Computation Tree Logic with Deadlock Detection

We study the equivalence relation on states of labelled transition systems of satisfying the same formulas in Computation Tree Logic without the next state modality (CTL-X). This relation is obtained by De Nicola&Vaandrager by translating labelled transition systems to Kripke structures, while lifting the totality restriction on the latter. They characterised it as divergence sensitive branching bisimulation equivalence. We find that this equivalence fails to be a congruence for interleaving parallel composition. The reason is that the proposed application of CTL-X to non-total Kripke structures lacks the expressiveness to cope with deadlock properties that are important in the context of parallel composition. We propose an extension of CTL-X, or an alternative treatment of non-totality, that fills this hiatus. The equivalence induced by our extension is characterised as branching bisimulation equivalence with explicit divergence, which is, moreover, shown to be the coarsest congruence contained in divergence sensitive branching bisimulation equivalence.


Introduction
CTL * [7] is a powerful state-based temporal logic combining linear time and branching time modalities; it generalises the branching time temporal logic CTL [6]. CTL * is interpreted in terms of Kripke structures, directed graphs together with a labelling function assigning to every node of the graph a set of atomic propositions. As the next state modality X is incompatible with abstraction of the notion of state, it is often excluded in high-level specifications. By CTL * −X we denote CTL * without this modality. To characterise the equivalence induced on states of Kripke structures by validity of CTL * −X formulas, Browne, Clarke & Grumberg [3] defined the notion of stuttering equivalence. They proved that two states in a finite Kripke structure are stuttering equivalent if and only if they satisfy the same CTL * −X formulas, and moreover, they established that this is already the case if and only if the two states satisfy the same CTL −X formulas.
There is an intuitive correspondence between the notions of stuttering equivalence on Kripke structures and branching bisimulation equivalence [10] on labelled transition systems (LTSs), directed graphs of which the edges are labelled with actions. De Nicola & Vaandrager [5] have provided a framework for constructing natural translations between LTSs and Kripke structures in which this correspondence can be formalised. Stuttering equivalence corresponds in their framework to a divergence sensitive variant of branching bisimulation equivalence, and conversely, branching bisimulation equivalence corresponds to a divergence blind variant of stuttering equivalence. The latter characterises the equivalence induced on states of Kripke structures by a divergence blind variant of validity of CTL * −X formulas.
In [6,7,3] and other work on CTL * , Kripke structures are required to be total, meaning that every state has an outgoing transition. These correspond with LTSs that are deadlockfree. In the world of LTSs requiring deadlock-freeness is considered a serious limitation, as deadlock is introduced by useful process algebraic operators like the restriction of CCS and the synchronous parallel composition of CSP. Conceptually, a deadlock may arise as the result of an unsuccessful synchronisation attempt between parallel components, and often one wants to verify that the result of a parallel composition is deadlock-free. This is, of course, only possible when working in a model of concurrency where deadlocks can be expressed.
Through the translations of [5] it is possible to define the validity of CTL * −X formulas on states of LTSs. To apply CTL * −X -formulas to LTSs that may contain deadlocks, De Nicola & Vaandrager [5] consider Kripke structures with deadlocks as well, and hence lift the requirement of totality. They do so by using maximal paths instead of infinite paths in the definition of validity of CTL * −X formulas. Without further changes, this amounts to the addition of a self-loop to every deadlock state. As a consequence, CTL * −X formulas cannot see the difference between a state without outgoing transitions (a deadlock ) and one whose only outgoing transition constitutes a self-loop (a livelock ), and accordingly a deadlock state is stuttering equivalent to a livelock state that satisfies the same atomic propositions. This paper will challenge the wisdom of this set-up.
We observe that for systems with deadlock, the divergence sensitive branching bisimulation equivalence of [5] fails to be a congruence for interleaving operators. We characterise the coarsest congruence contained in divergence sensitive branching bisimulation equivalence as the branching bisimulation equivalence with explicit divergence introduced in [10]. This equivalence differs from divergence sensitive branching bisimulation equivalence in that it distinguishes deadlock and livelock. For deadlock-free systems the equivalences coincide.
Having established that the framework of [5] turns CTL * −X into a logic on LTSs that induces an equivalence under which interleaving parallel composition fails to be compositional, we propose two adaptations to this framework that both make CTL * −X induce branching bisimulation equivalence with explicit divergence and thus restore compositionality. Our first adaptation preserves the treatment of non-totality of [5] as well as their translations between LTSs and Kripke structures, but extends the language CTL * −X so that it can distinguish deadlock from successful termination. Our second adaptation preserves the totality requirement on Kripke structures but modifies the translation from LTSs to Kripke structures. One of our main results is that both adaptations are equivalent in the sense that they induce equally expressive logics on LTSs. In the following two paragraphs we discuss these adaptations in more detail.
That divergence sensitive branching bisimulation equivalence is not a congruence for interleaving operators means that there are properties of concurrent systems, pertaining to their deadlock behaviour, that (in the framework of [5]) cannot be expressed in CTL * −X , but that can be expressed in terms of the validity of a CTL * −X formula on the result of putting these systems in a given context involving an interleaving operator. We find this unsatisfactory, and therefore propose an extension of CTL * −X in which this type of property can be expressed directly. We obtain that two states are branching bisimulation equivalent with explicit divergence if and only if they satisfy the same formulas in the resulting logic. Treating CTL −X in the same way leads either to an extension of CTL −X or, equivalently, to a modification of its semantics. The new semantics we propose for CTL −X is a valid extension of the original semantics [6] to non-total Kripke structures. It slightly differs from the semantics of [5] and it is arguably better suited to deal with deadlock behaviour.
Instead of extending CTL * −X or modifying CTL −X we also achieve the same effect by amending the translation from LTSs to Kripke structures in such a way that every LTS maps to a total Kripke structure. This amended translation consist of any of the translations in the framework of [5] followed by a postprocessing stage introducing a fresh state s δ , labelled by a fresh atomic proposition expressing the property of having deadlocked, and a transition from all deadlock states, and s δ itself, to s δ . Adding self-loops and a fresh atomic proposition expressing deadlock (or just a fresh atomic proposition expressing deadlock) to deadlock states themselves does not have the desired effect, for it yields logics that are too expressive.
From the point of view of practical applications our work allows the rich tradition of verification by equivalence checking to be combined with the full expressive power of CTL * −X . In equivalence checking, three properties of the chosen equivalence have been found indispensable [2]: compositionality-in particular parallel composition being a congruence-is a crucial requirement to combat the state explosion problem; the ability to represent deadlock is crucial in ascertaining deadlock-freedom; and abstraction from internal activity-and thus from the concept of a "next state"-is crucial to get a firm grasp of correctness. Our work is the first that allows specification by arbitrary CTL * −X formulas to be incorporated in this framework, without giving up any of these essential properties.
Given the existence of adequate translations between LTSs and Kripke structures, we could have presented the results of this paper entirely within the framework of Kripke structures, or entirely within the framework of LTSs. Using Kripke structures only would entail defining a parallel composition on Kripke structures-which is possible by lifting the parallel composition on LTSs through the appropriate translations. However, Kripke structures are traditionally used for global descriptions of systems; building system descriptions modularly by parallel composition, while worrying about deadlocks that may be introduced in this process, would be a novel approach in itself. For establishing the results of this paper it is much more appropriate to build on the rich tradition of composing LTSs by parallel composition, and the known importance of deadlock behaviour within this framework.
Using just LTSs, on the other hand, would require lifting CTL * −X to the world of LTSs. 1 Here we could build on the work of De Nicola and Vaandrager [4], who defined the logic ACTL * on LTSs and showed that it corresponds neatly, through the translations of [5], 1 A tempting alternative appears to be to use the weak modal µ-calculus [15] instead of CTL * −X . This is the modal µ-calculus of Kozen [12] with weak action modalities α and [[a]] instead of a and [a] in order to abstract from internal activity. However, as observed in [15], this logic cannot distinguish states that are weakly bisimilar, and hence, contrary to what is suggested in the introduction of [15], lacks the expressiveness of CTL * −X .
with CTL * on Kripke structures. However, whereas abstracting from the notion of state in CTL * can be done elegantly by removing the next state modality X from the language, in ACTL * this additionally requires parametrising the until-modality by two action formulas [4]. Doing this would make the resulting logic ACTL * −X appear less than a wholly canonical action-based incarnation of CTL * −X , and the reader might wonder whether the failure of ACTL * −X to generate an equivalence on LTSs that is a congruence for parallel composition would be due to it being an imperfect rendering of CTL * −X in the action-based world. By presenting our analysis directly for CTL * −X , we make clear that this is not the case, and the problem stems from CTL * −X itself. Having to work in both LTSs and Kripke structures, with translations between them, appears to be a small price to pay. In addition, we feel that in many applications, such as process algebra with data, in may be preferable to work directly in a model of concurrency that features both state and action labels, and thus benefits from the ability to smoothly combine LTSs and Kripke structures [16].
Nevertheless, all our work applies just as well to ACTL * −X , with the very same problems and the very same solutions.
At the end of the paper we briefly consider Linear Temporal Logic without the next state modality (LTL −X ). The equivalence induced by the validity of LTL −X -formulas is not a congruence for interleaving parallel composition either. The coarsest coarsest congruence included in the equivalence induced by the validity of LTL −X -formulas is obtained much in the same way as the coarsest congruence included in the equivalence induced by the validity of CTL −X -formulas. Adding the ∞-modality to LTL −X , however, yields a logic that induces a strictly finer equivalence than the obtained congruence.
2. CTL * −X and stuttering equivalence We presuppose a set AP of atomic propositions. A Kripke structure is a tuple (S, L, →) consisting of a set of states S, a labelling function L : S → 2 AP and a transition relation → ⊆ S × S. For the remainder of the section we fix a Kripke structure (S, L, →).
A finite path from s is a finite sequence of states s 0 , . . . , s n such that s = s 0 and s k − → s k+1 for all 0 ≤ k < n. An infinite path from s is an infinite sequence of states s 0 , s 1 , s 2 , . . . such that s = s 0 and s k − → s k+1 for all k ∈ ω. A path is a finite or infinite path. A maximal path is an infinite path or a finite path s 0 , . . . , s n such that ¬∃s ′ . s n − → s ′ . We write π ¤ π ′ if the path π ′ is a suffix of the path π, and π £ π ′ if π ¤ π ′ and π = π ′ .
Temporal properties of states in S are defined using CTL * −X formulas. Definition 2.1. The classes Φ of CTL * −X state formulas and Ψ of CTL * −X path formulas are generated by the following grammar: In case the cardinality of the set of states of our Kripke structure is less than some infinite cardinal κ, 2 we may require that |Φ ′ | < κ and |Ψ ′ | < κ in conjunctions, thus obtaining a set of formulas rather than a proper class. Normally, S is required to be finite, and accordingly CTL * −X admits finite conjunctions only. 2 In fact it suffices to require that for every state s the cardinality of the set of states reachable from s is less than κ.  Definition 2.2. We define when a CTL * −X state formula ϕ is valid in a state s (notation: s |= ϕ) and when a CTL * −X path formula ψ is valid on a maximal path π (notation: π |= ψ) by simultaneous induction as follows: − s |= ∃ψ iff there exists a maximal path π from s such that π |= ψ; − π |= ϕ iff s is the first state of π and s |= ϕ; − π |= ¬ψ iff π |= ψ; − π |= Ψ ′ iff π |= ψ for all ψ ∈ Ψ ′ ; and − π |= ψ U ψ ′ iff there exists a suffix π ′ of π such that π ′ |= ψ ′ , and π ′′ |= ψ for all π ¤ π ′′ £ π ′ . A formula ψ U ψ ′ says that, along a given path, ψ holds until ψ ′ holds. One writes ⊤ for the empty conjunction (which is always valid), Fψ for ⊤ U ψ ("ψ will hold eventually") and Gψ for ¬F¬ψ ("ψ holds always (along a path)").
The above is the standard interpretation of CTL * −X [7,3], but extended to Kripke structures that are not required to be total. Following [5], this is achieved by using maximal paths in the definition of validity of CTL * −X formulas, instead of the traditional use of infinite paths [7,3]. The resulting definition generalises the traditional one, because for total Kripke structures a path is maximal iff it is infinite.
An equivalent way of thinking of this generalisation of CTL * −X to non-total Kripke structures is by means of a transformation that makes a Kripke structure K total by the addition of a self-loop s − → s to every deadlock state s, together with the convention that a formula is valid in a state of K iff it is valid in the same state of the total Kripke structure obtained by this transformation. It is not hard to check that this yields the same notion of validity as our Definition 2.2.
The divergence blind interpretation of [5] (notation: s |= db ϕ and π |= db ψ) is obtained by dropping the word "maximal" in the fourth clause of Definition 2.2. In contrast, we call the the standard interpretation divergence sensitive, because it does not abstract from divergences, i.e., infinite paths consisting of states with the same label. For instance, in Figure 1a we have t |= ∃Gp, due to the divergence t, t, t, . . . , whereas u |= ∃Gp. Under the divergence blind interpretation there is no formula distinguishing these two states. Definition 2.3. A colouring is a function C : S → C, for C any set of colours.
Given a colouring C and a (finite or infinite) path π = s 0 , s 1 , s 2 , . . . from s, let C(π) be the sequence of colours obtained from C(s 0 ), C(s 1 ), C(s 2 ), . . . by contracting all its (finite or infinite) maximal consecutive subsequences C, C, C, . . . to C. The sequence C(π) is called a C-coloured trace of s; it is complete if π is maximal.
A colouring C is [fully] consistent if two states of the same colour always satisfy the same atomic propositions and have the same [complete] C-coloured traces. Two states s and t are divergence blind stuttering equivalent, notation s ≈ dbs t, if there exists a consistent colouring C such that C(s) = C(t). They are (divergence sensitive) stuttering equivalent, notation s ≈ s t, if there exists a fully consistent colouring C such that C(s) = C(t). The difference between ≈ dbs and ≈ s is illustrated in the following example.
Example 2.4. Consider the Kripke structure and its colouring depicted in Figure 1a. This colouring is consistent, implying s ≈ dbs t ≈ dbs u and x ≈ dbs y, but it is not fully consistent because state t has a complete trace while u does not. Note that t has, due to the self-loop, a complete coloured trace that consists of just the colour of a p-labelled state, whereas the unique complete coloured trace of u contains the colour of a q-labelled state too. Since a consistent colouring assigns different colours to states with different labels, every fully consistent colouring must assign different colours to states t and u, i.e. it must be that t ≈ s u. One such colouring is given in Figure 1b. This colouring shows that x ≈ s y.
Lemma 2.5. Let C be a colouring such that two states with the same colour satisfy the same atomic propositions and have the same C-coloured traces of length two. Then C is consistent.
Proof. Suppose C(s 0 ) = C(t 0 ) and C 0 , C 1 , C 2 , . . . is an infinite coloured trace of s 0 . Then, for i > 0, there are states s i and finite paths π i from s i−1 to s i , such that C(π i ) = C i−1 , C i . With induction on i > 0 we find states t i with C(s i ) = C(t i ) and finite paths ρ i from t i−1 to t i such that C(ρ i ) = C i−1 , C i . Namely, the assumption about C allows us to find ρ i given t i−1 , and then t i is defined as the last state of ρ i . Concatenating all the paths ρ i yields an infinite path ρ from t 0 with C(ρ) = C 0 , C 1 , C 2 , . . . .
The case that C(s 0 ) = C(t 0 ) and C 0 , . . . , C n is a finite coloured trace of s 0 goes likewise.
Lemma 2.6. Let C be a colouring such that two states with the same colour satisfy the same atomic propositions and have the same C-coloured traces of length two, and the same complete C-coloured traces of length one. Then C is fully consistent.
Proof. Suppose C(s) = C(t) and σ is a complete C-coloured trace of s. Then σ = C(π) for a maximal path π from s. By Lemma 2.5, σ is also a C-coloured trace of t. It remains to show that it is a complete C-coloured trace of t. Let ρ be a path from t with C(ρ) = σ. If ρ is infinite, we are done. Otherwise, let t ′ be the last state of ρ. Then C(t ′ ) is the last colour of σ. Therefore, there is a state s ′ on π such that the suffix π ′ of π starting from s ′ is a maximal path with C(π ′ ) = C(s ′ ) = C(t ′ ). By the assumption about C, C(t ′ ) must also be a complete C-coloured trace of t ′ , i.e. there is a maximal path ρ ′ from t ′ with C(ρ ′ ) = C(t ′ ). Concatenating ρ and ρ ′ yields a maximal path ρ ′′ from t with C(ρ ′′ ) = σ.
The following two theorems were proved in [5] and [3], respectively, for states s and t in a finite Kripke structure. Here we drop the finiteness restriction.
Proof. "Only if": Let C be a consistent colouring. With structural induction on ϕ and ψ we show that The case ϕ = p for p ∈ AP follows immediately from Definition 2.3. The cases ϕ = ¬ϕ ′ and ϕ = Φ ′ follow immediately from the induction hypothesis. Suppose C(s) = C(t) and s |= db ∃ψ. Then there exists a path π from s such that π |= db ψ. C(π) is a coloured trace of s, and hence of t. Thus there must be a path ρ from t with C(π) = C(ρ). By induction, ρ |= db ψ. Hence, t |= db ∃ψ.
The case ψ ∈ Φ follows since the first states of two paths with the same colour also have the same colour. The cases ψ = ¬ψ ′ and ψ = Ψ ′ follow immediately from the induction hypothesis.
Finally, suppose C(π) = C(ρ) and π |= db ψ U ψ ′ . Then there exists a suffix π ′ of π such that π ′ |= db ψ ′ and π ′′ |= db ψ for all π ¤ π ′′ £ π ′ . As C(π) = C(ρ), there must be a suffix ρ ′ of ρ such that C(π ′ ) = C(ρ ′ ) and for every path Trivially, s and t satisfy the same atomic propositions. By Lemma 2.5 it remains to show that s and t have the same coloured traces of length two. Suppose s has a coloured trace C, D. Let s 0 , . . . , s k be a path from s such that C( For every u ∈ U pick a CTL * −X formula ϕ u ∈ C − C(u) (using negation on a formula in . Thus, there is a path t 0 , . . . , t ℓ from t such that t ℓ |= db v∈V ϕ ′ v and t j |= db u∈U ϕ u for 0 ≤ j < ℓ. It follows that t ℓ ∈ V and t j ∈ U for 0 ≤ j < ℓ. Hence C(t ℓ ) = D and C(t j ) = C for 0 ≤ j < ℓ, so C, D is also a coloured trace of t.
Only if" goes exactly as in the previous proof, reading |= for |= db , but requiring C to be fully consistent and, in the second paragraph, the paths π and ρ to be maximal and C(π) to be a complete coloured trace of s and t.
"If" goes as in the previous proof, but this time we have to show that C is fully consistent. Thus, applying Lemma 2.6, and assuming C(s) = C(t), we additionally have to show that s and t have the same complete coloured traces of length one. Let π be a maximal path from s with C(π) = C. Let U = {u | there is a path from t to u and C(u) = C}.
For every u ∈ U pick a CTL * −X formula ϕ u ∈ C − C(u). Now s |= ∃G( u∈U ϕ u ) and, as C(s) = C(t), also t |= ∃G( u∈U ϕ u ). Thus, there is a maximal path ρ from t such that t ′ |= u∈U ϕ u for all states t ′ in ρ. It follows that t ′ ∈ U. Hence C(t ′ ) = C and thus C(ρ) = C.
Since ⇔ is an equivalence relation on predicates, we obtain the following corollary to Theorems 2.7 and 2.8. Corollary 2.9. ≈ dbs and ≈ s are equivalence relations.
Note that, for any colouring C, the C-coloured traces of a state s are completely determined by the complete C-coloured traces of s, namely as their prefixes. Hence, any colouring that is fully consistent is certainly consistent, and thus ≈ s is a finer (i.e. smaller, more discriminating) equivalence relation than ≈ dbs .
Above, the divergence blind interpretation of CTL * −X is defined by using paths instead of maximal paths. It can equivalently be defined in terms of a transformation on Kripke structures, namely the addition of a self-loop s − → s for every state s. 3 Now s ≈ dbs t holds in a certain Kripke structure iff s ≈ s t holds in the Kripke structure obtained by adding all these self-loops. This is because the colour of a path doesn't change when self-loops are added to it, and up to self-loops any path is maximal. Likewise, s |= db ϕ in the original Kripke structure iff s |= ϕ in the modified one.
Just like ≈ dbs can be expressed in terms of ≈ s by means of a transformation on Kripke structures, by means of a different transformation, at least for finite Kripke structures, ≈ s can be expressed in terms of ≈ dbs . This is done in [5], Definitions 3.2.6 and 3.2.7.

Branching bisimulation equivalence in terms of coloured traces
We presuppose a set A of actions with a special element τ ∈ A. A labelled transition system (LTS) is a structure (S, →) consisting of a set of states S and a transition relation → ⊆ S × A × S. For the remainder of the section we fix an LTS (S, →). We write s a − → s ′ for (s, a, s ′ ) ∈ →.
A path from s is an alternating sequence s 0 , a 1 , s 1 , a 2 , . . . of states and actions, ending with a state if the sequence is finite, such that s = s 0 and s k−1 a k − − → s k for all relevant k > 0. A maximal path is an infinite path or a finite path s 0 , a 1 , s 1 , a 2 , . . . , a n , s n such that ¬∃a, s ′ . s n a − → s ′ . We write π ¤ π ′ if the path π ′ is a suffix of the path π, and π £ π ′ if π ¤ π ′ and π = π ′ . Definition 3.1. A colouring is a function C : S → C, for C any set of colours.
For π = s 0 , a 1 , s 1 , a 2 , . . . a path from s, let C(π) be the alternating sequence of colours and actions obtained from C(s 0 ), a 1 , C(s 1 ), a 2 , . . . by contracting all finite maximal consecutive subsequences C, τ, C, τ, . . . , τ, C and all infinite maximal consecutive subsequences A colouring C is [fully] consistent if two states of the same colour always have the same [complete] C-coloured traces. Two states s and t are (divergence blind) branching bisimulation equivalent, notation s ↔ b t, if there exists a consistent colouring C such that C(s) = C(t).
They are divergence sensitive branching bisimulation equivalent, notation s ↔ λ b t, if there exists a fully consistent colouring C such that C(s) = C(t).
A consistent colouring preserves divergence if two states of the same colour always have the same divergent C-coloured traces. Two states s and t are branching bisimulation equivalent with explicit divergence, The difference between ↔ b , ↔ λ b , and ↔ ∆ b is illustrated in the following example. Example 3.2. Consider first the LTS and its colouring depicted in Figure 2a. This colouring is consistent and we have s It is not fully consistent because state t has a complete trace whereas u has not. It is easy to see that every fully consistent colouring must assign different colours to states t and u, and so that t ↔ λ b u. One such colouring is given in Figure 2b and it shows that u ↔ λ b v and x ↔ λ b y ↔ λ b z. Note, however, that this colouring, although fully consistent, does not preserve divergence. State v has a divergent trace a whereas u has not, and similarly state z has a divergent trace whereas y has not. Any colouring that preserves divergence must assign different colours to states u and v and to states y and z, meaning that u ↔ ∆ b v and y ↔ ∆ b z. One such colouring is given in Figure 2c. It shows that x ↔ ∆ b y. In fact, these are the only two (different) states that are branching bisimulation equivalent with explicit divergence.
In the definition of ↔ ∆ b above, consistency and preservation of divergence appear as two separate properties of colourings. Instead we could have integrated them by adding an extra bit (∆) at the end of those finite coloured traces that stem from infinite paths. Likewise, ↔ λ b could have been defined by adding such an extra bit at the end of those finite coloured traces that stem from maximal paths. Lemmas 2.5 and 2.6 about colourings on Kripke structures apply to labelled transition systems as well. The proofs are essentially the same. Lemma 3.3. Let C be a colouring such that two states with the same colour have the same C-coloured traces of length three (i.e. colour -action -colour). Then C is consistent.
Lemma 3.4. Let C be a consistent colouring such that two states with the same colour have the same complete C-coloured traces of length one. Then C is fully consistent.
Lemma 3.5. Let C be a consistent colouring such that two states with the same colour have the same divergent C-coloured traces of length one. Then C preserves divergence.
Proof. Exactly like the proof of Lemma 2.6, but letting σ be a divergent C-coloured trace of s; π, π ′ infinite paths; C(t ′ ) a divergent C-coloured trace of t ′ ; and ρ ′ , ρ ′′ infinite paths.
Branching bisimulation equivalence and branching bisimulation equivalence with explicit divergence were originally defined in Van Glabbeek & Weijland [10]. There, only finite coloured traces are considered, and a consistent colouring was defined as a colouring with the property that two states have the same colour only if they have the same finite coloured traces. By Lemma 3.3 this yields the same concept of consistent colouring as Definition 3.1 above.
In [10], a consistent colouring is said to preserve divergence if no divergent state has the same colour as a nondivergent state. Here a state s is divergent if it is the starting point of an infinite path of which all nodes have the same colour. This is the case if s has a divergent coloured trace of length one. Now Lemma 3.5 says that the definition of preservation of divergence from [10] agrees with the one proposed above. Hence the concepts of branching bisimulation and branching bisimulation with explicit divergence of [10] agree with ours.
Theorem 3.6. ↔ b , ↔ λ b and ↔ ∆ b are equivalence relations. Proof. We show the proof for ↔ b ; the other two cases proceed likewise.
We will regard any equivalence relation on S as a colouring, the colour of a state being its equivalence class. Conversely, any colouring can be considered as an equivalence relation on states.
The diagonal on S (i.e., the binary relation {(s, s) | s ∈ S}) is a consistent colouring, so ↔ b is reflexive. That ↔ b is symmetric is immediate from the required symmetry of colourings.
To prove that ↔ b is transitive, suppose s ↔ b t and t ↔ b u. So there exist consistent colourings C and D with C(s) = C(t) and D(t) = D(u). Let E be the finest equivalence relation containing C and D. Then E(s) = E(t) = E(u). It suffices to show that E is consistent.
First of all note that the E-colour of a state is completely determined by its C-colour, as well as by its D-colour: C(p) = C(q) ⇒ E(p) = E(q) and D(p) = D(q) ⇒ E(p) = E(q) for all p, q ∈ S. Thus, if two states have the same sets of C-coloured traces or the same sets of D-coloured traces, they must also have the same sets of E-coloured traces.
Suppose E(p) = E(q). Then there must be a sequence of states (p i ) 0≤i≤n such that p = p 0 , q = p n and for 0 ≤ i < n we have either C(p i ) = C(p i+1 ) or D(p i ) = D(p i+1 ). As C and D are consistent colourings, p i and p i+1 have the same C-coloured traces or the same D-coloured traces. In either case they also have the same E-coloured traces. This holds for 0 ≤ i < n, so p and q have the same E-coloured traces. Thus E is consistent.
Lemma 3.7. Let C be a consistent colouring and s ∈ S. Then the complete C-coloured traces of s consist of the C-coloured traces of s that are infinite, divergent, or maximal, in the sense that they cannot be extended.
Proof. By definition, infinite and divergent C-coloured traces of s are complete. Let σ be a maximal C-coloured trace of s, and let π be a path from s such that C(π) = σ. Let π ′ be an extension of π to a maximal path. As σ is a maximal C-coloured trace, in the sense that it cannot be extended, we have C(π ′ ) = σ. Hence σ is a complete C-coloured trace of s. Now let σ be a complete C-coloured trace of s that is not infinite, nor a divergent C-coloured trace of s. In that case σ = C(π) for π a finite maximal path from s. Let t be the last state of π. We have ¬∃a, t ′ . t a − → t ′ . Suppose, towards a contradiction, that σ is not maximal, i.e. there is a path π ′ from s such that C(π ′ ) is a proper extension of σ. Then there must be a state u on π ′ with C(u) = C(t), such that u has a coloured trace σ ′ of length > 1, which is a suffix of C(π ′ ). As C is consistent, σ ′ is also a coloured trace of t, contradicting ¬∃a, t ′ . t a − → t ′ .
As for Kripke structures, for any colouring C, the C-coloured traces of a state s are the prefixes of the complete C-coloured traces of s. Moreover, Lemma 3.7 says that the complete C-coloured traces of a state s are completely determined by the C-coloured traces of s together with the divergent C-coloured traces of s. Hence, any colouring that is consistent and preserves divergence is also fully consistent. Therefore, ↔ ∆ b is finer than ↔ λ b , which is finer than ↔ b .
The difference between ↔ λ b and ↔ ∆ b is that only the latter sees the difference between those maximal finite coloured traces that stem from finite paths (ending in deadlock ) and those that stem from infinite paths (ending in livelock ). For deadlock-free LTSs (having no states s with ¬∃a, s ′ . s a − → s ′ ) the equivalences ↔ λ b and ↔ ∆ b coincide.

Translating between Kripke structures and labelled transition systems
We presuppose a set A of actions with a special element τ ∈ A, and a set AP of atomic propositions. A doubly  [5] for studying relationships between notions defined for Kripke structures and notions defined for LTSs. Condition (i) states that a transition is unobservable in the underlying Kripke structure (i.e., a transition between states with the same label) if and only if it is an unobservable transition in the underlying labelled transition system (i.e., a τ -transition). Condition (ii) expresses that the label of the target state of a transition is completely determined by the label of the source state and the label of the transition. Consequently, the label of a state t reachable from a state s is completely determined by the label of s and the sequence of labels of the transitions leading from s to t. Condition (iii) says that the label of a transition is fully determined by the labels of its source and target state. Many semantic equivalences on LTSs, such as ↔ b , ↔ λ b and ↔ ∆ b , are considered in the literature; for an overview see [8].
Definition 4.2. Any semantic equivalence ∼ on LTSs extends to L 2 TSs by declaring, for all states s and t in an L 2 TS, that s ∼ t iff L(s) = L(t) and s ∼ t in the associated LTS.
Any semantic equivalence ∼ on Kripke structures extends to L 2 TSs by declaring, for all states s and t in an L 2 TS, that s ∼ t iff s ∼ t in the associated Kripke structure. The following theorem was proved in [5] for finite consistent L 2 TSs. Here we drop the finiteness restriction.  One way to obtain D is to label any transition s − → t by the pair (L(s), L(t)) (or simply by L(t)) when L(s) = L(t), or τ when L(s) = L(t). An alternative is the label (L(s) − L(t), L(t) − L(s)), where (∅, ∅) is identified with τ .
Unlike the situation for Kripke structures (Observation 4.4) it is not the case that every LTS can be obtained as the LTS associated to a consistent L 2 TS. A simple counterexample is presented in [5]. Thus, in encoding LTSs as L 2 TSs, it is in general not possible to keep the set of states the same.
, that is, it preserves ("⇒") and reflects ("⇐") divergence sensitive branching bisimulation equivalence, and likewise for ↔ b , and ↔ ∆ b . A common LTS-to-L 2 TS transformation is presented in [5]. It takes an LTS L = (S, →) to an L 2 TS η(L) by inserting a new state halfway along any transition s a − → t with a = τ . This new state is labelled {a}, and each of the two transitions replacing s a − → t (from s to the new state and from there to t) is labelled a. Transitions s τ − → t are untouched. One takes η(s) = s for s ∈ S and all such states from L are labelled with the same dummy symbol in η(L). (Consult [5] for the formal definition and examples.) In [5] it is shown that this transformation preserves and reflects ↔ λ b ; the same proof applies to ↔ b and ↔ ∆ b . An LTS-to-L 2 TS transformation η yields an LTS-to-Kripke-structure transformation that we also call η, namely the one transforming an LTS L into the Kripke structure associated to η(L). In fact, using Theorem 4.3 and Observation 4.4, any LTS-to-Kripkestructure transformation η that preserves and reflects the required equivalences can be obtained in this way.
An LTS-to-L 2 TS transformation η makes it possible to define when a state s in an LTS satisfies a CTL * −X formula ϕ. Namely, one defines s |= η ϕ iff η(s) |= ϕ. This way, CTL * −X can be used as temporal logic on LTSs.
Theorem 4.6. Let s and t be states in an LTS, and let η be an LTS-to-L 2 TS transformation. Then Proof. This is an immediate consequence of the requirement that η preserves and reflects ↔ b and ↔ λ b , in combination with Theorems 2.7, 2.8 and 4.3.

Parallel composition
For a behavioural equivalence to be useful in a process algebraic setting, it is essential that it is a congruence for the operations under consideration. In this section we prove that ↔ ∆ b and ↔ b are congruences for the merge or interleaving operator . This operator is often used to represent (asynchronous) parallel composition. However, ↔ λ b fails to be a congruence for . We characterise the least discriminating congruence that makes all the distinctions of In the following definition we provide the necessary and sufficient conditions for a binary operation on the set of states of an LTS to qualify as a merge.
Definition 5.1. A binary operation on the states of an LTS is a merge if for all s, t, u ∈ S and for all a ∈ A it holds that s t a − → u iff − there exists s ′ ∈ S such that s a − → s ′ and u = s ′ t; or − there exists t ′ ∈ S such that t a − → t ′ and u = s t ′ . The structural operational semantics of any process calculus that includes an operation for pure interleaving generates an LTS with merge. Moreover, any LTS can be augmented to an LTS with merge, for instance through a transition system specification [1] that includes all states of the original LTS as constants and a binary operation with the usual structural operational rules for interleaving parallel composition. Henceforth we deal with LTSs with a merge .
Proof. Let R be the reflexive and transitive closure of the relation Let C be the function that assigns to each state its equivalence class with respect to R. It suffices to prove that C is a consistent divergence preserving colouring. So suppose C(r) = C(r ′ ). Using Lemmas 3.3 and 3.5 it suffices to show that r and r ′ have the same C-coloured traces of length three and the same divergent C-coloured traces of length one. It is straightforward, but notationally cumbersome, to establish this in the special case that r = p q and r ′ = p ′ q ′ with p ↔ ∆ b p ′ and q ↔ ∆ b q ′ . The general case then follows by induction on the length of a chain of pairs from the relation displayed above showing that the pair (r, r ′ ) is in its reflexive and transitive closure.
A similar proof shows that also ↔ b is a congruence for . However, ↔ λ b is not. Example 5.3. Consider an LTS with merge that contains a state 0 without outgoing transitions, a state ∆0 with a τ -loop (an outgoing τ -labelled transition to itself) and no other outgoing transitions, and a state a with a a − → 0 and no other outgoing transitions.
(Note that such an LTS is, e.g., generated by the structural operational semantics of CCS with recursion.) Then 0 ↔ λ b ∆0. Figure 4a shows the fragment consisting of the states 0, ∆0 and a of the LTS under consideration. Figure 4b shows a fragment where the merge is applied. Observe that 0 a ↔ λ b ∆0 a. The reason is that ∆0 a has a maximal path that stays in its initial state, whereas 0 a has not. This problem does not apply to ↔ b because 0 a ↔ b ∆0 a. It does not apply to ↔ ∆ b because 0 ↔ ∆ b ∆0. The example above involves a deadlock state, namely 0. This is unavoidable, as on LTSs without deadlock ↔ λ b coincides with ↔ ∆ b (cf. Section 3) and hence is a congruence for . The standard solution to the problem of an equivalence ∼ failing to be a congruence for a desirable operator Op is to replace it by the coarsest congruence for Op that is included in ∼ [13]. Applying this technique to the current situation, the coarsest congruence for included in ↔ λ b turns out to be ↔ ∆ b . Theorem 5.4. ↔ ∆ b is the coarsest congruence for that is included in ↔ λ b . 4 4 Strictly speaking, we merely show that ↔ ∆ b is the coarsest congruence for that is included in ↔ λ b and satisfies the Fresh Atom Principle (FAP). This principle, described in [9], is satisfied by a semantic equivalence ∼ on LTSs when ∼ on an LTS L can always be obtained as the restriction of ∼ on any given larger LTS of which L is a subLTS, and whose transition labels may be drawn from a larger set of actions Proof. We have already seen that ↔ ∆ b is a congruence for , and that it is included in ↔ λ b . To show that it is the coarsest, we need to show that if ∼ is any congruence for that is included in ↔ λ b , then ∼ is included in ↔ ∆ b . So let ∼ be such a congruence and assume s ∼ t. We need to show that s ↔ ∆ b t. Let a be an action that does not occur in any path from s or t. Since ∼ is a congruence for , we have s a ∼ t a, where a is the state from Example 5.3. As ∼ is included in ↔ λ b we obtain s a ↔ λ b t a. Let C be a fully consistent colouring with C(s a) = C(t a). Define the colouring D by D(p) = C(p a) for p a state reachable from s or t, and D(p) = p otherwise. Then D(s) = D(t). It suffices to show that D is consistent and preserves divergence, implying s ↔ ∆ b t. So suppose D(p) = D(q) with p = q. Then C(p a) = C(q a). First we show that p and q have the same D-coloured traces. Let σ be a D-coloured trace of p. Then σ is also a C-coloured trace of p a. As p a and q a have the same complete C-coloured traces, they surely have the same C-coloured traces (for the coloured traces of a state are the prefixes of its complete coloured traces). Hence σ is a C-coloured trace of q a. As p is reachable from s or t, the action a cannot occur in σ. Therefore, σ must also be a D-coloured trace of q. By symmetry, any D-coloured trace of q is also a D-coloured trace of p, and hence p and q have the same D-coloured traces.
Next, we show that p and q have the same divergent D-coloured traces. So let σ be a divergent D-coloured trace of p. Then σ is also a divergent C-coloured trace of p a. Hence σ is a complete C-coloured trace of p a and thus also of q a. As the action a cannot occur in σ, it is not possible that σ stems from a finite maximal path from q a. Therefore, σ must be a divergent C-coloured trace of q a, and hence a divergent D-coloured trace of q. Again invoking symmetry, p and q have the same divergent D-coloured traces.
It follows that D is consistent and preserves divergence; thus s ↔ ∆ b t. So if one is in search of a semantics such that, for s and t states in an LTS, − if there is a CTL * −X state formula ϕ such that s |= η ϕ but t |= η ϕ, then s and t should be distinguished, − if s and t can be distinguished after placing them in a context u for some u, then they should be distinguished to start with, and − no two states should be distinguished unless this is required by the previous two conditions, then branching bisimulation semantics with explicit divergence is the answer, for s ↔ ∆ b t iff for all u and all ϕ ∈ Φ we have s u |= η ϕ ⇔ t u |= η ϕ.

6.
Adding deadlock detection to CTL * −X We saw above that there are important properties of states s in an LTS that can be expressed in terms of a context u and a CTL * −X formula ϕ, namely as s u |= η ϕ, but that cannot be directly expressed in terms of CTL * −X . This is somewhat unsatisfactory, and therefore we propose an extension of CTL * −X in which this type of property can be expressed directly. We add a path modality ∞ that is valid on a path π iff π is infinite. This path modality, than those of L. FAP allows us to use the state a that figures in the proof of Theorem 5.4, regardless of whether such a state, or the fresh action a, occurs in the given LTS or not. FAP is satisfied by virtually all semantic equivalences documented in the literature, and can be used as a sanity check for meaningful equivalences [9]. or actually an equally expressive one, was studied prior by Kaivola & Valmari [11] in the context of Linear Temporal Logic without the next state operator-see Section 9.
Definition 6.1. The syntax of CTL * ∞ is given by ϕ : Validity is defined as in Definition 2.2, but adding the clause − π |= ∞ iff the path π is infinite.
The negation of ∞ holds for a maximal path π iff π is finite, and hence ends in a deadlock. It is tempting to simply extend CTL * −X with a state formula δ such that s |= δ iff ¬∃s ′ . s − → s ′ . This would make it possible to express ∞ as ¬Fδ. However, this would make the resulting logic too expressive: the two states in the Kripke structure • − → • (with the empty labelling) are branching bisimulation equivalent with explicit divergence, yet they would be distinguished by this extension of CTL * −X , as only the last state satisfies δ. CTL * ∞ is an extension of CTL * −X . There is no need for a similar extension of CTL * , for δ can be expressed as ¬∃X⊤. In particular, CTL * ∞ is not more expressive than CTL * . The definition of branching bisimulation equivalence with explicit divergence lifts easily to Kripke structures: s ↔ ∆ b t, for s and t states in a Kripke structure, iff there exists a consistent and divergence preserving colouring C such that C(s) = C(t). Here divergence preserving is defined as in Section 3; by Lemma 3.5, this time applied to Kripke structures, a consistent colouring preserves divergence iff, for any states s and t, C(s) = C(t) implies for any infinite path π from s with C(π) = C(s) there is an infinite path ρ from t with C(ρ) = C(t).
Theorem 6.2. s ↔ ∆ b t iff s |= ϕ ⇔ t |= ϕ for all CTL * ∞ state formulas ϕ. Proof. "Only if" goes as in the proof of Theorem 2.7, reading |= for |= db , requiring C to be consistent and divergence preserving, and, in the second paragraph, requiring the paths π and ρ to be maximal and C(π) to be a complete coloured trace of s and t. Here we use that if a colouring is consistent and divergence preserving, then two states with the same colour must also have the same complete coloured traces. This follows from Lemma 3.7, this time applied to Kripke structures.
There is one extra case to check. Suppose C(π) = C(ρ) and π |= ∞, but ρ |= ∞. Then the last state t of ρ has the same colour C(t) as one of the states s of π. Let π ′ be the (infinite) suffix of π starting at s. Then C(π ′ ) = C(s) = C(t), yet there is no infinite path from t, contradicting that C is divergence preserving.
"If" goes as in the proof of Theorem 2.7, but this time we also have to show that C preserves divergence. So let s and t be states and π an infinite path from s with C(π) = C(s) = C(t) = C. Let U = {u | there is a path from t to u and C(u) = C}.
For every u ∈ U pick a CTL * ∞ formula ϕ u ∈ C − C(u). Now s |= ∃ ∞ G( u∈U ϕ u ) and, as C(s) = C(t), also t |= ∃ ∞ G( u∈U ϕ u ). Thus, there is an infinite path ρ from t such that t ′ |= u∈U ϕ u for all states t ′ in ρ. It follows that t ′ ∈ U. Hence C(t ′ ) = C and thus C(ρ) = C.

7.
Adding deadlock detection to CTL −X CTL −X is the sublogic of CTL * −X that only allows path formulas of the form ϕ U ϕ ′ and ¬(ϕ U ϕ ′ ), where ϕ and ϕ ′ are state formulas. Equivalently, it can be defined as only allowing path formulas of the form ϕ U ϕ ′ and Gϕ, for we have Theorems 2.7 and 2.8 are also valid when using CTL −X instead of CTL * −X , for their proofs use no other temporal constructs than ∃(ϕ U ϕ ′ ) and ∃Gϕ.
A natural proposal for CTL ∞ would be to add the path quantifier ∃ ∞ to CTL −X , thus yielding the syntax However, we can economise on that, for s |= ∃Gϕ iff s |= ∃ ∞ Gϕ ∨ ∃(ϕ U (∀Gϕ)) where ∀Gϕ is an abbreviation for ¬∃(⊤ U ¬ϕ). Hence CTL ∞ can be given by the syntax It follows immediately from the proof of Theorem 6.2 that this language is sufficiently expressive to characterise branching bisimulation equivalence with explicit divergence: It is tempting to simply write ∃ ∞ G as ∃G; that is, to keep the same syntax as for CTL −X but define its semantics in such a way that ∃(ϕ U ϕ ′ ) asks merely for a finite path, whereas ∃Gϕ asks for an infinite one. This deadlock sensitive interpretation of CTL −X is an alternative for the interpretation of [5]. It is consistent with the classical interpretation of CTL [7,3], as for total Kripke structures there is no difference between ∃ ∞ and ∃.

The deadlock extension of Kripke structures
Following De Nicola & Vaandrager [5] we have applied CTL * −X to non-total Kripke structures by using maximal instead of infinite paths in the definition of validity. As remarked in Section 2, the same effect can be obtained by transforming a non-total Kripke structure into a total one by adding a self-loop s − → s to every deadlock state s, and applying the standard CTL * −X semantics to the resulting total Kripke structure. However, the latter does not apply to CTL * ∞ , because the self-loop s − → s invalidates the formula ∃¬∞ that holds in any deadlock state s. Here we define another transformation on Kripke structures that makes every Kripke structure total, and allows the encoding of CTL * ∞ in terms of CTL * −X . An example of this transformation is depicted in Figure 5. "Only if": Let C be a consistent and divergence preserving colouring on K. Extend it to a colouring D on D(K) by assigning a fresh colour δ to the extra state s δ of D(K). It suffices to check that D is consistent and divergence preserving.
Claim. From any state s in K with the same colour as a deadlock state t in K there must be a path π to a deadlock state such that C(π) = C(t).
Proof of claim. As t has no C-coloured traces of length two, neither does s, and as t has no divergent C-coloured traces, neither does s. Thus, all paths from s are finite and only pass through states with colour C(t).
Application of the claim. The D-coloured traces of length two of a state s = s δ in D(K) are the C-coloured traces of length two of the state s in K, together with the trace C(t)δ in case s has the same colour as a deadlock state t in K. Thus D is consistent by Lemma 2.5, and preserves divergence by Lemma 3.5.
The "if"-direction of the theorem, with a similar proof, also applies to ≈ s and ≈ dbs , but the "only if"-direction does not. As a counterexample, let K be a Kripke structure with a deadlock state d (having no outgoing transitions) and a livelock state l (with a self-loop as its only one outgoing transition); neither state satisfies any atomic propositions. In K we have d ≈ s l, and hence d ≈ dbs l, but in D(K) we have d ≈ dbs l, and hence d ≈ s l.
Considering that Kripke structures of the form D(K) are total, and that on total Kripke structures ≈ s and ↔ ∆ b coincide, it is in fact impossible to define a transformation like D for which Theorem 8.2 holds for both ↔ ∆ b and ≈ s . Now let η be an arbitrary LTS-to-L 2 TS-transformation, yielding an LTS-to-Kripkestructure transformation that is also called η (see Section 4). Then D • η is not a valid LTS-to-Kripke-structure transformation as intended in [5], for it fails to preserve ↔ λ b / ≈ s and ↔ b / ≈ dbs (cf. Definition 4.5). Yet, it satisfies and on total Kripke structures ↔ ∆ b and ≈ s coincide), and as such it is a suitable transformation for defining validity of CTL * −X formula on states in LTSs. We obtain: Corollary 8.3. Let s and t be states in an LTS, and let η be an LTS-to-L 2 TS transformation. Then s ↔ ∆ b t iff s |= D•η ϕ ⇔ t |= D•η ϕ for all CTL * −X state formulas ϕ. Thus, one way to make CTL * −X suitable for dealing with deadlock behaviour on LTSs is to stick to total Kripke structures and translate LTSs to Kripke structures by a translation D • η instead of a transformation η as proposed in [5]. This way branching bisimulation equivalence with explicit divergence becomes the natural counterpart of stuttering equivalence on Kripke structures, and we have the modal characterisation of Corollary 8.3.
An alternative is to stick to more natural transformations η meeting the criteria on Definition 4.5, apply the definition of validity of CTL * −X formulas to non-total Kripke structures as in [5], and extend CTL * −X to CTL * ∞ as indicated in Section 6. Below we show that these solutions lead to equally expressive logics on LTSs.
We remark that checking whether s δ |= ∃ψ ′ is simple: just substitute ⊤ for δ and ⊥ for all other atomic propositions in ψ ′ , while simplifying subformulas ψ 1 U ψ 2 to ψ 2 . The latter is justified because the unique infinite path starting from s δ has only itself as suffix. In CTL * ∞ the path modality ∞ is equally expressive as the path modality ψ U δ of Definition 8.4, saying of a path that it is finite and all its suffixes satisfy ψ. This is because π |= ψ U δ ⇔ π |= ¬∞ ∧ Gψ and π |= ∞ ⇔ π |= ¬Fδ ⇔ π |= ¬⊤ U δ. In this light, the encoding D of CTL * ∞ into CTL * δ merely adds a conjunct ¬δ here and there. These conjuncts are not optional; they enable, for instance, the correct translation of the CTL * ∞ path formula Gp by the CTL * δ formula ¬δ ∧ G(δ ∨ p). Recall that in Section 6 we considered extending CTL * −X with a state formula δ such that s |= δ iff ¬∃s ′ . s − → s ′ . We then argued that this would make the resulting logic too expressive. Note that in our current proposal the atomic proposition δ only holds in the fresh state s δ of the deadlock extension D(K) of a Kripke structure K and not in any of the original states of K. As a consequence, in CTL * ∞ , which does not have the next state modality X, we can express the property that deadlock is unavoidable (when all paths from an original state of K lead to deadlock), but we still cannot express the property of being deadlocked (i.e., the property that holds in an original state of K iff no further transitions are possible).
Theorem 8.6. Also the logics CTL δ and CTL ∞ are equally expressive.
Proof. This follows because D can be restricted to a mapping from CTL ∞ to CTL δ formula and E to a mapping from CTL ∞ to CTL δ formula. In particular, otherwise.

Linear temporal logic with deadlock detection
Linear Temporal Logic [14] (LTL) is the sublogic of CTL * that allows propositional variables p ∈ AP but no other state formulas to be used as path formulas. Path formulas are applied to states by an implicit universal quantification: s |= ψ iff s |= ∀ψ. In this section we explore the programme of this paper in the setting of LTL −X (LTL without the next state modality), and compare the results with the branching time case. First we characterise the equivalence induced on the states of a Kripke structure (S, L, →) by validity of LTL −X formulas. We can conveniently use the notion of complete coloured traces in this characterisation, observing that L is a colouring in the sense of Definition 2.3. We write s ≈ L t if the states s and t have the same complete L-coloured traces. Now two states satisfy the same LTL −X formulas iff they have the same complete L-coloured traces.
"If": Suppose that s ≈ L t. Then, without loss of generality, there exists a maximal path ρ from t such that for all maximal paths π from s it holds that L(π) = L(ρ); we define an LTL −X formula ψ such that s |= ψ, while t |= ψ.
First, we define for every colour C, which is a subset of AP, a formula ψ(C) with the property that π |= ψ(C) iff the first state of π has colour C. (A possible definition of ψ(C) would be p∈C p ∧ p ∈C ¬p; however, one can economise on the cardinality of this conjunction by including only one conjunct for every other colour D that actually occurs in the underlying Kripke structure-this way we meet the cardinality restriction imposed in Section 2.) For every maximal path π from s such that L(ρ) is not a prefix of L(π), let ψ π = (· · · ((ψ(C 0 )) U (ψ(C 1 ))) U · · · ) U (ψ(C k )) , where C 0 , C 1 , . . . , C k is the shortest prefix of L(ρ) that is not also a prefix of L(π). For every maximal path π from t such that L(ρ) is a prefix of L(π), let ψ π = ¬(· · · ((ψ(D 0 )) U (ψ(D 1 ))) U · · · ) U (ψ(D k )) , where D 0 , D 1 , . . . , D k is the shortest prefix of L(π) that is not also a prefix of L(ρ). Note that in either case we have ρ |= ψ π while π |= ψ π . Now, define ψ by ψ = ¬ {ψ π | π a maximal path from s} .
It is not hard to check that in a Kripke structure with less then κ states, for κ an infinite cardinal, less than κ of the formulas ψ π are different. Now, since ρ is a path from t such that ρ |= ψ, it follows that t |= ψ. On the other hand, since π |= ψ π , it follows that π |= ψ for all paths π from s, and hence s |= ψ.
In order to lift this notion of equivalence from Kripke structures to LTSs, consider a trivial colouring T, assigning the same colour to all states in an LTS, and write s = λ T t if s and t have the same complete T-coloured traces. In [8], = λ T was called divergence sensitive trace equivalence. The following counterpart of Theorem 4.3 indicates that = λ T is on LTSs what ≈ L is on Kripke structures: Theorem 9.2. On a consistent L 2 TS ≈ L equals = λ T . Proof. If π is a path from a state s and ρ a path from t in a consistent L 2 TS (S, L, →), then L(π) = L(ρ) ⇔ L(s) = L(t) ∧ T(π) = T(ρ) where L(π) denotes the L-coloured trace in the associated Kripke structure (thus, forgetting the actions) and T(π) denotes the trivially coloured trace in the associated LTS (thus, keeping the visible actions, but forgetting the colours). This is an immediate consequence of the definition of consistency, and it immediately implies the theorem.
Theorem 9.5. s ≈ ∆δ L t iff s |= ψ ⇔ t |= ψ for all LTL ∞ formulas ψ. Proof. Let L δ (π) be the L-coloured trace of a path π as given in Definition 2.3, but with a symbol δ tagged at the end iff π is finite and maximal (i.e. ending in deadlock). Then s ≈ ∆δ L t iff for every path π from s there is a path ρ from t such that L δ (π) = L δ (ρ), and vice versa.
"If": Suppose that s ≈ ∆δ L t. Then, without loss of generality, there exists a maximal path ρ from t such that for all maximal paths π from s it holds that L δ (π) = L δ (ρ). As in the proof of Theorem 9.1 we define an LTL −X formula ψ such that s |= ψ, while t |= ψ. For π a maximal path from s such that L(π) = L(ρ), we define the formula ψ π exactly as in the proof of Theorem 9.1. In case L(π) = L(ρ) but L δ (π) = L δ (ρ) we take ψ π to be ∞ or ¬∞. The definition of ψ remains the same.
Corollary 9.6. Let s and t be states in an LTS, and let η be an LTS-to-L 2 TS transformation preserving and reflecting = ∆δ T . Then s = ∆δ T t iff s |= η ψ ⇔ t |= η ψ for all LTL ∞ formulas ψ. The deadlock extension of Definition 8.1 gives the same result.
Theorem 9.7. Let s and t be states in an LTS, and let η be an LTS-to-L 2 TS transformation preserving and reflecting = ∆δ T . Then s = ∆δ T t iff s |= D•η ψ ⇔ t |= D•η ψ for all LTL −X formulas ψ.
Proof. Just like Corollary 8.3, this follows immediately from the observations that s ≈ ∆δ L t within a Kripke structure K iff s ≈ ∆δ L t within the Kripke structure D(K) (cf. Theorem 8.2), and that on total Kripke structures the equivalence relations ≈ ∆δ L and ≈ L coincide. Kaivola & Valmari [11] study equivalences on LTSs with the property that under all plausible transformations of LTSs into Kripke structures two equivalent states (transformed into states of Kripke structures) satisfy the same formulas in either LTL −X or LTL ∞ . They characterise the coarsest such congruences for a selection of standard process algebra operators-including the merge, but also a partially synchronous parallel composition as well as nondeterministic choice-as NDFD -equivalence (for LTL −X ) and CFFD -equivalence (for LTL ∞ ). In turns out that neither = ∆λ T nor = ∆δ T are congruences for the partially synchronous parallel composition, or for nondeterministic choice. Hence to satisfy the requirement of being a congruence for these operators, NDFD -equivalence is necessarily finer than = ∆λ T , and CFFD -equivalence is necessarily finer than = ∆δ T . The question of raising the expressiveness of LTL −X to the level where it characterises NDFD-or CFFD-equivalence directly remains open.

Conclusion
In this paper we enabled CTL −X and CTL * −X to be used as logics on labelled transition systems (LTSs) while taking deadlock behaviour into account. This could be accomplished by adding a modality to CTL * −X , by adapting the semantics of the G-modality (in CTL −X ), or by adapting the translations from [5] from LTSs to Kripke structures. We have shown that these approaches all lead to equally expressive logics on LTSs. Our work allows the