Rob van Glabbeek (Sydney) Marc Voorhoeve (TUE)

1 of 21 department of mathematics and computer science

Rob van Glabbeek (Sydney)

Marc Voorhoeve (TUE)

Liveness, Fairnessand Impossible

Futures


1. Motivation2. IF equivalence3. Results

Contents


Context

Why yet another equivalence relation?

trace

fair testing

IF contrasimweak bisim

strong bisim

failure ready simulation

weak+div


Motivation

System development:model-based vs. requirement-based.Combination often preferable.

Non-bisim equivalence:compositional when congruenceincreases implementer’s freedom.

Equivalence implementation – model:branching/weak bisimilarity?Advantages: compositional,

preservation of any requirement.Disadvantage: restrictive.


Compositional verification

t ok c

nokf

t c

f

t c

tf tcft

coktfnokt

coktfnokt

nokok

*).(

).*)..((

.*)..(

},{

abstraction

reduction (contrasim)


Too much freedom!

t

s

t

c

s

t

s

f f

f

v w

Processes v,w :failures/ready simulation equivalent!

Corrupted state u : action c impossible. u reachable from w not v.

uLegend:t: tryc: connectf: fails: stop

corrupted states

hiddenvisible


Motivation (conclusion)

Non-bisim equivalences:more freedom for implementer.Needed:knowledge about preservation of properties.

IF (impossible future) equivalencepreserves AGEF properties.


1. Motivation2. IF Equivalence3. Results

Contents

• Preliminary notions• Definition• Properties preserved• Connection with liveness and fairness


Transition systems

t

s

t

c

s

t

s

f f

f

gsmspec gsmimpl

Legend:t: tryc: connectf: fails: stop

Process: state in labeled transition system (LTS)

v w


LTS: pair ,S a set (of states) :ternary transition relation

),( S

SAS }){(

v

c

t

bs

ff

d ec

v = gsmspecSet A of visible actions: Special hidden action A

Transition relations

SAS * trace relation

.,

,,

bvvf

fccvsf

t

.,

,,

bvfv

cvvvtfst

t


Impossible futures equivalence

}'::

:':'|),{(

:)(

pB

pppB

pIF

ftfst dddv

vIFftfst

)(}),{,(

fst

ct

ffv

ccv

ct ddv

vIFcfst

)(}),{,(

)()( qIFpIF

qp IF

IF: decorated trace

IF equivalence: same IFs

)(

)(

yxxyx

yxaayax

IF

IF

Congruence with root condition:

v

c

t

bs

ff

d ec


Properties preserved by IF

Having observed it is possible to continuewith a trace from B.calculus: T B

CTL:(AGEF property)

}'::

:':'|),{(

:)(

pB

pppB

pIF

)'::(:':'

)(),(

pBppp

pIFB

T)T (Not IF preserved(not AGEF):

)(EFAG B


Some AGEF properties

No deadlock/livelock: TT*T

Soundness: *T*T √Delivery (d) possible after order (o):

T*T*T*T do

Order that is not confirmed (c) can be aborted (a):

T*T**T aco )(An order that can be confirmed, can be aborted(at the same time): T)T*T*T aco ( Not AGEF:

)()())( acocboboacobo IF


t

s

t

c

s

t

s

f f

f

Legend:t: tryc: connectf: fails: stop

GSM example

v w

Corrupted state u:no connection possible.Corrupted state reachable from w not v.

TTT cf **

(AGEF properties)

f

calculus predicates

Paths terminating with f,can continue with tc

Paths terminating with f,can eventually do c

TT tcf*

u

testable

non-testable


Liveness

Infinite tf-sequence impossible: XtfX ][

t

s

t

c

s

t

s

f f

f

v w

CTL: ))((AFAG *},{ scft

Verify AGEF instead of liveness!

Implies liveness combined with AGEF property(fairness assumption)


1. Motivation2. IF Equivalence3. Results

Contents

• Preservation• Fair testing• Proof method


Preservation results

1. IF congruence preservesall AGEF properties.

2. Any congruence preservingany non-testable AGEF propertyis at least as fine as IF.

3. Any congruence at least as coarse asweak bisim, satisfying RSP and preservingany nontrivial AGEF propertyis at least as fine as IF.


Fair testing (FT)

FT preserves all testable AGEF propertiesand (assuming fairness) all AGAF properties

)( bybxaabyabx FT but different IF’s

FT does not satisfy RSP:two processes satisfy :abaXX FT

a a b a

a

a

a b


Proof method

Suppose ~ is a congruence w.r.t. CCS compositionand there exist ,B,p,q with p ~ q such that

)(\)(),( qIFpIFB

AcqactpactAaa n ),()(,1Let

and set AUXXC \)|()( 0 with

Bn

iii

ccU

niccUaU

)(

)1()(1


Context C

)(\)(),( qIFpIFB

AUXXC \)|()( 0

_a2

c

_an

_a1

c

c

i

))((\))((}){,( qCIFpCIFcc

0U nU

)'::(:':' pBppp

ccn

ccn

n

AUqqC

AUp

AUppC

\)|'()(

\)|'(

\)|'()(


Conclusions

1. Many system safety and livenessproperties are of AGEF kind.

AGAF liveness: AGEF + fairness.

2. IF and FT: compositional verificationof AGEF properties.

3. FT: only testable AGEF properties,RSP cannot be used.

Thank you for your attention


C3 C2

a

_b

c

d_d

_d

_e

e

D1 D2 c_e _

ff

_d

D1 D2C1

Composition

}{\)|(

},{\)||(

211

321

fDDC

edCCC

Systems built fromcomponents


Verification

a

b

c

Possible: prove e.g.abaS wc *)(}{

Disadvantage: cumbersome, restrictive.Alternative:Non-bisim equivalence that is congruencew.r.t. composition and preserves requirements!

Advantage:compositionality.

Verify property, e.g.:b may eventuallyoccur after a

T*T*T ba

Simplify components

Rob van Glabbeek (Sydney) Marc Voorhoeve (TUE)

Documents

Transcript of Rob van Glabbeek (Sydney) Marc Voorhoeve (TUE)