Rob van Glabbeek (Sydney)
Marc Voorhoeve (TUE) department of mathematics and computer science 1 of 21

Contents
1. Motivation
2. IF equivalence
3. Results department of mathematics and computer science 2 of 21

fair testing
Context
Why yet another equivalence relation?
IF contrasim weak bisim weak+div trace failure ready simulation strong bisim department of mathematics and computer science 3 of 21

Motivation
System development: model-based vs. requirement-based.
Combination often preferable.
Equivalence implementation – model: branching/weak bisimilarity?
Advantages: compositional, preservation of any requirement.
Disadvantage: restrictive.
Non-bisim equivalence: compositional when congruence increases implementer’s freedom.
department of mathematics and computer science 4 of 21

Compositional verification f t nok ok f t t

 c c t ( nok .
f .
t ) * ok .
c c abstraction

{ ok , nok }
( t ( nok .
f .
t ) * ok .
c ) reduction (contrasim) f t ( t .
f ) * tc department of mathematics and computer science 5 of 21

Too much freedom!
Processes v,w : failures/ready simulation equivalent!
s f v t f t w

Legend: t: try c: connect f: fail s: stop visible c hidden s f u s t corrupted states
Corrupted state u : action c impossible.
u rea chable from w not v.
6 of 21 department of mathematics and computer science

Motivation (conclusion)
Non-bisim equivalences: more freedom for implementer.
Needed: knowledge about preservation of properties.
IF (impossible future) equivalence preserves AGEF properties.
department of mathematics and computer science 7 of 21

Contents
1. Motivation
2. IF Equivalence
3. Results
• Preliminary notions
• Definition
• Properties preserved
• Connection with liveness and fairness department of mathematics and computer science 8 of 21

Transition systems
Process: state in labeled transition system (LTS)
Legend: t: try c: connect f: fail s: stop f gsmspec s v t c gsmimpl f t w s f s t department of mathematics and computer science 9 of 21

Transition relations
Set A of visible actions:
Special hidden action
 
A
( S

S a set (of states)
  
 
S

( A

: {

})

S ternary transition relation f v = gsmspec s f v t c b d c e v f
 t c ,
 f v , c
  v
 s b .
f , trace relation
  
 
S

A
* 
S v
  v , v
 t f , v
 t c , v
 tfs b .
10 of 21 department of mathematics and computer science

Impossible futures equivalence
IF: decorated trace
IF ( p ) :

{(

, B ) |
 p ' : p
  p ' :
  
B :: p '

}
( t , { fs , ft })

IF ( v ) v
 t d
 d fs  d ft f f v t s c b d c
( t , { fs , c })

IF ( v ) v
 t d
 d
 c v
 t c
 c
 c v
 t f
 f
 fs e
IF equivalence: same IFs p

IF q
IF ( p )


IF ( q ) department of mathematics and computer science
Congruence with root condition: ax
 x
 ay
 y

IF

IF
 x a (
 x
 

( x
 y )
 y )
11 of 21

Properties preserved by IF
(

, B )

IF ( p )

 p ' : p
  p ' : (
  
B :: p '
 
)
IF ( p ) :

{(

, B ) |
 p ' : p
  p ' :
  
B :: p '

}
Having observed
, it is possible to continue with a trace
 from B.
mcalculus :
 
  
B
 
T
CTL: AG
 
EF (

 
B

)
(AGEF property)
Not IF preserved
(not AGEF):
 
(

T
 
T)
12 of 21 department of mathematics and computer science

Some AGEF properties
No deadlock/livelock:
Soundness:
 
T T
 
T * √
Delivery ( d ) possible after order ( o ) :

T * o T *

T * d T
Order that is not confirmed ( c ) can be aborted ( a ):

T * o (
 c ) *

T * a T
An order that can be confirmed, can be aborted
(at the same time):

T * o T *

( c T
 a T)
Not AGEF: o b
 o ( c
 a ))

IF o b
 o ( b
 c )
 o ( c
 a ) department of mathematics and computer science 13 of 21

GSM example
Legend: t: try c: connect f: fail s: stop f v t s f c
Corrupted state u : no connection possible.
Corrupted state reachable from w not v .
t w f s mcalculus predicates
 
T * c T
(AGEF properties)
Paths terminating with f , can eventually do c testable f tc T Paths terminating with f , can continue with tc non-testable u s t
14 of 21 department of mathematics and computer science

Liveness
Infinite tfsequence impossible:
CTL: AG AF (

 
{ t , f } *
(
 c
  m s
X

[ tf ]
))
X
Implies liveness combined with AGEF property
(fairness assumption)
Verify AGEF instead of liveness!
f v s t c f t w s f s t department of mathematics and computer science 15 of 21

Contents
1. Motivation
2. IF Equivalence
3. Results • Preservation
• Fair testing
• Proof method department of mathematics and computer science 16 of 21

Preservation results
1. IF congruence preserves all AGEF properties.
2. Any congruence preserving any non-testable AGEF property is at least as fine as IF.
3. Any congruence at least as coarse as weak bisim, satisfying RSP and preserving any nontrivial AGEF property is at least as fine as IF.
department of mathematics and computer science 17 of 21

Fair testing (FT)
FT preserves all testable AGEF properties and (assuming fairness) all AGAF properties abx
 aby

FT a ( bx
 by ) but different IF’s a
FT does not satisfy RSP: two processes satisfy X

FT aX
 ab : a b a a a a b department of mathematics and computer science 18 of 21

Proof method
Suppose ~ is a congruence w.r.t. CCS composition and there exist

,B,p,q with p ~ q such that
(

, B )

IF ( p ) \ IF ( q )
Let
  a
1
 a n
, A
 act ( p )
 act ( q ), and set C ( X )

( X | U
0
) \ A with c

A
U i
-
1
U n

 a i
U i
  c

 
B c (


(
 c c
 
 
)
) ( 1
 i
 n )
19 of 21 department of mathematics and computer science

Context C
(

, B )

IF ( p ) \ IF ( q )
U
0
_ a
1
 p ' : p
  p ' : (
  
B :: p '
_ a
2
_ a n
U n c

)
C ( X )

( X | U
0
) \ A c
_
 i
C ( p )
 
( p |' U n
) \ A cc
( p
C ( q
|' U n
)
)
 
\
(
A q |' U n
) \ A
 cc c
(

, { cc })

IF ( C ( p )) \ IF ( C ( q ))
20 of 21 department of mathematics and computer science

Conclusions
1. Many system safety and liveness properties are of AGEF kind.
AGAF liveness: AGEF + fairness
.
2. IF and FT: compositional verification of AGEF properties.
3. FT: only testable AGEF properties,
RSP cannot be used.
Thank you for your attention department of mathematics and computer science 21 of 21

Composition
Systems built from components a
( C
1
C
1

| C
2
( D
1
|
|
C
3
)
D
2
)

\ { d , e }
\ { f }
_ e
C3 d e
_ e
_ d
D1
C1
D2
_ d
_ b
_ d
C2
D1 f
_ f
D2 department of mathematics and computer science c c
22 of 21

Verification b
Verify property, e.g.: b may eventually occur after a
 
T * b T a

Possible: prove e.g.
{ c }
( S )
 w a * ab
Advantage: compositionality.
Simplify components
Disadvantage: cumbersome, restrictive.
Alternative:
Non-bisim equivalence that is congruence w.r.t. composition and preserves requirements!
c
23 of 21 department of mathematics and computer science