Abstract
This paper studies the correctness of automated synthesis for concurrent monitors. We adapt a subset of the Hennessy–Milner logic with recursion (a reformulation of the modal \(\mu \)-calculus) to specify safety properties for Erlang programs. We also define an automated translation from formulas in this sub-logic to concurrent Erlang monitors that detect formula violations at runtime. Subsequently, we formalise a novel definition for monitor correctness that incorporates monitor behaviour when instrumented with the program being monitored. Finally, we devise a sound technique that allows us to prove monitor correctness in stages; this technique is used to prove the correctness of our automated monitor synthesis.
Notes
Due to \({\textsf {exit}}\) exceptions, variable bindings, \(x \,{\textsf {=}}\, e {\textsf {,}}\,d \) cannot be encoded as function applications, \( \uplambda x.d (e)\).
In our formalisation, expressions are not allowed to evaluate under a spawn context, \({\textsf {spw}}\, [-] \); this aspect differs from standard Erlang semantics but allows a lightweight description of function application spawning. An adjustment in line with the actual Erlang spawning would be straightforward.
Note that we do not show that sHML captures all the safety properties expressible in HML with recursion; there are in fact other formulas that specify safety properties, such as \({\textsf {tt}}\).
Due to asynchronous communication, even scoped actors can produce visible actions by sending messages to environment actors.
One potential disadvantage of splitting formulas is that of increasing communication amongst monitors.
In guarded sHML formulas, variables appear only as a sub-formula of a necessity formula.
We elevate \({{\mathrm{tr}}}\) to basic action sequences \(s\) in pointwise fashion, \({{\mathrm{tr}}}(s)\), where \({{\mathrm{tr}}}(\epsilon )=\epsilon \).
References
Aceto L, Ingólfsdóttir A (1999) Testing Hennessy–Milner logic with recursion. In: FoSSaCS’99. Springer, pp 41–55
Aceto L, Ingólfsdóttir A, Larsen KG, Srba J (2007) Reactive systems: modelling. Specification and verification. Cambridge University Press, New York
Armstrong J (2007) Programming Erlang. The Pragmatic Bookshelf
Bauer A, Falcone Y (2012) Decentralised LTL monitoring. In: Giannakopoulou D, Méry D (eds) FM. LNCS, vol 7436. Springer, pp 85–100
Bauer A, Leucker M, Schallhart C (2011) Runtime verification for LTL and TLTL. ACM Trans Softw Eng Methodol 20:14:1–14:64
Bocchi L, Chen T-C, Demangeon R, Honda K, Yoshida N (2013) Monitoring networks through multiparty session types. In: FMOODS/FORTE 2013. LNCS, vol 7892. Springer, pp 50–65.
Cao T-D, Phan-Quang T-T, Felix P, Castanet R (2010) Automated runtime verification for web services. In: ICWS. IEEE, pp 76–82
Carlsson R (2001) An introduction to Core Erlang. In: PLI’01 (Erlang Workshop)
Cassar I, Francalanza A (2014) On synchronous and asynchronous monitor instrumentation for actor-based systems. In: FOCLASA, EPTCS (to appear)
Cerone A, Hennessy M (2010) Process behaviour: formulae vs. tests. In: EXPRESS’10, vol 41 EPTCS, pp 31–45
Cesarini F, Thompson S (2009) Erlang programming. O’Reilly, Sebastopol
Chang E, Manna Z, Pnueli A (1992) Characterization of temporal property classes. In: ALP. LNCS, vol 623. Springer-Verlag, pp 474–486
Clarke E Jr, Grumberg O, Peled D (1999) Model checking. MIT Press, Cambridge
Colombo C, Francalanza A, Gatt R (2011) Elarva: a monitoring tool for Erlang. In: RV. LNCS, vol 7186. Springer, pp 370–374
Colombo C, Francalanza A, Grima I (2012) Simplifying contract-violating traces. In: FLACOS, EPTCS, vol 94, pp 11–20
Colombo C, Francalanza A, Mizzi R, Pace GJ (2012) polyLarva: runtime verification with configurable resource-aware monitoring boundaries. In: SEFM. Springer, pp 218–232
D'Angelo B, Sankaranarayanan S, Sánchez C, Robinson W, Finkbeiner B, Sipma HB, Mehrotra S, Manna Z (2005) LOLA: runtime monitoring of synchronous systems. In: TIME. IEEE
Falcone Y, Jaber M, Nguyen T-H, Bozga M, Bensalem S (2011) Runtime verification of component-based systems. In: SEFM. LNCS, vol 7041. Springer, pp 204–220
Francalanza A, Seychell A (2013) Synthesising correct concurrent runtime monitors in Erlang. Technical Report CS2013-01, University of Malta. https://www.cs.um.edu.mt/svrg/papers.html. Accessed Jan
Francalanza A, Gauci A, Pace GJ (2013) Distributed System contract monitoring. JLAP 82(5–7):186–215
Francalanza A, Seychell A, Cassar I. DetectEr. https://bitbucket.org/casian/detecter2.0
Fredlund L-Å (2001) A framework for reasoning about Erlang code. PhD thesis, Royal Institute of Technology, Stockholm, Sweden
Geilen M (2001) On the construction of monitors for temporal logic properties. ENTCS 55(2):181–199
Hennessy M (2008) A distributed pi-calculus. Cambridge University Press, Cambridge
Hennessy M, Milner R (1985) Algebraic laws for nondeterminism and concurrency. J ACM 32(1):137–161
Hewitt C, Bishop P, Steiger R (1973) A universal modular actor formalism for artificial intelligence. In: IJCAI, Morgan Kaufmann, pp 235–245
Kozen D (1983) Results on the propositional \(\mu \)-calculus. TCS 27:333–354
Manna Z, Pnueli A (1990) A hierarchy of temporal properties (invited paper, 1989). In: PODC, ACM, pp 377–410
Meredith PO, Jin D, Griffith D, Chen F, Rosu G (2012) An overview of the MOP runtime verification framework. STTT 14(3):249–289
Milner R (1989) Communication and concurrency. Prentice-Hall Inc, Upper Saddle River
Milner R, Parrow J, Walker D (1993) Modal logics for mobile processes. TCS 114:149–171
De Nicola R, Hennessy MCB (1984) Testing equivalences for processes. TCS 34:83–133
Rensink A, Vogler W (2007) Fair testing. Inf Comput 205(2):125–198
Sen K, Rosu G, Agha G (2004) Generating optimal linear temporal logic monitors by coinduction. In: ASIAN. LNCS, vol 2896. Springer-Verlag, pp 260–275
Sen K, Vardhan A, Agha G, Roşu G (2004) Efficient decentralized monitoring of safety in distributed systems. In: ICSE. IEEE, pp 418–427
Svensson H, Fredlund L-Å, Benac Earle C (2010) A unified semantics for future Erlang. In: Erlang Workshop. ACM, pp 23–32
Acknowledgments
The research work disclosed in this publication is partially funded by the Strategic Educational Pathways Scholarship Scheme (Malta). The scholarship is part-financed by the European Union European Social Fund.
Auxiliary proofs
For the proofs in Sect. 7, we find it convenient to first prove a technical result, Lemma 11, identifying the possible structures a monitor can be in after an arbitrary number of silent actions. The lemma also establishes that the only external action a synthesised monitor can perform is the fail action; this property lets us reason about the possible interactions that concurrent monitors may engage in.
Lemma 11
(Monitor Transitions and Structure) For all \({\varphi \in {\textsc {sHML}}}\), \({q \!\in \!(\textsc {Val})^*}\) and \(\theta :{:} \textsc {LVar} \rightharpoonup {\textsc {sHML}} \), if \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^n A \) then

1. \(A \xrightarrow {\;\;\alpha \;\;} B \) implies \(\alpha = {\textsf {{fail}}} {\textsf {!}} \); and
2. \(A \) has the form \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) or, depending on \(\varphi \):

- \(\varphi = {\textsf {ff}} \): \(A \equiv i {\textsf {[}} {\textsf {{fail}}} {\textsf {!}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) or \(A \equiv i {\textsf {[}} {\textsf {fail}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\).
- \(\varphi = \mathbf {[}\alpha \mathbf {]}\psi \): \(A \equiv i {\textsf {[}} {\textsf {rcv}}\, \left( {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}} \right) \,{\textsf {end}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\); or \(A \equiv B \) where \(i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^k B \) for some \(k< n\) and \(q ={{\mathrm{tr}}}(\alpha )\mathop {:}r \); or \(A \equiv i {\textsf {[}} {\textsf {ok}} \,\triangleleft \, r {\textsf {]}}_{}^{\bullet }\) where \(q =u \mathop {:}r \).
- \(\varphi = \varphi _1 \mathbf {\wedge } \varphi _2 \): one of the following four forms.
  - \(A \equiv i \;{\left[ \begin{array}{l} {\textit{y}} _1 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\bigr ) {\textsf {,}}\, \\ \;\;{\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2) \end{array} \,\triangleleft \, q \right] }_{}^{\bullet }\).
  - \(A \equiv (\upnu \, j _1) \left( \; i {\textsf {[}} e \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \;\right) \) where \(e\) is \({\textit{y}} _1 \,{\textsf {=}}\, j _1{\textsf {,}}\,{\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2)\) or \({\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \left( [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta ))\right) {\textsf {,}}\, {\textsf {fork}}(j _1,{\textit{y}} _2)\), and \(j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \) for some \(k< n\).
  - \(A \equiv (\upnu \, j _1,j _2) \left( \; \begin{array}{l} i {\textsf {[}} {\textit{y}} _2 \,{\textsf {=}}\, j _2{\textsf {,}}\, {\textsf {fork}}(j _1,{\textit{y}} _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\\ \parallel \; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \;\parallel \; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array} \;\right) \) where \(j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \parallel B) \) for some \(k< n\), and \(j _2{\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet } \;(\xrightarrow {\;\tau \;})^l\; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \parallel C) \) for some \(l< n\).
  - \(A \!\equiv \!(\upnu \, j _1,j _2) \left( \; i {\textsf {[}} e \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \;\parallel \; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \!\parallel \! C) \right) \) where \(e\) is either \( {\textsf {fork}}(j _1, j _2)\), or \(\bigl ({\textsf {rcv}}\, {\textit{z}} \,{{\rightarrow }}\, j _1 {\textsf {!}} {\textit{z}} {\textsf {,}}\,j _2 {\textsf {!}} {\textit{z}} \,{\textsf {end}}{\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \bigr )\), or \(j _1 {\textsf {!}} u {\textsf {,}}\,j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2)\), or \(j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2)\); \(j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \) for some \(k< n\) with \(q _1 < q \); and \(j _2{\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^l\; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \) for some \(l< n\) with \(q _2 < q \).
- \(\varphi = X \): \(A \equiv i {\textsf {[}} y \,{\textsf {=}}\, {\textsf {lookUp}}('X ', {{\mathrm{enc}}}(\theta ')){\textsf {,}}\, y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) where \(\theta ' < \theta \); or \(A \equiv i \;{\left[ y \,{\textsf {=}}\, \left( \begin{aligned} {\textsf {case}}\; {{\mathrm{enc}}}(\theta ') \;{\textsf {of}}\;&\{ 'X ', {\textit{z}} _{mon} \}\mathop {:} \_ \,{{\rightarrow }}\, {\textit{z}} _{mon} ; \\&\_ \mathop {:} {\textit{z}} _{tl} \,{{\rightarrow }}\, {\textsf {lookUp}}('X ', {\textit{z}} _{tl}) ; \\&{\textsf {nil}} \,{{\rightarrow }}\, {\textsf {exit}} \\ {\textsf {end}}\end{aligned} \right) {\textsf {,}}\,\;\; y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q \right] }_{}^{\bullet }\) where \(\theta ' < \theta \); or \(A \equiv B \) where \(\theta (X) = \psi \) and \(i {\textsf {[}} y \,{\textsf {=}}\, [\![\psi ]\!]^\mathbf {m}{\textsf {,}}\, y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; B \) for some \(k < n\); or \(A \equiv i {\textsf {[}} y \,{\textsf {=}}\, {\textsf {exit}}{\textsf {,}}\, y({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\); or \(A \equiv i {\textsf {[}} {\textsf {exit}} \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\).
- \(\varphi ={\textsf {max}}\mathbf {(}X,\psi \mathbf {)} \): \(A \equiv B \) where \(i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}({\textsf {\{}}'X',[\![\psi ]\!]^\mathbf {m}{\textsf {\}}}\mathop {:}{{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^k B \) for some \(k < n\).
Proof
The proof is by strong induction on \(n\) in \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^n A \). The inductive case involves a long but routine case analysis exhausting all possibilities. \(\square \)
1.1 Proofs for establishing violation detection
Lemma 13 uses Lemma 12, which relates possible detections by monitors synthesised from subformulas to possible detections by monitors synthesised from conjunctions of these subformulas.
Lemma 12
For an arbitrary \(\theta \), \((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} }\;\) implies \((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \;\) for any \(\varphi _2 \in {\textsc {sHML}} \).
Proof
By Definition 7, we know that we can derive the sequence of reductions
We then prove, by induction on the structure of \(s\), the following (see [19] for details):
\(\square \)
Lemma 13
If \(A, s \models _{\text {v}}\varphi \theta \) and \(l _{\text {env}}= {{\mathrm{enc}}}(\theta )\) then
Proof
Proof by rule induction on \(A, s \models _{\text {v}}\varphi \theta \):
-
\(A, s \models _{\text {v}}{\textsf {ff}} \theta \): Using Definition 7 for the definition of \([\![{\textsf {ff}} ]\!]^\mathbf {m}\) and the rule \(\textsc {App}\) (and \(\textsc {Par}\) and \(\textsc {Scp}\)), we have
$$\begin{aligned}&(\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {ff}} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }) \\&\quad \mathop {\Longrightarrow }\limits ^{\quad } (\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} {\textsf {{fail}}} {\textsf {!}} {\textsf {]}}^{\bullet }) \end{aligned}$$The result follows trivially, since the process \(i \) can transition with a \({\textsf {{fail}}} {\textsf {!}} \) action in a single step using the rule \(\textsc {SndU}\).
-
\(A, s \models _{\text {v}}(\varphi _1 \mathbf {\wedge } \varphi _2)\theta \) because \(A, s \models _{\text {v}}\varphi _1\theta \): By \(A, s \models _{\text {v}}\varphi _1\theta \) and I.H. we have
$$\begin{aligned}&(\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$The result thus follows from Lemma 12, which allows us to conclude that
$$\begin{aligned} (\upnu \, i) (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$ -
\(A, s \models _{\text {v}}(\varphi _1 \mathbf {\wedge } \varphi _2)\theta \) because \(A, s \models _{\text {v}}\varphi _2\theta \): Analogous.
-
\(A, s \models _{\text {v}}(\mathbf {[}\alpha \mathbf {]}\varphi )\theta \) because \(s =\alpha t \), \(A \mathop {\Longrightarrow }\limits ^{\;\alpha \,\;} B \) and \(B, t \models _{\text {v}}\varphi \theta \): Using the rules \(\textsc {App}\) and \(\textsc {Scp}\) and Definition 7 for the property \(\mathbf {[}\alpha \mathbf {]}\varphi \) we derive (37); by executing mLoop (see Definition 7) we obtain (38), and then by rule Rd1 we derive (39) below.
$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(\alpha t) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\mathbf {[}\alpha \mathbf {]}\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$(37)$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(\alpha t ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} {\textsf {rcv}}\, ({{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}}) \,{\textsf {end}} {\textsf {]}}^{\bullet } \bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\end{aligned}$$(38)$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} {\textsf {rcv}}\, ({{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}}) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(\alpha ) {\textsf {]}}_{}^{\bullet } \bigr ) \xrightarrow {\;\;\tau \;\;}\\&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \bigr ) \nonumber \end{aligned}$$(39)By \(B, t \models _{\text {v}}\varphi \theta \) and I.H. we obtain
$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$and the required \({\textsf {{fail}}} {\textsf {!}} \) transition sequence follows by composing (37), (38) and (39) with this derivation.
\(A, s \models _{\text {v}}({\textsf {max}}\mathbf {(}X,\varphi \mathbf {)})\theta \) because \(A, s \models _{\text {v}}\varphi \{{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}/X \}\theta \): By Definition 7 and \(\textsc {App}\) for process \(i \), we derive
$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\nonumber \\ \qquad (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({\textsf {\{}} 'X ', [\![\varphi ]\!]^\mathbf {m} {\textsf {\}}}\mathop {:}l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \end{aligned}$$(40)Assuming the appropriate \(\alpha \)-conversion for \(X \) in \({\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}\), we note that from \(l _{\text {env}}= {{\mathrm{enc}}}(\theta )\) and Definition 8 we obtain
$$\begin{aligned} {{\mathrm{enc}}}(\{{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}/X \}\theta ) = {\textsf {\{}} 'X ', [\![\varphi ]\!]^\mathbf {m} {\textsf {\}}}\mathop {:}l _{\text {env}} \end{aligned}$$(41)By \(A, s \models _{\text {v}}\varphi \{{\textsf {max}}\mathbf {(}X,\varphi \mathbf {)}/X \}\theta \), (41) and I.H. we obtain
$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s ) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({\textsf {\{}} 'X ', [\![\varphi ]\!]^\mathbf {m} {\textsf {\}}}\mathop {:}l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} } \end{aligned}$$(42)and the result follows from (40) and (42). \(\square \)
Lemma 16 relies on a technical result, Lemma 15 which allows us to recover a violating reduction sequence for a subformula \(\varphi _1\) or \(\varphi _2\) from that of the synthesised monitor of a conjunction formula \(\varphi _1 \mathbf {\wedge } \varphi _2\). Lemma 15 relies on Lemma 14.
Lemma 14
For some \(l\le n\):
Proof
By induction on the structure of the mailbox \(q _{\text {frk}}\) at actor \(i\). \(\square \)
Lemma 15
For some \(l \le n\)
Proof
Proof by induction on the structure of \(s \).
-
\(s =\epsilon \): From the structure of mLoop, we know that after the function application, the actor \(i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) {\textsf {]}}^{*}\) is stuck. Thus we conclude that it must be the case that
$$\begin{aligned} (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^k{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$where \(k=n\) or \(k=n-1\). In either case, the required result follows from Lemma 14.
-
\(s =\alpha s '\): We have two subcases:
-
If
$$\begin{aligned} (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array} \right) (\xrightarrow {\;\;\tau \;\;})^k{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$for some \(k\le n\) then, by Lemma 14 we obtain
$$\begin{aligned} (\upnu \, j) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (j) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\ \text {or}\quad (\upnu \, h) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (h) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$for some \(l\le k\). By Lemma 8 we thus obtain
$$\begin{aligned} (\upnu \, j) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (j) \,\triangleleft \, {{\mathrm{tr}}}(t s) {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\ \text {or}\quad (\upnu \, h) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (h) \,\triangleleft \, {{\mathrm{tr}}}(t s) {\textsf {]}}_{}^{*} \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$as required.
-
Otherwise, it must be the case that
$$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k}\end{aligned}$$(43)$$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s ') {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( i \;{\left[ e _{\text {fork}} \,\triangleleft \, q \mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet } \parallel A \right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{n-k} {\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$(44)for some \(k=3+k_1\) where
$$\begin{aligned} \begin{aligned}&(\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_1}\\&(\upnu \, j,h) \left( i \;{\left[ e _{\text {fork}} \,\triangleleft \, q \right] }_{}^{\bullet } \parallel A \right) \end{aligned} \end{aligned}$$(45)$$\begin{aligned}&(\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t)\mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_1}\nonumber \\&(\upnu \, j,h) \left( i \;{\left[ e _{\text {fork}} \,\triangleleft \, q \mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet } \parallel A \right) \end{aligned}$$and by (44) we can construct the sequence of transitions:
$$\begin{aligned} (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s ') {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(t)\mathop {:}{{\mathrm{tr}}}(\alpha ) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{n-3}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$Thus, by I.H. we obtain, for some \(l\le n-3\),
$$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t \alpha s ') {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}}\\&\text {or}\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t \alpha s ') {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^l{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$The result follows since \(s =\alpha s '\). \(\square \)
-
Equipped with Lemma 15, we can now prove Lemma 16.
Lemma 16
If \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;} \), \(l _{\text {env}}\!=\!{{\mathrm{enc}}}(\theta )\) and \((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{{\textsf {{fail}}} {\textsf {!}} }\) then \(A, s \models _{\text {v}}\varphi \theta \), whenever \({{\mathrm{fv}}}(\varphi ) \subseteq {{\mathrm{dom}}}(\theta )\).
Proof
By strong induction on the number \(n\) of silent transitions leading to the action \({\textsf {{fail}}} {\textsf {!}} \) in
-
\((\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^n{\mathop {\longrightarrow }^{\textsf {fail!}}}\)
-
\(n = 0\): By inspection of the definition for mLoop, and by case analysis of \( [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}})\) from Definition 7, it can never be the case that
$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) {\mathop {\longrightarrow }^{\textsf {fail!}}}. \end{aligned}$$Thus the result holds trivially.
-
\(n = k + 1\): We proceed by case analysis on \(\varphi \).
-
\(\varphi = {\textsf {ff}} \): The result holds immediately for any \(A\) and \(s\) by Definition 3.
-
\(\varphi = \mathbf {[}\alpha \mathbf {]}\psi \): By Definition 7, we know that
$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\mathbf {[}\alpha \mathbf {]}\psi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_1}\end{aligned}$$(46)$$\begin{aligned}&\;(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\mathbf {[}\alpha \mathbf {]}\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$(47)$$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel \\ i \;{\left[ {\textsf {rcv}}\, \left( \begin{array}{l} {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \\ \_ \,{{\rightarrow }}\, {\textsf {ok}} \end{array}\right) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(s _1) \right] }_{}^{\bullet }\end{array}\right) (\xrightarrow {\;\tau \;})^{k_2}{\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$(48)$$\begin{aligned}&\text {where } k+1 = k_1 + k_2+1 \text { and } s =s _1s _2 \end{aligned}$$(49)From the analysis of the code in (48), the only way for the action \({\textsf {{fail}}} {\textsf {!}} \) to be triggered is by choosing the guarded branch \({{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}})\) in actor \(i\). This means that (48) can be decomposed into the following reduction sequences.
$$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel \\ i \;{\left[ {\textsf {rcv}}\, \left( {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}} \right) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(s _1) \right] }_{}^{\bullet } \end{array}\right) (\xrightarrow {\;\tau \;})^{k_3}\end{aligned}$$(50)$$\begin{aligned}&\;\,(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel \\ i \;{\left[ {\textsf {rcv}}\, \left( {{\mathrm{tr}}}(\alpha ) \,{{\rightarrow }}\, [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,{\textsf {;}}\, \_ \,{{\rightarrow }}\, {\textsf {ok}} \right) \,{\textsf {end}} \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet } \end{array}\right) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$(51)$$\begin{aligned}&\quad (\upnu \, i) i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel i \;{\left[ [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _5) \right] }_{}^{\bullet } (\xrightarrow {\;\;\tau \;\;})^{k_4}{\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$(52)$$\begin{aligned}&\text {where } {k_2} = k_3 + k_4+1 \text { and } s _1s _3=\alpha s _5 \text { and }s _2=s _3s _4 \end{aligned}$$(53)$$\begin{aligned} s =\alpha t \text { where }t =s _5s _4 \end{aligned}$$(54)From the definition of mLoop we can derive
$$\begin{aligned} (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(t) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_5}\nonumber \\ (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel i \;{\left[ [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _5) \right] }_{}^{\bullet }\bigr ) \end{aligned}$$(55)where \(k_5\le k_1+k_3\). From (54) we can split \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;}\) as \(A \mathop {\Longrightarrow }\limits ^{\;\;\alpha \;\;}A '\mathop {\Longrightarrow }\limits ^{\;\;t \;\;}\) and from (55), (52), the fact that \(k_5+k_4 < k+1=n\) from (49) and (53), and I.H. we obtain
$$\begin{aligned}&A ', t \models _{\text {v}}\psi \theta \end{aligned}$$(56)From (56), \(A \mathop {\Longrightarrow }\limits ^{\;\;\alpha \;\;}A '\) and Definition 3 we thus conclude \(A, s \models _{\text {v}}\bigl (\mathbf {[}\alpha \mathbf {]}\psi \bigr )\theta \).
- \(\varphi = \varphi _1 \mathbf {\wedge } \varphi _2\): From Definition 7, we can decompose the transition sequence as follows
$$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1}\end{aligned}$$(57)$$\begin{aligned}&\;\;(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1 \mathbf {\wedge } \varphi _2 ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) \xrightarrow {\;\;\tau \;\;}\end{aligned}$$(58)$$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*}\\ \parallel i \;{\left[ \begin{array}{l} {\textit{y}} _1 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\, \\ {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2)\end{array} \,\triangleleft \, {{\mathrm{tr}}}(s _1) \right] }_{}^{\bullet }\end{array} \right) (\xrightarrow {\;\tau \;})^{k_2}\end{aligned}$$(59)$$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*}\\ \parallel i \;{\left[ \begin{array}{l} {\textit{y}} _1 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\, {\textsf {fork}}({\textit{y}} _1,{\textit{y}} _2)\end{array} \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] 
}_{}^{\bullet }\end{array} \right) (\xrightarrow {\;\tau \;})^2\end{aligned}$$(60)$$\begin{aligned}&\quad (\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j) \left( \begin{array}{l} i \;{\left[ \!\begin{array}{l} {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textsf {fork}}(j,{\textit{y}} _2)\end{array}\! \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_3} {\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$(61)$$\begin{aligned}&\text {where } k+1 = k_1+1+k_2+2+k_3, s =s _1s _2 \text { and }s _2=s _3s _4 \end{aligned}$$(62)From (61) we can deduce that there are two possible transition sequences by which the action \({\textsf {{fail}}} {\textsf {!}} \) was reached:
1. If \({\textsf {{fail}}} {\textsf {!}} \) was reached because \(j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } (\xrightarrow {\;\;\tau \;\;})^{k_4} {\mathop {\longrightarrow }^{\textsf {fail!}}}\) on its own, for some \(k_4\le k_3\), then by Par and Scp we deduce
$$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_4} {\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$From (62) we know that \(k_4< k+1=n\), and by the premise \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;}\) and I.H. we obtain \(A, s \models _{\text {v}}\varphi _1\theta \). By Definition 3 we then obtain \(A, s \models _{\text {v}}\bigl (\varphi _1 \mathbf {\wedge } \varphi _2 \bigr )\theta \).
2. Alternatively, (61) can be decomposed further as
$$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j) \left( \begin{array}{l} i \;{\left[ \!\begin{array}{l} {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textsf {fork}}(j,{\textit{y}} _2)\end{array}\! \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_4}\end{aligned}$$(63)$$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j) \left( \begin{array}{l} i \;{\left[ \!\begin{array}{l} {\textit{y}} _2 \,{\textsf {=}}\, {\textsf {spw}}\, \bigl ( [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}})\bigr ) {\textsf {,}}\,\\ {\textsf {fork}}(j,{\textit{y}} _2)\end{array}\! 
\,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\tau \;})^2\end{aligned}$$(64)$$\begin{aligned}&(\upnu \, i) \left( \begin{array}{l} i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*}\\ \parallel (\upnu \, j,h) \left( \begin{array}{l} i \;{\left[ {\textsf {fork}}(j,h) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) \right] }_{}^{\bullet }\\ \parallel j {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \parallel h {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \end{array}\right) \end{array}\right) (\xrightarrow {\;\;\tau \;\;})^{k_5}{\mathop {\longrightarrow }^{\textsf {fail!}}}\end{aligned}$$(65)$$\begin{aligned}&\text {where } k_3 = k_4+2+k_5 \text { and }s _4=s _5s _6 \end{aligned}$$(66)From (65) and Lemma 15 we know that, for some \(k_6\le k_5\) either
$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_6}{\mathop {\longrightarrow }^{\textsf {fail!}}}\\&\quad \text {or }\quad (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet } \bigr ) (\xrightarrow {\;\;\tau \;\;})^{k_6}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$From (62) and (66) we know that \(s =s _1s _3s _5s _6\) and that \(k_6 < k+1 = n\). By I.H., we obtain either \(A, s \models _{\text {v}}\varphi _1\theta \) or \(A, s \models _{\text {v}}\varphi _2\theta \) and, in either case, by Definition 3 we deduce \(A, s \models _{\text {v}}\bigl (\varphi _1 \mathbf {\wedge } \varphi _2 \bigr )\theta \).
- \(\varphi = X\): By Definition 7, we can deconstruct
$$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![X ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k+1}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$as
$$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![X ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;\tau \;}\end{aligned}$$(67)$$\begin{aligned}&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} y \,{\textsf {=}}\, {\textsf {lookUp}}('X ', l _{\text {env}}){\textsf {,}}\, y(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) \nonumber \\&\qquad \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;\tau \;}\end{aligned}$$(68)$$\begin{aligned}&\qquad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _4) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} y \,{\textsf {=}}\, v {\textsf {,}}\, y(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3) {\textsf {]}}_{}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;\tau \;}\end{aligned}$$(69)$$\begin{aligned}&\qquad \quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} v (l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) {\textsf {]}}_{}^{\bullet }\bigr ) \mathop {\Longrightarrow }\limits ^{\quad }\xrightarrow {\;{\textsf {{fail}}} {\textsf {!}} \;}\\&\text {where }s =s _1s _2, s _2=s _3s _4 \text { and }s _4=s _5s _6 \nonumber \end{aligned}$$(70)Since \(X \in {{\mathrm{dom}}}(\theta )\), we know that \(\theta (X)=\psi \) for some \(\psi \). By the assumption \(l _{\text {env}}= {{\mathrm{enc}}}(\theta )\) and Lemma 6 we obtain that \(v =[\![\psi ]\!]^\mathbf {m}\). Hence, by (67), (68), (69) and (70) we can reconstruct
$$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1}\nonumber \\&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _6) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, {{\mathrm{tr}}}(s _1s _3s _5) {\textsf {]}}_{}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_2}\xrightarrow {\;{\textsf {{fail}}} {\textsf {!}} \;}\nonumber \\ \end{aligned}$$(71)where \(k_1 + k_2 < k+1=n\). By (71) and I.H. we obtain \(A, s \models _{\text {v}}\psi \), which is the result required, since by \(\theta (X)=\psi \) we know that \(X \theta = \psi \).
- \(\varphi = {\textsf {max}}\mathbf {(}X,\psi \mathbf {)}\): By Definition 7, we can deconstruct
$$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {max}}\mathbf {(}X,\psi \mathbf {)} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k+1}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$as follows:
$$\begin{aligned}&(\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![{\textsf {max}}\mathbf {(}X,\psi \mathbf {)} ]\!]^\mathbf {m}(l _{\text {env}}) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1}\xrightarrow {\;\tau \;}\\&\quad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s _2) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}( {\textsf {\{}}'X ', \psi {\textsf {\}}}\mathop {:}l _{\text {env}} ) \,\triangleleft \, {{\mathrm{tr}}}(s _1) {\textsf {]}}_{}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_2}{\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$from which we can reconstruct the transition sequence
$$\begin{aligned} (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, {{\mathrm{tr}}}(s) {\textsf {]}}_{}^{*} \parallel i {\textsf {[}} [\![\psi ]\!]^\mathbf {m}( {\textsf {\{}}'X ', \psi {\textsf {\}}}\mathop {:}l _{\text {env}} ) {\textsf {]}}^{\bullet }\bigr ) (\xrightarrow {\;\tau \;})^{k_1+k_2} {\mathop {\longrightarrow }^{\textsf {fail!}}} \end{aligned}$$(72)By the assumption \(l _{\text {env}}={{\mathrm{enc}}}(\theta )\) we deduce that \({\textsf {\{}}'X ', \psi {\textsf {\}}}\mathop {:}l _{\text {env}} = {{\mathrm{enc}}}(\{{\textsf {max}}\mathbf {(}X,\psi \mathbf {)}/X\}\theta )\) and, since \(k_1+k_2 < k+1 = n\), we can use (72), \(A \mathop {\Longrightarrow }\limits ^{\;\;s \;\;}\) and I.H. to obtain \(A, s \models _{\text {v}}{\psi \{{\textsf {max}}\mathbf {(}X,\psi \mathbf {)}/X \}\theta }\). By Definition 3 we then conclude \(A, s \models _{\text {v}}{\textsf {max}}\mathbf {(}X,\psi \mathbf {)} \theta \).\(\square \)
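The translation cases the proof steps through (ff, \([\alpha]\psi\), conjunction, \(X\) and max) as a sequential Python model that replays a finite trace against the monitor and against a direct violation semantics; this is an added illustration, not the paper's Erlang monitors: mLoop forwarding, spw/fork and actor interleaving are abstracted into recursion over the trace, and the `SAFE_REQ` formula, the action names and the traces are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# sHML formulas handled by the proof: ff, [a]psi, phi1 and phi2, X, max(X, psi)
@dataclass(frozen=True)
class FF:                 # ff: violated by every trace
    pass

@dataclass(frozen=True)
class Nec:                # [a]psi: after action a, psi must hold
    action: str
    body: "Formula"

@dataclass(frozen=True)
class And:                # phi1 and phi2
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Var:                # recursion variable X
    name: str

@dataclass(frozen=True)
class Max:                # max(X, psi): greatest fixpoint
    name: str
    body: "Formula"

Formula = Union[FF, Nec, And, Var, Max]
Trace = List[str]
# l_env as in the proof: ('X', psi) bindings, newest first, so {'X', psi}:l_env
# shadows older bindings and lookUp scans from the head.
Env = Tuple[Tuple[str, Formula], ...]

def look_up(name: str, env: Env) -> Formula:
    """lookUp('X', l_env): the formula bound to the newest 'X' in env."""
    for bound, psi in env:
        if bound == name:
            return psi
    raise KeyError(f"unbound recursion variable {name}")

def monitor_fails(phi: Formula, env: Env, trace: Trace) -> bool:
    """Model of [[phi]]^m(env) fed the trace: True iff the monitor reaches fail!.
    Each branch mirrors one translation case as it appears in the proof."""
    if isinstance(phi, FF):
        return True                  # ff fails outright
    if isinstance(phi, Nec):         # rcv tr(a) -> [[psi]]^m(l_env); _ -> ok end
        if not trace:
            return False             # no message yet: the rcv blocks, no verdict
        if trace[0] == phi.action:
            return monitor_fails(phi.body, env, trace[1:])
        return False                 # default branch: ok
    if isinstance(phi, And):
        # spw both conjunct monitors; fork delivers each message to both, so
        # fail! is reached iff either conjunct monitor reaches it (Lemma 15).
        return (monitor_fails(phi.left, env, trace)
                or monitor_fails(phi.right, env, trace))
    if isinstance(phi, Var):
        # y = lookUp('X', l_env), y(l_env): the stored body runs under the same env
        return monitor_fails(look_up(phi.name, env), env, trace)
    if isinstance(phi, Max):
        # [[psi]]^m({'X', psi}:l_env)
        return monitor_fails(phi.body, ((phi.name, phi.body),) + env, trace)
    raise TypeError(f"not an sHML formula: {phi!r}")

def subst(phi: Formula, name: str, repl: Formula) -> Formula:
    """phi{repl/X} for a closed repl; an inner max(X, ...) shadows X."""
    if isinstance(phi, Nec):
        return Nec(phi.action, subst(phi.body, name, repl))
    if isinstance(phi, And):
        return And(subst(phi.left, name, repl), subst(phi.right, name, repl))
    if isinstance(phi, Var):
        return repl if phi.name == name else phi
    if isinstance(phi, Max) and phi.name != name:
        return Max(phi.name, subst(phi.body, name, repl))
    return phi

def violates(phi: Formula, trace: Trace) -> bool:
    """Direct violation semantics (in the style of Definition 3) for closed,
    guarded formulas: True iff the trace witnesses that phi does not hold."""
    if isinstance(phi, FF):
        return True
    if isinstance(phi, Nec):
        return bool(trace) and trace[0] == phi.action and violates(phi.body, trace[1:])
    if isinstance(phi, And):
        return violates(phi.left, trace) or violates(phi.right, trace)
    if isinstance(phi, Max):
        # unfold once: max(X, psi) is violated iff psi{max(X, psi)/X} is;
        # guardedness consumes an action before the next unfolding
        return violates(subst(phi.body, phi.name, phi), trace)
    raise ValueError(f"free variable or non-formula in a closed formula: {phi!r}")

# Constructed property: after a 'req', an 'err' must not occur before the
# matching 'resp', and the obligation starts again after every 'resp'.
SAFE_REQ = Max("X", Nec("req", And(Nec("err", FF()), Nec("resp", Var("X")))))

def detection_agrees(phi: Formula, trace: Trace) -> bool:
    """On one trace: the monitor model reaches fail! exactly when phi is violated."""
    return monitor_fails(phi, (), trace) == violates(phi, trace)
```

`detection_agrees(SAFE_REQ, ["req", "resp", "req", "err"])` returns True, with the monitor model reaching fail! through lookUp of `X`, the path followed in the \(\varphi = X\) case above.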
1.2 Proofs for establishing Detection Preservation
Lemma 18 relies heavily on Lemma 17.
Lemma 17
(Translation Confluence) For all \({\varphi \in {\textsc {sHML}}}, {q \in (\textsc {Val})^*}\) and \({\theta :{:} \textsc {LVar} \rightharpoonup {\textsc {sHML}}}\), \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \mathop {\Longrightarrow }\limits ^{\;\quad \;} A \) implies \({{\mathrm{cnf}}}(A)\).
Proof
The proof is by strong numerical induction on \(n\) in \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } (\xrightarrow {\;\tau \;})^n A \).
- \(n = 0\): The only possible \(\tau \)-action that can be performed by \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) is the one for the function application of the monitor definition, i.e.
$$\begin{aligned} i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;\tau \;\;} i {\textsf {[}} e \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \text { for some }e. \end{aligned}$$(73)Apart from that, \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\) can only perform an input action at \(i\), i.e.
$$\begin{aligned} i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;i \mathtt {?}v \;\;} i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet } \end{aligned}$$On the one hand, we can derive \(i {\textsf {[}} e \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;i \mathtt {?}v \;\;} i {\textsf {[}} e \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet }\). Moreover, from (73) and Lemma 8 we can deduce \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}({{\mathrm{enc}}}(\theta )) \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet } \xrightarrow {\;\;\tau \;\;} i {\textsf {[}} e \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet }\) which allows us to close the confluence diamond.
- \(n = k + 1\): We proceed by case analysis on the property \(\varphi \), using Lemma 11 to infer the possible structures of the resulting process. Again, the most involved cases are those of the conjunction translations, as they generate more than one concurrent actor; we discuss one of these below:
- \(\varphi = \varphi _1 \mathbf {\wedge } \varphi _2 \): By Lemma 11, \(A\) can have any of 4 general structures, one of which is
$$\begin{aligned} A&\equiv (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\;\right) \end{aligned}$$(74)where
$$\begin{aligned}&j _1{\textsf {[}} [\![\varphi _1]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q _1 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^k\; (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \text { for }k< n, q _1 < q \end{aligned}$$(75)$$\begin{aligned}&j _2{\textsf {[}} [\![\varphi _2]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, q _2 {\textsf {]}}_{}^{\bullet } \;(\xrightarrow {\;\tau \;})^l\; (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \text { for }l< n, q _2 < q \end{aligned}$$(76)By Lemma 11, (75) and (76) we also infer that the only external action that can be performed by the processes \((\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \) and \((\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \) is \({\textsf {{fail}}} {\textsf {!}} \). Moreover by (75) and (76) we can also show that
$$\begin{aligned} {{\mathrm{fId}}}\Bigl ((\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \Bigr )&= \{j _1\}&{{\mathrm{fId}}}\Bigl ((\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \Bigr )&= \{j _2\} \end{aligned}$$Thus these two subactors cannot communicate with each other or send messages to actor \(i \). This also means that the remaining possible actions that \(A \) can perform are:
$$\begin{aligned}&A \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, j _1, j _2) \left( \! i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet }\begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\!\right) \quad \text {or}\end{aligned}$$(77)$$\begin{aligned}&A \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, j _1, j _2) \left( \! i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1 ') (j _1{\textsf {[}} e '_{1} \,\triangleleft \, q ''_1 {\textsf {]}}_{}^{\bullet } \parallel B ') \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\!\right) \nonumber \\&\text {because } (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, ~\widetilde{h}_1 '~) (j _1{\textsf {[}} e '_{1} \,\triangleleft \, q ''_1 {\textsf {]}}_{}^{\bullet } \parallel B ') \qquad \text {or}\end{aligned}$$(78)$$\begin{aligned}&A \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2 {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \nonumber \\&\text {because } (\upnu \, \widetilde{h}_2) (j _2{\textsf 
{[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, ~\widetilde{h}_2 '~) (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2 {\textsf {]}}_{}^{\bullet } \parallel C ') \qquad \text {or}\end{aligned}$$(79)$$\begin{aligned}&A \;\xrightarrow {\;i \mathtt {?}v \;\;}\; (\upnu \, j _1, j _2) \left( \;\begin{array}{l} i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q \mathop {:}v {\textsf {]}}_{}^{\bullet }\\ \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2 {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\;\right) \end{aligned}$$(80)We prove confluence for the pair of actions (77) and (79) and leave the other combinations for the interested reader. From (79) and Lemma 8 we derive
$$\begin{aligned} (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C) \;\xrightarrow {\;\;\tau \;\;}\; (\upnu \, ~\widetilde{h}_2 '~) (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C ') \end{aligned}$$and by Par and Scp we obtain
$$\begin{aligned} (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2) (j _2{\textsf {[}} e _{2} \,\triangleleft \, q '_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C) \end{array}\;\right) \;\xrightarrow {\;\;\tau \;\;}\; \nonumber \\ (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \nonumber \\ \end{aligned}$$(81)Using Com, Str, Par and Scp we can derive
$$\begin{aligned} (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} j _2 {\textsf {!}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2 {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \;\xrightarrow {\;\;\tau \;\;}\; \nonumber \\ (\upnu \, j _1, j _2) \left( \; i {\textsf {[}} u {\textsf {,}}\, {\textsf {fork}}(j _1, j _2) \,\triangleleft \, q {\textsf {]}}_{}^{\bullet } \begin{array}{l} \parallel (\upnu \, \widetilde{h}_1) (j _1{\textsf {[}} e _{1} \,\triangleleft \, q '_1 {\textsf {]}}_{}^{\bullet } \parallel B) \\ \parallel (\upnu \, \widetilde{h}_2 ') (j _2{\textsf {[}} e '_{2} \,\triangleleft \, q ''_2\mathop {:}u {\textsf {]}}_{}^{\bullet } \parallel C ') \end{array}\;\right) \nonumber \\ \end{aligned}$$(82)thus we close the confluence diamond by (81) and (82). \(\square \)
Lemma 18
(Weak Confluence) For all \(\varphi \in {\textsc {sHML}} \), \(q \in \textsc {Val} ^*\)
Proof
By strong induction on n, the number of transitions in \(i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*} \;(\xrightarrow {\;\;\tau \;\;})^n \; A \).
- \(n = 0\): We know \(A =i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*}\). It is confluent because it can perform only one of two actions, namely a \(\tau \)-action for the function application (see \(\textsc {App}\) in Fig. 2) or an external input at \(i_{\text {mtr}}\) (see RcvU in Fig. 2). The matching moves can be constructed by RcvU on the one hand, and by Lemma 8 on the other, analogously to the base case of Lemma 17.
- \(n = k + 1\): By performing an analysis similar to that of Lemma 11, but for \(i_{\text {mtr}} {\textsf {[}} {\textsf {Mon}} (\varphi ) \,\triangleleft \, q {\textsf {]}}_{}^{*}\) instead, we can determine that this actor can only weakly transition to one of the forms below, where, for cases (ii) to (v), \(B\) results from \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \mathop {\Longrightarrow }\limits ^{\;\;\;\;} B \) for some \(r \):
(i) \(A =i_{\text {mtr}} {\textsf {[}} M \,{\textsf {=}}\, {\textsf {spw}}\, ([\![\varphi ]\!]^\mathbf {m}({\textsf {nil}})) {\textsf {,}}\, {\textsf {mLoop}} (M) \,\triangleleft \, q {\textsf {]}}_{}^{*}\)
(ii) \(A \equiv (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} {\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)
(iii) \(A \equiv (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} {\textsf {rcv}}\, {\textit{z}} \,{{\rightarrow }}\, i {\textsf {!}} {\textit{z}} \,{\textsf {end}}{\textsf {,}}\, {\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)
(iv) \(A \equiv (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)
(v) \(A \equiv (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \)
We focus here on the fourth monitor structure, case (iv); the other cases are analogous. From \(i {\textsf {[}} [\![\varphi ]\!]^\mathbf {m}(l _{\text {env}}) \,\triangleleft \, r {\textsf {]}}_{}^{\bullet } \mathop {\Longrightarrow }\limits ^{\;\;\;\;} B \) and Lemma 11 we know that
$$\begin{aligned}&B \xrightarrow {\;\;\gamma \;\;} \quad \text { implies } \gamma ={\textsf {{fail}}} {\textsf {!}} \text { or } \gamma =\tau \\&B \equiv (\upnu \, {h}) \bigl (i {\textsf {[}} e \,\triangleleft \, r {\textsf {]}}_{}^{\bullet }\parallel C \bigr ) \quad \text { where }{{\mathrm{fId}}}(B)=i \end{aligned}$$This means that \((\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \) can only exhibit the following actions:
$$\begin{aligned} \begin{array}{l} \displaystyle (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \;\xrightarrow {\;i_{\text {mtr}} \mathtt {?}u \;}\;\\ \displaystyle \qquad \qquad \qquad \qquad (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q \mathop {:}u {\textsf {]}}_{}^{*} \parallel B \bigr ) \end{array} \end{aligned}$$(83)$$\begin{aligned}&\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \;\xrightarrow {\;\tau \;}\; \\&\qquad \qquad \qquad \qquad (\upnu \, i) \bigl ( i_{\text {mtr}} {\textsf {[}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel (\upnu \, {\mathbf {h}}) \bigl (i {\textsf {[}} e \,\triangleleft \, r \mathop {:}v {\textsf {]}}_{}^{\bullet }\parallel C \bigr ) \bigr ) \end{aligned}\end{aligned}$$(84)$$\begin{aligned}&(\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B \bigr ) \;\xrightarrow {\;\tau \;}\; (\upnu \, i) \bigl (i_{\text {mtr}} {\textsf {[}} i {\textsf {!}} v {\textsf {,}}\,{\textsf {mLoop}} (i) \,\triangleleft \, q {\textsf {]}}_{}^{*} \parallel B ' \bigr ) \end{aligned}$$(85)Most pairs of actions can be commuted easily by Par and Scp, as they concern distinct elements of the actor system. The only non-trivial case is the pair of actions (84) and (85), which can be commuted using Lemma 8, in analogous fashion to the base case. \(\square \)
Francalanza, A., Seychell, A. Synthesising correct concurrent runtime monitors. Form Methods Syst Des 46, 226–261 (2015). https://doi.org/10.1007/s10703-014-0217-9