Towards a Symbolic Modal Logic for LOTOS

We present a version of HML [7], adapted to allow description of properties of Full LOTOS [8] specifications using symbolic values and conditions in modal formulae as well as concrete data values. In modifying HML we especially consider the features of LOTOS which distinguish it from other process algebras and discuss how these alter the requirements of the logic, and how this in turn is reflected in the semantics of the logic. 
 
Our logic is given in relation to a late symbolic semantics for Full LOTOS, clearly separating the process reasoning from the data reasoning. 
 
This work is motivated by our experiences of using LOTOS in several different applications [10, 15], in which we have identified a clear need for temporal reasoning about symbolic, and possibly partial, LOTOS specifications.


Introduction
The use of modal and/or temporal logics to describe abstract properties of systems is well established, as is their use in conjuction with more concrete process algebra descriptions of the same system.See, for example, [7,13,9].In these cases, either the process algebra concerned does not involve data values, or concrete data values are used, either implicitly (e.g. in CCS) or explicitly (e.g. in LOTOS).
Full LOTOS [8] is a process algebra with algebraic data types and multi-way synchronisation 1 .Although LOTOS 2 allows data type process parameters, and data type expressions as process guards and structured event offers, the standard semantics of LOTOS does not give meaning to open specifications, that is, processes with uninstantiated data.(This is similar to the way CCS handles data values.)Thus, we cannot reason about the temporal behaviour of open specifications.
Open processes arise in two ways: because data variables may be formal parameters to processes, or because they are essentially "input" variables in structured events.For example, in the LOTOS process P(x)[g] := g?y:nat[y>2];g!x+y; ...
x is a formal parameter; y is an input variable; y>2 is a condition on the input, and x+y is a single (symbolic) output value.
But, often it is desirable to be able reason about such specifications, since they pervade any realistic system description.For example, in a telephone network, it is useful to be able to reason about (temporal) properties of the system which are independent of the data, as well as being able to reason about concrete properties and properties which do depend on the data values.Examples of data independent properties include after a user dials a number, it is possible that the user will become connected to that number and after a user dials a number, the user will always become connected to that number.
Carron Kirkwood is now Carron Shankland and can be contacted at: Department of Computing Science and Mathematics, University of Stirling, Scotland 1 See [12] for an introduction to the language. 2In the remainder of this paper "LOTOS" is used to refer to Full LOTOS.Basic LOTOS refers to the process part only.

Towards a Symbolic Modal Logic for LOTOS
The traditional handling of temporal properties of LOTOS processes is best represented in the toolset CADP [3] in which LOTOS specifications (with some syntactic restrictions) are translated into labelled transition systems, instantiating free variables by all possible data values; the validity of alternation-free modal -calculus [11] formulae is checked with respect to that labelled transition system.No symbolic values are permitted in the logical formulae.
Clearly, although a desirable and powerful logic is used here, the specifications do not retain their symbolic nature, nor can the logic express it.For example, we cannot express the ability of a process to perform the action g!x+y without instantiating x and y, nor can we express a property concerning g?y without instantiating y.These problems are overcome, to some extent, in Eludo [4].Here, the validity of CTL [2] formulae are checked with respect to LOTOS specifications.Variables in the LOTOS remain symbolic, including unmatched query variables (i.e. they have not been matched with !offers), predicates about the variables are built up as the model is explored, and narrowing is used to obtain concrete values where possible.However, CTL cannot describe the cyclical properties we ultimately desire, and the (non-standard) semantics of LOTOS used here has not yet been formalised (other than by the Prolog rules of the implementation) nor compared with the standard semantics.
A third approach is described in [6], in which symbolic data values are allowed in the modal logic and the semantics of the logic is based on symbolic transition systems.The message-passing process algebra used is similar to CCS.This work is not applicable to LOTOS because it relies on features of CCS which are quite different from those in LOTOS: in particular conditions on input variables and multi-way synchronisation (N.B. synchronisation is two-way in CCS and results in an unobservable event.In LOTOS, multi-way synchronisation requires the result of two-way synchronisation to be observable and available for synchronisation with another process.This fundamentally affects the treatment of symbolic values, since in LOTOS we cannot assume that each ?offer matches with exactly one !offer.).We diverge significantly from this approach.
Two main technical developments are described in this paper: a symbolic modal logic for LOTOS and a corresponding proof system.Although every logic is symbolic, we call our logic symbolic to highlight the fact that the data is symbolic.Note that the logic used is an extended form of HML [7].Although this logic is weaker than CTL, our intention is to build on the work presented here by adding fixed points to the logic, yielding something more closely related to the modal -calculus, which will eventually give us the expressive power we desire.
Both the logic and the proof system are defined with reference to a late symbolic semantics for LOTOS which, unlike the standard semantics of LOTOS but similarly to the semantics of [5], clearly separates the process and the data.Conditions concerning the data control the exploration of the transition system; in the proof system these (data) proof obligations are discharged using a separate data reasoning system.
The paper is organised as follows.We begin with motivation in the form of an example which illustrates some of the requirements of the logic.The syntax and semantics of the logic itself are presented in Section 3 together with related topics: a late symbolic semantics of LOTOS in Section 3.1 and a discussion of important semantic issues in Section 3.4.
The proof system is presented in Section 3.5, and used in Section 4 to prove the validity of the properties described informally in Section 2. Finally, we conclude and discuss further work.

An Example
As motivation, consider a simple example of a LOTOS specification and some typical temporal properties.While the example is clearly contrived (LOTOS is typically used to describe communications protocols and system architectures c.f. [10,15]) it does provide a simple, intuitive example of the issues to be addressed.
The example is given in Figure 1 and concerns user behaviour in a telephone network where users are forbidden to make and receive calls from particular users.Each user process is parameterised by the user id the list of prohibited incoming callers the list of prohibited outgoing numbers.
Telephone processes will synchronise with each other on the con (connect) and discon (disconnect) events, that is the entire network of users will be the (synchronised) parallel composition of several instantiations of the parameterised process Tel.The synchronising (structured) events are of the form gate!x!y, where x and y are the originating and terminating users, respectively.For example, discon!x!y denotes the event of disconnecting the  call from user x to user y3 .Note that in Tel, conditions are used both to guard processes (within a choice) and to qualify structured input events.For brevity, details of the datatype userid and idlist have been omitted.
We might desire the following, informally stated, properties to hold of Tel.
1. it is possible to dial a number which is not in the bar out list, 2. after dialling a number, it is possible that the user hears an unobt tone, 3. after dialling 999, it is possible that the user is connected to 999, 4. after dialling a number which is in the bar out list, the user can only hear the unobt tone.
5. after dialling a number which is in the bar out list, it is not possible for the user to connect to the number dialled, 6. after dialling a number which is not in the bar out list, it is possible that the user is connected to the number dialled, 7. after dialling a number, it is possible that after either 1 or 2 events, the user puts the handset on, Note: it is assumed that 999 is not a member of the list bar out.These properties refer to concrete values, e.g.999, and also to symbolic values, e.g. a number.Thus, the modalities of the logic should include symbolic data values in addition to concrete ones.Moreover, events are qualified by predicates over the data, e.g. a number which is not in the bar out list, thus the logic should also include similar qualification of events.
Having a concrete idea of the sorts of properties to be described will help us develop the logic and its semantics.

A Symbolic Modal Logic
In this section we present the syntax (Section 3.2) and semantics (Section 3.3) of the logic.The semantics of the logic is based on a symbolic semantics for LOTOS, an overview of which is given in Section 3.1.It is beyond the scope of this paper to give the full details of that semantics, see [1] for further information.In Section 3.4 we give a detailed insight into the important semantic issues considered during the development of the logic.Finally, we present the proof system.We begin with the symbolic semantics of LOTOS.
Towards a Symbolic Modal Logic for LOTOS

Symbolic LOTOS
The standard LOTOS semantics [8] is given by structured labelled transition systems.This symbolic semantics (presented in [1]) enhances those transition systems in two ways.First, we allow variables in both states and labels.
Second, we add an extra component to transitions.
In the symbolic semantics, transitions take the form S D gE -S 0 where S and S 0 are states, D is a boolean condition based on the data type language of the LOTOS description, and gE is a transition label consisting of g, a gate name, and a list of event offers E = d 1 : : :d n , where d i = ?ei or !e i .Informally, D describes the "leaving" conditions for a state and is a condition on data only.When D is unsatisfiable, the associated transition and destination state are considered to be unreachable, or "imaginary".To illustrate the semantics a pictorial representation of the semantics of the telephone process of Figure 1 is given in Figure 2. Note that while states in the diagram have been identified for ease of interpretation (e.g.state U2), state equivalence is not formally defined.State equivalence becomes more important when fixed point operators are to be introduced to the logic (a topic not considered here).
We now present the syntax of the logic, followed by its semantics (which is based on this symbolic semantics of LOTOS).

Syntax
The syntax of our logic is based on that of HML as presented in [13].Here, the sets permitted in the modalities are enriched by allowing structured events and conditions, both of which may involve variables.BCS-FACS Northern Formal Methods Workshop, 1996 a list of event offers, i.e. data type expressions prefixed by ! or ?, and R is a condition over some variables (typically those in E).The logic must share the appropriate LOTOS abstract data types with the process definition (otherwise formulation of R is impossible).
Braces in formulae are typically omitted.Other standard useful abbreviations are also adopted.For example, h?i to denote hG figi and h?Ki to denote h(G fig) ?Ki; similarly for ?] and ?K].
To give meaning to the above syntax it must be related to the (symbolic) semantics of processes (as given in Section 3.1.

Semantics of Symbolic Modal Logic
We define k k C , the set of processes satisfying a modal formula in context C, where a context is a collection of conditions, inductively over the syntax of the logic by the following equations: Note that P is taken to be the set of all LOTOS processes.The last two equations require some explanation.In each case, we match the event offers in E with those in E 0 by a substitution , allowing the !'s and ?'s to match in any combination.Furthermore, the matching is done with respect to the equivalence of the underlying data type.These, and other, features are more fully explained in Section 3.4.
In order to express that a particular process P satisfies a modal formula we show P 2 k k P tt which we also write more conveniently as

P j =
The set k k P tt can always be constructed if the underlying data type theory is complete; however, in general we cannot necessarily determine the validity of the data conditions.

Semantic Issues
A number of semantic issues arise from the introduction of symbolic values and qualifying conditions on events: the difference between ! and ?event offers, qualification of event offers by conditions, "symbolic event matching", i.e. under what conditions does a (symbolic) label in the transition system satisfy a (symbolic) event in the logic?interpretation of the modal operators hgE j Ri and gE j R].

BCS-FACS Northern Formal Methods Workshop, 1996
Towards a Symbolic Modal Logic for LOTOS These issues are significant because the decisions made affect the expressiveness of the logic.
When considering these issues our guiding principle is that the semantics satisfies (P j = ) , (8 :P j = ) where provides a concrete instantiation of P. In other words, if the symbolic P satisfies then there should be no instantiation of P which does not satisfy , and vice versa.

Structured and Qualified Events
Here we are concerned with the difference between ! and ?event offers; in particular, what are the consequences of allowing uninstantiated variables in offers?The standard semantics [8] of LOTOS gives the following interpretation to structured events.A g!e event corresponds to one transition labelled by g v where v is the valuation of e (where e is not an open term).A g?x:S event corresponds to many (possibly infinite) transitions, one for each value in S. In addition, the ? is a binding occurrence of an identifier, while the ! is a using occurrence.
In the symbolic semantics, there is one (symbolic) transition corresponding to g?x:S labelled by g x, which corresponds to a set of transitions in the standard transition system.Under this interpretation, conditions on input event offers become simply restrictions on the sets of the underlying events, and therefore transitions.Similarily, there is one (symbolic) transition corresponding to g!e, where e may be an open term.

Symbolic Event Matching
How do we match events in the logic with labels in the transition system?
In Basic LOTOS simple event names (gates) appear as transition labels and in the modalities; therefore event matching is trivial -they must by syntactically equal.In Full LOTOS we must not only match gate names, but also event offers (i.e.data expressions).Moreover, we must also take into account the equivalence induced by the data theory and any conditions imposed on the logical events and any conditions imposed on the process input variables.For example, when does g!x match g!y? Can g!x match g?z? Can g?x [x<10] match g?y [y>10]?
Our initial observation is that when matching symbolic event offers it does not matter which kind of event offer we have, i.e. ! or ?, since they both relate to sets of (concrete) events.Thus we cannot distinguish between, say, !x and ?x, since both are offering a set of values denoted by x.We can therefore ignore the !and ?when matching; the data expressions and the conditions alone determine matching.
Let us consider some simple concrete examples in which neither the transition label nor the logical event involves conditions.These are given in the top left portion of the table in Figure 3. Possible transition labels (drawn mainly from Tel) appear in the left hand column, and possible logical events from a logical formula appear across the top.In the example, we assume the usual theory of numbers (e.g. 2 6 3).
In these simple cases, the transition label satisfies the logical event when their respective offers, i.e. data expressions, can be matched (modulo the underlying data theory).For example dial?x is matched by dial?y because x y , where renames y by x.In other words, both of these are event offers which could be understood to stand for the same set of transitions (assuming x and y are of the same type and therefore range over the same possible data values).On the other hand, dial?x cannot be matched by dial!2 because there is no substitution which allows us to replace 2 by x.We cannot allow matching in the opposite "direction" (i.e.match transition label to logical event) because then there could be instantiations of x which might not satisfy the whole property, thus violating our guiding principle.Now consider the more complex case where we also have conditions on the events (in either the transition system or the logic).The rest of the table in Figure 3 illustrates such situations.For convenience we use 2 for list membership rather than the more cumbersome mem of the LOTOS description.Again, we assume the usual theory of numbers, but make no assumptions about the sets bar out and bar in.Thus, we are left with some unreduced formulae (e.g. The relation between conditions over the logical events and conditions over the process events can perhaps be best understood in terms of the underlying correspondence with sets of concrete events.If the logical event relates to a set A of concrete events and the process event to a set B of events, should we, when matching, insist that A = B or A B or B A? Alternatively, this can be expressed in terms of the conditions by C , R, C ) R or R ) C.
Again, we use our guiding principle to help us decide, i.e. it doesn't matter what concrete values we give P in place of the symbolic values, the resulting process still satisfies the formula.This means we must require that the logical property is a looser specification of events than the process, i.e. we require C ) R.  For example, intuitively we expect dial!2; exit j = hdial?xitt,because the logic allows many more events than the process.Similarly, we expect dial?x nastychatline(x)]; unobt; exit j = hdial?uju 2 bar outitt, assuming every number to a nasty chat line is in the bar out list.
On the other hand, since dial?x; exit allows more events than hdial!yjy 6 2 bar outitt, we do not have dial?x;exit j = hdial!yjy6 2 bar outitt.For example, we could instantiate x by a value v which is in bar out, and then dial?v; exit 6 j = hdial!yjy6 2 bar outitt.
The result of this discussion is that symbolic event matching depends not only on syntactic matching of event offers, modulo the underlying data theory, but also on the implication C ) R, i.e. the process condition is stronger than the logical condition.

Modal Operators
The final issue to be considered relates to the interpretation of the modal operators in the new setting.
In the semantics of HML [7] the hgi operator is interpreted as being satisfied by just one branch from the current state with label g.In our new logic this interpretation does not change.We require that the event labelling the transition matches the event in the logic, and that the transition condition implies the logical condition (if there is one).If such a condition exists then we will eventually choose it.
On the other hand, the box operator permits more scope for alternative interpretations.Consider the following process: In the semantics of HML [7] the g] operator is interpreted as being satisfied by all branches from the current state with label g.Given the introduction of conditions, there are more interpretations of the set of transitions which satisfy gEjR].First we must select the set of transitions of interest; we can have either all transitions with labels matched by gE, or all transitions whose labels match gE and whose conditions satisfy R, i.e.C ) R.
Having chosen our set we must then check that the conditions on each transition in the set satisfies R. (For the latter choice of set obviously this is trivially true.) The different interpretations can be illuminated by considering the above example: Under the first interpretation the set of interest contains the transitions labelled g!5, g!6 and g!1.The h branch is excluded because the gate name does not match and the g!0 branch is excluded because there is no substitution such that 0 = (x + 1) (assuming we are dealing with natural numbers).Given this set, the property g!x + 1 j x > 2] g!x + 2]tt fails to hold because, although the g!1 branch matches g!x + 1 with x=0], the condition is not satisfied, i.e. 0 6 > 2).We conclude that the first interpretation is too weak; too many undesirable branches are included.
Under the second interpretation the troublesome branch would be excluded from the set of interest, therefore the condition would succeed (with branches g!5 and g!6).

Towards a Symbolic Modal Logic for LOTOS
A further variation in interpretation may be given by asking: should the same substitution be used to match transition labels in each branch with the logical event, or can we allow the substitutions for each branch to be different?
In our example it seems clear that it is desirable to allow different matching for each branch; in the first branch x is instantiated by 5 and in the second it is instantiated by 6.If we did not allow this then the property would fail.Insisting on the same matching for each is too strong.
Each of the possible interpretations described above could be valid; we have chosen one which appears neither too strong nor too weak (i.e.choose all branches whose labels match a, allowing different matching for each branch, and whose conditions imply the logical conditions).The others give a slightly different flavour to the logic (a topic for future research might be to investigate the difference in expressive power between each of the possible interpretations of the box operator).

Proof System
The semantics given in Section 3.3 is not very useful to us when trying to show a particular process P satisfies a property ; it is too expensive to build the set of all processes which satisfy and then check if P 2 k k tt .Instead, we would like a proof system which allows us derive P `with reference only to the particular in which we are interested.Such a system (for HML) is presented in Stirling and Walker [14].The proof system presented here is derived from that of [14], but has two important differences: Firstly, we assume the existence of a separate proof system for the data which we can use as an "oracle" during the proof process.In reality, the oracle will be implemented by an auxiliary proof system.
Secondly, our proof system fulfills two roles.The first is to determine the satisfaction relation between a process, under some initial conditions, and a formula.We refer to this as (unconditional) satisfaction.This is described in more detail in Section 3.5.1,and the rules are given in Figure 4.The second is the synthesis of additional conditions which, if imposed on the process, would make the satisfaction relation hold, should it not hold for the given conditions.We call this (conditional) satisfaction.This is described in more detail in Section 3.5.2,and the rules are given by adding the rules in Figure 5 to those of Figure 4. We have combined both roles in one system and therefore proofs are carried out with respect to a process (state) P, an initial condition C and a set of additional conditions A.
Conditions which are imposed by the process are collected in C as the proof progesses.Additional conditions, A, come from the logical formula and may only be introduced in the (conditional) rules for gEjR] and hgEjRi.Additional conditions take the form of R.
Sequents of the form (P; C; A) `appear in the rules of Figure 4 and Figure 5.We may read this as "P satisfies given that the context C ^A is valid".By an abuse of notation we allow A in the conjunction to mean V fAg.We also take V fg to be equivalent to tt.
To prove (P; C; A) `holds a successful tableau which has (P; tt; tt) `as the root goal must be constructed.
Of course, we want our proof system to be compatible with the semantics given in Section 3.3, therefore we require (P; tt; tt) `, P j = This holds (the proof is trivial) for (unconditional) satisfaction.

(Unconditional) Satisfaction
(Unconditional) satisfaction means that we can build a successful tableau without having to synthesise extra conditions in A. Formally, P 2 k k C , i.e. (P; C) j = , then we prove (P; C; tt) `as follows.
We must construct an (unconditionally) successful tableau which has this sequent as the root goal.An (unconditionally) successful tableau is a finite proof tree in which all leaves are (unconditionally) successful.A leaf is (unconditionally) successful if 1. it has the form (P 0 ; C 0 ; tt) ` K] and none of the (unconditional) rules of figure 4 can be applied.2. it has the form (P 0 ; C 0 ; tt) `tt.where C is the data condition generated by the proof system (from the process conditions).
All other leaves are unsuccessful.Note that for (unconditional) satisfaction, we must always apply the uncondional form of the box and diamond rules.Application of the rules, even by hand, is fairly mechanical; only the _ and hKi rules give a choice as to the next level of the tableau, making tableau construction nondeterministic.

BCS-FACS Northern Formal Methods Workshop, 1996
If a proof tree has any unsuccessful leaves then the tableau is unsuccessful and the original sequent may not hold.We can backtrack from an unsuccessful leaf to a choice point and choose a different path (which we hope may lead to success).In proving the validity of a formula the important point is the existence of a successful tableau, not the non-existence of an unsuccessful tableau.
When the reason for failure is that there are leaves with additional conditions in A, then we may try to prove (conditional) satisfaction.

(Conditional) Satisfaction
When P 6 2 k k C , i.e. (P; C; tt) 6 `, we may try to generate the additional conditions A such that P 2 k k C^A , or, put another way, discover how to modify P into P 0 such that P 0 2 k k C .
In either case, we try to synthesise sets of conditions during the proof process which if we choose to enforce them, either by modifying the process or the initial conditions, the satisfaction relation will hold.For example, if the formula has the form hdial?uju 2 bar outi and there is a transition P tt dial?x -P 0 then we want to record that the formula holds, only if the process imposes the stronger condition x 2 bar out.
(P; C; tt) `conditionally when a (conditionally) successful tableau can be constructed which has this sequent as the root goal.A (conditionally) successful tableau is a finite proof tree in which all leaves are (conditionally or unconditionally) successful and there is at least one leaf which is (conditionally) successful.A leaf is (conditionally) successful if 1. it has the form (P 0 ; C 0 ; A) ` K], and none of the rules of Figure 4 or Figure 5 can be applied.
2. it has the form (P 0 ; C 0 ; A) `tt.Similar clauses in terms of hKi and ff identify unsuccessful leaves.

The Proof System in Action
In this section we introduce a second specification of the telephone user, we formalise the example properties from Section 2, and then we consider the satisfaction of those properties by the two specifications.
The second user process specification is given in Figure 6; its underlying (symbolic) lts is given in Figure 7.The difference between Tel and Tel II is essentially the points at which choices are made, rather than the criteria involved in those choices.
process Tel_II[dial,con,discon,unobt,busy] (id:userid,bar_in:idlist,bar_out:idlist) :noexit :=  The properties informally described in Section 2 are formalised below.Note that in the logic we have to be more precise about the scope of the modal operators than in natural language.In the informal descriptions, only one quantifier (e.g."it is possible" or "always") appeared in each of the formula, the scope of which is not completely clear.Since the purpose of this paper is not to explore rigorously the formalisation of informal properties, we have simply chosen a reasonable formalisation, in each case.
For each formula above we try to derive (Tel; tt; tt) `and (Tel II; tt; tt) `first using the unconditional notion of satisfaction, and, if that fails, using the conditional notion of satisfaction.The results are as follows: 1. Tel fails to satisfy the formula unconditionally because the side conditions require that tt ) x 6 2 bar out (which does not hold).At first glance this is a rather surprising result; however, this result is consistent with our guiding principle.While the transition system does allow us to dial some numbers which do not belong to bar out, it does not prevent us from dialling numbers which are in bar out, e.g.nastychatline(x).There are therefore other instantiations of x which will not satisfy the formula.
We can show conditional satisfaction, generating the additional condition x 6 2 bar out.
Tel II satisfies the formula unconditionally (because there are several dial actions, one of which has the condition x 6 2 bar out as required).
2. Both Tel and Tel II satisfy the formula unconditionally, generating no conditions.
3. For Tel no successful tableau can be found for unconditional satisfaction.This is because there is no substitution to allow us to match x = 999 .Again, the failure to prove unconditional satisfaction arises because there may be other instantiations of Tel which do not satisfy the formula.Tel satisfies the formula conditionally, given the substitution x = 999 (note that conditional satisfaction allows unification).
Tel II fails to unconditionally satisfy this property for the same reasons as above; however, Tel II also fails to conditionally satisfy the property.This is because the semantics of the box operator requires that all possible transitions dial!999 are examined.There are four such transitions in Tel II, and only one of those leads to a state in which the con action is possible.

4.
Tel only satisfies the formula conditionally (the failure of the unconditional proof is for the same reasons as in property 1).The leaves of the proof are: (U 2; tt; x 2 bar out) `tt and (U 3; tt; x 2 bar out) ` ?unobt]ff.
Tel II satisfies the property unconditionally.
5. This property does not hold of Tel under unconditional satifaction (as above) but does hold conditionally, with leaf (U 3; tt; x 2 bar out) ` con!id!xjtt]ff (no transitions are possible because the condition x 6 2 bar out ) x 2 bar out does not hold).
Tel II satisfies the property unconditionally (again, because we finish with the leaf (U 3; x 2 bar out; tt) ` con!id!xjtt]ff and no transitions are possible).6. Tel satisfies the formula conditionally with leaf (U 4; x 6 2 bar out; x 6 2 bar out) `tt and Tel II satisfies the formula unconditionally with leaf (U 7; x 6 2 bar out; tt) `tt.
7. Both Tel and Tel II satisfy the formula unconditionally.

BCS-FACS Northern Formal Methods Workshop, 1996
Towards a Symbolic Modal Logic for LOTOS In two of the above cases a formula which we might intuitively expect to have been valid was not.This is because of certain decisions made in developing the semantics of the logic.Another interpretation would make these properties hold, but would probably also make other, currently valid properties fail.There is no middle line.What we would like, however, is for such failed proofs to give us more information.For example, the first property fails because we insist that the value of x belongs to bar out.We could use this information to refine either the process or the formula.This information about conditions is gained through the conditional proof.

Conclusions and Further Work
In this paper we have presented a symbolic modal logic which can be used to describe properties of a LOTOS specification.There was some scope for alternative formulations of the logic: in particular, the satisfaction of structured events and conditions, and the interpretation of the operator.We tried to make clear the motivation behind our design decisions, where possible.The semantics of the logic is tied to a late symbolic semantics of LOTOS (developed in [1]).We also presented a proof system in which LOTOS processes can be shown to satisfy logical formulae.By use of example properties we demonstrated the logic and the proof system.
Our approach may be viewed as a hybrid of two of the approaches described in Section 1, providing the flexibility of symbolic data values of Eludo [4] in a formal framework, as in [6].It may also be the case that the semantics outlined in Section 3.1 provides a formal basis for the Eludo work (though we have not fully explored this).
It is interesting to consider the role of the initial data condition in the tableaux (and in the semantics).As described here, the initial data context is always simply tt; however, when considering partial specifications we may want to reason from a more complex context.The proof system allows this, although we did not demonstrate that feature here.Moreover, in the examples, we also identified the possibility of synthesising additional data conditions which might be used to refine the process under consideration, or to constrain the input values, in the case that the formula does not hold.
Further developments of this work are to show that the semantics and logic are downwards compatible, that is they preserve the standard semantics and modal logics of, say, [9].Also, as stated in the introduction, we wish to increase the expressive power of the logic to the level of the modal -calculus by adding fixed point operators.In order to do this we must also consider the way we deal with recursion in our symbolic semantics, and define state equivalence for (symbolic) LOTOS states in the semantics.

Figure 3 :
Figure 3: Matching Logical Events with Transition Labels