
Conclusion

In document Arrows for knowledge based circuits (Page 195-199)

We have shown that our general bisimulation-based scheme for model checking the logic of knowledge and linear time yields PSPACE complexity bounds in a number of interesting cases of the general problem (which has much higher complexity).

Our notion of bisimulation allows reductions on the temporal structure of environments, but we have not exploited this in our applications. It could be worth exploring this observation in practice. Experiments conducted by Fisler and Vardi (Fisler and Vardi 1999) suggest that bisimulation reduction is of limited utility for temporal logic model checking, but arguments of van der Meyden and Zhang (van der Meyden and Zhang 2007) suggest such reductions might be effective for the much larger search spaces produced when dealing with information flow properties.

The techniques are also applicable to show decidability for certain other classes of environments (with higher complexity bounds). We leave the details for elsewhere. We believe that the techniques we have developed can also be adapted to deal with the combination of branching time and the logic of knowledge: we leave this for future work.

Wozna et al. have studied model checking a logic of knowledge and branching time in real-time systems modelled using timed automata (Wozna, Lomuscio, and Penczek 2005). Their semantics is close to our clock semantics, but we note that their until operator is bounded to a specific interval, so the closest appropriate comparison is to our language L{°, K1, ..., Kn, C}. They give decidability but not complexity results, and study bounded model checking techniques for their logic.

The Worker/Wrapper Transformation

The worker/wrapper transformation has been formalised by Gill and Hutton (2009) as a technique for changing “a computation of one type into a worker of a different type, together with a wrapper that acts as an impedance matcher between the original and new computations.” It is intended to be used in the optimising passes of compilers (Peyton Jones and Launchbury 1991), and also for high-level proofs in the style of the calculating compilers work of Meijer (1992), and the broader Squiggol enterprise (Meijer et al. 1991). It has been used by Gill and Farmer (2011) to “semi-formally” refine circuits described in a Lava style (§4.2.4) to hardware.

This appendix describes a mechanisation of the results of Gill and Hutton (2009). We also describe a correct fusion rule and prove its correctness in §B.3, and provide a new example in §B.4. This work was reported in Gammie (2009) and Gammie (2011c).

Here we use Isabelle/HOLCF, due to Müller, Nipkow, von Oheimb, and Slotosch (1999) and more recently Huffman (2012), which provides mechanical support for reasoning about denotational semantics through an embedding of Scott’s LCF logic in HOL. In particular, Λ_._ denotes continuous function abstraction, _·_ continuous function application and _oo_ continuous function composition. The domain command defines recursive datatypes. The other notation is close to mathematical practice.

B.1 Fixed-point theorems for program transformation

We begin with a pair of theorems from the early days of denotational semantics. The origins of these results are lost to history; the interested reader can find some of it in Bekić (1984); de Bakker, de Bruin, and Zucker (1980); Greibach (1975); Harel (1980); Manna (1974); Plotkin (1983); Sangiorgi (2009); Stoy (1977); Winskel (1993).

The rolling rule captures what intuitively happens when we re-order a recursive computation consisting of two parts. This theorem dates from the 1970s at the latest; see Stoy (1977, p210) and Plotkin (1983). The following proofs were provided by Gill and Hutton (2009).

    lemma rolling_rule_ltr: "fix·(g oo f) ⊑ g·(fix·(f oo g))"
    proof -
      have "g·(fix·(f oo g)) ⊑ g·(fix·(f oo g))" by (rule below_refl)  — reflexivity
      hence "g·((f oo g)·(fix·(f oo g))) ⊑ g·(fix·(f oo g))"
        using fix_eq[where F="f oo g"] by simp  — computation
      hence "(g oo f)·(g·(fix·(f oo g))) ⊑ g·(fix·(f oo g))" by simp  — re-associate oo
      thus "fix·(g oo f) ⊑ g·(fix·(f oo g))"
        using fix_least_below by blast  — induction
    qed

    lemma rolling_rule_rtl: "g·(fix·(f oo g)) ⊑ fix·(g oo f)"
    proof -
      have "fix·(f oo g) ⊑ f·(fix·(g oo f))" by (rule rolling_rule_ltr)
      hence "g·(fix·(f oo g)) ⊑ g·(f·(fix·(g oo f)))"
        by (rule monofun_cfun_arg)  — g is monotonic
      thus "g·(fix·(f oo g)) ⊑ fix·(g oo f)"
        using fix_eq[where F="g oo f"] by simp  — computation
    qed

    lemma rolling_rule: "fix·(g oo f) = g·(fix·(f oo g))"
      by (rule below_antisym[OF rolling_rule_ltr rolling_rule_rtl])

Least-fixed-point fusion provides a kind of induction that has proven to be very useful in calculational settings. Intuitively it lifts the step-by-step correspondence between f and h witnessed by the strict function g to the fixed points of f and h:

$$
g\,\bot = \bot
\quad\text{and}\quad
g \circ f = h \circ g
\quad\Longrightarrow\quad
g\,(\mathrm{fix}\,f) = \mathrm{fix}\,h
$$

(Diagrammatically: $g$ maps each element $f^n\,\bot$ of the Kleene chain of $f$ to the corresponding element $h^n\,\bot$ of the chain of $h$, and hence the limit $\mathrm{fix}\,f$ to $\mathrm{fix}\,h$.)

Fokkinga and Meijer (1991), and also their later collaboration with Paterson (1991), made extensive use of this rule, as did Tullsen (2002) in his program transformation tool PATH. This diagram is strongly reminiscent of the simulations used to establish refinement relations between imperative programs and their specifications (de Roever and Engelhardt 1998).

The following proof is close to the third variant of Stoy (1977, p215). We relate the two fixpoints using the rule parallel_fix_ind:

$$
\frac{
\mathrm{adm}\,(\lambda x.\; P\,(\mathrm{fst}\,x)\,(\mathrm{snd}\,x))
\qquad
P\,\bot\,\bot
\qquad
\bigwedge x\,y.\; P\,x\,y \Longrightarrow P\,(F{\cdot}x)\,(G{\cdot}y)
}{
P\,(\mathrm{fix}{\cdot}F)\,(\mathrm{fix}{\cdot}G)
}
$$

For a recursive definition comp = fix body for some body :: A → A and a pair of functions wrap :: B → A and unwrap :: A → B where wrap ∘ unwrap = id_A, we have:

    comp = wrap work
      where
        work :: B
        work = fix (unwrap ∘ body ∘ wrap)        (the worker/wrapper transformation)

Also:

    (unwrap ∘ wrap) work = work                   (worker/wrapper fusion)

Figure B.1: The worker/wrapper transformation and fusion rule of Gill and Hutton (2009).
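As an added example, not code from the thesis or from Gill and Hutton, Figure B.1 instantiated in Python to list reversal: A = [a] → [a] is the type of the original computation and B = [a] → ([a] → [a]) (a Hughes list, a function from the tail to be appended) is the worker type. The names body, wrap, unwrap, work are those of the figure; the `fix` on functionals, the reversal example and the sample lists are assumptions. The calculated worker work_fast is what one obtains from work = fix (unwrap ∘ body ∘ wrap) after one unfolding and an application of the fusion rule; both workers are checked against comp. Note that `fix` here ties a lazy knot, so it agrees with the domain-theoretic fix only where the unfolding terminates, which it does for reverse.

```python
"""Added example (not from the thesis or from Gill and Hutton): Figure B.1
instantiated to list reversal, with A = [a] -> [a] and the worker type
B = [a] -> ([a] -> [a]) (a Hughes list)."""
from typing import Callable

A = Callable[[list], list]
B = Callable[[list], Callable[[list], list]]


def fix(F):
    """fix F = F (fix F) for a functional F on functions.  The knot is tied
    lazily: F is unfolded only when the result is applied to an argument."""
    def rec(*args):
        return F(rec)(*args)
    return rec


def body(rev: A) -> A:
    """body :: A -> A, the naive definition: rev (x:xs) = rev xs ++ [x].
    Each ++ copies its left operand, so comp is quadratic."""
    return lambda xs: [] if not xs else rev(xs[1:]) + xs[:1]


comp: A = fix(body)                                  # comp = fix body


def wrap(work: B) -> A:
    """wrap :: B -> A, apply the worker to the empty tail."""
    return lambda xs: work(xs)([])


def unwrap(f: A) -> B:
    """unwrap :: A -> B, abstract over the tail: unwrap f xs ys = f xs ++ ys."""
    return lambda xs: lambda ys: f(xs) + ys


def wrap_unwrap_is_id(f: A, xs: list) -> bool:
    """The side condition wrap ∘ unwrap = id_A, pointwise: f xs ++ [] = f xs."""
    return wrap(unwrap(f))(xs) == f(xs)


# The transformation itself: work = fix (unwrap ∘ body ∘ wrap).  Correct by
# Figure B.1, but not yet faster, since each unfolding still appends.
work_generic: B = fix(lambda w: unwrap(body(wrap(w))))


def work_fast(xs: list) -> Callable[[list], list]:
    """The worker after calculation.  Unfolding once gives
        work (x:xs') ys = (wrap work xs' ++ [x]) ++ ys = work xs' [] ++ (x:ys),
    and worker/wrapper fusion, (unwrap ∘ wrap) work = work, rewrites
    work xs' [] ++ zs to work xs' zs, so the tail becomes an accumulator and
    the appends disappear (the only remaining list operation is a cons)."""
    def go(ys: list) -> list:
        if not xs:
            return ys
        return work_fast(xs[1:])([xs[0]] + ys)
    return go


def fusion_holds(xs: list, ys: list) -> bool:
    """(unwrap ∘ wrap) work = work, on one input, for the calculated worker."""
    return unwrap(wrap(work_fast))(xs)(ys) == work_fast(xs)(ys)


def agree(xs: list) -> bool:
    """comp = wrap work for both the generic and the calculated worker."""
    return comp(xs) == wrap(work_generic)(xs) == wrap(work_fast)(xs)
```

The point of the two workers is that work_generic is justified by the transformation alone, while work_fast additionally needs the fusion rule; the thesis notes (§B.3) that the fusion rule as stated by Gill and Hutton requires care, which is why fusion_holds checks it on the concrete worker rather than assuming it.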

    lemma lfp_fusion:
      assumes "g·⊥ = ⊥"
      assumes "g oo f = h oo g"
      shows "g·(fix·f) = fix·h"
    proof(induct rule: parallel_fix_ind)
      case 2 show "g·⊥ = ⊥" by fact
      case (3 x y)
      from ‘g·x = y‘ ‘g oo f = h oo g‘ show "g·(f·x) = h·y"
        by (simp add: cfun_eq_iff)
    qed simp

This lemma also goes by the name of Plotkin’s axiom (Pitts 1996) or uniformity (Simpson and Plotkin 2000).
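As an added example, not from the thesis, both rules of this section (the rolling rule and lfp_fusion) checked by computation on a finite powerset lattice, where fix·F is obtained by Kleene iteration from ⊥ = ∅ (on a finite lattice every monotone function is continuous, so the iteration reaches the least fixed point). The graphs are constructed data: two step relations over a small set of hosts, read as an attacker's reachability closure. The functions f, g and h follow the lemma statements; g in the fusion check is a relabelling of hosts, which is strict, and the premise g oo f = h oo g is verified on every subset rather than assumed.

```python
"""Added example (not from the thesis): the rolling rule and least-fixed-point
fusion checked by computation on a finite powerset lattice."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Set

Node = int
Lat = FrozenSet[Node]            # powerset lattice: ⊥ = frozenset(), order = ⊆
Endo = Callable[[Lat], Lat]


def fix(F: Endo) -> Lat:
    """Least fixed point by Kleene iteration ⊥, F ⊥, F (F ⊥), ...
    On a finite lattice a monotone F is continuous and the chain stabilises,
    so this computes fix·F in the HOLCF sense."""
    x: Lat = frozenset()
    while True:
        y = F(x)
        if y == x:
            return x
        x = y


def compose(g: Endo, f: Endo) -> Endo:
    """g oo f"""
    return lambda x: g(f(x))


def closure_step(graph: Dict[Node, Set[Node]], seeds: Set[Node] = frozenset()) -> Endo:
    """One reachability step: keep x, add every node one edge away in `graph`,
    and always include `seeds`.  Monotone in x."""
    def step(x: Lat) -> Lat:
        out = set(seeds) | set(x)
        for n in x:
            out |= graph.get(n, set())
        return frozenset(out)
    return step


# Constructed data (assumed, not from the thesis): two step relations over the
# same hosts, e.g. network reachability and credential reuse; the attacker
# starts on host 0.
HOPS = {0: {1}, 1: {2}, 2: {3}}
CREDS = {3: {4}, 4: {5}}
HOSTS = range(6)
f: Endo = closure_step(HOPS, seeds={0})   # f x = {0} ∪ x ∪ succ_HOPS x
g: Endo = closure_step(CREDS)             # g x = x ∪ succ_CREDS x


def rolling_rule() -> tuple:
    """fix·(g oo f) = g·(fix·(f oo g)): interleaving the two steps in either
    order reaches the same set of compromised hosts."""
    return fix(compose(g, f)), g(fix(compose(f, g)))


def lfp_fusion() -> tuple:
    """g·(fix·f) = fix·h given g·⊥ = ⊥ and g oo f = h oo g.  Here g relabels
    hosts (strict, since it maps ∅ to ∅) and h is f transported along the
    relabelling; the premises are checked on every subset of HOSTS."""
    def rename(n: Node) -> Node:
        return n + 100

    def g_ren(x: Lat) -> Lat:
        return frozenset(rename(n) for n in x)

    renamed_hops = {rename(a): {rename(b) for b in bs} for a, bs in HOPS.items()}
    h: Endo = closure_step(renamed_hops, seeds={rename(0)})

    assert g_ren(frozenset()) == frozenset()                  # strictness
    for k in range(len(HOSTS) + 1):
        for subset in combinations(HOSTS, k):                 # g oo f = h oo g
            x = frozenset(subset)
            assert g_ren(f(x)) == h(g_ren(x))
    return g_ren(fix(f)), fix(h)
```

The strictness premise is not decorative: a relabelling that inserted a fixed host into every result would still satisfy g oo f = h oo g for a suitable h, but g·⊥ ≠ ⊥ and the base case of parallel_fix_ind would fail, exactly as the Isabelle proof's `case 2` demands.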
