Q ∨ ¬A) ∧ B ) ¬ B ∨ (A ∧ ¬ Q), one has xs n ∈ B ⇒ xs n ∈ A ∧ ¬ Q for all n ≥ k . It follows from the assumption A co B that xs n ∈ A implies xs n+1 ∈ B for all n. We have xs k ∈ B . By induction, it follows that xs n ∈ B for all n ≥ k , and hence that xs n ∈ ¬ Q for all n ≥ k . This contradicts the assumption P leads-to Q. ] + expresses that there are infinitely many indices n such that (xs n , xs n+1 ) ∈ R or (xs n , xs n ) ∈ R. This is called impartiality in [Hes13]. It is a variation of weak fairness. One can use a scheduler [Hes13,Sect. 4.1] to prove Proposition 2 Let A be a total U-specification. Then the associated specification σ.A is machine closed.
One can therefore argue that a U-specification is executable if and only if it is total.
The operational concept of leads-to of specification σ.A is lifted implicitly to the U-specification A. Then the operational interpretation of P → Q in Sect. 2 amounts to the assertion that P leads-to Q. Indeed, in [JKR89,Hes13], it is proved that Theorem 3 In every U-specification, P leads-to Q if and only if P → Q.
The assertion "if" is soundness of the logic, the "only if" is completeness.

Recurring sets
The expression for recur in Sect. 2.2 can be simplified. It is easy to verify that It follows that every set that contains a recurring set is recurring. Instead of imposing some relations to be impartial, one can choose to impose some predicates to be recurring. This is done in the concept of B-specification.
A B-specification is defined to be a triple K (X , N , V) where N is a a reflexive relation on X , and V is a countable set of sets. The associated specification is σ.
Remark. The B of B-specifications refers to Büchi. Indeed, the generalized Büchi automata of [GPVW95, Sect. 3] have the same acceptance condition, and are therefore B-specifications with an initialization and a finite state space. Ordinary Büchi automata, see e.g., [BK08,Hol04], are the special case where V consists of a single set. ♣ The following example shows that not every U-specification is equivalent to an B-specification: Example. Consider the U-specification K 0 of a ring of size n ≥ 3: where both commands R and L, to turn right or left, are treated impartially. Let cs be the execution in which command R is always executed and never L. This sequence satisfies PN , and PQ[[ P ]] for every nonempty set P , but it does not satisfy PQ[[ L ]] + , and it is not a run of K 0 . This proves that U-specification K 0 is not equivalent to any B-specification. Let K 1 be the B-specification (X , N , V) where N is as in K 0 , and V consists of the sets V that are recurring in K 0 . Then K 0 and K 1 have the same relation →, but K 1 has more runs that K 0 (e.g. cs). There exist properties ψ with K 0 | ψ and K 1 | ψ. Indeed, PQ[[ L ]] + is such a property. ♣

Adding leads-to hypotheses
Consider an assertion like Every run in which F leads to G, is such that P leads to Q, where F , G, P , and Q are predicates on the state. We do not write that F → G implies P → Q, because this would mean that, if F leads to G for every run of the system, then P leads to Q for every run of the system. A priori, implication (2) is stronger. Implication (2) is formalized by regarding F → G as a hypothesis that restricts the set of runs of the system. The aim then is to use this hypothesis to prove that P → Q holds for all (restricted) runs. One may want to add any number of such hypotheses. For example, in a threading system with mutual exclusion, one may want to investigate the hypothesis that every thread q in the entry protocol, will eventually be in the critical section, as formalized in The introduction of leads-to hypotheses is formalized by the concept of L-specifications in Sect. 3.1. In Sect. 3.2, it is shown that, in general, the resulting logic is incomplete. Section 3.3 shows that completeness is retained if the L-specification is very moderate. This result is generalized to moderate L-specifications in Sect. 3.4.

L-specifications
An L-specification extends a U-specification with a set of leads-to hypotheses L. It is defined to be a tuple is a U-specification and L is a countable set of pairs of predicates. The semantics is determined by the associated specification σ.K (X , N , ϕ) given by The first conjunct imposes impartiality of the members of W. The pairs (F , G) ∈ L are called leads-to hypotheses. The second conjunct restricts the runs to those that satisfy the leads-to hypotheses.
For an L-specification (X , N , W, L), the leads-to operator → is defined as the least relation on predicates P and Q that satisfies the rules RuleP0, RuleP1, RuleP2, as well as RuleP3 introduces the leads-to hypotheses of L. RuleP4 is justified by Lemma 1. It follows that the rules RuleP0, up to RuleP4 are sound in the sense that P → Q implies P leads-to Q for every pair of predicates P , Q.
In general, the rules are not complete as is shown in Sect. 3.2 below. In Sect. 3.4, it is proved that the rules are complete, if restricted to so-called moderate L-specifications.

Incompleteness with leads-to hypotheses
The following argument shows that, in general, the system of the UNITY rules RuleP0, . . . , RuleP4 is incomplete. Consider an L-specification with X as the only recurring set, and with four predicates P , Q, R, S , that satisfy ¬ P co ¬ P and the three leads-to hypotheses Every run that satisfies the first two hypotheses satisfies P co P , because ¬ P is stable and a state that satisfies P needs to toggle Q while remaining inside P . Therefore, the system satisfies P ∧ R leads-to P ∧ S . This consequence, however, is not derivable by means of the rules RuleP0, . . . , RuleP4.
In order to prove this, one considers a different model of the rules RuleP0, . . . , RuleP4 in which this consequence does not hold. This model consists of a state space X with a reflexive next state relation N . Relation unless is defined as in Sect. 2.2. The set X is the only recurring set. Therefore, P ensures Q is equivalent to P ⊆ Q. The relation → is defined by The rules RuleP0, RuleP1, RuleP2 hold trivially. An easy inductive argument shows that RuleP4 also holds. Now specialize to X {1, 2, 3}. Let N consist of the identity relation together with the three transitions 2 → 1, 1 → 2, and 2 → 3. Take P {1, 2}, Q R {2}, and S {3}. The safety property ¬ P co ¬ P holds because state 3 has no transitions to 1 or 2. The three hypotheses of (3) precisely correspond to the three transitions. Yet the consequence P ∧ R leads-to P ∧ S is false because P ∧ R {2} and P ∧ S is empty.

Very-moderate completeness
Let an L-specification (X , N , W, L) be called very-moderate if F X (i.e., the predicate true) for every pair (F , G) ∈ L.
Example. Consider the UNITY program with a single integer variable k , the assignment [] k : k + 1 , and the leads-to hypothesis true → k 7. This is a very-moderate L-specification.
Predicate A : 7 < k satisfies A co A. Therefore, RuleP4 implies A → false. On the other hand, by RuleP0, the incrementation of k gives k 7 → A. Finally, transitivity gives true → false. This means that the L-specification has no runs. Operationally, this is also obvious because in every run k goes beyond 7. It follows that the Lspecification is not machine-closed. Therefore, by Proposition 2, the L-specification is not equivalent to any total U-specification. ♣ A very-moderate L-specification K can be transformed into the U-specification in which the leads-to axioms X → G of K are replaced by making G recurring, i.e., by postulating that ρ.G Lemma 4 Let K be a very-moderate L-specification. Then the U-specification π.K has the same runs and the same relations → and leads-to as K . For both K and π.K , the relations → and leads-to are equal.
Proof First, K and π.K have the same runs because they have the same step relation N and LT.
It therefore remains to prove that ( → π.K ) ⊆ ( → K ). We first prove that As K and π.K have the same step relation N , they have the same unless relation. The antecedent of (4) therefore implies P unless K Q. It also implies that P ⇒Q ∈ recur.R for some R ∈ W . If R ∈ W, this implies that P ensures K Q and hence P → K Q.
The main case is therefore that R ρ.G for some pair (X , G) ∈ L. In this case, P ⇒Q ∈ recur.R is equivalent to P ∧ G ⊆ Q because of the definition of ρ.G. On the other hand, using RuleP4, the axiom X → K G, and P ∧ ¬Q co P ∨ Q because of P unless Q, one obtains This reduces to P ∨ Q → K (P ∧ G) ∨ Q. As P ∧ G ⊆ Q, this implies formula (4).
Relation → π.K is the least relation between predicates on the state space that satisfies RuleP0, RuleP1, RuleP2 using ensures π.K . As relation → K also satifies these rules, it follows that → π.K is contained in → K . P

Moderate completeness
An L-specification (X , N , W, L) is called moderate iff every pair (F , G) ∈ L satisfies F unless G. It follows that every very-moderate L-specification is moderate. It now remains to extend the result of the previous section from very-moderate L-specifications to moderate ones. The main idea is that any moderate leads-to formula F → G is equivalent to the very-moderate property X → ¬ F ∨ G. Something similar holds in the operational semantics. More precisely, in any L-specification K , it holds that The lefthand side equals F ∨ G, and is therefore implied by F . The righthand side reduces to G.
(c) Let xs ∈ LT.F .G. In order to prove xs ∈ LT.X .(¬ F ∨ G), assume xs n ∈ X for some index n. One has to prove that xs k ∈ ¬ F ∨ G for some k ≥ n. If xs n ∈ F , one can take k n. Otherwise, one uses xs ∈ LT.F .G to infer that xs k ∈ G for some k ≥ n.
(d) Let xs ∈ LT.X .(¬F ∨ G) ∧ run.K . In order to prove xs ∈ LT.F .G, let xs n ∈ F for some index n. One has to prove that xs k ∈ G for some k ≥ n. As F unless G holds and xs is a run of K , the sequence xs satisfies xs i ∈ F ⇒ xs i+1 ∈ F ∨ G for all indices i . It follows that either xs k ∈ G for some k ≥ n, or xs k ∈ F for all k ≥ n. Finally, use xs ∈ LT.X .(¬F ∨ G). P Given a moderate L-specification K (X , N , W, L), we construct the very-moderate L-specification ω.
The axioms X → ¬ F ∨ G of L-specification ω.K are derivable in K because of Lemma 5 (a). The axioms F → G of K are derivable in ω.K because of Lemma 5(b). It follows that L-specifications K and ω.K have the same relations ( → K ) ( → ω.K ).
One uses Lemma 5(c) and (d) to prove that the L-specifications K and ω.K have the same runs. This implies that leads-to K leads-to ω.K .

Lemma 6
Let K be a moderate L-specification. Then the L-specification ω.K has the same runs and the same relations → and leads-to as K .
As ω.K is very-moderate, Lemma 4 gives ( → ω.K ) (leads-to ω.K ). This proves moderate completeness: Theorem 7 For a moderate L-specification K , the relations → K and leads-to K are equal.

Validity and LTL formulas
As explained in the Introduction, validity of an LTL formula can be proved by means of an implementation of its negation. The proof of this result requires some heavy definitions, but then it is fairly simple. It is given in Sect.

4.2.
Roughly speaking, an implementation of a property ϕ on a U-specification A is a U-specification C with an initial predicate D such that every run of A that satisfies ϕ corresponds to a run of C that starts in D, and vice versa. The formal definition is given in Sect. 4.2.
The construction of implementations is postponed to Sect. 5. To give an impression how it is done, Sect. 4.3 describes an implementation of a property with three temporal operators. As a warning not to expect the impossible, this example is used to "solve" the Halting Problem in Sect. 4.4.
Section 4.5 defines linear temporal logic, LTL, with its operators for always, eventually, release, and until. LTL has two sides: a semantic side with LTL properties and a syntactic side with LTL formulas. The connection is that the formulas are interpreted as properties.

Action of functions
In this investigation, functional simulations are used, and not relational ones, because functions are simpler than relations, and are good enough for the purpose.
Let f be a function X → Y . This function transfers sequences in X ω to sequences in Y ω because a sequence xs in X is a function N → X , so that the composition f • ys : N → Y is a sequence in Y . The function transfers a predicate P on Y backwards to the predicate P • f on X . It also transfers relations and temporal properties backward. If R is a binary relation on Y , then f • R is the relation on X that contains the pairs (

U*-specifications
A U*-specification extends a U-specification with a temporal property ϕ. It is defined to be a tuple K (X , N , W, ϕ) such that (X , N , W) is a U-specification and ϕ is a property on X . The associated specification is If K is a specification of some kind, its constituents are denoted by X K , N K , W K , etc. In the remainder of this section, variables K and L range over arbitrary U*-specifications, and A, C , E range over U-specifications.
Given a U-specification A and a property ϕ on the state space X A of A, the U*-specification A * ϕ is defined by A  *  ϕ (X A , N A , W A , ϕ). Of course, every U*-specification K can be written K A * ϕ with a U-specification A in a unique way. The set of runs of A * ϕ is the conjunction run.A ∧ ϕ. It follows that A * ϕ | ψ is equivalent to A | (ϕ ⇒ψ). A U*-specification is called atomic iff ϕ is an atomic property, i.e., of the form [[ D ]] for some predicate D. The notation A * ϕ is convenient because the aim is to implement ϕ, i.e., to replace ϕ by an atomic property.
If f : X L → X K is a function between the state spaces of specifications L and K , it is convenient to speak of a function f : L → K by abuse of notation. A function f : L → K is defined to be a refinement function iff it satisfies ∀ ys ∈ run.L : f • ys ∈ run.K , and to be a corefinement function iff ∀ xs ∈ run.K : ∃ ys ∈ run.L : f • ys xs .
It is defined to be a birefinement function iff it is both a refinement and a corefinement function.
Remark. If f is a refinement mapping as defined by Abadi and Lamport [AL91], it is a refinement function. The converse implication does not hold.
The concept of birefinement function is not directly related to bisimulation between transition systems, because bisimulation works in branching temporal logic and compares computation trees, while birefinement functions work in linear temporal logic and compares runs. For every U-specification A and every LTL property ϕ, the U*-specification A * ϕ has an implementation. The proof of this fact is postponed to Theorem 21 in Sect. 5 below. At this point, we can show its relevance. It enables us to use UNITY logic to prove validity of ϕ, by means of the following result. Proof A | ϕ means that all runs of A satisfy ϕ. In other words, it means that A has no runs that satisfy ¬ϕ, or equivalently, that the U*-specification A * (¬ϕ) has no runs.  ((y, b 0 , b 1 , b 2 ), (y , b 0 , b 1 , b 2 y ∨ b 1 ∧ G.y )) .
Note that primes refer to the next state. The initial predicate D is The fairness set W E consists of the relations inherited from W C , augmented with ρ.(¬b 0 ) to make ¬b 0 recurring. This means that The reader is invited to try and prove that f : E * [[ D ]] → C * ϕ is birefinement function, i.e. maps runs of E * [[ D ]] to runs of C * ϕ and that every run of C * ϕ is obtained in this way.

Solving the halting problem!?
Let A (X , N , W) be a total U-specification. Let P be a stable predicate on the state space X . One can regard reaching P as termination. In other words, the Halting Problem is a special case of the problem to decide whether predicate P is reached or not.
To solve this problem, specification A is extended with a Boolean variable m to a total U-specification C . The Boolean m is a message that P will never be reached. The predicate m is made stable in C and, when it is false, it can become true non-deterministically. This is formalized in the step relation N 1 given by (m, m ) ∈ N 1 ≡ (m⇒m ). The full U-specification becomes C (Y , N , W) where Y X × B and ((x , m), (x , m )) ∈ N ≡ (x , x ) ∈ N ∧ (m, m ) ∈ N 1 , while the fairness set W is inherited from W. The first component of a run of C is just a run of A.
The idea that m determines non-termination is expressed in the LTL formula A run of C satisfies ϕ if and only if it always reaches a state where P ∨ m holds, and if m ever holds, then henceforth P is false. In other words, any run in ϕ halts after finitely many steps or sends a message m indicating that it will never halt. This property ϕ is a case of the LTL formula of Sect. 4.3 with H (P ∨ m), F ¬m, and G ¬P . One can therefore use its implementation f : E * [[ D ]] → C * ϕ. It is easy to verify that, for every x ∈ X , there exists z ∈ D with f . z (x , false).
The runs of E that start in D induce runs of C that satisfy ϕ, and all runs of C that satisfy ϕ are represented in this way. Assume that every state in D is the starting point of a run of E . Then, if one wants to know whether a computation of A with initial state x ∈ X terminates, one can submit it to the U*-specification E * [[ D ]]. Choose y ∈ D with f .y (x , false), extend y to a run of E , execute this run until P ∨ m holds. If P , the computation of A has terminated. If m, it will never terminate. This shows that U*-specification E * [[ D ]] solves the Halting Problem for A.
If A is undecidable, this is a contradiction. Therefore, the initial state y ∈ D that was used cannot be extended to a run of E . This implies that E is not machine closed. By Proposition 2, it follows that U-specification E is not total. As U-specification C is total, it follows that the nontotality was introduced by the construction of the implementation. Indeed, the constructions of Sect. 5.6 often give nontotal impartiality relations.

Linear temporal logic, LTL properties and formulas
Linear temporal logic, LTL, is defined as follows. The unary temporal operators Q and P are special cases of the binary operators U (until) and R (release) given by

Indeed, Qϕ
U ϕ and Pϕ ⊥ R ϕ. The operators U and R are dual in the sense that ϕ R ψ ¬(¬ϕ U ¬ψ). If ϕ and ψ are good properties, then ϕ U ψ and ϕ R ψ are good.
The set of LTL properties on a set X is defined inductively as the least set of properties on X such that for every pair ϕ, ψ ∈ . Remark. Traditionally (e.g. [MP83]), LTL has a next operator X, such that Xϕ means that ϕ holds after one step. As X is sensitive to stuttering, and insensitivity to stuttering is an essential feature of UNITY, this operator is not treated here. ♣ The LTL properties are tied to the state space X via the atomic properties. LTL formulas are introduced to abstract from the state space. They are obtained by replacing the atomic properties by symbols (i ) with i ∈ N. The set of LTL formulas is thus defined syntactically as the least set of formulas such that for every pair α, β ∈ .
To interpret an LTL formula α, a state space is needed where the symbols (i ) represent boolean variables and the symbols ∧, ∨, U, R have meaning as logical and temporal operators. The state space used here is the set of sets of natural numbers Z P(N). For any set (state space) X and any function f : X → Z , the interpretation of α on X via f is defined recursively as the property on X given by for all i , β, γ , and all operator symbols ⊕ ∈ {∧, ∨, R, U}. The index f is omitted if f is the identity function Z → Z .

Lemma 9 (a) For every LTL formula α and every function
(b) For every LTL property ϕ on X , there is an LTL formula α and a function f : Proof (a) This is straightforward by induction on the structure of α.
(b) One first proves that every LTL property ϕ has a finite expression by means of the atomic building blocks and the operators ∧, ∨, R, and U.

Constructing an implementation of an LTL property
As announced in Sect. 4.2, for every LTL property on a U-specification A, the U*-specification A * ϕ has an implementation. The present section is devoted to the proof of this and its contruction. This section contains more manipulation of subsets and boolean functions than elsewhere. Subsets are identified with boolean functions, and we write P .x or P (x ) or x ∈ P , all with the same meaning, for predicate (subset) P and state x .
For the construction, it is useful to regard the set Z P(N) of Sect. 4.5 as the state space of a trivial Uspecification A 0 (Z , Z 2 , ∅). The step relation of A 0 is Z 2 , which means that every step is possible. There are no fairness requirements. Therefore, every state sequence is a run of A 0 .
Consider a U*-specification A * ϕ where ϕ is an LTL-property on the state space X of A. The starting point of the construction is Lemma 9(b) that yields an LTL formula α and a function f : The subsequent construction of an implementation of A * ϕ is split into two parts: Part 1 is the difficult part, treated in the Subsects. 5.1 up to 5.7. Part 2 is treated in Sect. 5.8.

The construction of an automaton for an LTL formula
For every LTL formula there exists a Büchi automaton that accepts precisely those runs that satisfy it, as was shown in the mid eighties [Hol04,p. 141]. As observed in Sect. 2.6, a generalized Büchi automaton is the same as an initialized B-specification on a finite state space. For the construction of such an automaton, one can refer to Gerth et al. [GPVW95]. This construction has been verified mechanically in Isabelle/HOL by Schimpf et al. [SMS09]. To apply this construction in Theorem 8, however, one would have to translate this automaton into a U-specification.
Therefore, in this section a construction is proposed that serves the purpose. The construction gives a Bspecification, because this is simpler than a U-specification and is easily translated into a U-specification, see Sect. 2.6. The construction has a complete proof that has been mechanically verified in PVS.
The construction was conceived completely independent of the classical construction, indeed not at all thinking of automata. The design of the construction is focussed on the proof, not on the size of the resulting automaton. The recursive scheme of the construction differs completely from the one used by Gerth et al. [GPVW95]. It is therefore unlikely that knowledge of this classical construction would help to understand the present one.
For easy translation between the B-specification for an LTL formula and the B-specifications for its subformulas, all B-specifications in this section are constructed in a single state space, where countably many fresh boolean variables are available. For lack of better names, the kinds of specifications constructed in this state space are called skeletons, automata, houses, and star-houses.
The state space and the skeletons and automata in it are introduced in Sect. 5.2. Section 5.3 gives the recursive construction of the automaton for any LTL formula. The correctness proof of the construction begins with syntactic matters in Sect. 5.4, followed by semantic matters in Sect. 5.5. In Sect. 5.6, the specific constructions for release (R) and until (U) are treated. Section 5.7 concludes the correctness proof for the automaton construction.

Skeletons and automata
As explained in Sect. 4.5, LTL formulas are interpreted in the state space Z P(N), that is spanned by the propositional variables. Another sequence of boolean variables are added to make space for the B-specifications to be constructed. The state space used is thus the Cartesian product W P(N) × P(N). The elements of W are written as pairs (y, z ). The auxiliary variables B n and the propositional variables Q n are the boolean functions on W given by B n (y, z ) (n ∈ y) and Q n (y, z ) (n ∈ z ) for (y, z ) ∈ W , respectively. The natural projections on the first and second component are denoted p 1 : W → P(N) and p 2 : W → Z .
The first step in the construction of automata is formed by the skeletons, which are defined as follows. A skeleton is a tuple H (N , V, F ) where N is a reflexive relation on the state space W , and V is a finite set of predicates on W , and F is a finite set of natural numbers. Relation N is called the step relation, V is called the set of fairness sets, and F is called the frame. This frame will be used later to indicate which auxiliary variables are used.
H 3 H 4 m p q q + 1 A picture has been drawn to suggest the structure of the construction, and the reason for the nomenclature.
Remark. As P and Q are represented via Pϕ ⊥ R ϕ and Qϕ U ϕ, one may introduce the convention P 0 ∅, P 1 X . The symbols (0) and (1) then get the reserved meanings ⊥ and , and the base case of Auto is redefined as Auto((i ), m) (Triv, Q i , m) with Q i (i 0? ∅ : i 1? W : Q i ). ♣

Houses
The proof of correctness of the construction has two main aspects: the syntactic question of non-interference of the constructions for subformulas, and the semantic task of implementing a property. First non-interference. The frames of the skeletons are used to ensure that the constructions for the subformulas do not interfere.
For any finite set F ⊆ N, the subset j .F of W is defined by Note that in j .∅ the auxiliary variables are all false, but the propositional variables are still available. The natural projection function π F : W → W is defined by π F (y, z ) (y ∩F , z ). Note that π F •π G π F ∩G for subsets F and G of N.
]. In words, runs are required to remain in the subset j .F and to visit every V ∈ V infinitely often. It is convenient to note that ϕ 1 (ys) ≡ (ys π F • ys). For simplicity of notation, we define Proof Let xs ∈ run.H and k ∈ N. One needs to prove (xs | k ) ∈ ϕ. This holds, because (xs | k ) ∈ run.H in the absence of initialization. P A predicate P on W is defined to live on F , notation P ¡ F , iff P P • π F . In the same way, a binary relation R is said to live on F , notation R ¡ F , iff R π • F R, and a property ϕ is said to live on F , notation ϕ ¡ F , iff ϕ π • F ϕ (see Sect. 4.1). A skeleton (N , V, F ) is called a house iff all its components live on F , i.e., iff it satisfies An automaton (H , D) is called proper iff H is a house and D ¡ F for the frame F of H . The trivial skeleton Triv is a house. It is straightforward to verify the following result. Especially important is the join of houses with disjoint frames. Indeed, the next result shows that it is a kind of Cartesian product. Proof One first verifies that, if u ∈ j .F and v ∈ j .G have p 2 .u p 2 .v , there is a unique element w ∈ j (F ∪ G) with π F .w u and π G .w v . It follows that there is a unique sequence ws of states in j (F ∪ G) with π F • ws us and π G • ws vs. This is a run of H H because of Lemma 11. P The extension relation for skeletons is extended to star-houses in the following way. Star-house H * ϕ is defined to be extended by H * ψ, notation H * ϕ H * ψ iff

Star-houses
where F is the frame of house H , and where, as usual, ϕ⇒ψ is defined as ¬ϕ ∨ ψ. In condition (c), the operator P is needed, because it is needed in Formula (6) below. The relevance of relation is shown in the following result.
Lemma 13 (a) Assume that H * ϕ H * ψ and that F is the frame of H . Then function π F is a birefinement σ (H * ψ) → σ (H * ϕ). (b) Relation between star-houses is reflexive and transitive.
Proof (a) The proof is straightforward, but rather tedious.
(b) Reflexivity is easy. Transitivity is obvious for condition (a), and easy for (b). Condition (c) is proved as follows. Assume Let F and G be the frames of H 1 and H 2 , respectively. Let xs be a run of H 1 . By the first extension, H 2 has a run ys such that π F • ys π F • xs and ys ∈ P(¬ϕ ∨ ψ). The second extension implies that H has a run zs such that π G • zs π G • ys and zs ∈ P(¬ψ ∨ χ ). As F ⊆ G, it holds that π F • zs π F • ys π F • xs. It therefore suffices to prove that zs ∈ P(¬ϕ ∨ χ ).
A binary temporal operator ⊕ is defined to preserve frames iff, for every finite set F and all properties ϕ and ψ, it holds that The binary temporal operators ∧, ∨, U, R are all monotonic and preserve frames. This is used via the following result.
The proof of this result uses primarily Lemma 12. At a critical point, it needs Lemma 10. It is mainly a cumbersome verification.

Proofs for the constructions for release and until
This section contains and proves the results for the functions Release and Until, defined in Sect. 5.3. In either case, it concerns the automaton for the property obtained when the operator R or U is applied to atomic properties. As the predicates P and Q live on F , the property ϕ also lives on F . Therefore (H , ϕ) By induction, it follows that This proves that ys ∈ ϕ.
For part (c), consider a run xs of H . A run ys of H is constructed from xs by modifying the bits of the auxiliary variable B m . Let ys be the infinite sequence of states within j .(F ∪{m}) with π F •ys xs and B m (ys n ) ϕ(xs | n) for all n ∈ N. It is straightforward to prove that ys is an execution of H . As xs is a run of H , it follows that ys is a run of H . By construction it satisfies ys ∈ P(¬ϕ ∨   As ys ∈ PQ[[ ¬B m ]] (see Sect. 2.6), there is an index n with ¬B m (ys n ). It follows that ys k ∈ Q for some index k . Taking the smallest index k , one gets ys ∈ ϕ.
Conversely, let xs be a run of H . The corresponding run ys of H is constructed with π F • ys xs with B m (ys n ) ¬Q(xs n ) ∧ ϕ(xs | n) for all n ∈ N. One then verifies that ys is a run of H that satisfies ys ∈ P(¬ϕ ∨ Proof The proof is by induction over the structure of α. If α is a leaf, the assertion is trivial. Therefore, assume that α β ⊕ γ for one of the binary temporal operators ⊕.

Implementing a U*-specification
The first thing to be done is to translate the automaton constructed in the Theorem into a U-specification. Recall that A 0 is the trivial U-specification with state space Z P(N), which was introduced in the beginning of this section.

Corollary 18
Let α be an LTL formula with weight w .α r . Then there is a U-specification C with state space X B r × Z , and a predicate D on X , such that p 2 : ] is an implementation, where p 2 is the projection on the second component.
Proof Let (H , D , r ) Auto(α, 0). Then the frame of H is I (0, r ). By Lemma 13(a), the function π ∅ is a birefine- ]. The automaton (H , D ) is translated in a U-specification C on the state space X by means of the injection f : In general, the definition is as follows. If X 0 , X 1 , and X 2 are sets with functions f i : X i → X 0 , the fiber product of X 1 and X 2 over f 1 and f 2 is defined as the set X {(x 1 , x 2 ) ∈ X 1 × X 2 | f 1 .x 1 f 2 .x 2 }.
Let C i (X i , N i , W i ), with i 1, 2, be U-specifications on X 1 and X 2 , respectively. The fiber product of C 1 and C 2 over f 1 and f 2 is defined as the U-specification E (X , N , W) on the fiber product X given by N {(y, z ) ∈ X 2 | (y 1 , z 1 ) ∈ N 1 ∧ (y 2 , z 2 ) ∈ N 2 } , 1, 2 are the canonical projection functions. Note that f 1 • p 1 f 2 • p 2 holds by construction. One can say that the conjoined state space X is the consistent part of the Cartesian product of the component spaces, that the steps are done in parallel in both components, and that the fairness of the components is retained. It is easy to prove: Lemma 19 (a) The functions p i : E → C i (i 1 or 2) are refinement functions.
Let xs be a run of A * ϕ. As A 0 is the trivial U-specification, f •xs is a run of A 0 . Remark. In the construction of Corollary 18, the state space X 2 of C is a Cartesian product X 2 Y × Z and g : X 2 → Z is the projection onto the second factor. Therefore, the state space of the fiber product is in a natural way isomorphic to the Cartesian product X × Y , viz. via the projection λ x , (y, z ) : (x , y). In this way, the component Z is eliminated. It follows that one can give the U-specifcation E of the theorem the state space X × B r where r is the number of operators R and U that occur in ϕ. This has been done in the example in Sect. 4.3. ♣

Conclusions
It is striking how much smoother the UNITY theory becomes by postponing or omitting the initialization. Of course, in almost all applications, one begins with the determination of the inductive invariants, which requires the initialization as a starting point. UNITY is a powerful and flexible formalism, especially if one allows the fairness relations to be nontotal. In the completeness proof for L-specifications, the nontotal fairness relations only play an auxiliary role. They are, however, essential for the construction of implementations of LTL formulas.
The algorithm to construct a Büchi automaton for an LTL formula in Sect. 5.3 is shorter and clearer than Figure 1 of Gerth et al. [GPVW95], but it can make the state space bigger than necessary. The state space has a clear relationship with the LTL formula: there is precisely one boolean variable for each temporal operator. The termination of our algorithm is obvious, whereas Schimpf et al. [SMS09] need a page to discuss the proof of termination of the algorithm of Gerth et al.
The construction of an implementation of an LTL property in Sect. 5 uses auxiliary variables. This may remind the reader of the Completeness Theorem of Abadi and Lamport [AL91], which asserts that, under certain conditions, every simulation between specifications can be factored over an extension with history variables and prophecy variables followed by a refinement mapping. The three kinds of variables and their roles in the constructions, however, are totally different.
Points for future research. In view of the example in Sect. 2.6, the difference between U-specifications and B-specifications deserves further investigation. For Sect. 4, a useful application of Theorem 8 would be very illuminating. When such applications are found, it will be useful to investigate LTL formulas that have implementations simpler than the ones constructed in Theorem 21. It should be possible to extend LTL and the results of Sects. 4 and 5 with the infinitary operators for conjunction and disjunction and . It seems that, even after this extension, the set of formulas that can be subjected to Theorem 8 is not yet exhausted, but natural candidates are lacking.
Chandy, Dijkstra, and Sanders [CS95,DS97] extend UNITY logic with predicate transformers for 'to-stable' and 'to-always'. While 'to-always' has a natural interpretation in LTL, 'to-stable' seems to require a more expressive form of temporal logic, e.g., as CTL. Once the operational semantics has been clarified, it should not be too difficult to prove soundness of these predicate transformers. Their names are only justified, however, if their completeness can be proved.
Would it be possible to implement parts of branching temporal logic (e.g. CTL) in UNITY? This is related to the search for methods or rules to prove that a temporal property is invalid. Of course, a model checker may produce a counterexample, but should we be content with this?