Off-the-shelf automated analysis of liveness properties for just paths

We enrich the operational semantics of a simple process calculus with ACP-style communication with a concurrency relation, so that for every process expression there exists an associated notion of just path. We then present sufficient conditions on the communication function and the syntax of process expressions that facilitate the formulation of justness on the level of labels rather than on individual transitions, taking a designated set of signals into account. This paves the way for the formulation of liveness properties under justness assumptions in the modal μ\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mu $$\end{document}-calculus and their verification on process specifications with the mCRL2 toolset.


Introduction
In recent work, van Glabbeek and coauthors suggest that the liveness property for Peterson's mutual exclusion algorithm [17], stating that any process that wants to enter the critical section will eventually enter it, cannot be analysed in CCS and related formalisms [4,7]. This article is the result of our attempt to understand the formal underpinning of this suggestion and its ramifications. In particular, we address the question whether it also implies that the liveness property for Peterson's algorithm cannot be convincingly established by means of a verification with the mCRL2 toolset [2], which has a process-algebra based specification formalism. Before we discuss our contributions, we briefly recap the arguments presented in [4].

Recap of the arguments in [4]
The authors of [4] note that every process-algebraic specification of a distributed algorithm or system includes unrealistic finite or infinite computations in which some component never makes progress. Since such unrealistic computations typically violate liveness properties, their mere existence is in the way of a proof that all realistic computations do satisfy these properties. Unrealistic computations are then often excluded from consideration by imposing B Bas Luttik s.p.luttik@tue.nl 1 Technische Universiteit Eindhoven, Eindhoven, Netherlands additional assumptions such as progress and fairness (see [8] for a comprehensive overview of such assumptions).
For the analysis of implementations of so-called fair schedulers-of which Peterson's algorithm is an example-one should, however, take care that the fairness assumptions are not too strong, since fair schedulers are, themselves, intended to realise fairness in a system. Van Glabbeek and Höfner [7] have proposed justness as a criterion that is just strong enough to exclude unrealistic computation of fair schedulers, but not too strong: Once a transition is enabled that stems from a set of parallel components, one (or more) of these components eventually partake in a transition. [8] It turns out, however, that the proposed notion of justness, when formalised in the context of CCS, still does not exclude certain unrealistic (or at least: unintended) computations of Peterson's algorithm, and some of these computations have liveness violations. The culprit is that in a process-algebraic specification shared variables are components (processes) themselves, and hence reading the value of a shared variable is modelled as an interaction of the component that reads and the component that models the variable. Hence, an infinite computation in which one component continuously wants to assign a new value to the variable, but never actually does, can, nevertheless, be just because another component time and again reads the value of the variable. Yet, in the context of Peterson's algorithm, reading the value of a variable should not be considered to really affect the component corresponding to that variable.
To counteract this problem, it is proposed in [4] to extend the syntax and semantics of CCS with a so-called signal emission operator, providing an alternative mechanism to communicate information about the state of a component (e.g., a variable) to other components. Although adding this operator does not increase the absolute expressiveness of the calculus, it does facilitate a refined definition of justness. In this refined definition, the reading of a signal is given special treatment by which computations such as the one described above are not considered just, and thus excluded from consideration. Assuming the refined definition of justness, it is proved in [4] that the specification of Peterson's algorithm in CCS extended with the signal emission operator satisfies the liveness property.

Our contributions
The signal emission operator is a non-standard process-algebraic construction. It is not part of the specification formalism of mCRL2, nor, to the best of our knowledge, of the specification formalism of any other process-algebra based automated verification tool. The question arises whether the addition of such an operator is essential. If so, a non-trivial overhaul of established verification tools is called for. Our first contribution is to show that it is not, if one is willing to pay a small price: there is no general formal definition of justness for the entire calculus; the formal definition must be tuned to the process expression under consideration. When aiming for an automated verification, this is indeed a negligible price, since one is just interested in the process expression that models the system under verification.
Semantically, the signal emission operator simply adds a self-loop labelled with a signal to the state representing the process expression to which it is applied. A signal is just a special type of label, so the self-loop can easily be specified by other means (e.g., using recursion) if a particular subset of the set of labels is designated as signals. Because the choice of an appropriate set of signals depends on how those labels are used in the process expression at hand, the formal definition of justness needs to be specific for a particular process expression.
In the absence of tools supporting the verification under justness of specifications such as Peterson's algorithm, establishing that a specification meets a property remains a manual activity. This is problematic, as the complexity of a typical specification easily leads to cases being missed in the analysis. Therefore, to conduct a convincing automated verification of a property of an algorithm, we not only need to specify the algorithm in a process-algebra based formalism; we also need to formulate the property in a suitable modal logic. Moreover, in the verification of the property, justness has to be taken into account. It is unclear, however, whether this can be achieved without changing the verification algorithms that are used to evaluate the validity of a modal-logic formula with respect to the labelled transition system associated with the process expression. A complication is, for instance, that the definition of justness refers to a notion of component, which naturally exists at the level of the syntactic representation of the system (i.e., the process expression), but not at the labelled transitionsystem level.
Our second contribution is derived from the observation that with the ACP-style communication mechanism [1] of mCRL2, which is more general than the communication mechanism of CCS, Peterson's algorithm can be specified in such a way that justness can be defined referring to labels rather than to components. The idea is to achieve a partitioning of the set of labels that reflects the component structure of the process expression. It is then possible to reformulate justness referring to labels, rather than to components. We generalise the observation regarding Peterson's algorithm and formulate general syntactic conditions that ensure that such a partitioning is possible.
Our third contribution is a template modal μ-calculus formula that expresses a typical liveness property, asserting that on all just paths, an action, say a, is eventually followed by another, say b. This template formula can easily be instantiated by a user wishing to carry out a liveness verification of an algorithm, and only requires information concerning which actions are designated as signals. As a result, standard, off-the-shelf tooling such as mCRL2 can be used to automatically verify liveness properties of algorithms such as Peterson's. In case such verifications fail, evidence [3,18] can be provided, helping the user to pinpoint the root cause. This paper is organised as follows. In Sect. 2, following [9], we take the notion of labelled transition system with concurrency (LTSC) as technical starting point, and present a definition of justness for it. In Sect. 3 we present a process calculus that is very similar to CCS, except that it has the more general ACP-style communication mechanism. Inspired by the LTSCsemantics that van Glabbeek gives for CCS and its extension with signals in [9], we propose an LTSC-semantics for the process calculus. Then, in Sect. 4 we recapitulate in more detail the argument presented in [4] that Peterson's algorithm cannot be rendered in the process calculus in such a way that all unrealistic paths are excluded by assuming justness. In Sect. 5 we then include a semantic treatment of special labels that take the role of signals. In Sect. 6, we define when an LTSC admits a label-based treatment of justness, proposing a subclass of LTSCs that have a concurrency-consistent labelling. In Sect. 7, we present sufficient conditions on process expressions ensuring that the associated LTSC has a concurrency-consistent labelling. Process expressions satisfying these syntactic conditions are amenable to verifications that take justness into account. In Sect. 8 we formalise a general liveness property under justness assumptions for an LTSC that has a concurrency-consistent labelling. In Sect. 9 we comment on the actual verification of the liveness property for Peterson's algorithm with the mCRL2 toolset. In Sect. 10 we present some conclusions.

Justness
We recap the definition of labelled transition system with concurrency and the associated notion of just path from [9].
We presuppose disjoint sets A and S of actions and signals, respectively, and let L = A ∪ S; elements of L are generally referred to as labels. A labelled transition system (LTS) is a tuple (St, Tr, src, target, ) with St and Tr sets of states and transitions, respectively, src, target : Tr → St and : Tr → L.
We call a transition t ∈ Tr a signal transition if its label is a signal and it does not change state, i.e., if (t) ∈ S and src(t) = target(t); otherwise, t is called an action transition.

Remark 1 Van
Glabbeek mentions in [9] that signal transitions are not supposed to change state, but does not include it as an explicit requirement. Rather, in his work, it is a consequence of the operational semantics of the process calculi under consideration that transitions labelled with signals indeed never change state. The syntax and operational semantics of our process calculus will, by design, admit process specifications that give rise to transitions labelled with signals that do change state. We prefer that such transitions are not treated as signal transitions in the notion of justness. To this end it is convenient to include the requirement explicitly.
Signal transitions are disregarded in the definition of the notion of path. A path in a transition system (St, Tr, src, target, ) is a finite or infinite alternating sequence s 0 t 1 s 1 t 2 s 2 · · · of states and action transitions, starting with a state and if it is finite also ending with a state, satisfying src(t i ) = s i−1 and target(t i ) = s i for all relevant i. We say that a state s is reachable from a state s if there exists a path that starts with s and ends with s . We say that a transition t is reachable from a state s if there exists a state s that is reachable from s and src(t) = s .
Labelled transition systems abstract entirely from the notion of component. For the definition of justness, the notion of component is relevant, at least to the extent that it should be possible to determine that, whenever some transition is enabled, eventually the component (or set of components) from which the transition stems, makes progress. For the formalisation of justness, it turns out to be sufficient to consider labelled transition systems enriched with a concurrency relation on transitions [9]. We first give the formal definition of labelled transition system with concurrency; the requirements on the concurrency relation are explained after the definition.
Definition 2 A labelled transition system with concurrency (LTSC) is a tuple (St, Tr, src, target, , • ) consisting of an LTS (St, Tr, src, target, ) and a concurrency relation • ⊆ Tr × Tr such that 1. • is irreflexive on action transitions (i.e., if t is an action transition, then t • t), and 2. if t is an action transition and π is a path from src(t) to s ∈ St such that t • v for all transitions v occurring on π, then there is an action transition u such that src(u) = s, (u) = (t) and t • u.
Intuitively, transitions are concurrent if they stem from different (sets of) components, and they interfere if they have a component in common. It is then natural to require that the concurrency relation on transitions is irreflexive: a transition cannot be concurrent with itself. Furthermore, if some component (or set of components) can perform some activity, represented by a transition t in the labelled transition system, then after executing transitions concurrent with t-which, by assumption, then stem from different components than t-it should still be possible for the component to perform that same activity. The activity can be represented by a different transition u in the labelled transition system, but this transition should not be concurrent with t (it should interfere with t, i.e., t • u) and should have the same label. As explained in [9], justness is a completeness criterion: it is used to specify which paths should be considered representing a complete computation of the system. For completeness one wants to distinguish between so-called blocking actions and non-blocking actions. Intuitively, a blocking action is not entirely under the control of the system that is being specified; it may depend on interaction with the environment. A non-blocking action is thought to be completely under control of the system. A complete computation may end in a state in which only blocking actions are enabled, but not in a state in which non-blocking actions are enabled. The definition of justness takes a set of blocking actions as parameter.
Definition 3 Let B ⊆ A be a set of blocking actions. A path π in an LTSC is B-just if for every action transition t with (t) / ∈ B and src(t) ∈ π, a transition u occurs in the suffix of π starting at src(t) such that t • u.
The example below illustrates the concept of justness.

Example 4
Consider a situation in which Alice drinks coffee and eats a croissant in a small cafe, and Bob is engaged in a series of phone calls. The situation can be modelled by the following LTSC: Suppose that all labels in the above LTSC are non-blocking actions. In case all actions only interfere with themselves, the infinite path consisting of only phone transitions from state s 0 is not ∅-just since the coffee transition is enabled in s 0 but no interfering transition is ever taken on this path. In case the phone transitions in s 0 , s 1 and s 2 do interfere with the coffee transition and the croissant transition-for instance because Bob is also the waiter who serves Alice, preferring to make phone calls instead of taking her orders-then the same infinite path is ∅-just.

Process calculus
In [4], the authors claim that information exchanged through signals is essential for the characterisation of just paths in the context of Peterson's algorithm; without signals, paths representing unrealistic executions of Peterson's algorithm are considered just. In [4], justifications for the claim are presented in the context of CCS. First, a version of CCS without signals is considered, Peterson's algorithm is modelled, and then it is shown that justness does not exclude all unrealistic computations. Then, Peterson's algorithm is modelled in a variant of CCS with signals, and it is shown that the corresponding notion of justness works well for Peterson's algorithm. We retrace their steps and in this section introduce a very simple process calculus to specify LTSCs that, as we show in the next section, indeed illustrates the phenomenon observed by the authors. In Sect. 5, we shall also introduce signals, but without changing the syntax of the calculus.
A special feature of our calculus, compared to CCS as considered in [4,9], is that it includes an ACP-style communication mechanism [1]: We presuppose a binary communication function on the set of labels L, i.e., a partial function is defined if, and only if, γ (λ 2 , λ 1 ) is defined, and if both are defined, then we have γ (λ 1 , λ 2 ) = γ (λ 2 , λ 1 ); and • associative: We proceed to introduce the syntax of our process calculus and associate an LTSC with it. The LTSC we get is in line with the LTSC that van Glabbeek associates with CCS in [9], though our way of defining it deviates somewhat from van Glabbeek's in [9], as we shall explain below. For now, we presuppose that the set of signals is empty, i.e., L = A. (In Sect. 5, we shall consider the general case in which the set of signals S is not empty and adapt the structural operational semantics accordingly.) For the purpose of recursion, we also presuppose a set I of agent identifiers. The set P of process expressions is generated by the following grammar (with A ranging over I, λ ranging over L, and H ranging over subsets of L): P, Q: The constructs 0, λ. and + are familiar from basic CCS, respectively denoting inaction, action prefix and non-deterministic choice. The construct stands for ACP-style parallel composition. It represents the arbitrary interleaving of the behaviours of its components, and additionally allows its components to execute communication steps in accordance with the communication function γ : if the left component of the parallel composition can execute label λ 1 and the right component can execute label λ 2 and γ (λ 1 , λ 2 ) is defined, then the parallel composition can execute γ (λ 1 , λ 2 ). The process calculus includes the encapsulation operator ∂ H (similar to the restriction operator in CCS) by which the execution of certain labels can be blocked, and thus communication between components can be enforced. The behaviour of the agent identifiers is defined through a recursive specification E, which is a set of defining equations with P a process expression, including precisely one such equation for every A ∈ I.
We now proceed to associate an LTSC (St, Tr, src, target, , • ) with our process calculus. The set of states St of this LTSC is the set of process expressions P, as usual. To define a suitable set Tr of transitions, as in [9], we take the collection of derivations in a formal proof system based on the structural operational semantics of the process calculus. We deviate from [9] in how we define the concurrency relation. In [9], van Glabbeek inductively associates a set of synchrons with a derivation, which can be thought of as extracting from the derivation all the required component information necessary to define a concurrency relation. We Table 1 Structural operational semantics prefer to annotate the transition relation defined by the structural operational semantics with component information directly.
First, we associate with a process expression P its static component architecture, which is determined by the top-level occurrences of and ∂ H in P. Let C = {l, r}; we shall refer to a component in a process expression P as a sequence in C * (the empty sequence will be denoted by ). We recursively associate with every process expression P a set of components C(P) ⊆ C * as follows: • if P = 0, P = λ.P (for some λ ∈ L), P = P 1 + P 2 , or P = A (for some A ∈ I), then C(P) = { }; • C(P 1 P 2 ) = l C(P 1 ) ∪ r C(P 2 ), and C(∂ H (P)) = C(P).
We keep track of which components contribute to a transition in the structural operational semantics for our process calculus, presented in Table 1. It defines a transition relation λ,α −→ on process expressions, which is not only endowed with a label λ ∈ L, but also with a set α ⊆ C * of components. The rule (Pref) expresses that a prefix λ.P can do a λ-labelled transition to P; furthermore, λ.P is by itself a component. So the set of components associated with the transition is { }. The rules (Sum-l) and (Sum-r) express that a non-deterministic choice P + Q can execute a λ-labelled transition from P or from Q. Also P + Q is by itself a component, denoted by . So the set of components associated with the transition is { }.
The rules (Par-l), (Par-r) and (Comm) express, respectively, that a parallel composition P Q can execute a transition of the components of P, a transition of the components of Q, or execute a transition in which both components of P and Q are involved. In the latter case, the communication function γ must be defined on the labels of the transitions of P and Q and the combined transition is labelled with the result of applying the communication function to these labels. In the case of an application of (Par-l) or (Par-r), the sets of components involved in the resulting transitions need to be updated by prefixing all components suitably with l or r, respectively. In the case of an application of (Comm), the involved components of P are prefixed with l, and the involved components of Q are prefixed with r. Finally, the rule (Enc) expresses that ∂ H blocks transitions labelled with λ ∈ H ; the set of components is simply inherited.
The example below illustrates the operational rules, and how they can be used to construct derivations.

Example 5
The recursive specification given below models the second situation of Example 4, i.e., the situation in which Alice orders coffee and a croissant, and Bob is her waiter.  The above derivation shows that both Alice and Bob contribute equally to the transition that results in Alice drinking a cup of coffee. Now we let Tr be the set of all derivations 1 that can be constructed using the structural operational rules in Table 1, and we define src, target and by stipulating that if t ∈ Tr is a derivation and P λ,α −→ P is its conclusion, then src(t) = P, target(t) = P and (t) = λ. Furthermore, we write comp(t) to denote the set of components α contributing to t.

Bob
It remains to define the concurrency relation • . We define that transitions t and u are concurrent (notation: t • u) if comp(t) ∩ comp(u) = ∅, i.e., if none of the components contributing to t are contributing to u. Proof By induction on v; see Lemma 44 in "Appendix A" for details.

Proposition 7
The structure P = (St, Tr, src, target, , • ) with components as defined above is an LTSC. Proof From the rules in Table 1 it is immediate that whenever P λ,α −→ P , then α / = ∅. So for every t ∈ Tr we have that comp(t) ∩ comp(t) = α / = ∅. It follows that t • t and hence • is irreflexive. That • also satisfies the second requirement of Definition 2 follows with a straightforward induction on the length of π using Lemma 6.

Modelling Peterson's algorithm
Peterson's algorithm for mutual exclusion provides a classical solution to enable two processes to use a shared resource in a mutually exclusive manner. In the algorithm, the shared resource is referred to as the critical section. The algorithm ensures that at all times only one of the two processes is in the critical section. A desired liveness property of a mutual exclusion algorithm is that whenever one of the two processes wishes to enter the critical section, then it will eventually do so. In this section, we shall discuss how Peterson's algorithm can be modelled in the process calculus introduced in the previous section. Then, we shall recap the argument, already presented in [4], that the notion of justness associated with the process calculus is too weak to exclude all unrealistic paths violating the liveness property. In the next section, we shall refine the definition of justness in order to facilitate an exhaustive verification under this notion of justness of the aforementioned liveness property using the mCRL2 toolset.
Peterson's algorithm is shown in Fig. 1. Processes A and B communicate via shared variables. By setting Boolean variables readyA and readyB, respectively, they signal to the other process their wish to enter the critical section. In addition, a shared variable turn is used to keep track of whose turn it is to enter the critical section next; the idea is that a process, before entering its critical section, courteously always first grants access to the other process. This way of using turn is essential for ensuring both deadlock freedom and mutual exclusion.
In a message-passing process calculus, global variables are modelled as separate processes with which other processes can interact. Processes modelling a variable keep track of the value of the variable and can communicate with other processes in read and write operations. In our model, to read a variable, the variable that is being read performs an action s_rd val var and the process that reads the variable performs an action r_rd val var . Together they communicate to a transition labelled with rd val var . A similar communication, labelled with asgn val var , is defined to write to a variable. To cover all the interactions with variables in Peterson's algorithm we define the communication function γ in such a way that it satisfies the following equations and is undefined otherwise: (2) We model the behaviour of the three variables readyA, readyB and turn with process identifiers RA b , RB b and T t (with the superscripts referring to the current value of the variable), defined by the following equations: . Our specification uses labels noncritA, noncritB, critA, critB, to represent exiting the noncritical and critical sections, respectively. Process identifiers procA and procB model the behaviour of processes A and B. They are defined by the following equations [using the abbreviation (λ 1 + λ 2 ).P for λ 1 , B}}, we can now specify Peterson's algorithm with the process expression Pet = ∂ H (procA (procB (RA false (RB false T A )))) .

Remark 8
Our specification of Peterson's algorithm is almost identical to the CCS model presented in [4]. The difference is in how communication is defined. CCS presupposes a standard communication function by which an action a can communicate with its co-named actionā, resulting in a special action τ . In our setting, the exact same behaviour as defined by the specification in [4] would be obtained by using, instead of the communication function γ defined above, a communication function γ CCS defined by To get an appropriate notion of just path starting from Pet, we define the set of blocking actions.
Let π denote the unique path starting with Pet such that if all states are omitted from it then we obtain the following sequence of labels: The path π violates the liveness criterion as process A wants to enter the critical section but is never able to, waiting to write to the variable readyA. It is deemed unrealistic, as process B reading readyA intuitively cannot prevent process A from writing it. To assess whether π is just we need to examine whether for every action transition t with (t) / ∈ B and src(t) ∈ π, a transition u occurs in the suffix of π starting at src(t) such that t • u. The only component of interest here is proc A as all other components partake in infinitely many transitions. Let t denote some transition labelled with asgn true RA , with src(t) ∈ π. There always exists a transition u labelled with rd f alse RA in the suffix of π starting at src(t). The components partaking in t are l and rrl and the components partaking in u are rl and rrl. Hence, due to the overlap, t • u; the path violating the liveness property is just.
A more refined definition of the concurrency relation is needed to specify that certain interactions, such as reading a variable, do not interfere with other interactions with the same component. This requires distinguishing between components contributing passively to a transition and components really affected by a transition.

Signals
In the previous section it was observed that the specification of Peterson's algorithm in the proposed process calculus does not yield the appropriate notion of just path, at least not with the given semantics. The culprit is a combination of two aspects. First, shared variables need to be modelled as separate processes. Second, the process calculus does not offer a facility to distinguish between the activities of reading and writing a variable while, intuitively, if some component reads the value of a variable then this should not prevent another process from writing a new value to it.
The solution proposed in [4] is to extend the syntax of CCS with a signal emission operator, in order to treat signals differently in the definition of the concurrency relation. A separate set S of signals is presupposed, and the signal emission operator adds a λ-labelled self-loop to a state if it can emit signal λ ∈ S. Variables, modelled as processes, then emit their values in the form of signals, and reading the value of a variable can then be treated as not affecting the variable. As a consequence, paths on which some component wants to write to a variable but never succeeds because the variable is perpetually read by some other component is not considered just.
Adding a signal emission operator solves the problem uniformly: with every process expression of the process calculus an appropriate notion of just path is associated: if a component only contributes to a transition by emitting a signal, then this contribution is considered passive. A disadvantage of the solution, however, is that it requires an addition to the syntax of the calculus. As a consequence, standard verification technology such as the mCRL2 toolset, which does not include a signal emission operator, cannot be used to perform verifications taking justness into account.
Here we opt for a different solution, which does not require an addition to the syntax of the process calculus. Instead, it suffices to distinguish a separate set of signals S and tune the notion of justness to take signals into account. We need to modify the structural operational semantics, giving signals a special status: whenever a transition labelled with a signal indeed does not change state, then it is considered to be a signal. But this modification of the structural operational semantics is only necessary to get an appropriate definition of the concurrency relation. In Sects. 6 and 7, we shall propose sufficient conditions on a process expression (and the underlying recursive specification) that ensure that all transitions labelled Table 2 Structural operational semantics taking signals into account with signals are indeed signal transitions. This, in combination with the use of an appropriate communication function that preserves component information, will eventually obviate the need for explicitly defining a concurrency relation on transitions, because it can be deduced from the labelling. Henceforth we allow S to be non-empty. The syntax of the process calculus [see (1) on p. 6] remains the same. In the structural operational semantics, however, we distinguish between components contributing actively and components contributing passively to a transition. A component contributes passively to a transition if another component reads one of its signals, i.e., the component participates with a transition that is labelled with a signal and this transition does not change the state of the component. The modified structural operational semantics in Table 2 defines a transition relation λ,α,ς −→ on process expressions, which is endowed with a label λ ∈ L, a set α ⊆ C * of active components and a set ς ⊆ C * of signalling components.
Note that λ.P / = P, and therefore a transition emanating from a prefix always changes state. Thus, according to the rule (Pref), the transition from a prefix has an active component and no signalling components.
If an identifier A is the source of a transition that has A also as its target, and this transition is labelled with a signal, then this transition has a signalling component and no active components; otherwise, the transition has an active component and no signalling components.
Due to the presence of recursion, it may also happen that P + Q is both the source and the target of a transition, and if such a transition is labelled with a signal, then we want to treat it as a signal transition. This is reflected in (Sum-l) and (Sum-r) by distinguishing whether the target of the transition equals P + Q and is labelled with a signal: if so, then the transition has no active components and a signalling component ; otherwise, the transition has an active component and no signalling components.
In an application of (Par-l), both the active and signalling components of the premise are prefixed with an l; in an application of (Par-r), they are prefixed with an r; in an application of (Comm) the components of the left premise are prefixed with an l and those of the right premise are prefixed with an r. In an application of (Enc), both the sets of active and signalling components are simply inherited from the premise. The component RA false contributes a signal transition, and hence does not actively contribute to the communication. As a consequence, the path we identified earlier as constituting a liveness violation of Peterson's algorithm is, with the revised semantics, no longer just.
We now associate a revised LTSC with our process calculus as follows. Its set of states St is again the set of process expressions. Its set of transitions Tr is the set of all derivations in accordance with the new structural operational semantics in Table 2. Again, if t ∈ Tr is a derivation with conclusion P λ,α,ς −→ P , then src(t) = P, target(t) = P and (t) = λ. We define the concurrency relation using a refined notion of component, in which we distinguish between necessary participants and affected components. The set of necessary participants of a transition t, denoted by npc(t), is defined as and the set of affected components of t, denoted by afc(t), is defined as We define that transitions t and u are concurrent (notation: t • u) if none of the components necessary for t are affected by u, i.e., if npc(t) ∩ afc(u) = ∅.
To satisfy the requirements on • that it is irreflexive on action transitions, it is important that the set of affected components afc(t) of an action transition t is non-empty, for otherwise npc(t) ∩ afc(t) = ∅. The following example illustrates that we need to formulate some mild restrictions on the communication function for this.

Example 10
Consider the recursive specification consisting of the following two defining equations: and suppose that γ is a communication function satisfying Furthermore, suppose that λ 1 , λ 2 ∈ S, while λ 3 ∈ A. Then we have the following derivation: Since λ 3 ∈ A, this derivation is an action transition, but the set of affected components is empty. The culprit in this example is that communication between the two signals λ 1 and λ 2 results in an action λ 3 .
We can exclude the situation as described in the preceding example by requiring that the communication of two signals never results in an action. It is convenient and natural to also require the converse: the communication of an action with another label should never result in a signal.

Lemma 12 If the communication function γ is signal-respecting, then a transition t is a signal transition if, and only if, afc(t) = ∅.
Proof By induction on t; see Lemma 45 in "Appendix A" for details.
In the following corollary, which is an immediate consequence of the preceding lemma, we establish that • satisfies condition 1 of Definition 2.

Corollary 13
If the communication function γ is signal-respecting, then • is irreflexive on action transitions, i.e., for all action transitions t we have t • t.

Lemma 14 For all transitions t and v, if src(t) = src(v) and npc(t) ∩ afc(v) = ∅, then there exists a transition u with src(u) = target(v), (u) = (t) and npc(u) = npc(t). If γ is signal-respecting and t is an action transition, then so is u.
Proof By induction on v; see Lemma 46 in "Appendix A" for details.
It follows from the preceding lemma that the relation • associated with our process calculus satisfies condition 2 of Definition 2, as established in the following corollary.

Corollary 15
If γ is signal-respecting, t is an action transition and π is a path from src(t) to some process expression P such that t • v for all transitions v occurring on π, then there is an action transition u such that src(u) = P, (u) = (t) and t • u.
Proof Straightforward induction on the length of π using Lemma 14.
From Corollaries 13 and 15 we get the following proposition.

Proposition 16
Let γ be signal-respecting, let St = P, let Tr be the set of all derivations of transitions in accordance with the operational semantics, stipulating that if t ∈ Tr is a derivation with conclusion P λ,α,ς −→ P , then src(t) = P, target(t) = P and (t) = λ, npc(t) = α ∪ ς and afc(t) = α, and defining • by t • u if, and only if, npc(t) ∩ afc(u) = ∅. Then is an LTSC.
Example 17 Returning to the running example of Peterson's algorithm we reconsider the path that violates liveness. First, we define the signal actions and check whether the communication function is signal-respecting.
, B}} It is easy to see that the communication function γ , defined in Eq. (2) on p. 9, is signalrespecting. Taking the LTSC as defined in Proposition 16 we re-examine the liveness violating path π presented at the end of Sect. 4, which gives rise to the following sequence of labels: Let t and u be any two transitions with labels asgn true RA and rd f alse RA , respectively. Then npc(t) = {l, rrl} and afc(u) = {rl}. Therefore npc(t) ∩ afc(u) = ∅ and thus t • u. We conclude that path π contains transition t, src(t) ∈ π, for which there does not exist a transition v in the suffix of π such that t • v. The path π is therefore not just and can be ruled out. Note that this does not constitute a proof of liveness, we have only reasoned about a single path. To prove liveness we need to prove that there does not exist another liveness violating path that is just.

Concurrency-consistent labelling
The semantics we associated with our process calculus in the previous section enables reasoning about just paths without the need for additional operators in the language. This allows one to manually analyse, e.g., the required liveness property of Peterson's algorithm in a standard process algebra, by reasoning directly about the relevant just paths in the LTSC under analysis. Our aim, however, is to facilitate the automated verification of liveness properties for just paths, using toolsets such as mCRL2. Such toolsets are based on labelled transition systems without a concurrency relation. Moreover, in these toolsets, properties need to be expressed in a modal logic that has modalities that refer to labels, and not to individual transitions.
Our specification of Peterson's algorithm is such that it allows a characterisation of its just paths in terms of labels rather than referring to individual transitions in the LTSC. This is possible, because the labelling of transitions reachable from Pet is consistent with the concurrency relation on those transitions.
In this section, we formally define when an LTSC has a concurrency-consistent labelling, and we prove that LTSCs with a concurrency-consistent labelling allow a characterisation of just paths in terms of labels instead of individual transitions. In the next section, we shall provide a sufficient syntactic criterion on specifications in our process calculus that ensure that the associated LTSC has a concurrency-consistent labelling, and we argue that our specification of Peterson's algorithm satisfies this syntactic criterion.

Definition 18
An LTSC (St, Tr, src, target, , • ) has a concurrency-consistent labelling if for every t ∈ Tr, (t) ∈ S implies src(t) = target(t), and there exists a binary relation • on the set of labels L such that for all transitions t, u ∈ Tr we have that t • u if, and only if, (t) • (u).
Clearly, there is no harm in the overloading of the symbol • . In an LTSC with a concurrency-consistent labelling the relation on L is uniquely determined by the relation on Tr. Furthermore, it will be clear from the context whether we mean the relation on transitions or the relation on labels. For an LTSC with concurrency-consistent labelling, we can reformulate the notion of B-justness referring to labels instead of transitions.
In an LTSC with a concurrency-consistent labelling, action transitions are not labelled by signals, so a non-blocking action transition is labelled by an element of the complement B = A\B of B relative to A.

Proposition 19
Let B ⊆ A be a set of blocking actions. If (St, Tr, src, target, , • ) has a concurrency-consistent labelling, then a path π is B-just if, and only if, for every state s on π and every λ ∈ B enabled in s, λ is eliminated in the suffix of π starting at s.
To prove the implication from left to right, suppose that π is B-just and suppose that λ ∈ B is enabled in some state s on π. Then there is an action transition t with src(t) = s and (t) = λ, so, by B-justness, a transition u occurs in the suffix of π starting at src(t) = s such that t • u. Since the LTSC has a concurrency-consistent labelling, it follows that λ = (t) • (u), and hence λ is eliminated on the suffix of π starting at s.
To prove the implication from right to left, let t be an action transition such that (t) / ∈ B and src(t) ∈ π. Then (t) is enabled and, since t is an action transition and the LTSC has a concurrency-consistent labelling, it follows that (t) ∈ B, so λ is eliminated in the suffix of π starting at src(t). So there is a transition u in the suffix of π starting at src(t) such that (t) • (u). Hence, since the LTSC has a concurrency-consistent labelling, t • u, confirming that π is B-just.

Specifying an LTSC with concurrency-consistent labelling
The LTSC P associated with the process calculus in Sect. 5 does not have a concurrencyconsistent labelling, simply because there exist process expressions (e.g., λ.0 with λ ∈ S) that give rise to state-changing transitions labelled with signals. In automated verification, however, we are often only interested in the restriction of P to the set of process expressions reachable from some initial process expression; for example, when verifying Peterson's algorithm we are only interested in states and transitions reachable from Pet. We shall now first formally define the LTSC associated with a process expression P, and then formulate sufficient syntactic conditions that guarantee that this LTSC has a concurrency-consistent labelling.
Definition 20 Let P be a process expression. The LTSC associated with P has as set of states the set of all process expressions reachable from P in P, as transitions the set of all transitions reachable from P, and functions src, target, and relation • obtained by restricting those of P to the set of transitions reachable from P.
In Sect. 5, the concurrency relation • on transitions was derived from assignments npc : Tr → 2 C * and afc : Tr → 2 C * of necessary participants and affected components to individual transitions. It is convenient to formulate sufficient conditions in terms of assignments npc : L → 2 C * and afc : L → 2 C * of necessary and affected components to labels, respectively, satisfying for every transition t npc(t) = npc ( (t)), and It is not possible to satisfy these equations in general: an appropriate assignment of components to labels largely depends on the process expression under consideration. Moreover, it may not even be possible to define npc : L → 2 C * and afc : L → 2 C * in such a way that the equations above are satisfied for all reachable transitions.

Example 21
Consider the specification Pet of Peterson's algorithm presented in Sect. 4, and consider the state reached from Pet by first executing noncritA and then executing noncritB.
In that state, two transitions are enabled: let us denote by t the transition corresponding to the activity of process A assigning the value true to the variable readyA (this is statement 2 in Fig. 1) and let us denote by u the transition corresponding to the activity of process B assigning the value true to the variable readyB (this is statement m 2 in Fig. 1). Then npc(t) = {l, rrl} and npc(u) = {rl, rrrl}. Now observe that, in the context of the CCS communication function γ CCS , defined in Eq. (3) on p. 10, we have that (t) = (u) = τ , and hence it is not possible to define a mapping npc : L → 2 C * satisfying (4). Note that with the communication function γ , defined in Eq. (2) on p. 9 the problem disappears, since t and u have distinct labels asgn true RA and asgn true RB , respectively.
The goal in this section is to formulate sufficient conditions on the communication function γ and a process expression P that allow us to define npc and afc satisfying (4) and (5) for all transitions t reachable from P. Furthermore, we show that our specification of Peterson's algorithm satisfies these restrictions.
We first formulate some basic requirements on npc and afc , expressing that the set of affected components associated with a label is included in the set of necessary components, and that signals do not have active components.
In the following example, we define a C(Pet)-assignment for our specification of Peterson's algorithm.

Example 23
Recall that the set of components C(Pet) associated with Pet is C(Pet) = {l, rl, rrl, rrrl, rrrr} .
To define the mappings npc , afc : L → 2 C(Pet) it is convenient to first associate with every component σ ∈ C(Pet) a set of labels L σ ⊆ L. We have On the other elements of L, the results of communications, npc and afc are defined as follows: It is easy to verify that (npc , afc ) satisfies the requirements of Definition 22 and hence is a We could now proceed to prove directly that the C(Pet)-assignment in the preceding example satisfies Eqs. (4) and (5) and conclude that the LTSC associated with Pet has a concurrency-consistent labelling. We prefer to proceed more generally, however, and define a subclass of process expressions together with assumptions on the underlying recursive specification that guarantee that an assignment satisfying Eqs. (4) and (5) exists. It will be easy to verify that Pet is a process expression in the subclass, and that the recursive specification E Pet satisfies the assumptions, from which it will follow that the C(Pet)-assignment above indeed satisfies Eqs. (4) and (5). In fact, it can be checked automatically whether a process expression is in the subclass and the underlying recursive specification satisfies the assumptions.
We consider parallel compositions of sequential components. These sequential components should have disjoint alphabets and respect the use of signals. Moreover, the communication function should support a consistent assignment of components to labels. Below, we shall first formulate sufficient conditions on a sequential process expression and its underlying sequential recursive specification that ensure that transitions labelled with signals do not change state in the LTSC associated with the process expression. Then, we associate with every sequential process expression its (reachable) alphabet and its (reachable) action alphabet, so that we can formulate the requirement that the alphabets of components are disjoint. And finally we shall define when an assignment is consistent with a communication function.

Sequential components
The set of sequential process expressions is generated by the following grammar (with A ranging over I and λ ranging over L): By a sequential recursive specification E we mean a set of defining equations with S A a sequential process expression, including precisely one such equation for every A ∈ I.
A sequential process expression S is syntactically guarded if all occurrences of process identifiers in S are within the scope of an action prefix. A sequential recursive specification E is syntactically guarded if for every defining equation A def = S A in E it holds that S A is syntactically guarded.
Respect for signals Let E be a sequential recursive specification, and let us denote, for all A ∈ I, by S A the right-hand side of the defining equation for A in E. We say that A ∈ I is signalling if S A has a subexpression λ.A with λ ∈ S. A process identifier A ∈ I is signal-respecting if 1. for every subexpression λ.S of S A with λ ∈ S it holds that S = A and the occurrence of the subexpression is not in the scope of another prefix, and 2. for every subexpression S 1 + S 2 of S A it holds that S 1 and S 2 are not signalling process identifiers.
E is signal-respecting if it is syntactically guarded and all process identifiers in I are signalrespecting. A sequential process expression S is signal-respecting with respect to a signalrespecting sequential recursive specification E if S does not have subexpressions of the form λ.S with λ ∈ S, and for every subexpression S 1 + S 2 it holds that S 1 and S 2 are not signalling process identifiers.

Example 24
It is straightforward to check that E Pet is a syntactically guarded sequential recursive specification and that it is signal-respecting.

Lemma 25 Let E be a signal-respecting recursive specification and let t be a transition such that src(t) is a signal-respecting sequential process expression. Then target(t) is again a signal-respecting sequential process expression, and t is a signal transition if, and only if, (t) ∈ S.
Proof To establish that target(t) is again a signal-respecting sequential process expression, we first note that if A def = S A is the equation in E defining some process identifier A, and S A λ,α,ς −→ S , then S is signal-respecting. For by syntactic guardedness, S is a subexpression of S A , by the first requirement satisfied by signal-respecting process identifiers S cannot have subexpressions of the form λ.S with λ ∈ S, and by the second requirement satisfied by signal-respecting process identifiers, whenever S 1 + S 2 is a subexpression of S , then S 1 and S 2 cannot be signalling process identifiers. We can now argue that target(t) is a signalrespecting sequential process expression with a straightforward induction on the structure of src(t).
It remains to show that t is a signal transition if, and only if, (t) ∈ S. For the implication from left to right, note that if t is a signal transition, then, by definition, For the converse implication, suppose that (t) ∈ S; we need to establish that src(t) = target(t). To this end, we first establish with induction on the structure of S that if S is a signal-respecting process expression, λ ∈ S and S λ,α,ς −→ S , then S = A for some process identifier A. Clearly, S cannot be 0. Furthermore, since signal-respecting sequential process expressions do not have subexpressions of the form λ.S with λ ∈ S, we cannot have that S = λ.S for some process expression S . Note that if we would have S = S 1 +S 2 , then either S 1 λ,α,ς −→ S or S 2 λ,α,ς −→ S , so by the induction hypothesis either S 1 or S 2 would be a signalling process identifier, contradicting the assumption that for every subexpression S 1 + S 2 of S it holds that S 1 and S 2 are not signalling process identifiers. It follows that S = A for some (signalling) process identifier A. Hence, assuming that (A def = S A ) ∈ E, t has a subderivation t with src(t ) = S A and (t ) ∈ S. From the first requirement satisfied by signal-respecting process identifiers it now follows that target(t) = target(t ) = A.
Alphabet We also wish to associate with each sequential process expression S its alphabet L(S) and its action alphabet A(S), the sets of labels of transitions and action transitions reachable from S, respectively. To this end, we first define L( A) for all process identifiers defined in E, using two auxiliary notions. First, we associate with every sequential process expression S its non-recursive alphabet L

Lemma 26 Let E be a sequential recursive specification and let S be a sequential process expression over E. If S is a sequential process expression reachable from S, then L(S ) ⊆ L(S) and A(S ) ⊆ A(S).
Proof We first consider the special case that there is a transition t with src(t) = S and target(t) = S and prove with induction on t that L(S ) ⊆ L(S). If the last rule applied in t is (Pref), then we have S = λ.S and hence L(S ) ⊆ {λ} ∪ L(S ) = L(S).
If the last rule applied in t is (Sum-l), then there exist S 1 and S 2 such that S = S 1 + S 2 , and t has a subderivation t with src(t ) = S 1 and target(t ) = S . By the induction hypothesis If the last rule applied in t is (Sum-r), then there exist S 1 and S 2 such that S = S 1 + S 2 , and t has a subderivation t with src(t ) = S 2 and target(t ) = S . By the induction hypothesis we have that L(S ) ⊆ L(S 2 ) ⊆ L(S 1 ) ∪ L(S 2 ) = L(S).
If the last rule applied in t is (Rec), then S = A for some process identifier A ∈ I with defining equation (A def = S A ) ∈ E, and t has a subderivation t with src(t ) = S A and target(t ) = S . By the induction hypothesis, L(S ) ⊆ L(S A ); it therefore remains to show that L(S A ) ⊆ L( A). We have:

[In the second equality we have used that A * A for all A such that A A . In the third equality we have used the definition of L( A).] Now, if S is reachable from S, then the statement of the lemma follows with a straightforward induction on the number of transitions in a path from S to S . Furthermore, it is then immediate from the definition of action alphabet that A(S ) ⊆ A(S).
Parallel-sequential processes Presupposing a signal-respecting sequential recursive specification E, a parallel-sequential process expression over E is a process expression generated by the following grammar (with S ranging over sequential process expressions and H ⊆ L): Lemma 27 Let E be a sequential recursive specification and let P be a parallel-sequential process expression over E. If P is reachable from P, then C(P ) = C(P) and P | σ is reachable from P| σ for all σ ∈ C(P).
Proof With induction on t it can be established that if t is a transition such that src(t) = P and target(t) = P , then C(P ) = C(P) and P | σ = P| σ for all σ ∈ C(P). The details are worked out in "Appendix B" (see Lemma 47).
Then, if P is reachable from P, the statement of the lemma follows with a straightforward induction on the number of transitions in a path from P to P . It is straightforward to prove, with induction on n ≥ 1, that for all λ 0 , . . . , λ n and for all 0 ≤ k < n that γ (γ (λ 0 , . . . , λ k ), γ (λ k+1 , . . . , λ n )) = γ (λ 0 , . . . , λ n ); we shall use this fact in the proof of the next lemma, which relates transitions of a parallel-sequential process with transitions of its components. t 0 ), . . . , (t n )] denotes the multiset over L consisting of (t 0 ), . . . , (t n )).

Proof We proceed by induction on t. If the last rule applied in t is (Pref), (Sum-l), (Sum-r), or (Rec), then npc(t) = { }, src(t) = src(t)| , and (t) = γ ([ (t)]). Moreover, from the syntax definition of parallelsequential processes it is clear that src(t) is a sequential process expression.
If the last rule applied in t is (Par-l), then t has a subderivation t such that npc(t) = l npc(t ), so there exist static components σ 0 , . . . , σ n such that σ i = lσ i for all 0 ≤ i ≤ n. By the induction hypothesis, t , and hence t, has subderivations t 0 , . . . , t n such that src(t i ) is a sequential process expression, If the last rule applied in t is (Par-r), then the proof proceeds analogously. If the last rule applied in t is (Comm), then t has subderivations t and t such that npc(t) = l npc(t ) ∪ r npc(t ). Since npc(t ) and npc(t ) cannot be empty, we have that n ≥ 1 and there exist static components σ 0 , . . . , σ n and a 0 ≤ k < n such that npc(t ) = {σ 0 , . . . , σ k } and npc(t ) = {σ k+1 , . . . , σ n }. By the induction hypothesis, t and t , and hence t, have subderivations t 0 , . . . , t n such that src(t i ) is a sequential process expression for all Finally, if the last rule applied in t is (Enc), then t has a subderivation t with npc(t ) = {σ 0 , . . . , σ n } and (t ) = (t), so it follows immediately by the induction hypothesis that there exist subderivations t 0 , . . . , t n of t and hence of t such that src(t i ) = src(t )| σ i = src(t)| σ i and (t) = (t ) = γ ([ (t 0 ), . . . , (t n )]).
Example 30 Consider the specification of Peterson's algorithm, it is straightforward to verify that the C(Pet)-assignment (npc , afc ) presented in Example 23 is consistent with the communication function γ . Consider, by way of example, the equation  (npc , afc ), then (npc , afc ) satisfies the requirements (4) and (5) for every transition t reachable from P.

Theorem 31 Let E be a signal-respecting sequential recursive specification, let P be a parallel-sequential process expression over E, and let (npc , afc ) be a C(P)-assignment. If L(P| σ ) ⊆ L({σ }) and A(P| σ ) ⊆ A({σ }) for all σ ∈ C(P) and γ is signal-respecting and consistent with
Proof Let t be a transition reachable from P. Then src(t) = P for some parallel-sequential process expression P reachable from P. By Lemma 27 we have C(P ) = C(P) and we have P | c is reachable from P| c for all c ∈ C(P). So, without loss of generality, we may assume that src(t) = P.
Let npc(t) = {σ 0 , . . . , σ n }. By Lemma 28, t has subderivations t 1 , . . . , t n such that src(t i ) is a sequential process expression and src( Since E is a signal-respecting recursive specification and src(t i ) is a signal-respecting sequential process expression, by Lemma 25 t i is a signal transition if, and only if, (t i ) ∈ S. Since, on the one hand, afc ( (t i )) = ∅ for all (t i ) ∈ S, and, on the other hand, This completes the proof of the theorem.
If E, P, γ and (npc , afc ) satisfy the requirements of the preceding theorem, then the relation • on labels by λ 1 • λ 2 if, and only if, npc (λ 1 ) ∩ afc (λ 2 ) = ∅ satisfies the requirements of Definition 18. So we get the following corollary.
Corollary 32 Let E be a signal-respecting sequential recursive specification, let P be a parallel-sequential process expression over E, and let (npc , afc ) be a C(P)-assignment such that L(P| σ ) ⊆ L({σ }) and A(P| α ) ⊆ A({σ }) for all σ ∈ C(P) and γ is signalrespecting and consistent with (npc , afc ). Then the LTSC associated with P has a concurrency-consistent labelling.

Example 33
In Example 30 we have established that all the conditions of Corollary 32 are satisfied for E Pet , γ , Pet and the C(Pet)-assignment (npc , afc ) defined in Example 23, so the LTSC associated with Pet has a concurrency-consistent labelling.

Expressing liveness
A mathematically rigorous method for establishing the correctness of a (finite model of a) system is by means of model checking. Given a process expression specifying a system, the behaviours of that system can be scrutinised by verifying which requirements, expressed in a modal logic, hold true and which ones fail to hold. Among the modal logics that can be used to express such requirements is the modal μ-calculus. This is one of the most expressive logics available, subsuming logics such as LTL, CTL and CTL * , and it is typically used in toolset for analysing labelled transition systems, such as the mCRL2 toolset [2] and CADP [6]. We introduce this logic in Sect. 8.1.
Liveness requirements typically assert that (conditionally or unconditionally) something good must inevitably happen. Phrasing such properties in the modal μ-calculus is rather standard, but it is less clear whether the logic permits expressing liveness properties restricted to just paths only. This is partly due to the fact that justness is a predicate on paths, whereas the modal μ-calculus is a state-based formalism, and partly due to the 'dynamic' nature of justness, which checks along a path for enabledness of actions and their future elimination. In particular this dynamic nature rules out a 'static' encoding such as the one presented in [5] for dealing with fairness, as it assumes an a priori fixed-i.e., static-collection of constraints that need to hold infinitely often for a path to be fair.
We show that liveness requirements of the form 'along every just path, every a action is inevitably followed by a b action' can indeed be expressed in the modal μ-calculus. Other path-based properties can be defined along the same lines. We discuss the liveness property in Sect. 8.2.

The modal -calculus
The modal μ-calculus can be viewed as a fixed point extension of Hennessy-Milner Logic (HML) [13]. In HML one can characterise the capabilities of a state to execute actions using modal operators [_]_ and _ _; essentially, this permits to reason about the transitions emanating from a state. Fixed points add the power of recursion to these basic facilities; this, intuitively, allows to reason about finite or infinite sequences or trees of transitions and the capabilities of the states visited along such sequences or trees. The resulting logic, i.e., HML with fixed points, is referred to as the modal μ-calculus (L μ ). For an in-depth treatment of this logic, we refer to, e.g. [14].
Our syntax of the modal μ-calculus is given in the context of a set of recursion variables V, in addition to a finite set of labels L. The set of formulas of L μ is generated by the following grammar (with X ranging over the set of variables V, and λ ranging over the finite set of labels L): The binding precedence of the operators is as usual, with the fixed point operators binding weakest. We permit ourselves to write λ∈A φ(λ) and λ∈A φ(λ) for a set of actions A, as generalisations of the binary conjunction and disjunction. Let (St, Tr, src, target, , • ) be a finite LTSC over L with a concurrency-consistent labelling. We proceed to give a denotational semantics for our logic by associating every formula ϕ with the subset ϕ ϑ ⊆ St of states in which it holds; since formulas may contain free variables, ϕ ϑ is relative to an assignment ϑ that provides an interpretation of recursion variables X ∈ V as subsets of St. We define · ϑ recursively as follows: Note that the structure (2 St , ⊆) is a complete lattice. For an endofunction T : 2 St → 2 St , we write μF. T (F) and νF. T (F) to denote the least and greatest fixed points of T , respectively. The interpretation of a formula ϕ is independent of the valuation ϑ in case it contains no unbound recursion variables (i.e., all occurrences of a recursion variable are within the scope of a least or greatest fixed point). We simply write ϕ when referring to the semantics of such a formula, as it yields the same set of states for every possible environment ϑ used to interpret ϕ.
Example 34 Greatest fixed point formulas typically characterise invariant properties, whereas least fixed point formulas characterise liveness properties. For instance, the L μ formula ν X . a X ∧ [b]⊥, asserts the existence of an infinite a-path along which no b-action can be executed; this is an invariant property along the path. On the other hand, the formula μX . a X ∨ b asserts that there is a finite path of a-labelled transitions, leading to a state in which a b-labelled transition is enabled.

Expressing liveness along just paths
We consider liveness properties of the kind 'whenever some non-blocking action a happens, then inevitably also b happens'; this property will be referred to as a-b-liveness and a state is said to satisfy a-b-liveness exactly when all paths emanating from that state satisfy ab-liveness. An L μ formula that asserts that this property holds along all paths in a given (deadlock-free) LTS is the following Restricting a-b-liveness to just paths requires that somehow the concept of justness is woven into this formula. We explain in several steps how this can be achieved.
In order to facilitate our reasoning, we consider the dual problem of characterising an ab-liveness violation along some just path. While this problem is technically equally difficult, it is conceptually simpler since we are now only concerned with constructing a formula that describes the existence of a just path. Notice that a just path constitutes a violation to a-bliveness precisely when (1) this path has a suffix starting at a state s , reached by an a-labelled transition, along which action b never takes place and (2) the path is just.
Our approach to characterising states that admit a violating path (should one exist) is based on the following observation. In our setting, any just path can be prefixed by an arbitrary finite path, resulting in a new just path (see Proposition 35 below). This means that we can characterise states that admit a just, b-free path. Given any such state, we can characterise the states reaching it via a path ending with an a-labelled transition.
For the remainder of this section we fix a finite LTSC (St, Tr, src, target, , • ) with a concurrency-consistent labelling. The justness rephrasing of Proposition 19 requires one to reason about the enabled actions of a state. Let En(s) be the set of enabled non-blocking actions: En(s) = {λ ∈ B | ∃t ∈ Tr : src(t) = s & (t) = λ}.  Proof Let π = s 0 t 1 s 1 t 2 . . . t n π be a path such that π is B-just, and let s π be the starting state of π. Suppose s is a state on π and λ ∈ En(s). We distinguish two cases.
• Case s does not occur in the prefix s 0 t 1 s 1 t 2 . . . t n . Then s occurs in π and since π is B-just, λ is eliminated in the suffix of π (and therefore also in the suffix of π ), starting in s. • Case s occurs in the prefix s 0 t 1 s 1 t 2 . . . t n . Towards a contradiction, assume that λ is not eliminated in the suffix of π starting in s. Let t be the transition such that (t) = λ and src(t) = s. Since λ is not eliminated in the suffix of π starting in s and s π is reachable from s, by condition 2 of Definition 2, there must be an action transition u such that src(u) = s π and (t) = λ = (u). But then λ ∈ En(s π ) and, since π is B-just, λ is eliminated in π. Contradiction. Consequently, λ is eliminated in the suffix of π starting in s.
The suffixes of a just path are again just. This is formalised by the following proposition.
Proposition 36 Let π = s 0 t 1 s 1 t 2 . . . be a finite or infinite path. If π is B-just then also any suffix of π is B-just.
Proof Let π be a B-just path and let π be a suffix of π. Pick some state s in π and an action λ ∈ En(s). Since s is in π , s is also in π. Consequently, λ must be eliminated by some action in the suffix of π starting at s. Since s is in π , the suffix of π starting at s also is a suffix of π .
We next lift the notion of just path to the level of states: a state is just whenever it is the start of a just path. Note that we are interested in characterising states that admit a just path that constitute an a-b-liveness violation; such paths must have suffixes that are void of b-actions. For this reason, we parameterise the notion of a just state with a set of actions K that limits the set of actions allowed to occur along the just paths.
Definition 37 Let K ⊆ L be a non-empty set of actions. We define J(K ) as follows: and (t) ∈ K for all transitions t on π} As we explained at the beginning of this section, we tackle our problem in two steps. First we show that formula invariant, see Table 3, characterises the states that admit a just path along which no b-action ever happens; i.e., those are essentially the states in the set J(A\{b}). Then we continue by characterising states that have a just path in which an a-action is never followed by a b-action. That is, we show that the formula that characterises the set of states that admit an a-b-liveness violation are exactly those states satisfying formula violate of Table 3.
Before we prove our claim that invariant exactly characterises states admitting just, b-free paths we first prove an auxiliary lemma. This auxiliary lemma claims that elim(λ) captures exactly those states that have a b-free path that eliminates action λ, and leads to a set of states represented by Y .
Lemma 38 For all environments ϑ, states s ∈ St, actions λ ∈ A and sets F ⊆ St, we have s ∈ elim(λ) ϑ[Y :=F] iff a state satisfying F can be reached from s via a finite b-free path ending with an action that eliminates λ.
Proof The construct is a standard construct in the modal μ-calculus; we refer to textbook proofs for the stated correspondence.
We continue by substantiating the claim that invariant characterises the states admiting just, b-free paths. For the sake of conciseness, let J be a shorthand for J(A\{b}). The following lemma states that invariant exactly characterises the set of states J .

Lemma 39 For all s ∈ St we have s ∈ J iff s ∈ invariant .
Proof Let ϑ be an arbitrary environment. We first show, by showing mutual set inclusion, that J is a fixed point of the transformer T invariant defined below: • Pick an arbitrary state s ∈ J . Let π be a path that witnesses s ∈ J . Pick an arbitrary action λ ∈ A and assume that λ ∈ En(s). We must show that s ∈ elim(λ) ϑ[Y :=J ] holds. From the fact that π witnesses s ∈ J , we obtain that there must be some transition t on π such that λ • (t), i.e., (t) ∈ #λ, and by Proposition 36, target(t) ∈ J . Hence we can conclude the desired s ∈ elim(λ) ϑ[Y :=J ] . • Pick a state s ∈ T invariant . Suppose En(s) = ∅. Then state s itself is a just path and hence s ∈ J . Next, suppose En(s) / = ∅ and let λ ∈ En(s). Then also s ∈ elim(λ) ϑ[Y :=J ] . By Lemma 38, there must be some b-free finite path s = s 0 t 0 s 1 t 1 . . . t j s j+1 such that transition t j eliminates λ and s j+1 ∈ J . By Proposition 35, then also the path witnessing s j+1 ∈ J , prefixed with s 0 t 0 s 1 t 1 . . . t j , is a just path witnessing s ∈ J .
We conclude that, indeed, J is a fixed point of T invariant . We next show that J is the greatest fixed point of T invariant ; that is, for any F satisfying T invariant (F) = F , we have F ⊆ J . Let F be a fixed point of T invariant , and choose s ∈ F . Our aim is to show that s ∈ J . First, observe that since F is a fixed point of T invariant and s ∈ F , we can conclude s ∈ T invariant (F).
We construct a just, b-free path starting in state s by eliminating all actions enabled in s in an arbitrary but fixed order as follows. Let L denote the set of enabled actions in s. In case L = ∅, the state s itself witnesses s ∈ J and we are done. Otherwise, fix a total ordering < on L. Pick the least action λ ∈ L. Since s ∈ T invariant (F), also s ∈ elim(λ) ϑ[Y :=F] holds. Consequently, by Lemma 38, there is a finite b-free path s 0 t 0 s 1 t 1 . . . t j s λ such that transition t j eliminates λ and s λ ∈ F . Denote the set of enabled actions in s λ by L λ . Note that L λ contains at least those actions of L that were not eliminated on some path from s to s λ [it may, however, contain actions that were already eliminated on some path from s to s λ , but, by Corollary 15, these actions were then not eliminated on all paths from s to s λ witnessing s ∈ elim(λ) ϑ[Y :=F] .] We now repeat this construction by choosing the least λ ∈ {λ ∈ L λ ∩ L | λ < λ }, leading to a state s λ , etcetera, until we have constructed a finite path that eliminates all obligations in L and ends in a state s ∈ F . Note that this construction terminates since |L| ≤ |L| < ∞.
This means that for any state s ∈ F , we can construct a finite path to another state in F such that all actions from En(s) are eliminated on that path. Since this holds invariantly for all states in F , this construction can be repeated to yield a finite b-free just path or (in case it can be continued indefinitely) an infinite b-free just path starting in s. Hence, s ∈ J and therefore F ⊆ J .
We illustrate the correspondence between invariant and J on the example we provided earlier.
Example 40 Reconsider Example 4, in which Alice drinks coffee and subsequently eats a croissant, Bob is engaged in a series of phone calls, and none of their activities interfere; see the following LTSC: Suppose we claim that whenever Alice orders coffee, she eventually also orders a croissant.
A counterexample to such a claim consists of a just path that contains a coffee event but is free of croissant actions following this coffee event. A state admits such a violating, coffee-less path iff it satisfies formula invariant. We argue that in this case, s 1 does not satisfy formula invariant. To this end, we first show that s 1 does not satisfy elim(croissant). Notice that the set #croissant\{croissant} is the empty set, while the set A\(#croissant ∪ {croissant}) is the set {coffee, phone}. Formula elim(croissant) therefore effectively holds in s 1 iff formula phone Q holds in state s 1 . Due to the self-loop, this is the case exactly when state s 1 satisfies elim(croissant). Since this chain of reasoning must be continued indefinitely and we are looking for the least solution to Q, we must conclude that s 1 does not satisfy elim(croissant). As an immediate consequence we find that s 1 also does not satisfy invariant since croissant is one of the enabled actions in that state. Observe that this is in line with the fact that s 1 / ∈ J ({coffee, phone}).
We now return to the original problem of characterising those states that have a just path that violates a-b-liveness. So far, we have established that formula invariant characterises those states that admit a b-free, just path. A state that admits a path violating a-b-liveness is therefore one that admits a finite path that, via an a-labelled transition, leads to a state satisfying invariant. Given the similarities with the formula for elim, we claim, without further proof, that formula violate indeed describes the set of states that admit an a-b-liveness violating just path. Example 42 We continue our previous example, showing that, indeed, the claim that whenever Alice orders coffee, she eventually also orders a croissant, holds true in state s 0 .
We find that s 0 satisfies violate if, and only if, it satisfies coffee invariant, coffee violate, phone violate, or croissant violate. Notice that there is no croissant action enabled in s 0 , so s 0 cannot satisfy croissant violate. In order for s 0 to satisfy phone violate, we require s 0 to again satisfy violate. Like before, such a cyclic chain of reasoning does not permit us to conclude that s 0 satisfies violate. Therefore, the only way to show that s 0 satisfies violate is to show that s 0 satisfies coffee invariant. But as we may conclude from our previous example, also this will fail since s 1 does not satisfy invariant, which is required when we are to conclude that s 1 satisfies invariant. We can therefore conclude that state s 0 does not satisfy violate. Since the LTSC has a concurrency-consistent labelling, we may conclude by Theorem 41 that our liveness claim holds and Alice enjoys a croissant after drinking coffee.

Example 43
In Example 30, we concluded that all the conditions of Corollary 32 are satisfied for E Pet , γ , Pet and the C(Pet)-assignment (npc , afc ), so the LTSC associated with Pet has a concurrency-consistent labelling. As a consequence, by Theorem 41 we can therefore conclude that the formula in Table 3, with B = {noncritA, noncritB}, a = noncritA and b = critA expresses noncritA-critA-liveness.

Automated liveness analysis in mCRL2
A complete mCRL2 specification of Peterson's algorithm is listed in "Appendix C". The recursive specification E Pet presented in Sect. 4 served as the starting point and the reader will easily recognise it under the mCRL2 keyword proc. That the mCRL2 specification looks somewhat more involved than the specification presented in Sect. 4 is because we have used some convenient extra features of mCRL2. Before we comment on these extra features, we emphasise that the use of these features is by no means essential. We could have also verified liveness for all just paths with the mCRL2 toolset with a specification that almost literally corresponds to the one presented in Sect. 4.
In an mCRL2 specification, labels can be parameterised with data, defined by means of an algebraic specification. In our specification we have included an enumerated type of which the elements correspond to the labels of Peterson's specification. This allows us to define, in a natural way, the functions npc and afc as mappings npc and afc, respectively, on the Label datatype. We then define a predicate interfere(a,a') that evaluates to true if, and only if, npc (a) ∩ afc (a') / = ∅ using the mappings npc and afc. In a similar vein, a predicate blocking(a) defines whether a is blocking or not.
The correspondence between labels and the data values representing them is achieved by turning the labels of Pet into multi-actions, 'labelling' the original actions with a parameterised action label(<action>), where <action> identifies the original action. For instance, we represent the label critA using data value a_critA. In the equation defining procA, we have, instead of the occurrence of critA appearing in procA in Sect. 4, a multi-action critA|label(a_critA). We can then choose to either hide the labels of the form label(<label>), or hide the labels representing those in the specification of Peterson's algorithm in Sect. 4. The former allows us to generate a labelled transition system that is identical to that associated with Pet; the latter yields a labelled transition system in which transitions are labelled with actions of the form label(<label>).
The toolset accepts the first-order modal μ-calculus of [12], which generalises the logic L μ . With the labels available as a datatype and using the predicates interfere and blocking, we can express the formula expressing liveness for all just paths as an almost direct instantiation (with noncritA for a and critA for b) of the formula in   Table 3. The formula we have used to verify that the mCRL2 specification of Peterson's algorithm satisfies the required liveness property is listed in "Appendix D". The extra features of mCRL2 described above facilitate writing the generalised disjunctions and conjunctions as existential and universal quantifications. Note, however, that, since the quantifications are over finite sets, they can be replaced by finite disjunctions and conjunctions.
Verifying whether the mCRL2 specification of Peterson's algorithm satisfies noncritA-critA-liveness requires under half a second using the toolset and results in an affirmative verdict. 2 This once more confirms the manual correctness proof of [4]. If we modify the specification of the mapping afc by including c_ReadyA in afc(a_read_readyA), c_ReadyB in afc(a_read_readyB), and c_Turn in both afc(a_read_turnA) and afc(a_read_turnB), then the toolset produces the counterexample shown in Fig. 2. Note that the modification corresponds to not treating these actions as signals and that the counterexample represents the non-just path discussed in Sect. 4.

Conclusions
To facilitate the automated verification of liveness properties, we have proposed a notion of concurrency-consistent labelling for labelled transition system with concurrency together with a formulation of justness in terms of states and actions. We have presented sufficient conditions on a process specification in a calculus with ACP-style communication that guarantee that the associated labelled transition system with concurrency has a concurrency-consistent labelling. Moreover, for LTSCs with a concurrency-consistent labelling we have shown how to formalise a liveness property under justness assumptions in the modal μ-calculus.
We have built on the firm foundation laid by van Glabbeek in [9], but had to slightly deviate from it to enable a special treatment of signal transitions in a regular process calculus. Furthermore, we essentially relied on the ACP-style communication mechanism in our calculus.
As an example of our theory, we have shown that Peterson's mutual exclusion algorithm can be specified in such a way that the associated LTSC has a concurrency-consistent labelling. Using the mCRL2 toolset we were able to verify that the specification satisfies the required liveness property for all just paths. We conjecture that similar specifications can be realised for the generalisation of Peterson's algorithm to N processes [17], and for Lamport's bakery algorithm [15]; it remains to confirm liveness properties for all just paths for these specifications with the mCRL2 toolset.
We see several directions in which our current work can be extended. For example, it would be useful to automate the verification of the syntactic conditions that guarantee that a specification induces an LTSC that has a concurrency-consistent labelling. A more challenging task is to identify to which extent the fragment of the process calculus can be extended without losing the guarantee that the LTSCs associated with expressions in that fragment have a concurrency-consistent labelling. We believe it may even be possible to check sufficient conditions for the LTSC to have a concurrency-consistent labelling by phrasing appropriate modal μ-calculus formulas. Finally, an open issue in the context of justness is the definition of behavioural equivalences, such as component-preserving variants of strong bisimilarity [16] or divergence-preserving branching bisimilarity [10]. The latter is a particularly interesting starting point because it deals with abstraction and is the coarsest congruence included in branching bisimilarity that distinguishes livelock from deadlock and is compatible with parallel composition [11].

Appendix A: Detailed proofs of lemmas in Sects. 3 and 5
In this "Appendix" we present elaborate proofs of Lemmas 6, 12 and 14, restated below as Lemmas 44, 45 and 46, respectively. Proof Let P = src(t) = src(v) and suppose that t • v, hence comp(t) ∩ comp(v) = ∅. We prove with induction on v that there exists a transition u with src(u) = target(v), (u) = (t) and comp(u) = comp(t).
If the last rule applied in v is (Pref), (Sum-l), (Sum-r) or (Rec), then comp(v) = { }, and, due to the syntactic form of P, the last rule applied in t must also be one of these rules, so comp(t) = { }. Thus, we find that comp(t) ∩ comp(v) = { }, contradicting the assumption of the lemma.
Suppose that the last rule applied in v is (Par-l). Then there exist P 1 and P 2 such that P = P 1 P 2 , and a subderivation v of v such that src . From the syntactic shape of src(t) = src(v) = P 1 P 2 we conclude that the last rule applied in t must be (Par-l), (Par-r) or (Comm). We distinguish these three cases: • If the last rule applied in t is (Par-l), then t has a subderivation t with src(t ) = P 1 and  (Par-r), then t has a subderivation t with src(t ) = P 2 and (t ) = (t). Then with an application of (Par-r) we can construct from t a derivation u with src(u) = target(v ) P 2 = target(v), (u) = (t ) = (t) and comp(u) = r comp(t ) = comp(t). • If the last rule applied in t is (Comm), then t has subderivations t 1 and t 2 with src(t 1 ) = P 1 , src(t 2 ) = P 2 , and γ ( (t 1 ), (t 2 )) = (t). From comp(t) = l comp(t 1 ) ∪ r comp(t 2 ) and comp(t) ∩ comp(v) = ∅, we conclude that comp(t 1 ) ∩ comp(v ) = ∅, so t 1 • v , and hence, by the induction hypothesis, there exists a derivation u 1 with src(u 1 ) = target(v ), (u 1 ) = (t 1 ) and comp(u 1 ) = comp(t 1 ). From u 1 and t 2 we can now, with an application of (Comm), construct a derivation u with src(u) = src(u 1 ) src( If the last rule applied in v is (Par-r), then the argument is symmetric to the argument for the case that the last rule applied in v is (Par-l).
Suppose last rule applied in v is (Comm). Then there exist subderivations v 1 and and comp(v) = l comp(v 1 ) ∪ r comp(v 2 ). From the syntactic shape of src(t) = src(v) = src(v 1 ) src(v 2 ), we conclude that the last rule applied in t must be (Par-l), (Par-r) or (Comm). We distinguish these three cases: • If the last rule applied in t is (Par-l), then t has a subderivation t with src(t ) = src(v 1 ) and and comp(t)∩comp(v) = ∅, we have that comp(t )∩comp(v 1 ) = ∅. So t • v 1 , and hence, by the induction hypothesis, there exists a transition u with src(u ) = target(v 1 ), (u ) = (t ) and comp(u ) = comp(t ). We can now construct from u with an application of (Par-l) a derivation u with src(u) = src(u ) target • If the last rule applied in t is (Par-r), then the argument is similar to the argument in the previous case, using the induction hypothesis for v 2 instead. • If the last rule applied in t is (Comm), then t has subderivations t 1 and t 2 with Hence, by the induction hypothesis, there exist action transitions u 1 and . We can now construct from u 1 and u 2 with an application of (Comm) a derivation u with src(u) = src(u 1 ) src( Suppose that the last rule applied in v is (Enc). Then there exists a subderivation v with . From the syntactic shape of src(t) = src(v) = ∂ H (src(v )) it follows that the last rule applied in t must be (Enc) too. So t has a subderivation t with src(t ) = src(v ) and (t ) = (t). Since If the last rule applied in t is (Par-l), then t has a subderivation t such that, for some process expression P, src(t) = src(t ) P, target(t) = target(t ) P and (t) = (t ).
On the one hand, if t is a signal transition, then from src(t) = target(t) it follows that src(t ) = target(t ) and (t ) = (t) ∈ S, so t is a signal transition too. By the induction hypothesis, afc(t ) = ∅, and, since afc(t) = l afc(t ), it follows that afc(t) = ∅. On the other hand, if afc(t) = ∅, then afc(t ) = ∅. So by the induction hypothesis it follows that t is a signal transition. So src(t ) = target(t ) and hence src(t) = target(t), and therefore t is a signal transition too.
If the last rule applied in t is (Par-r), then the argument is similar to the argument in the previous case.
If the last rule applied in t is (Enc), then there exists a subderivation t such that src(t) = ∂ H (src(t )) for some H ⊆ L, (t ) = (t) and target(t) = ∂ H (src(t )). Furthermore, note that afc(t ) = afc(t). On the one hand, if t is a signal transition, then t is a signal transition too, so by the induction hypothesis, afc(t ) = ∅. Since afc(t) = afc(t ), it follows that afc(t) = ∅. On the other hand, if afc(t) = ∅, then afc(t ) = ∅. So, by the induction hypothesis, t is a signal transition, and hence src(t ) = target(t ) and (t ) ∈ S. It follows that src(t) = target(t) and (t) ∈ S, so t is a signal transition.

Lemma 46 For all transitions t and v, if src(t) = src(v) and npc(t) ∩ afc(v) = ∅, then there exists a transition u with src(u) = target(v), (u) = (t) and npc(u) = npc(t). If γ is signal-respecting and t is an action transition, then so is u.
Proof Let P = src(t) = src(v) and suppose that npc(t) ∩ afc(v) = ∅. We prove with induction on v that there exists u with src(u) = target(v), (u) = (t) and npc(u) = npc(t).
If the last rule applied in v is (Pref), then there exist λ and P such that P = λ.P and afc(v) = { }. Due to the syntactic form of P, the last rule applied in t must also be (Pref) and therefore npc(t) = { }. Thus, we find that npc(t) ∩ afc(v) = { }, contradicting the assumption of the lemma.
If the last rule applied in v is (Sum-l) or (Sum-r). Then either then P = P 1 + P 2 , so the last rule applied in t is also (Sum-l) or (Sum-r). Since npc(t) = { } and npc(t)∩afc(v) = ∅, we have that afc(v) / = { }, and hence afc(v) = ∅. So, by Lemma 12, v is a signal transition, and hence λ ∈ S and P = P . Then we have that src(t) = src(v) = target(v), so we can take u = t to satisfy the requirements of the lemma. Clearly, if t is an action transition, then so is u.
If the last rule applied in v is (Rec), then P = A, so also the last rule applied in t is (Rec). Since npc(t) = { } and npc(t) ∩ afc(v) = ∅, it we have that afc(v) = ∅. So, by Lemma 12, v is a signal transition, and hence P = A and λ ∈ S. Then we have that src(t) = src(v) = target(v), so we can take u = t to satisfy the requirements of the lemma. Clearly, if t is an action transition, then u is an action transition too.
Suppose that the last rule applied in v is (Par-l). Then there exists a subderivation v of v and a process expression P such that src(v) = src(v ) P , (v) = (v ) and afc(v) = l afc(v ). From the syntactic shape of src(t) = src(v) = src(v ) P we conclude that the last rule applied in t must be (Par-l), (Par-r) or (Comm). We distinguish these three cases: • If the last rule applied in t is (Par-l), then t has a subderivation t with src(t ) = P 1 and (t ) = (t). Since npc(t) = l npc(t ) and afc(v) = l afc(v ), it follows from npc(t) ∩ afc(v) = ∅ that npc(t ) ∩ afc(v ) = ∅. Hence, by the induction hypothesis, there exists a transition u with src(u ) = target(v ), (u ) = (t ) and npc(u ) = npc(t ). We can now construct from u with an application of (Par-l) a derivation u with src(u) = target(v ) P 2 = target(v), (u) = (u ) = (t ) = (t) and npc(u) = l npc(u ) = l npc(t ) = npc(t).
It remains to argue that if γ is signal-respecting and t is an action transition, then u is an action transition too. To this end, first note that if γ signal-respecting and t is an action transition, then, by Lemma 12, afc(t) / = ∅, say lσ ∈ afc(t) for some σ ∈ C * . Then, since afc(t) = l afc(t ), it follows that σ ∈ afc(t ), so t is an action transition too. Then, by the induction hypothesis, also u is an action transition, so there exists σ ∈ afc(u ), and hence lσ ∈ afc(u), which therefore is also an action transition.
• If the last rule applied in t is (Par-r), then t has a subderivation t with src(t ) = P 2 and (t ) = (t). Then with an application of (Par-r) we can construct from t a derivation u with src(u) = target(v ) P 2 = target(v), (u) = (t ) = (t) and npc(u) = r npc(t ) = npc(t).
If t is an action transition, then, by Lemma 12, afc(t) / = ∅, and hence there exists σ ∈ C * such that rσ ∈ afc(t). From the construction of u it is then easy to see that also rσ ∈ afc(u), proving that u is an action transition too.
If γ is signal-respecting and t is an action transition, then, by Lemma 12, afc(t) / = ∅. Hence, since afc(t) = l afc(t 1 ) ∪ r afc(t 2 ), we have that afc(t 1 ) / = ∅ or afc(t 2 ) / = ∅. In the first case, t 1 is an action transition, so we get from the induction hypothesis that u 1 is an action transition. It follows that afc(u 1 ) / = ∅, and hence afc(u) / = ∅, so u is an action transition. In the second case, we simply get that r afc(t 2 ) ⊆ afc(u), so afc(u) / = ∅ and therefore u is an action transition.
If the last rule applied in v is (Par-r), then the argument is symmetric to the argument for the case that the last rule applied in v is (Par-l).
• If the last rule applied in t is (Par-r), then the argument is similar to the argument in the previous case, using the induction hypothesis for v 2 instead.
Suppose that the last rule applied in v is (Enc). Then there exists a subderivation v with src(v) = ∂ H (src(v )) for some H ⊆ L, (v ) = (v) / ∈ H and npc(v) = npc(v ). From the syntactic shape of src(t) = src(v) = ∂ H (src(v )) it follows that the last rule applied in t must be (Enc) too. So t has a subderivation t with src(t ) = src(v ) and (t ) = (t).
If γ is signal-respecting and t is an action transition, then, by Lemma 12 and afc(t ) = afc(t), t is an action transition too, so by the induction hypothesis also u is an action transition, and thus it follows, by Lemma 12 and afc(u) = afc(u ), that u is an action transition.

B Detailed proof of a lemma in Sect. 7
In this "Appendix", we present a detailed proof of Lemma 27, restated below as Lemma 47.
Lemma 47 Let E be a sequential recursive specification and let P be a parallel-sequential process expression over E. If P is reachable from P, then C(P ) = C(P) and P | σ is reachable from P| σ for all σ ∈ C(P).
Proof Let us first consider the special case that there is a transition t such that src(t) = P and target(t) = P . With induction on t we establish that C(P ) = C(P) and P | σ = P| σ for all σ ∈ C(P).
If the last rule applied in t is (Pref), (Sum-l), (Sum-r) or (Rec), then P is a sequential process expression and, since E is a sequential recursive specification, so is P . It follows that C(P ) = { } = C(P) and P | = P is reachable from P = P| .