Abstract

The modal mu-calculus, due to Pratt and Kozen [Pr, Ko], is a natural extension of dynamic logic. It is also one method of obtaining a branching time temporal logic from a modal logic [EL]. Furthermore, it extends Hennessy-Milner logic, thereby offering a natural temporal logic for Milner's CCS, and process systems in general. (Discussion of the uses of the mu-calculus for CCS can be found in [GS, Ho, La, St, Sti2].) Within this context we are especially interested in whether or not a particular state, or process, in a finite model satisfies a mu-calculus formula. This is a different enterprise from that addressed by Emerson and Lei [EL] who ask if a given formula is satisfiable in a given finite model. Their model checker appeals to standard approximation techniques for computing the set of states which satisfy a fixpoint formula. But then one has to compute all the states or processes in the model which satisfy that formula. In this paper we present a local model checker for the mu-calculus, as a tableau system. It checks whether or not a particular state satisfies a formula. Instead of using approximation techniques there is an implicit use of fixpoint induction (inspired by [La]). A maximal fixpoint formula, in effect, expresses a safety property. One shows that the assumption that a state has such a property leads to no unforeseen consequences. In contrast, a minimal fixpoint formula expresses a liveness property. Therefore one has to establish that the property holds of a particular state. Formulae involving alternating fixpoints [EL] introduce subtleties. However the resulting tableau system is natural and an equivalent version of it has been implemented by Rance Cleaveland [C1]. In section 2 we describe the syntax and semantics of the modal mu-calculus. A small extension to the calculus, the addition of propositional constants, is detailed in section 3.
The model checker, presented as a tableau system, is given in section 4, while the proofs of its soundness, completeness and decidability are the topic of section 6. Finally, in section 5 we use the model checker to analyse a mutual exclusion algorithm when translated into CCS.
