=Paper=
{{Paper
|id=Vol-2243/paper24
|storemode=property
|title=Relating some Logics for True Concurrency
|pdfUrl=https://ceur-ws.org/Vol-2243/paper24.pdf
|volume=Vol-2243
|authors=Tommaso Padoan
|dblpUrl=https://dblp.org/rec/conf/ictcs/Padoan18
}}
==Relating some Logics for True Concurrency==
<pdf width="1500px">https://ceur-ws.org/Vol-2243/paper24.pdf</pdf>
<pre>
                        Relating some Logics
                        for True Concurrency

                                  Tommaso Padoan

          Dipartimento di Matematica, Università di Padova, Padua, Italy
                             padoan@math.unipd.it



      Abstract. We study some logics for true concurrency recently defined
      by several authors to characterise a number of known or meaningful
      behavioural equivalences, with special interest in history-preserving bisi-
      milarity. All the considered logics are event-based, naturally interpreted
      over event structures or any formalism which can be given a causal se-
      mantics, like Petri nets. Operators of incomparable expressiveness from
      different logics can be combined into a single logic, more powerful than
      the original ones. Since the event structure associated with a system is
      typically infinite (even if the system is finite state), already the known de-
      cidability results of model-checking in the original logics are non-trivial.
      Here we show, using a tableaux-based approach, that the model-checking
      problem for the new logic is still decidable over a class of event structures
      satisfying a suitable regularity condition, referred to as strong regularity.


1   Introduction
In the analysis and verification of concurrent and distributed systems partial or-
der semantics can be an appropriate choice since they provide a precise account
of the possible steps in the evolution of the system and of their dependencies, like
causality and concurrency. This approach is normally referred to as true concur-
rency and it is opposed to the so-called interleaving approach, where concurrency
of actions is reduced to the non-deterministic choice among their possible sequen-
tializations. In the true concurrent world, a widely used foundational model is
given by Winskel’s event structures [1]. They describe the behaviour of a system
in terms of events in computations and two dependency relations: a partial order
modelling causality and an additional relation modelling conflict.
    Several true concurrent behavioural equivalences have been defined which
allow to abstract operational models taking into account different concurrency
features of computations (see, e.g., [2]). On the logical side, various behavioural
logics have been proposed capable of expressing causal properties of computa-
tions (see, e.g., [3,4,5,6,7,8]) and some verification techniques have been con-
sidered (see, e.g., [9,10,11]). Recently, event-based logics have been introduced
[12,13], capable of uniformly characterising a relevant part of the true concur-
rent spectrum. Some of these logics, together with those in [10,11], are among
the most expressive true concurrent logics for which verification techniques have
been proved to be decidable over suitable classes of true concurrent models.
Interestingly, these logics provides the logical characterisation of a number of
different meaningful behavioural equivalences, some of them incomparable.
     The logic referred to as Lhp , corresponding to a classical equivalence in the
spectrum, i.e., history-preserving (hp-)bisimilarity [14,15,16], is a fragment of
the more general logic in [12], representing instead hereditary history-preserving
(hhp-)bisimilarity [4]. Lhp allows to predicate over executability of events in
computations and their dependency relations (causality and concurrency). For-
mulae include variables which can be bound to events in computations. The
logic includes two modalities, diamond and box, which allows to explicitly as-
sert the dependency relations between the computational steps. The formula
h|x, y < a z|iϕ declares that is possible to execute an a-labelled event, which
causally depends on the event bound to the variable x and is concurrent with
the event bound to y, and, binding such an event to z, the formula ϕ holds. In
general, x and y can be replaced by (possibly empty) tuples of variables. The
presence of least and greatest fixpoint operators, in mu-calculus style, allows one
to express properties of infinite computations. Recent results [17,18] proved that
the model-checking problem for Lhp is decidable over a class of event structures
satisfying a suitable regularity condition [19] referred to as strong regularity.
    In [10] two true concurrent logics have been introduced, namely separation
fixpoint logic (SFL) and trace fixpoint logic (Lµ ). Both are based on a core logic
with modalities that allow to express properties about causality and concurrency.
The difference w.r.t. Lhp is that such modalities can only express causality and
concurrency between consecutive steps. For example, the formula hainc ϕ decla-
res the possibility to execute an a-labelled event, which is concurrent with (not
caused by) the one executed before. The logics SFL and Lµ differ for the way in
which they capture the duality between concurrency and conflict, relying on ope-
rators on conflict-free sets of events. SFL uses a separating operator ∗ (dual ./)
that behaves as a structural conjunction, allowing for local reasoning on conflict-
free sets of executable events. The formula ϕ ∗ ψ requires the existence of two
concurrent disjunct subsets of the executable events, such that the subformula ϕ
(resp. ψ) holds on the first (resp. second) subset. Lµ instead has a second-order
modality h⊗i (dual [⊗]) that recognises maximal concurrent subsets of the exe-
cutable events. The formula h⊗iϕ requires that the subformula ϕ holds when
restricting, locally, the computation of the system to a set of events that can
actually execute all concurrently. The two logics have incomparable expressive
power, as they characterise incomparable behavioural equivalences [10], in turn
incomparable with hp-bisimilarity. Also in this case, model-checking has been
proved decidable for both logics [10] over regular trace event structures [19].
     In [13] the authors propose an extension of Hennessy-Milner logic called
event identifier logic (EIL). The logic is again an event-based modal logic, but
this time reverse as well as forward modalities are allowed. The two modalities,
i.e., hx : aii (forward) and hhxi (backward), are not capable to assert explicitly
the dependency relations between the computational steps, which are instead
captured by a proper sequencing of such operators. The meaning of the two
operator is quite clear: hx : aiiϕ declares the executability of an a-labelled event,


                                         2
which is bound to x, and then ϕ holds; hhxiϕ requires that the event bound
to x can be undone and then ϕ holds. There is also a third operator (x : a)ϕ
which states that there is an a-labelled event executed in the past, such that,
binding it to x, ϕ holds. The expressiveness of such logic is sufficient to provide
a logical characterisation of hhp-bisimilarity, intuitively because the possibility
of performing backward steps can be a mean of exploring alternative different
futures. Moreover, a fragment of the logic, referred to as EILh , where forward
modalities are no longer allowed after backward modalities, corresponds to hp-
bisimilarity. In the spirit of the paper we will focus on EILh . The corresponding
model-checking problem has not yet been investigated and it will be proved to
be decidable here as a secondary result, for strongly regular event structures.
    In this work we study the mentioned logics, comparing their expressive power.
The focus will be on the logic Lhp , used as a benchmark. We will study a logic,
L∗⊗
  hp , which combines the operators of Lhp , SFL, and Lµ . The logic EILh will
be shown to be encodable in L∗⊗                  ∗⊗
                                    hp . Hence, Lhp is more powerful than all the
considered logics (Lhp , SFL, Lµ , EILh ). Still, we conjecture that the logical
equivalence for L∗⊗                                                       ∗⊗
                   hp is coarser than hhp-bisimilarity and thus that Lhp is less
expressive than the full logic EIL.
    We also show the decidability of model-checking in L∗⊗   hp , providing a local
model-checking procedure for strongly regular event structures. The problem is
not obvious since event structure models are infinite even for finite state systems
and the possibility of expressing properties that depends on the past often leads
to undecidability [20]. Indeed, even the results for the three original logics com-
bined together in L∗⊗hp are non-trivial. The model-checking procedure is given in
the form of a tableau system along the lines of [17] originally inspired by [21]. In
order to check whether a system model satisfies a formula, a set of proof trees is
constructed by applying suitable rules that reduce the satisfaction of a formula
in a given state to the satisfaction of proper subformulae.

2    Event Structures
Prime event structures [1] are a widely known model of concurrency. They des-
cribe the behaviour of a system in terms of events and dependency relations
between such events. Throughout the paper E is a fixed countable set of events,
Λ a finite set of labels ranged over by a, b, . . . and λ : E → Λ a labelling function.
Definition 1 (prime event structure). A (Λ-labelled) prime event structure
( pes) is a tuple E = hE, ≤, #i, where E ⊆ E is the set of events and ≤, # are
binary relations on E, called causality and conflict respectively, such that:
1. ≤ is a partial order and dee = {e0 ∈ E | e0 ≤ e} is finite for all e ∈ E;
2. # is irreflexive, symmetric and hereditary with respect to ≤, i.e., for all
   e, e0 , e00 ∈ E, if e#e0 ≤ e00 then e#e00 .
    In the following, we will assume that the components of a pes E are named
as in the definition above, possibly with subscripts. The concept of (concurrent)
computation for event structures is captured by the notion of configuration.

                                          3
                                                                         a1      b1
 b1                                    b1
                                                                         a0      b0
 a0      b0                     a0     a1       b0                 c0
    (a) E1                           (b) E2                             (c) E3

             Fig. 1. Some examples of finite (a)(b) and infinite (c) pess.

Definition 2 (configuration). A configuration of a pes E is a finite set of
events C ⊆ E consistent (i.e., ¬(e#e0 ) for all e, e0 ∈ C) and causally closed
(i.e., dee ⊆ C for all e ∈ C). The set of configurations of E is denoted by C(E).
   The evolution of a system can be represented by a transition system where
configurations are states.
Definition 3 (transition system). Let E be a pes and let C ∈ C(E). Given
e ∈ E r C such that C ∪ {e} ∈ C(E) and X, Y ⊆ C with X ⊆ dee, Y ∩ dee = ∅, we
         X,Y < e
write C −−−−−→λ(e) C ∪ {e}. The set of enabled events at a configuration C is
defined as en(C) = {e ∈ E r C | C ∪ {e} ∈ C(E)}. The pes is called k-bounded
for some k ∈ N (or simply bounded) if |en(C)| ≤ k for all C ∈ C(E).
   Transitions are labelled by the executed event e, and they can report its label
λ(e), a subset of causes X and a set of events Y ⊆ C concurrent with e.
   For any configuration it is possible to identify the substructure of the pes
corresponding to the transition system rooted in such configuration.
Definition 4 (residual). Let E be a pes. For a configuration C ∈ C(E), the
residual of E after C, is defined as E[C] = {e | e ∈ E rC ∧ C ∪{e} consistent}.
     The residual of E can be seen as a pes, endowed with the restrictions of
causality and conflict of E. Intuitively, it represents the pes that remains to be
executed after the computation expressed by C.
     Some simple pess are depicted in Fig. 1. Graphically, curly lines represent
immediate conflicts and the causal partial order proceeds upwards along the
straight lines. Events are denoted by their labels, possibly with superscripts. For
instance, in E3 , the event c0 , labelled by c, causes a0 and it is concurrent with
b0 . Events a0 and b0 are in conflict.

3     True Concurrent Logics
In this section we introduce the syntax and the semantics of the logic L∗⊗
                                                                        hp which
arises as a join of the logics for true concurrency Lhp [12], SFL and Lµ [10].
The logic has formulae that predicate over executability of events in computati-
ons and their dependency relations (causality, concurrency), and provide second
order power on conflict-free sets of events in two different flavours.


                                            4
3.1   Syntax
As already mentioned, formulae of Lhp include event variables, and so do for-
mulae of L∗⊗hp . They belong to a fixed denumerable set Var , denoted by x, y, . . ..
Tuples of variables like x1 , . . . , xn will be denoted by the corresponding boldface
letter x and, abusing the notation, tuples will be often used as sets. The logic, in
positive form, includes the diamond and box modalities from Lhp , the separating
operators from SFL, and the second-order modalities from Lµ , described before.
    Fixpoint operators resort to propositional variables, expressed by abstract
propositions to let them interact correctly with event variables. Abstract pro-
positions belong to a fixed denumerable set X a , ranged over by X, Y, . . .. Each
abstract proposition X has an arity ar (X) and represents a formula with ar (X)
(unnamed) free event variables. For y such that |y| = ar (X), X(y) indicates the
abstract proposition X whose free event variables are named y. We call X(y) a
proposition and denote by X the set of all propositions.
Definition 5 (syntax). The syntax of L∗⊗   hp over the sets of event variables Var ,
abstract propositions X a and labels Λ is defined as follows:
ϕ ::= Z(y) | T | ϕ ∧ ϕ | h|x, y < a z|i ϕ | ϕ ∗ ϕ | h⊗i ϕ | (νZ(x).ϕ)(y)
           | F | ϕ ∨ ϕ | [[x, y < a z]] ϕ | ϕ ./ ϕ | [⊗] ϕ | (µZ(x).ϕ)(y)
     The free event variables of a formula ϕ are denoted fv (ϕ) and defined in
the obvious way. Just note that the modalities act as binders for the variable
representing the event executed, hence fv (h|x, y < a z|i ϕ) = fv ([[x, y < a z]] ϕ) =
(fv (ϕ) r {z}) ∪ x ∪ y. The free propositions in ϕ, not bound by ν or µ, are
denoted by fp(ϕ). Hereafter α ranges over {ν, µ}. For formulae (αZ(x).ϕ)(y) we
require that fv (ϕ) = x. Intuitively, the fixpoint part αZ(x).ϕ defines a recursive
formula Z(x) whose free variables are then instantiated with y. The formula
(αZ(x).ϕ)(x) will be abbreviated as αZ(x).ϕ. When both fv (ϕ) and fp(ϕ) are
empty we say that ϕ is closed. When x or y are empty they are omitted, e.g.,
we write h|a z|iϕ for h|∅, ∅ < a z|iϕ and αZ.ϕ for (αZ(∅).ϕ)(∅).
     For example, the formula ϕ1 = h|c x|i(h|x < a y|iT ∧ h|x < b z|iT) requires
that, after the execution of a c-labelled event, one can choose between a causally
dependent a-labelled event and a concurrent b-labelled event. This is satisfied
by E3 in Fig. 1c. Instead, ϕ2 = h⊗i(F ./ F) requiring the existence of a maximal
conflict-free set of enabled events which cannot be further separated, is false.
Moving to infinite computations, consider ϕ3 = [[b x]] νZ(x).(h|c y|iT ∗ (h|x <
b z|iT ∧ [[x < b w]]Z(w))), expressing that all non-empty causal chains of b-
labelled events reach a state where the system can be separated into two parallel
components, one continuing the chain of b events, while the other can execute a
c-labelled event. Then, ϕ3 is satisfied by E3 .

3.2   Semantics
Before defining the semantics of L∗⊗
                                   hp , we need some notions, taken from [10],
about conflict-free sets of enabled events, providing specific kinds of second-
order quantification over them. The most general is the concept of support set.


                                          5
Definition 6 (support set). Given a pes E and a configuration C ∈ C(E), a
support set R for C is either the set of enabled events en(C) or a non-empty
conflict-free set of enabled events, either way R ⊆ en(C).
                                                      S    We call R(C) the set
of all support sets for a configuration C, and RE = C∈C(E) R(C) the set of all
support sets for all possible configurations of a pes E.
    Support sets are used in the logic for local reasoning on executable events.
According to the definition they can be conflict-free sets, where local reasoning
becomes possible since they can be decomposed into smaller ones with the same
property. Alternatively a support set can contain conflicts when it is the whole
set of enabled events. In the latter case proper maximal conflict-free subsets can
be isolated using so-called complete supsets.
Definition 7 (complete supset). Let E be a pes and C ∈ C(E) be a configu-
ration. Given a support set R ∈ R(C), a complete supset M of R, denoted by
M v R, is a conflict-free support set M ∈ R(C) such that M ⊆ R and for all
e ∈ R r M there exists e0 ∈ M s.t. e#e0 . We call M(R) the set of all complete
supsets of a support set R.
    Intuitively, to decompose conflict-free sets into smaller ones means to separate
different parallel components of systems, to allow local reasoning on them. This
decomposition is captured by the notion of separation.
Definition 8 (separation). Let E be a pes and C ∈ C(E) be a configuration.
Given a support set R ∈ R(C), a separation (R1 , R2 ) of R is a pair of support
sets R1 , R2 ∈ R(C) such that R1 ∩ R2 = ∅ and R1 ∪ R2 ∈ M(R). We call Sep(R)
the set of all possible separations of a support set R.
    For instance, consider E3 in Fig. 1c. For the initial configuration ∅ we have
three possible support sets R1 = {b0 , c0 }, R2 = {b0 }, and R3 = {c0 }. Among
those only R1 admits a separation (just one), i.e., Sep(R1 ) = {(R2 , R3 )}.
    Since the logic L∗⊗
                     hp is interpreted over pess, the satisfaction of a formula
ϕ is defined w.r.t. a configuration C, a support set R for C, and a (total)
function η : Var → E, called an environment, that binds free variables in
ϕ to events in C. Namely, if Env E denotes the set of environments, the se-
mantics of a formula will be a set of triples in C(E) × RE × Env E . Given
S ⊆ C(E) × RE × Env E and two tuples of variables x and y, with |x| = |y|,
we define S[yx] = {(C, R, η 0 ) | ∃ (C, R, η) ∈ S ∧ η(x) = η 0 (y)}. The seman-
tics of L∗⊗
         hp also depends on a proposition environment π : X → 2
                                                                    C(E)×RE ×Env E

providing an interpretation for propositions. To ensure that the semantics of
a formula depends only on the events associated with its free variables and is
independent on the naming of the variables, it is required that for all tuples of
variables x, y with |x| = |y| = ar (X) it holds π(X(y)) = π(X(x))[yx]. We
denote by PEnv E the set of proposition environments, ranged over by π.
    With η[x 7→ e] we indicate the updated environment obtained from η where x
is mapped to the event e. Similarly, for S ⊆ C(E)×RE ×Env E , we write π[Z(x) 7→
S] for the corresponding update of π. For a triple (C, R, η) ∈ C(E) × RE × Env E
and variables x, y, z, we define the (x, y < az)-successors of (C, R, η), as

                                         6
                                                                                    η(x),η(y) < e
SuccEx,y<az (C, R, η) = {(C 0 , en(C 0 ), η[z 7→ e]) | e ∈ R ∧ C −−−−−−−−→a C 0 }.

Definition 9 (semantics). Let E be a pes. The denotation of a formula ϕ in
L∗⊗                                E    ∗⊗
  hp is given by the function {|·|} : Lhp → PEnv E → 2
                                                            C(E)×RE ×Env E
                                                                           defined
                                            E                 E
inductively as follows, where we write {|ϕ|}π instead of {|ϕ|} (π):
               {|T|}Eπ = C(E) × RE × Env E             {|F|}Eπ = ∅      {|Z(y)|}Eπ = π(Z(y))
        {|ϕ1 ∧ ϕ2 |}Eπ = {|ϕ1 |}Eπ ∩ {|ϕ2 |}Eπ                       {|ϕ1 ∨ ϕ2 |}Eπ = {|ϕ1 |}Eπ ∪ {|ϕ2 |}Eπ
 {|h|x, y < a z|i ϕ|}Eπ = {(C, R, η) | Succx,y<az
                                            E        (C, R, η) ∩ {|ϕ|}Eπ 6= ∅}
                       E                    x,y<az
  {|[[x, y < a z]] ϕ|}π = {(C, R, η) | SuccE         (C, R, η) ⊆ {|ϕ|}Eπ }
          {|ϕ1 ∗ ϕ2 |}Eπ = {(C, R, η) | ∃ (R1 , R2 ) ∈ Sep(R).           (C, Ri , η) ∈ {|ϕi |}Eπ }
                                                                   V
                                                                i∈{1,2}
         {|ϕ1 ./ ϕ2 |}Eπ = {(C, R, η) | ∀ (R1 , R2 ) ∈ Sep(R).           (C, Ri , η) ∈ {|ϕi |}Eπ }
                                                                   W
                                                                     i∈{1,2}
           {|h⊗i ϕ|}Eπ = {(C, R, η) | ∃ M ∈ M(R). (C, M, η) ∈ {|ϕ|}Eπ }
         {|[⊗] ϕ|}Eπ = {(C, R, η) | ∀ M ∈ M(R). (C, M, η) ∈ {|ϕ|}Eπ }
 {|(νZ(x).ϕ)(y)|}Eπ = ν(fϕ,Z(x),π )[yx]       {|(µZ(x).ϕ)(y)|}Eπ = µ(fϕ,Z(x),π )[yx]

where fϕ,Z(x),π : 2C(E)×RE ×Env E → 2C(E)×RE ×Env E is the semantic function
of ϕ, Z(x), π defined by fϕ,Z(x),π (S) = {|ϕ|}Eπ[Z(x)7→S] and ν(fϕ,Z(x),π ) (resp.
µ(fϕ,Z(x),π )) denotes the corresponding greatest (resp. least) fixpoint. We say
that a pes E satisfies ϕ if (∅, en(∅), η) ∈ {|ϕ|}Eπ for all environments η and π.

    The semantics of boolean operators is as usual. The formula h|x, y < a z|iϕ
holds in (C, R, η) when an a-labelled event e included in the set R (hence enabled
in configuration C), that causally depends on (at least) the events bound to the
variables in x and is concurrent with (at least) those bound to the variables in
y, can be executed producing a new configuration C 0 = C ∪ {e} which, together
with the events enabled in C 0 and the environment η 0 = η[z 7→ e], satisfies the
formula ϕ. Dually, [[x, y < a z]]ϕ holds when all a-labelled events in R, caused
by x and concurrent with y bring to a configuration where ϕ is satisfied.
    The formula ϕ1 ∗ ϕ2 is satisfied by (C, R, η) if there is a separation (R1 , R2 )
of R such that each formula ϕi holds in the corresponding Ri with the same
configuration C and environment η. Dually, ϕ1 ./ ϕ2 holds if in all the possible
separations of R at least one component satisfies the corresponding subformula.
    The operator h⊗iϕ is satisfied by (C, R, η) simply when the formula ϕ holds
after restricting R to one of its complete supsets M . Similarly, the dual [⊗]ϕ
requires that ϕ holds for all possible restrictions of R to complete supsets.
    The fixpoints corresponding to the formulae (αZ(x).ϕ)(y) are guaranteed to
exist by Knaster-Tarski theorem, since the set 2C(E)×RE ×Env E ordered by subset
inclusion is a complete lattice and the functions fϕ,Z(x),π are monotonic.
    Hereafter we assume that in every formula different bound propositions have
different names, so that we can refer to the fixpoint subformula quantifying an
abstract proposition. This requirement can always be fulfilled by alpha-renaming.
    Fragments of L∗⊗hp can be easily identified which correspond to the three
original logics. Hence L∗⊗
                         hp is indeed more powerful than all of them.


                                                   7
3.3      Encoding EILh

Here we prove that EILh [13] can be encoded in L∗⊗
                                                hp which is thus more expressive
than such logic. More precisely, we show that EILh can be encoded in Lhp . This
also implies that the model-checking in EILh is decidable by reduction to Lhp .
    The encoding uses functions to remember the variables bound by forward mo-
dalities, their causal dependency with past variables, and their labels. Function
γ : Var → 2Var associates variables with the set of past variables causing them.
Function l : Var → Λ associates variables with their labels. γ and l are ac-
tually partial functions defined only on a subset of variables, denoted by their
dominion. Then, the procedure is as follows:

            [T](γ, l) = T                                        [F](γ, l) = F
       [ϕ ∧ ψ](γ, l) = [ϕ](γ, l) ∧ [ψ](γ, l)           [ϕ ∨ ψ](γ, l) = [ϕ](γ, l) ∨ [ψ](γ, l)
                            W
    [hx : aii ϕ](γ, l) =         h|y, yc < a x|i [ϕ](γ[x 7→ y], l[x 7→ a])
                         y⊆dom(γ)
                            V
    [[x : a]] ϕ](γ, l) =         [[y, yc < a x]] [ϕ](γ[x 7→ y], l[x 7→ a])
                           y⊆dom(γ)

                                             [ϕ[zx]](γ, l)
                                    W
     [(x : a) ϕ](γ, l) =
                           z∈dom(γ).l(z)=a
                           (
                               [ϕ](γ|{x}c , l|{x}c )                      / γ(z) and fv (ϕ) ⊆ {x}c
                                                       if ∀ z ∈ dom(γ). x ∈
       [hhxi ϕ](γ, l) =
                               F                       otherwise

where V c = dom(γ) r V , for a set of variables V , and ϕ[zx] is the formula ϕ
where all free occurrences of the variable x are substituted with variable z.
    We assume that in every formula of EILh different bound variables have
different names. This requirement can always be fulfilled by alpha-renaming.
    The procedure allows for the encoding of any closed formula ϕ of EILh by
computing [ϕ](∅, ∅). The correctness of the encoding can be proved by induction
on the formula ϕ, observing that the necessary properties are preserved at each
step and they vacuously hold when γ = l = ∅. Thus, we obtain the following.

Proposition 1 (encoding EILh ). Let E be a pes and let ϕ be a closed formula
of EILh , E satisfies ϕ iff it satisfies [ϕ](∅, ∅).


4      Model Checking L∗⊗
                       hp


In this section we provide a model-checking procedure for L∗⊗
                                                            hp , showing that it is
sound and complete over a class of pes satisfying a suitable regularity condition.
    In many model-checking algorithms (e.g., [22,21]) the finiteness of the model
is an essential ingredient that concurs to termination or correctness of the met-
hod. We will work on a subclass of pess identified by finitarity requirements on
the possible substructures. Given a configuration C ∈ C(E) and a subset X ⊆ C,
we denote by E[C] ∪ X the pes obtained from the residual E[C] by adding the
events in X with the causal dependencies they had in the original pes E.


                                                        8
               C, R, η, ∆ |=E ϕ ∧ ψ                          C, R, η, ∆ |=E ϕ1 ∨ ϕ2
(∧)                                                    (∨)                               i ∈ {1, 2}
      C, R, η, ∆ |=E ϕ C, R, η, ∆ |=E ψ                         C, R, η, ∆ |=E ϕi

                  C, R, η, ∆ |=E h|x, y < a z|i ϕ                     η(x),η(y) < e
           (♦)                                         e ∈ R and C −−−−−−−−→a C 0
                  C 0 , en(C 0 ), η[z 7→ e], ∆ |=E ϕ

                                       C, R, η, ∆ |=E [[x, y < a z]] ϕ
                  ()
                        C1 , en(C1 ), η1 , ∆ |=E ϕ . . . Cn , en(Cn ), ηn , ∆ |=E ϕ
          where {(C1 , en(C1 ), η1 ), . . . , (Cn , en(Cn ), ηn )} = Succx,y<az
                                                                         E      (C, R, η)

                              C, R, η, ∆ |=E ϕ ∗ ψ
            (∗)                                                   (R0 , R00 ) ∈ Sep(R)
                  C, R0 , η, ∆ |=E   ϕ    C, R00 , η, ∆ |=E ψ

                                         C, R, η, ∆ |=E ϕ1 ./ ϕ2
                     (./)
                            C, R1p1 , η, ∆ |=E               pn
                                               ϕp1 . . . C, Rn  , η, ∆ |=E ϕpn
          where {(R11 , R12 ), . . . , (Rn
                                         1    2
                                           , Rn )} = Sep(R) and ∀ i ∈ [1, n]. pi ∈ {1, 2}

                                    C, R, η, ∆ |=E h⊗i ϕ
                            (h⊗i)                            M ∈ M(R)
                                     C, M, η, ∆ |=E ϕ

                      C, R, η, ∆ |=E [⊗] ϕ
  ([⊗])                                                       where {M1 , . . . , Mn } = M(R)
          C, M1 , η, ∆ |=E ϕ . . . C, Mn , η, ∆ |=E ϕ

                     C, R, η, ∆ |=E (αZ(x).ϕ)(y)
             (Int)                                       ∆0 = ∆[Z(x) 7→ αZ(x).ϕ]
                         C, R, η, ∆0 |=E Z(y)

                         C, R, η, ∆ |=E Z(y)
           (Unfα )                                      ¬γ and ∆(Z(x)) = αZ(x).ϕ
                     C, R, η[x 7→ η(y)], ∆ |=E ϕ

                         Table 1. The tableau rules for logic L∗⊗
                                                               hp .


Definition 10 (strong regularity). A pes E is called strongly regular when
it is bounded and for each k ∈ N the set {E[C] ∪ {e1 , . . . , ek } | C ∈ C(E) ∧
e1 , . . . , ek ∈ C} is finite up to isomorphism of pess.

    Strong regularity [17] is obtained from the notion of regularity in [19], by
replacing residuals with residuals extended with a bounded number of events
from the past. Intuitively, this is important since we are interested in history
dependent properties. Clearly, each strongly regular pes is regular. In [18] it is
shown that the pess associated with finite safe Petri nets are strongly regular.
    The model-checking procedure is given in the form of a tableau system. It
follows closely the lines of [17]. The tableau rules are reported in Table 1.
    Sequents contain a context C, R, η, ∆ and a formula ϕ of L∗⊗    hp which they
assert to be satisfied by such context. C, R, η are the usual elements from the
semantics, while ∆ is a finite set of definitions Z(x) = ψ. In such case ∆(Z(x))


                                                  9
denotes the formula ψ. In a tableau built starting from a closed formula, ∆
associates a free proposition with the fixpoint subformula where it is quantified.
Intuitively, ∆ is like a proposition environment at syntax level. ∆[Z(x) 7→ ψ]
denotes the updated definition set obtained from ∆ by removing the previous
definition of Z, if any, and adding Z(x) = ψ. ∆ is updated every time a fixpoint
formula is encountered, i.e., when rule (Int) is applied. In such case we say that
the sequent introduces the corresponding proposition. Then, given a sequent, if
Z(x) = ψ is in ∆, we denote by ∆↑ (Z) the closest ancestor introducing Z.
    We next clarify when a fully constructed tableau is considered successful.
Definition 11 (successful tableau). A successful tableau is a finite tableau
where no more rules can be applied and every leaf is labelled by a sequent
C, R, η, ∆ |=E ϕ such that one of the following holds:
 1. ϕ = T                   3. ϕ = ψ1 ./ ψ2
 2. ϕ = [[x, y < a z]] ψ    4. ϕ = Z(y) and ∆(Z(x)) = νZ(x).ψ.
    Note the absence of the case ϕ = [⊗]ψ because every support set R has at
least one complete supset, i.e., M(R) 6= ∅, hence the sequent could not be a leaf.
    For checking whether a closed formula ϕ of L∗⊗   hp is satisfied by a strongly
regular pes E, one must build a tableau for the formula, i.e., a successful tableau
rooted in the sequent ∅, en(∅), η, ∅ |=E ϕ (where η is irrelevant since ϕ is closed).
Theorem 1 (tableau system). Given a strongly regular pes E and a closed
formula ϕ of L∗⊗
              hp , E satisfies ϕ iff ϕ admits a successful tableau for E.

    Here we just sketch the main ingredients of the proof.
    Tableaux are guaranteed to be finitely branching by finitarity of the formu-
lae of the logic and the fact that strongly regular pess are bounded. However,
tableaux could contain infinite paths because of repeated applications of the
rule (Unfα ), which unfolds propositions according to their definition in ∆. To
avoid this, rule (Unfα ) has a side condition involving an unspecified part γ, the
so-called stop condition. It is intended to prevent the unfolding of a proposition
when a context is reached that is equivalent, in a suitable sense to be defined,
to a context occurring in an ancestor sharing the same formula.
    Intuitively, two contexts are equivalent for a formula if they share the satis-
faction of the formula. Recall that properties of L∗⊗
                                                    hp predicate over executability
of events and their dependency relations while imposing some second-order con-
straints. The notion below captures exactly the properties that two contexts
must meet to be deemed equivalent.
Definition 12 (isomorphism of pointed supported residuals). Given a
pes E, and two contexts C, R, η, ∆ and C 0 , R0 , η 0 , ∆0 for a formula ϕ, we say
that they have isomorphic pointed supported residuals, written E[hC, R, η|fv (ϕ) i] ≈
E[hC 0 , R0 , η 0 |fv (ϕ) i], if there is an isomorphism of pess ι : E[C] → E[C 0 ] such that
R0 = ι(R) and for all x ∈ fv (ϕ), e ∈ E[C] we have η(x) ≤ e iff η 0 (x) ≤ ι(e).
   It can be shown that two contexts with isomorphic pointed supported resi-
duals for a formula either both satisfy it or none of them does. These results
motivate the definition of the stop condition.


                                             10
Definition 13 (stop condition). The stop condition γ for rule (Unfα ) in
Table 1 is as follows: there is an ancestor of the premise C, R, η, ∆ |=E
Z(z) labelled C 0 , R0 , η 0 , ∆0 |=E Z(y), such that ∆↑ (Z) = ∆0↑ (Z) and
E[hC, R, η[x 7→ η(z)]|x i] ≈ E[hC 0 , R0 , η 0 [x 7→ η 0 (y)]|x i].
    Informally, the stop condition holds when in a previous step of the con-
struction of the tableau an instance of the same abstract proposition has been
unfolded in an equivalent context, without being reintroduced. Then we can sa-
fely avoid to continue along this path because it would not add new information.
    Now, a crucial observation is that, for strongly regular pess, the number of
pointed supported residuals is finite up to isomorphism. From this and the previ-
ous facts it can be shown that all tableaux are finite and the number of possible
tableaux for a sequent is also finite. Moreover, we can prove the correctness of
the tableau system, relying on the reduction of the semantics of fixpoint formulae
to that of finite approximants and the backwards soundness of the rules.

5    Conclusions
We studied some expressive logics for true concurrency, proposed by several
authors in the literature and we showed how they can be combined into a single,
more powerful logic L∗⊗  hp . We showed also that EILh can be encoded in Lhp .
Except for fixpoint operators, we conjecture that also Lhp is encodable in EILh .
    We proved the decidability of the model-checking problem for L∗⊗         hp over
strongly regular pess, providing a decision procedure in the form of a tableau
system, which is correct and terminating. A concrete procedure requires the ef-
fectiveness of the transition relation over configurations and of the equivalence
of pointed supported residuals, that we have if we focus on regular trace pess,
which are known to be included in (but possibly equal to) strongly regular pess.
    In [11] another logic for concurrency, called monadic trace logic (Mtl), is pro-
posed as a fragment of monadic second-order logic (Msol), where second-order
quantification is allowed only on conflict-free sets of events. Still, the possibility
of directly observing conflicts and thus of distinguishing behaviourally equiva-
lent pess (e.g., those consisting of a single or two conflicting copies of an event),
and the presence in L∗⊗ hp of propositions which are non-monadic with respect to
event variables, make these logics not immediate to compare. Nevertheless, some
investigations point us to conjecture that they are in fact incomparable.
    The intimate relation between L∗⊗  hp and Lhp , one of the logics combined into
  ∗⊗
Lhp , suggests that the model-checking procedure based on automata proposed
for Lhp in [18] could be adapted for the model-checking in L∗⊗     hp . Furthermore,
also the tool implementing such technique, presented in the same work, could
be adjusted to allow the verification of L∗⊗hp properties. However, some conside-
rations on the equivalence of pointed supported residuals lead us to think that a
naive implementation would have a too high complexity to be useful in practice.

Acknowledgements. I am grateful to Paolo Baldan for insightful discussions and
inspiring suggestions and to the anonymous reviewers for their comments.


                                         11
References
 1. Winskel, G.: Event Structures. In Brauer, W., Reisig, W., Rozenberg, G., eds.: Pe-
    tri Nets: Applications and Relationships to Other Models of Concurrency. Volume
    255 of LNCS., Springer (1987) 325–392
 2. van Glabbeek, R., Goltz, U.: Refinement of actions and equivalence notions for
    concurrent systems. Acta Informatica 37(4/5) (2001) 229–327
 3. De Nicola, R., Ferrari, G.: Observational logics and concurrency models. In Nori,
    K.V., Madhavan, C.E.V., eds.: FSTTCS’90. Volume 472 of LNCS., Springer (1990)
    301–315
 4. Bednarczyk, M.A.: Hereditary history preserving bisimulations or what is the
    power of the future perfect in program logics. Technical report, Polish Academy
    of Sciences (1991)
 5. Pinchinat, S., Laroussinie, F., Schnoebelen, P.: Logical characterization of truly
    concurrent bisimulation. Technical Report 114, LIFIA-IMAG, Grenoble (1994)
 6. Penczek, W.: Branching time and partial order in temporal logics. In: Time and
    Logic: A Computational Approach, UCL Press (1995) 179–228
 7. Nielsen, M., Clausen, C.: Games and logics for a noninterleaving bisimulation.
    Nordic Journal of Computing 2(2) (1995) 221–249
 8. Bradfield, J., Fröschle, S.: Independence-friendly modal logic and true concurrency.
    Nordic Journal of Computing 9(1) (2002) 102–117
 9. Alur, R., Peled, D., Penczek, W.: Model-checking of causality properties. In:
    Proceedings of LICS’95, IEEE Computer Society (1995) 90–100
10. Gutierrez, J.: On bisimulation and model-checking for concurrent systems with
    partial order semantics. PhD thesis, University of Edinburgh (2011)
11. Madhusudan, P.: Model-checking trace event structures. In: Proceedings of LICS
    2013, IEEE Computer Society (2003) 371–380
12. Baldan, P., Crafa, S.: A logic for true concurrency. J. ACM 61(4) (2014) 24:1–24:36
13. Phillips, I., Ulidowski, I.: Event identifier logic. Mathematical Structures in Com-
    puter Science 24(2) (2014) 1–51
14. Best, E., Devillers, R., Kiehn, A., Pomello, L.: Fully concurrent bisimulation. Acta
    Informatica 28 (1991) 231–261
15. Rabinovich, A.M., Trakhtenbrot, B.A.: Behaviour structures and nets. Funda-
    menta Informaticae 11 (1988) 357–404
16. Degano, P., De Nicola, R., Montanari, U.: Partial orderings descriptions and obser-
    vations of nondeterministic concurrent processes. In de Bakker, J.W., de Roever,
    W.P., Rozenberg, G., eds.: REX’88. Volume 354 of LNCS., Springer (1988) 438–466
17. Baldan, P., Padoan, T.: Local model checking in a logic for true concurrency. In
    Esparza, J., Murawski, A.S., eds.: FoSSaCS’17. Volume 10203 of LNCS., Springer
    (2017) 407–423
18. Baldan, P., Padoan, T.: Automata for true concurrency properties. In Baier, C.,
    Dal Lago, U., eds.: FoSSaCS’18. Volume 10803 of LNCS., Springer (2018) 165–182
19. Thiagarajan, P.S.: Regular event structures and finite Petri nets: A conjecture.
    In Brauer, W., Ehrig, H., Karhumäki, J., Salomaa, A., eds.: Formal and Natural
    Computing. Volume 2300 of LNCS., Springer (2002) 244–256
20. Jurdzinski, M., Nielsen, M., Srba, J.: Undecidability of domino games and hhp-
    bisimilarity. Information and Computation 184(2) (2003) 343–368
21. Stirling, C., Walker, D.: Local model checking in the modal mu-calculus. Theore-
    tical Computer Science 89(1) (1991) 161–177
22. Clarke, E.M., Schlingloff, B.H.: Model checking. In Robinson, A., Voronkov, A.,
    eds.: Handbook of Automated Reasoning. Elsevier (2001)



                                           12

</pre>