Synchronous and asynchronous digital circuits, parallel programs, and network protocols are examples of concurrent systems. We view a concurrent system as a set of discrete-state processes. We define, analyse, and implement a liveness condition for concurrent systems.
I Introduction
Synchronous and asynchronous digital circuits, parallel programs, and network protocols are examples of concurrent systems. We view a concurrent system as a set of discrete-state processes. We define, analyse, and implement a liveness condition for concurrent systems.
Two functional correctness concerns for concurrent systems are safety and liveness. Intuitively, safety properties assert that "something bad does not happen" and liveness properties assert that "something good eventually does happen" [ll] .
Defining a liveness condition has a major obstacle. In our view, a correctness condition should be expressible in terms of common descriptions of concurrent systems, such as Petri nets, concurrent programs in some language, or digital circuit schematics together with, say, logic relationships between the inputs and outputs of each component. The obstacle is that such descriptions specify only the finite executions (sequences of events) of concurrent systems, while two systems with different liveness properties can have the same finite executions. For this reason, finite-execution models have been considered ambiguous for defining liveness (e.g., see [2] ).
On the other hand, it is not desirable to use extended models in which the users have to specify liveness properties and/or infinite executions, because such user-dzrected approaches have serious deficiencies. From a practical point of view, they are tedious and error-prone. From a theoretical point of view, they have not produced a necessary and sui%-cient condition for liveness definable in terms of common models of concurrent systems (like the models above). From both points of view, they provide no indication of completeness of the liveness requirements, which are left up to the users t o derive instead of being extracted from common specifications.
To illustrate how appropriate liveness requirements are easy to overlook and hard to specify explzcztly, let us consider a gate specified by a boolean function. In the absence of timing concerns, it is easy to forget to specify that a gate should not deadlock internally; such an error allows for an asynchronous circuit t o do nothing in response to changes in inputs. Also, consider a mutual exclusion element which ensures that two processors do not access the same resource at the same time. Trivial implementations are an arbiter that serves none of the processes [8] and an arbiter that always favours one of the processes.
Here we resolve the ambiguity of finite-execution models by a different approach. In practice, liveness properties seem t o be zmplzcztly assumed, like deadlock-freedom and fairness in the examples above. We consider that a finite-execution description also specifies the infinite executions of a system. In effect, we attach unique liveness constraznts to finiteexecution smplementatzons and unique liveness requzrements to finite-execution specsjicatsons.
(Of course, diverse liveness requirements for a system are possible, because diverse finite-execution specifi-cations are possible.) This way we obtain a relatwe liveness Condition able to detect deadlock arid unfairness in common models of concurrent systems.
We deriive a language-theoretic and a graphtheoretic form (traplock-freedom) for our liveness condition. We show these two forms are equivalent. The equivalence of two different models is an indication of appropriateness of our condition. We describe an algorithm fior the verification of traplock-freedom.
We also introduce a new condition for safety, which agrees with several previous conditions [15, 17, 5, 4, 181 under certain restrictions on the inputs and outputs, but differs from them at least in the pathological cases of dangling inputs and connected outputs.
We provide theorems for modular and hierarchical verification of safety and liveness. These results are of practical and theoretical importance. Practically, they are a partial remedy to the state-explosion problem in the analysis of concurrent systems. Theoretically, they constitute algebraic characterizations of the relationships we define. The regularity of these theorems may be an indication of appropriateness of our colnditions.
Previous treatments of liveness have not produced a necessary and sufficient liveness condition expressible in terms of common descriptions of concurrent systems. In [lo] and [4], very general frameworks for reasoning about liveness have been proposed, along with thorough algebraic treatments. However, those approaches are user-directed as described above. In [l] , an exhaustive characterization of liveness properties has been proposed. However, nothing is said about which of the properties in the class defined by [l] can be used for a liveness condition. The liveness condition in [la] also provides important insights. Unfortunately, that condition does not properly model fairness, even compared to intuitive explanations in [la] (see [14] ). An interesting trace-based imodel of progress properties with a careful algebraic treatment has been proposed in [HI. However, of the liveness faults, [18] (detects only global deadlock (where every process is blocked).
CCS [13] and CSP [9] can model high-level concurrent systems in a convenient and elegant manner. However, [la] lists several problems with these formalisms when they are used to define liveness, and [4] points out difficulties in using these formalisms for modeling low-level communication.
We use double quotes 'W for citations and single quotes " for some informal or undefined terms.
Multiple references are ordered chronologically.
All results stated here are proven in [14] .
Figure 1: Traplock-freedom.
Informal Preview
In this section we discuss informally some of our motivations and results. This is followed by a formal treatment in the body of the paper. A liveness condition should be able to detect deadlock and unfairness, should be satisfied by correct circuits, and should satisfy certain algebraic properties. Ideally, it should also be satisfied by circuits that, may be incorrect for other reasons, but have no 'deadlocklike' or 'unfairness-like' faults.
A relative correctness condition compares an implementation to a specification (as opposed to examining an implementation by itself).
Traplock-freedom (the graph-theoretic form of our liveness condition) uses automata for the implementation and the specification. In figures, automata, have an initial state marked with an incoming arrow, and edges marked with actions. Inputs have a ? and outputs have a !. Events (occurrences of actions) are assumed to be instantaneous and not to occur at precisely the same time, even if they are independent. In Figures I-4 , the specification is on the left, the implementation on the right, and the sign means relative liveness is satisfied. The 'frames' are just markers.
Basically, traplock-freedom forbids that the implementation get stuck in some set of states while the specification demands an output action to be eventually issued. In Figure 1 (a) , the specification ignores c! because c is not in its alphabet. Traplock-freedom detects a danger of deadlock because the implementation may enter the framed state while the specification stays in the initial state. which combines deadlock with divergence. Again, the specification ignores b!, c!, and d!. The implementation can enter and remain in the framed subgraph while the specification waits for a!. From the specification point of view, this fault is a deadlock-like fault, no different from that in Figure 1 (a) . Figure 1 (c) illustrates unfairness. The implementation can stay in the framed graph, while the specification moves just within its framed subgraph. A c! is thus demanded by the specification, but never comes. In Figure 1 (d) , an a! is demanded by the specification in the initial state, but the implementation cannot produce it right away; it has to produce a b! first. Still, the implementation is fine, since a! will eventually come as requested.
In a user-directed approach, the information in Figures 1-4 , would be considered insufficient because no liveness properties are explicitly specified. It is conceivable that the specification in Figure 1 (a) allows for termination in the initial state, in which case no deadlock would occur. It is also conceivable that the specification in Figure 1 (c) allows for the infinite execution ababab. . ., in which case that implementation would be fine. We avoid such misunderstandings by a precise augmented semantics. The new semantics then specifies the appropriate liveness properties, but still uses just a finitary (finite-execution) description.
A correctness condition should not be perturbed by the introduction of a redundant, disconnected part in a system. If a d!, e! loop (Figure 2 (a) ) is introduced in the implementation in Figure 1 (a), one obtains the automaton in Figure 2 (c). For us, the newly added part neither fixes nor changes the nature of the fault, because the specification sees exactly the same behaviour as before. The danger of deadlock remains, even if some part never stops in the implementation! Some subtle situations are shown in Figure 3 . In Part (a), the specification and implementation are the well-known asynchronous components SELECTOR and TOGGLE (e.g., see [6] ). We think that TOGGLE is a good realization of a SELECTOR in most practical situations. In this, we agree with [18] (p. 63). Our condition is such that firing c in the framed specification cycle exempts the execution point from eventually having to take the exit c from the cycle. Our liveness con- dition is satisfied here. This point of view follows naturally from considering fairness with respect to symbols rather than words. In Part (b), the specification is a FOFLK (e.g., see [6] ) and the implementation is an ASYMMETRIC FORK (unequal branch delays). The specification reflects the fact that branch delays are not known in advance and may vary due to manufacturing dispersion and operating conditions. In VLSI circuits, one branch delay may turn out to be longer than the other. Note that this is normally acceptable. Our liveness condition is satisfied in this situation. Again, this is due to our use of fairness with respect to symbols rather than words. In [14], we also define a liveness condition with respect to words, and discuss its disadvantages. Figure 4 illustrates some subtleties involving choice (output non-determinism). In Part (a), the implementation differs from the specification only because it issues an internal symbol d! before every b!. This difference is not detectable at the interface (formed by the common symbols: a, b, c) so we consider this a good implementation. Traplock-freedom holds in this situation. (Note that the occurrence of b! cannot be preempt,ed by the environment. Due to the output consistency condition (see below), b can only be an input to the environment. Loosely speaking, a system does not control its inputs, and this is true for the environmeint, too.) For Part (b), we take the position that the implementation is not distinguishable from the specification by any external experiment on the implementation. In any experiment, the implementation operates only once. Traplock-freedom is satisfied here. If there are 'many' such implementations available for the experiment, or if the implementation can be used 'many' times, then a more appropriate representation should be that of Part (c), where the choice must be made infinitely often. Here, our condition is not satisfied, because the implementation stays forever in the framed subgraph, while the specification demands a b!. In [14], we also define a liveness condition which considers Part (b) (and similar cases) unacceptable, and discuss the disadvantages of that point of view.
The language-theoretic form of our liveness condition, like that of [12] , is yet another form of "any fair behaviour of the implementation must be fair for the specification". The key point here is the notion of "fair" or, better said, "live" behaviour. For us, live behaviours are those that have a property which we name strong laveness, after one of its relatives, strong fairness. Strong fairness (e.g., see [7] ) is defined for infinite sequences and demands that every syrnbol that is enabled infinitely often be fired infinitely often. Our notion of strong liveness unifies strong fairness with quiescence. Quiescence (e.g., see [lo] ) is defined for finite words and demands that no symbol be enabled at the end of a word. We insist on strong liveness for exactly the output (and internal) symbols. The fact that strong liveness represents the liveness properties of most (maybe all) practical concurrent systems was not noticed before. Also, the unification of st tong fairness and quiescence is new.
Our liveness relationship is transitive and compatible with parallel composition (coupling) of processes. Transitivity means that verification can be performed hierarchically, comparing only pairs of consecutive intermediate specifications. compatibility with coupling means that verification can be performed modularly, replacing parts by more detailed implementations, one part at a time, and comparing only the parts with their specifications. Such structured verification is of crucial1 practical importance, since it can speed up exponentially the overall verification process.
Our liveness condition is applicable only if two other correctness conditions are satisfied: out,put consistency and safety. Output consistency demands that no two processes have a common output (environment included). This is a well-known requirement for normal outputs of digital circuits, and is demanded as a correctness condition (e.g., in Our safety condition basically demands that, whenever an event can be generated by all processes that have it as an output, that event can also be accepted by all processes that have it as an input. Figure 5 illustrates this condition. We refer to the device on the left as P and on the right as Q. In Part (a), a safety fault occurs because Q can generate b! in the initial state, while P cannot accept it. The fault is absent in Part (b), where P can accept b? in any state, while Q can accept a! whenever P can generate a!. One notes that our safety condition has no restrictions, not even an output consistency restriction. This absence of restrictions is of practical relevance for implementations with dangling inputs (inputs not connected to any outputs). (What happens if an input to a component becomes disconnected? Is the circuit still safe?)
In Part (c) input b? of P is dangling. In most cases this would lead to safety violations because dangling inputs can generate transitions at any time (in circuits, they behave like antennae). In this case, however, there is no safety violation because of the dangling b?, since P can accept b? anytime. Part (d) illustrates our safety condition for connected outputs. The communication paradigm we use is 'broadcast' 'non-blocking send'-as is usual in digital circuits. Such outputs are normally not connected. Nevertheless, we do treat this case to 'decouple' safety from output consistency. Part (d) differs from (a) only by the direction of b in P. Informally, we consider connected outputs to be collaborating. In Part (d), b! cannot occur in the initial state because P cannot generate it. One also verifies that there is no safety violation involving a.
In the safety examples above we have considered a network of processes in isolation. A relative safety condition, comparing an implementation to a specification, is obtained by forming a network of the implementation and the environment of the specification (see Section 4) . The environment of the specification is obtained by swapping inputs and outputs.
Although safety was well understood before [15, 17, 5, 4, 181, previous conditions have restrictions (either explicit or hidden in the model) on the ports of the processes they can compare or connect, and on the theorems for structured verification. With our safety condition, we have eliminated all such restrictions. Our safety condition agrees with absence of computation interference [15, 51 if there are no dangling inputs and no connected outputs, but disagrees otherwise.
Trace Structures
We let U be a set, called the symbol universe. An alphabet is a subset of U . A word over an alphabet C is a finite sequence of symbols from E. Concatenation of two words is denoted by their juxtaposition. The empty word is E . For two words s and t , we write s 5 t if s is a prefix of t. A language is a set of words. We use the following notation for languages: pref is prefix-closure (the set of all prefixes of the words in a language), * is Kleene closure, U is union, .
or juxtaposition is concatenation, symbol x can represent language {x}, and alphabet C can represent the language of single-symbol words with symbols from E. A language is prefix-closed if it contains all prefixes of all its words. A trace structure is a triple P = ( i P , o P , l g P ) of two disjoint alphabets i P and OP and a prefix-closed, non-empty language I g P over iP U oP. The words of 1gP are called traces of P. The alphabet of P , denoted by aP, is iP U o P . The symbols in a P are called a c t i o n s of P . If symbol a is in oP, P is a source for a; if a E iP, P is a sink for a.
A trace structure P can represent a process in the following manner. Symbols in aP stand for ports. The symbols in oP, called outputs, are ports controlled by the process; they include the 'internal' ports and the genuine output ports. The symbols in i P , called inputs, represent ports controlled by the environment. The traces in 1gP stand for finite sequences of events that may have occurred in the modeled process up to a certain time.
A network is a set of trace structures. Note that there are no restrictions on the alphabets of the trace structures in a network.
The pro~ectaon of a word t on an alphabet C is a word t l E obtained by deleting from t all symbols which are not in E. For word t , trace structure P, and network N, we denote by t p the projection of t on the alphabet of P, i.e., t p = t J a P , and by t N the projection of t on UQENaQ.
The parallel composztzon of trace structures is a binary operation I1 such that ; 
The composite models a process whose behaviour is compatible with all composed processes. The reflectzon of trace structure P is a trace structure 7 such that iP = oP, oP = iP, and lgF = 1gP.
Reflection models the operating environmst of P. The reflectzon of network N is a network { ] I N } .
Connectivity and Safety Conditions
The ifmt connectivity condition is output consistency.
( U P E N "1 \ ( U P E N O P ) , OllN = U P E N OP, and
Definition 1 Network N as output-consistent, writt e n w ( N ) , if V P, Q E N, OP n OQ = 0.
Anoiher connectivity condition is input control, which insists that no inputs may be left dangling.
As ment,ioned before, our safety condition is independent of connectivity. We call the 'such that' part in the definition of safety the precondition and the 'we have' part the postcondition. Our safety condition says that, whenever an event is allowed to happen by all its sources in N , that event must be allowed to happen by all its sinks in N . To see that, consider t = u a such that U N E 1gllN and symbol a E U. The precondition demands that, for every source P of a in N , ( u u )~ be in 1gP (i.e., a be allowed to happen after U by (source) P ) . The postcondition demands that, for every P E N , ( u a ) p E 1gP (i.e., a is allowed tlo happen after U by every P ) ; finally, the postcondition is nontrivial only for P such that a is neither an output nor outside the alphabet of P (i.e., only for sirtks of a).
D e f i n i t i o n 2 A network N is safe, written a ( N ) , if
Examples axe given in Section 2. 
Theorem 1 For networks M , N , and 0 .such that M & , N , w e h a v e M u O~, N U O .

Liveness
For alph.abet C U , let C" be the set of all infinite sequences of symbols from C, and Cm the set of all finite or infinite sequences of symbols from E.
We We have Em = C" U E".
_ ------------
; Figure 6 : Recurrently enabled and fired symbols.
L--L--+a'; -_ _ ----------' L
and alphabet E, we denote by e@ the projection of e on E. For sequence e, trace structure P , and network N , e p = e l a P and eN = el(UQENaQ).
A limit of a language L is a sequence e such that every prefix of e is in L. A limit of trace structure P is a limit of 1gP. For example, consider a WIRE 
( { a } , { b } , p r e f ( a b ) * ) . The limit set of the WIRE is p r e f ( a b ) * U { ( a b ) w } .
Note that limits can be finite, and that the finite limits of a trace structure are precisely its traces. We have I g P (I l i d .
The limit sets of parallel compositions and reflections can be computed as follows. For trace structures
P and Q , we have lim(P1IQ) = { e E (aP U I e p E l i m p A eQ E l i m Q } and
In formalizing a notion of complete executions of a concurrent system, we have obtained a property that unifies a "strong fairness" property of infinite executions (e.g., see [7] ) with a ''quiescence" property of finite executions (e.g., see [lo] ). The property is formally the same for infinite and finite sequences, but, for clarity, the intuitive explanations are given separately for the two cases.
Symbol a is recurrently enabled by sequence e with respect t o language L if v t 5 e, 3 U : tu 5 e A t u a E L. The set of recurrently enabled symbols of e with respect to L is denoted by r e n L e . Finite sequence t immediately enables a symbol a in language L if t u E L. Note that, if e is infinite, the recurrently enabled symbols of e with respect to L are those symbols that are immediately enabled in L by infinitely many prefixes of e. See Figure 6 i.e., e has no recurrently fired symbols. For example, rfiac(ab)" = { a , b} and rfiaba = 0.
For alphabet C and language L , limit e of L is strongly live with respect to C and L if e recurrently fires all symbols from C that e recurrently enables in L , i.e., if renLe n C E rfie. For infinite e , strong liveness is the same as strong fairness. For finite e , strong liveness means that no symbol from C is enabled at the end of e.
Limit e of trace structure P is an output trap of P if e is strongly live with respect to OP and 1gP. The set of output traps of P is denoted by o t p P . (Note that otpP C_ l i d , and that the set of output traps of a trace structure is uniquely determined by its language and alphabets.) Output traps formalize our idea of 'reasonable' or 'live' complete executions of a process. For an intuitive picture, consider that the execution point of a system follows limit e. The recurrently enabled output symbols can be viewed as exerting a pressure to be fired by the process; that pressure is relieved for recurrently fired symbols only. If an output symbol a is recurrently enabled but is not recurrently fired by e , the pressure builds up and e is not complete because an a event is due to be fired by the process.
For
example, consider a SELECTOR ( { a } , { b , c } , pref(a(bUc))*). The set of output traps is ( a ( b u c ) ) *
U { e E {ub,ac}" I e fires 6 infinitely many times and e fires c infinitely many times }. The finite limits from (a(bUc))* are output traps because they do not immediately enable any output symbol. The infinite limits that fire both b and c infinitely many times are output traps because b and c are the only outputs and are recurrently fired. The remaining finite limits, those in (a(b U c ) ) * a , are not output traps because they immediately enable b and c. The remaining infinite limits are not output traps because they cease to fire one of the outputs after some finite prefix, but they recurrently enable both outputs. Intuitively, the remaining finite limits 'owe' an output event and the remaining infinite limits are 'unfair' to either b or c.
The following definition introduces our condition for liveness. S L",A I is a shorthand for S c,, I A S I .
Definition 3 For networks S and I , we write S I
Informally speaking, we consider that liveness violations are caused by limits that are 'non-live' for the specification, but are 'live' (!) for the implementation. An important insight is that sequences causing liveness faultis need to be live for the implementation, because liveness faults can be caused only by executions that can be produced by the implementation. Examples arid more explanations are given in Section 2, using autlomaton representations. More examples are given in [ 141.
T 
In words, every sequence that is 'live' for the implementation and 'legal' for the specification must be 'live' for the specification, too.
Moldeling Non-deterministic Con-
The language-theoretic model we have used so far is convenient for the algebraic treatment and for handwritten proofs of correctness. For automatic verification, an automaton model seems more suitable.
We define a model of non-deterministic concurrent systems using so-called behaviour automata, which are formally incomplete deterministic finite automata. With an inputloutput distinction, these automata represent non-deterministic systems because, for example, they can have choices between edges marked with output symbols.
Our atutomaton model was inspired by the ''state graphs" used previously in trace theory to represent trace structures having regular languages. To some extent, this model turned out to be similar to the I/Oautomata in [la] .
We define a state graph over a finite alphabet C as a pair G = (stG,edG), where s t G is a finite set of states and edG C V x C x V is a (finite) set of labeled edges . If ( q , b , q ' ) is an edge, then b is its label. Note that some symbols of C might n'ot appear as labels. An example of a state graph is given in Figure 7 A behaviour automaton consists of an unambiguous state graph whose alphabet is partitiloned into inputs andl outputs, together with an initial state.
Formally, a behaviour automaton is a tuple A = (iA, oA, st.4, edA, initA), where iA is the input alphabet oA is the output alphabet, s t A is the set of states, edA is the set of edges, and initA E s t A is the initaal state, such that iA and oA are finite and disjoint subsets of U and (stA,edA) is an unambiguous state graph over iA U oA. We use the same descrilption discipline as for trace structures. For us, internal symbols are outputs, because they are driven by the represented1 device rather than the environment. The unambiguity restriction means that behaviour automata cannot directly represent systems where two options of at choice have the same label (one has to use modeling tricks [14] ). However, we consider such systems to be rather marginal, since actions of interest are normallly denoted by different symbols. I[n particular, the options of a choice should be represented in our model by different output symbols. If the choice is internal to the implementation, the option symbols should be from the complement of the specification alphabet. Note the dissimilarity from CCS, which has only one internal symbol and thus distinguishes the options of a.n internal choice only by their external effects. In [14] we also state a version of our liveness condition in automata with ambiguous choice <and with a CCS-style silent action. The condition we have obtained is quite complex compared t o traplock-freedom. We settled for the unambiguity restriction, for simplicity without a significant loss of modeling power.
A behaviour automaton is rendered like its graph, except that: (a) the initial state is distinguished by an incoming arrow; (b) symbols have punctuation, ? for inputs and ! for outputs; and (c) unused alphabet symbols are listed below the graph. Figure 7 (b) shows a behaviour automaton.
For a behaviour automaton A we use the following notation. The alphabet of A, written aA, is iA U oA; the graph of A, written grA, is (stA,edA); the language of A, written lgA, is the set of all traces spelled by finite paths in grA that start at the initial state. Note that the language of a behaviour automaton is always prefix-closed and contains E. For example, let A denote the behaviour automaton in Figure 7 (b) ; then aA = { a , b, c } and 1gA = pref(ab*).
The semantics of behaviour automata is given by their languages and alphabets. For behaviour automaton A, the trace structure of A is trA = (iA, oA, 1gA) . Note that trA is well-formed.
A subgraph of a behaviour automaton A is a state graph G over aA such that stG C stA and edG C A knot in a behaviour automaton is a non-void, reachable and strongly connected subgraph. For example, the behaviour automaton in Figure 7 (initA, initB) . Informally speaking, the parallel composition describes behaviours consistent with both operands.
As we did for trace structures, we call the result of parallel composition a composite. Note that the case where a 6 aA and a 6 aB cannot occur in the definition of ed(AJIB), because a E a(A(JB). One verifies that AllB is well-formed.
For behaviour automaton A, trace t and sequence e, we use the notation t A = tJaA and eA = elaA. 
We define subgraph GB of B similarly.
Proposition 2 For behaviour automata A and B and knot G in AIIB, G A is a knot in A and G B is a knot in B.
7 Traplock-freedom that GI is a n output trap in I , G s is a n output trap in S.
Traplock-freedom is illustrated in Section 2 .
As we did for CA, we restrict the applicability of the traplock-freedom condition to behaviour automata that satisfy {trS} Cue {trl}, i.e., satisfy the safety and the output consistency conditions.
In conjunction with Property 1, the following theorem shows the equivalence of traplock-freedom condition to the language-theoretic form of our liveness condition.
Theorem1 6 For behaviour automata S and I , I is traplock-free f o r S iff {trS} L A {trI}.
Since two isomorphic behaviour automata have the same lang,uage, Theorem 6 also shows that traplockfreedom is, invariant under automaton isomorphismsa necessary property, since isomorphic automata normally represent the same process.
An Algorithm for Verification of
Livc mess
A polynomial-time algorithm for the parallel composition 'of two behaviour automata can be constructed straightforwardly using the definition of parallel compositions of behaviour automata in Section 7.
We present an algorithm to verify traplock-freedom of two behaviour automata S and I. The worst-case time complexity of our algorithm is C?(lgr(S/11)J3. / O S \ ) . Also, the constants hidden in these 0 ' s are around 1. The worst-case space complexity of our algorithm is O(/gr(S(II)/). Proofs of correctness and the complexity results are given in [14] .
The method for verification of liveness sketched as a remote possibility in [4] is acknowledged to be impractical, because its worst-case time cost grows exponentially with the square of the size of the specification. To assess the practicality of our algorithm, we compare it t o the very successful verification algorithm for mfety in [4] . The (worst-case) time cost of our verification method is no larger than T 3 times a small lineatr factor, where T is the (Worst-case) running time of Dill's safety algorithm. The space cost of our liveness algorithm is the same as that for the safety algorithm in [4] . Note, however, that a liveness condition is of a different nature than a safety condition, and seems to be more complex a priori. Also, in the average case our algorithm does not visit those states of I that cannot be reached according t o the specification; this feature is important because, as pointed out in [4] , most states of a flawed implementation are typically such spurious states. Still, although thie costs of our algorithm for traplock-freedom are polynomial in the sizes of S and I , the costs of the overall verification method should include computing I as a parallel composition. These costs are exponential in the number of components, just like the successful method for safety in ['I] . This state-explosion problem is partly remedied by modular and hierarchical verification (as we have shown that our safety and liveness conditions have the required algebraic properties).
Conclusions
We establish a complete execution semantics t o finite-execution descriptions of concurrent systems, modeling the implicit liveness properties that seem t o be assumed for practical concurrent systems. In defining that semantics, we use strong liveness, a new concept that unifies strong fairness and qui-
