Rob van Glabbeek (Sydney) Marc Voorhoeve (TUE)

Post on 23-Jan-2016


1 of 21 department of mathematics and computer science

Rob van Glabbeek (Sydney)

Marc Voorhoeve (TUE)

Liveness, Fairness and Impossible Futures

2 of 21

Contents

1. Motivation
2. IF equivalence
3. Results

3 of 21

Context

Why yet another equivalence relation?

[Diagram: spectrum of equivalence relations; only the node labels survived extraction: trace, failure, fair testing, IF, contrasim, ready simulation, weak bisim, weak+div, strong bisim]

4 of 21

Motivation

System development: model-based vs. requirement-based. A combination is often preferable.

Equivalence between implementation and model: branching/weak bisimilarity? Advantages: compositional, preserves any requirement. Disadvantage: restrictive.

Non-bisim equivalence: compositional when it is a congruence; increases the implementer's freedom.

5 of 21

Compositional verification

[Diagram: a component over the actions t, c, f with ok/nok outcomes, composed with its environment; the two steps shown are labelled abstraction and reduction (contrasim); the process terms and regular expressions did not survive extraction]

6 of 21

Too much freedom!

[Diagram: processes v and w, LTSs over the actions t, c, f, s; w contains corrupted states reached by a hidden transition; hidden and visible transitions are drawn differently]

Legend: t: try, c: connect, f: fail, s: stop

Processes v, w: failures/ready simulation equivalent!

Corrupted state u: action c impossible. u is reachable from w, not from v.

7 of 21

Motivation (conclusion)

Non-bisim equivalences: more freedom for the implementer. Needed: knowledge about preservation of properties.

IF (impossible future) equivalence preserves AGEF properties.

8 of 21

Contents

1. Motivation
2. IF Equivalence
3. Results

• Preliminary notions
• Definition
• Properties preserved
• Connection with liveness and fairness

9 of 21

Transition systems

[Diagram: LTSs for v = gsm spec and w = gsm impl over the actions t, c, f, s]

Legend: t: try, c: connect, f: fail, s: stop

Process: state in a labeled transition system (LTS)

10 of 21

LTS: a pair of a set S (of states) and a ternary transition relation, a subset of S × (A ∪ {hidden action}) × S. A is the set of visible actions; the special hidden action is not in A.

Transition relations: the trace relation is a subset of S × A* × S.

[Diagram: LTS of v = gsm spec over the actions t, c, f, s; the example transitions and traces listed beside it did not survive extraction]

11 of 21

Impossible futures equivalence

IF(p): the set of impossible futures of p, pairs of a trace and a set B of traces [formula lost in extraction].

IF: decorated trace

IF equivalence: same IFs

[Worked example on v = gsm spec: elements of IF(v) over the actions t, f, s, c; lost in extraction]

Congruence with root condition: [law lost in extraction]

[Diagram: LTS of v]

12 of 21

Properties preserved by IF

Having observed a trace, it is possible to continue with a trace from B. Expressed in the μ-calculus and in CTL this is an AGEF property [formulas lost in extraction].

[Definition of IF(p) repeated; formula lost in extraction]

Not preserved by IF (not AGEF): [formula of AG/EF shape, lost in extraction]

13 of 21

Some AGEF properties [μ-calculus formulas lost in extraction]

No deadlock/livelock.

Soundness (√ reachable).

Delivery (d) possible after order (o).

An order that is not confirmed (c) can be aborted (a).

An order that can be confirmed can be aborted (at the same time).

Not AGEF: [formula and IF-equivalence example over the actions o, b, c, a lost in extraction]

14 of 21

GSM example

[Diagram: processes v and w over the actions t, c, f, s; corrupted state u in w]

Legend: t: try, c: connect, f: fail, s: stop

Corrupted state u: no connection possible. Corrupted state reachable from w, not from v.

μ-calculus predicates (AGEF properties):
Paths terminating with f can continue with tc.
Paths terminating with f can eventually do c.
[formulas lost in extraction; one predicate is marked testable, the other non-testable]

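The GSM example above and the IF definition of slides 11 and 12, as an added, runnable Python example (not code from the slides or from the authors). It assumes the standard definition: a pair (σ, B) is an impossible future of p if p can perform the weak trace σ (hidden steps skipped) and reach a state from which no trace in B is possible; IF equivalence means equal IF sets. The two LTSs are constructed here to match the slide's description (w reaches a corrupted state u by a hidden step, from which c never happens; v and w have the same stable failures but different impossible futures); they are not the slides' exact figures. Trace sets are bounded in length, so the checks find witnesses of inequivalence but only approximate equivalence.

```python
TAU = "tau"  # the hidden action

# Constructed spec v (legend: t try, c connect, f fail, s stop): a try either
# connects or fails; a "doomed" try (b2) can only fail; after a fail: retry or stop.
SPEC = {
    "v": [("t", "b"), ("t", "b2")],
    "b": [("c", "conn"), ("f", "d")],
    "b2": [("f", "d")],
    "d": [("t", "b"), ("t", "b2"), ("s", "stop")],
    "conn": [], "stop": [],
}
# Constructed impl w: same shape plus a hidden step from wd into corrupted
# state u, where every try fails forever, so c is impossible from u.
IMPL = {
    "w": [("t", "wb"), ("t", "wb2")],
    "wb": [("c", "wconn"), ("f", "wd")],
    "wb2": [("f", "wd")],
    "wd": [("t", "wb"), ("t", "wb2"), ("s", "wstop"), (TAU, "u")],
    "u": [("t", "u1"), ("s", "wstop")],
    "u1": [("f", "u")],
    "wconn": [], "wstop": [],
}

def tau_closure(lts, states):
    """All states reachable from `states` by hidden steps only."""
    seen, todo = set(states), list(states)
    while todo:
        p = todo.pop()
        for a, q in lts[p]:
            if a == TAU and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def after(lts, state, trace):
    """States reachable from `state` by the weak trace `trace`."""
    cur = tau_closure(lts, {state})
    for a in trace:
        cur = tau_closure(lts, {q for p in cur for b, q in lts[p] if b == a})
    return cur

def traces(lts, state, bound):
    """Weak traces of length <= bound from `state`, as tuples of actions."""
    out, seen, todo = set(), set(), [(state, ())]
    while todo:
        p, tr = todo.pop()
        if (p, tr) in seen:
            continue
        seen.add((p, tr))
        out.add(tr)
        for a, q in lts[p]:
            if a == TAU:
                todo.append((q, tr))
            elif len(tr) < bound:
                todo.append((q, tr + (a,)))
    return frozenset(out)

def stable(lts, p):
    return all(a != TAU for a, _ in lts[p])

def init(lts, p):
    return frozenset(a for a, _ in lts[p])

def ordered(ts):  # shortest trace first, then lexicographic
    return sorted(ts, key=lambda t: (len(t), t))

def failures_witness(lts1, p0, lts2, q0, bound):
    """A stable failure (sigma, X) of p0 that q0 lacks, or None."""
    alphabet = {a for l in (lts1, lts2) for ts in l.values() for a, _ in ts} - {TAU}
    for sigma in ordered(traces(lts1, p0, bound)):
        qs = [q for q in after(lts2, q0, sigma) if stable(lts2, q)]
        for p in sorted(after(lts1, p0, sigma)):
            if stable(lts1, p) and not any(init(lts2, q) <= init(lts1, p) for q in qs):
                return sigma, frozenset(alphabet - init(lts1, p))
    return None

def if_witness(lts1, p0, lts2, q0, bound):
    """An impossible future (sigma, B) of p0 that q0 lacks, or None."""
    for sigma in ordered(traces(lts1, p0, bound)):
        tqs = [traces(lts2, q, bound) for q in after(lts2, q0, sigma)]
        for p in sorted(after(lts1, p0, sigma)):
            tp = traces(lts1, p, bound)
            if any(tq <= tp for tq in tqs):
                continue  # some q-state after sigma refuses everything p refuses
            # every q-state after sigma can do a trace that p cannot: pick one each
            return sigma, frozenset(ordered(tq - tp)[0] for tq in tqs)
    return None

def agef_holds(lts, s0, last, B, bound):
    """After every trace ending in `last`, some trace from B is possible,
    i.e. no pair (sigma, B) with sigma ending in `last` is an impossible future."""
    for sigma in traces(lts, s0, bound):
        if sigma and sigma[-1] == last:
            for p in after(lts, s0, sigma):
                if not (set(B) & traces(lts, p, bound)):
                    return False
    return True

if __name__ == "__main__":
    print(failures_witness(SPEC, "v", IMPL, "w", 4), failures_witness(IMPL, "w", SPEC, "v", 4))
    print(if_witness(IMPL, "w", SPEC, "v", 4))  # (('t','f'), {('t','c')}): after tf, tc may be impossible in w
    print(agef_holds(SPEC, "v", "f", {("t", "c")}, 4), agef_holds(IMPL, "w", "f", {("t", "c")}, 4))
```

The failures check finds no difference in either direction, while the IF check returns the trace tf paired with {tc}: after trying and failing, w may sit in u, where tc can never follow, which v can never do. The same pair is exactly the violation of the slide's AGEF property "paths terminating with f can continue with tc", so an AGEF property holding for v fails for w, as slide 12 predicts for a refinement that is not IF-preserving.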
15 of 21

Liveness

Infinite tf-sequence impossible [μ-calculus formula with [tf]X, lost in extraction].

[Diagram: processes v and w]

CTL: an AG AF formula over t, f, c, s [lost in extraction].

Verify AGEF instead of liveness! An AGEF property combined with a fairness assumption implies liveness.

16 of 21

Contents

1. Motivation
2. IF Equivalence
3. Results

• Preservation
• Fair testing
• Proof method

17 of 21

Preservation results

1. IF congruence preserves all AGEF properties.

2. Any congruence preserving any non-testable AGEF property is at least as fine as IF.

3. Any congruence at least as coarse as weak bisim, satisfying RSP and preserving any nontrivial AGEF property, is at least as fine as IF.

18 of 21

Fair testing (FT)

FT preserves all testable AGEF properties and (assuming fairness) all AGAF properties.

[Example: two process terms over a, b, x, y that are FT equivalent but have different IFs; terms lost in extraction]

FT does not satisfy RSP: two processes satisfy X =FT a.X + a.b (operators reconstructed from the surviving letters).

[Diagrams of the two solutions, with a-loops and a.b branches; lost in extraction]

19 of 21

Proof method

Suppose ~ is a congruence w.r.t. CCS composition and there exist a trace, a set B and processes p, q with p ~ q such that the pair (trace, B) is in IF(p) \ IF(q).

Let the trace be a1 ... an, with act(p), act(q) ⊆ A, and set C(X) = (X | U0) \ A, with U0, ..., Un built from the actions c1, ..., cn [definition lost in extraction].

20 of 21

Context C

(trace, B) in IF(p) \ IF(q); C(X) = (X | U0) \ A

[Diagram: the context U0 ... Un as a chain over a1, ..., an with c-labelled exits; lost in extraction]

A pair (c, {c}) of c-actions (indices lost in extraction) lies in IF(C(p)) \ IF(C(q)); [calculation with (p' | U) \ A and (q' | U) \ A lost in extraction].

21 of 21

Conclusions

1. Many system safety and liveness properties are of AGEF kind. AGAF liveness: AGEF + fairness.

2. IF and FT: compositional verification of AGEF properties.

3. FT: only testable AGEF properties; RSP cannot be used.

Thank you for your attention

22 of 21

Composition

Systems built from components

C1 = (D1 | D2) \ {f}
C = (C1 | C2 | C3) \ {d, e}

[Diagram: components D1, D2 communicating over f, and C1, C2, C3 communicating over d, e, with visible actions a, b, c; lost in extraction]

23 of 21

Verification

[Diagram: composed system with visible actions a, b, c]

Possible: prove e.g. that S \ {c} is weakly bisimilar to a given process over a and b [term lost in extraction].

Disadvantage: cumbersome, restrictive. Alternative: a non-bisim equivalence that is a congruence w.r.t. composition and preserves requirements! Advantage: compositionality.

Verify a property, e.g.: b may eventually occur after a [μ-calculus formula lost in extraction].

Simplify components