Formal Methods in System Design, 6, 1-36 (1995)
c 1995 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

Property Preserving Abstractions for the Verification of Concurrent Systems*

C. LOISEAUX loiseaux@imag.fr
S. GRAF graf@imag.fr
J. SIFAKIS sifakis@imag.fr
A. BOUAJJANI bouajjan@imag.fr
S. BENSALEM bensalem@imag.fr
VERIMAG*, Rue Lavoisier, 38330 Monbonnot

Received October 1, 1992; Revised February 1, 1994
Editor: David Probst

Abstract. We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections (;), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a function mapping sets of states of a system S into sets of states of a system S'. We give results on the preservation of properties expressed in sublanguages of the branching time -calculus when two systems S and S' are related via h;i-simulations. They can be used to verify a property for a system by verifying the same property on a simpler system which is an abstraction of it. We show also under which conditions abstraction of concurrent systems can be computed from the abstraction of their components. This allows a compositional application of the proposed verification method.

This is a revised version of the papers [2] and [16]; the results are fully developed in [28].

Keywords: abstract interpretation, simulation, property preservation, model-checking.
1. Introduction

The growing complexity of distributed and reactive systems requires rigorous development methodologies and automatic verification techniques. A well-known limitation of automatic verification techniques is their applicability only to relatively small finite state programs because of the exponential blow-up of the size of the models that have to be constructed for their application. Many techniques have been developed in order to push further the limits of model-checking. One of them consists in using property preserving abstractions: given a program and a property to be verified, find a (simpler) abstract program such that the satisfaction on the abstract program implies the satisfaction on the initial program, called concrete program in this context. An important point is, given a concrete program, how to construct an abstract program that is both, simple enough in order to be verified by available tools, and that still contains enough relevant details for the satisfaction of the considered properties.

* This work was partially supported by ESPRIT Basic Research Action "REACT"
* Verimag is a joint laboratory of CNRS, Institut National Polytechnique de Grenoble, Universite J. Fourier and Verilog SA associated with IMAG

The framework of abstract interpretation (see for example [7], [8]) addresses exactly this problem. Programs are represented by functions F on some lattice of properties. Given some abstract lattice of properties and a pair of functions (;), forming a Galois connection [35] from the concrete to the abstract lattice, a function G on the abstract lattice is an abstraction of F if F  G holds. This guarantees that greatest and least fixpoints of G represent upper approximations of corresponding fixpoints of F. Until recently, this approach has only been applied for the verification of invariance properties of sequential programs. However, in [40], [41], the idea of abstract interpretation has been applied to programs represented by transition systems, where the lattice of properties is the powerset of states. There, results showing preservation of fragments of CTL [9] from the abstract to the concrete system have been given.

In the linear semantics framework, the intuitive notion of abstraction is inclusion (respectively equality) of observable computation sequences (see for example in [25], [1], [30]). However, this notion of abstraction does not directly induce a way of computing an abstract program for a given concrete program and observability criterion.

In the framework of process algebras, the problem of property preserving preorders and equivalences has also been widely studied. In this framework, the notions of abstractions are generally defined in terms of variants of simulation [31] and bisimulation [32]; the problem of the construction of abstract programs has only been addressed for notions of abstractions defined by equivalences.
Here, we take up again the approach followed in [40], [41]. We define a notion of abstraction on transition systems as a simulation parameterized by Galois connections (;). We show that the notion of abstraction induced by h;i-simulation coincides exactly with the notion of abstraction defined by simulation in the sense of Milner [31], parameterized by the relation corresponding to the Galois connection.

Then, we give preservation results for fragments of a future and past version of the branching time -calculus defined in [24] for the following notion of property preservation: an arbitrary function from the powerset of the states of a transition system S1 to the powerset of the states of a transition system S2 preserves a property f if for any state of S1 which satisfies f, all the states of S2 in its image also satisfy f. If the converse also holds, then we say that the function strongly preserves f. A preservation result of particular practical interest says that if two systems are related via h;i-simulation, then all formulas of the -calculus using no negation and only universal quantification over computation sequences (called 2L) are preserved by e from the abstract to the concrete system (where e is the dual of ). These preservation results generalize results given in [10] where this problem is studied in the particular case where the property preserving function defines a structure homomorphism from the concrete to abstract system.

Our preservation results together with the fact that, given some concrete system and some connection (;), an abstract system can be computed, allow the use of the following verification method. In order to verify a property expressed as a formula f of 2L on a system S, provide a connection (;) between the powersets of concrete and abstract states, compute the associated abstract system SA and verify f on SA. If f holds on SA, it also holds on S.

Finally, we give a result concerning compositionality of simulation over parallel composition, which is important for the application of this method in practice. From a practical point of view, there are two reasons for building an abstract program of a composed system by composition of abstractions of its components. It is easier to define connections (;) separately for each component than for the compound system; proceeding this way allows also to avoid building a representation of the global transition system associated with the composed system. As well for synchronous as for asynchronous parallel composition (allowing shared variables between components), we give compositionality results, that means rules, allowing to deduce h;i-simulation for a compound system from hi;ii-simulations for its components, where h;i is expressed in terms of hi;ii.

The paper is organized as follows. In Section 2, we give some notations and recall the definition of Galois connections and some interesting properties of them. In Section 3, the definition of h;i-simulation is given. We show that this notion coincides with the usual notion of simulation. In Section 4, we define a notion of "abstract program" obtained from a given function or its associated relation. Section 5 presents the notion of property preservation and general results allowing to prove that a function preserves the validity of formulas of a given language. Section 6 gives results concerning the preservation of fragments of the -calculus when transition systems are related via h;i-simulation. Section 7 gives results concerning the compositionality of simulation with respect to parallel composition. Finally, Annex A contains some technical proofs.

2. Preliminary definitions

In Section 3, we study the relationship between the notions of abstraction in the frameworks of process algebras and of abstract interpretation. In this section, we define the basic notions necessary for this comparison. In process algebras programs are modeled as transition systems, that means as binary relations on the set of states. In the framework of abstract interpretation, programs are represented by predicate transformers, i.e., functions transforming sets of states into sets of states.
4WithanytransitionrelationRcanbeassociateddierentpredicatetransformers, concerningthem,whichareusedintheproofslateron. 2.1.Transitionsystemsandpredicatetransformers WerecallherethedenitionofGaloisconnectionandsomewell-knownproperties theforwardandbackwardimagefunctions,whichwedenoteherebypre[r],respectivelypost[r].intheabstractinterpretationframework,thenotionofabstraction Denition1(Transitionsystems) isbasedontheexistenceofagaloisconnectionbetweenthelatticesofproperties. AtransitionsystemisapairS=(Q;R),whereQisasetofstatesandRisa transitionrelationonq(rqq). Notation1Weadoptthefollowingconventionsandnotations: WeidentifyaunarypredicateonQwithitscharacteristicsetsincethelattice WedenotebyIdQtheidentityfunctionon2Q. GiventworelationsRQQ0andSQ0Q00andtwofunctionsf:Q!Q0 stateq2q,thenotationsp(q)=true,p(q)andq2pareequivalent. ofunarypredicatesisisomorphicto2q.thus,foraunarypredicatepanda asasetofstates(oracorrespondingunarypredicate).therefore,inthesequel \propertylattice"isalwaysthesameas\powersetonthesetofstates". Denition2(Thepredicatetransformerspreandpost) Inthesequel,weconsideralwayspropertiestobestateproperties,i.e.,interpreted gfisappliedtosomeargumentq2q. andg:q0!q00,thendenotethecompositionoftherelationsrandsbyrs GivenarelationQ1Q2,wedenepre[]:2Q2!2Q1andpost[]:2Q1!2Q2 andthecompositionofthefunctionsfandgbygf,respectivelyg(f(q))if statesofq20viatherelationandforq10q1,post[](q10)representsthesetof \successors"ofthestatesofq10via.noticethatwehavepost[]=pre[?1]. by,pre[]def Thatmeans,forQ20Q2,pre[](Q20)representsthesetof\predecessors"ofthe post[]def =X:fq12Q1:9q22X:q1q2g formerspreandpostwhichcanforexamplebefoundin[41]. Thefollowingpropositionsgivesomeusefulresultsconcerningthepredicatetrans- =X:fq22Q2:9q12X:q1q2g Proposition1ForanyrelationfromasetQ1toasetQ2(Q1Q2),we have:
Notation2(Dualofafunction) 2.ForanyX1,X2subsetsofQ2,pre[](X1[X2)=pre[](X1)[pre[](X2), 1.pre[](;)=;, 5 Wedenotebyethedualofafunction:2Q1!2Q2thatis Proposition2LetbeQ1Q2andQ2Q3.Then, edef pre[]=pre[]pre[], post[]=post[]post[], =X:(X). 2.2.Galoisconnections WegivehereafterthedenitionofGaloisconnectionsandsomeusefulwell-known resultsaboutthem.moreinformationcan,e.g.,befoundin[35],[39]. gpost[]=gpost[]gpost[]. fpre[]=fpre[]fpre[], LetQ1andQ2betwosetsofstates.Aconnectionfrom2Q1to2Q2isapairof Denition3(Connections) IdQ1andIdQ2. Proposition3Foranyconnection(;)from2Q1to2Q2,wehave, monotonicfunctions(;),where:2q1!2q2and:2q2!2q1,suchthat =,and=, (;)=;, distributesover[anddistributesover\, (e;e)isaconnectionfrom2q2to2q1. Proposition5Foranyconnection(;)from2Q1to2Q2,wehave, Proposition4LetF:2Q1!2Q1andG:2Q2!2Q2betwofunctionsand(;) aconnectionfrom2q2to2q1.then, 8QQ1;Q0Q2:(Q)Q0iQ(Q0). =Y:SfX22Q1:(X)Yg, FGifandonlyifFG
betweentheconnectionsfrom2q1to2q2andthebinaryrelationsfromq1toq2. 6=X:TfY22Q2:X(Y)g. Proposition6(Connectionsgeneratedbyabinaryrelationonstates) characterizationsallowtodeducethefollowingtwopropositionsshowingthelinks IfQ1Q2,thenthepair(post[];fpre[])isaconnectionfrom2Q1to2Q2and (pre[];gpost[])isaconnectionfrom2q2to2q1. Proposition7(Relationsinducedbyconnections) Thatmeansthatanddetermineeachotherinauniquemanner.These If(;)isaconnectionfrom2Q1to2Q2,thenthereexistsauniquerelation by(q1;q2)2ifandonlyifq22(q1).since(;)=;anddistributesover[ (Proposition3),wehave=post[]. Q1Q2suchthat=post[]and=fpre[]. Proof:Let(;)beaconnectionfrom2Q1to2Q2.Considertherelationdened tionfrom2q2to2q1,thenwehave, Proposition8If(;)isaconnectionfrom2Q1to2Q2and(0;0)isaconnec- andasdistributesover[,wecanwrite=y:fq2q1:(fqg)yg.now, since=post[],itiseasytodeducethat=fpre[]. Furthermore,bytheProposition5,wehave=Y:SfX22Q1:(X)Yg, Proof:ConsidertherelationQ1Q2suchthat=post[]and=fpre[], whichexistsbyproposition7. totalonq1andidq2post[]pre[]foranyq1q2thatistotalonq2. Now,itiseasytoseethatIdQ1pre[]post[]foranyQ1Q2thatis 1.IdIm(e)eandIdIm()e, pre[0]pre[]pre[0]=pre[0]forsomeappropriaterelations;0.byproposition2,thisisequivalenttopre[00]=pre[0],thatis0=00. Symmetrically,0=00isequivalenttopost[0]=post[00],thatisto ByProposition7,theequatione0ee0=e0isequivalentto 2.e0ee0=e0ifandonlyif00=0. Inthissection,wedeneanotionofsimulationbasedonGaloisconnections(;), 3.Simulations calledh;i-simulation.itsdenitionisinspiredbythenotionofabstractinterpretationinthesenseofcousot[7],[8].there,aprogramisrepresentedbyafunction Fmappingpropertiesintoproperties.AfunctionG,mappingabstractproperties post[0]=post[0]post[]post[0],i.e.,0=00.
intoabstractproperties,isanabstractionoffifthereexistsaconnection(;) fromthetheconcretetoabstractlatticeofproperties,suchthatfg. blechoiceforthefunctionfistakingoneofthepredicatetransformersassociated stractionofs"and\ssimulatessa"areequivalent.weshowthatthenotionof withthetransitionrelationr.weconsiderthattheexpressions\saisanab- Inourframework,whereaprogramisatransitionsystemS1=(Q1;R1),apossi- 7 abstractioninducedbythechoicef=pre[r1]coincideswiththenotionofabstractioninducedbysimulationinthesenseofmilner[31]whichisusedinthe S2=(Q2;R2),i.e.,aconnectionfrom2Q1to2Q2. (;)relatingthepropertylatticesoftwotransitionsystemss1=(q1;r1)and frameworkofprocessalgebras. 3.1.Simulationsinducedbyconnections Denition4(vh;iand'h;i) LetS1=(Q1;R1)andS2=(Q2;R2)betwotransitionsystemsand(;)bea First,wedenesimulation(andbisimulations)parameterizedbyaconnection connectionfrom2q1to2q2.dene, fromproposition4. IfS1vh;iS2,wesaythatS1h;i-simulatesS2orS2isanh;i-abstractionof S1.Ausefuldualconditionforthedenitionofh;i-simulationcanbededuced S1'h;iS2ifandonlyifS1vh;iS2andS2vhe;eiS1. S1vh;iS2ifandonlyifpre[R1]pre[R2], Q1andQ2.InPropositions9and10weshowthatthesetwonotionsofsimulation senseofmilnerwhicharebasedonabinaryrelationbetweenthesetsofstates 3.2.Relatingh;i-simulationandbehaviouralsimulation coincide. Denition5(vand') Werecallrstthedenitionsofbehaviouralsimulationandbisimulationinthe LetS1=(Q1;R1)andS2=(Q2;R2)betwotransitionsystemsandbearelation fromq1toq2(q1q2).dene, S1'S2ifandonlyifS1vS2andS2v?1S1. S1vS2ifandonlyifR1?1R2?1,
suchthats1vs2(respectivelys1's2).weshownowthath;i-simulation and-simulationcoincide. 8IfS1vS2,wesaythatS1-simulatesS2orS2isa-abstractionofS1. Q1Q2,thereexistsaconnection(;)from2Q1to2Q2suchthat Proposition9(Fromvh;itov) S1vS2ifandonlyifS1vh;iS2. LetS1=(Q1;R1)andS2=(Q2;R2)betwotransitionsystems.Foranyrelation S1simulates(respectively,bisimulates)thesystemS2ifthereexistsarelation Proof:Weshowthattheintendedconnectionis(post[];fpre[])(byProposition6, thispairisindeedaconnection).supposethats1vhpost[];fpre[]is2,i.e., Then,aspost[]ismonotonicandIdQ1fpre[]post[],weobtain, post[]pre[r1]fpre[]pre[r2]. Proposition10(Fromvtovh;i) LetS1=(Q1;R1)andS2=(Q2;R2)betwotransitionsystems.Foranyconnection Itcanbeshowninasimilarwaythattheconversealsoholds.Thisproves, post[]pre[r1]fpre[]post[]pre[r2]post[]whichimplies (;)from2q1to2q2thereexistsarelationq1q2suchthat post[]pre[r1]pre[r2]post[]whichisequivalenttor1?1r2?1. S1vh;iS2ifandonlyifS1vS2. S1'hpost[];fpre[]iS2ifandonlyifS1'S2. abstractioninthecasewhereprogrammodelsaretransitionsystemsisthesame. Therefore,wedonotdistinguishinthesequelbetweensimulationsparameterized tationandthatchosenintheframeworkofprocessalgebra.infact,thenotionof byrelationsandthoseparameterizedbyconnections;inanycontextweusethe notionwhichallowstopresenttheresultsinthesimplestway. Proof:DirectfromPropositions7and9. 4.Computingprogramabstractions Thisresultclariestherelationshipbetweentheapproachofabstractinterpre- Intheframeworkofprocessalgebraandofprogramrenement,thenotionofsimulationisingeneralusedinordertodecidefortwogivenprogramsifoneofthem simulatestheother.butouraimis,givenaprogrampandarelationrelating concreteandabstractstates,toconstructanabstractprogrampasuchthatp -simulatespa.obviously,therearemanyprogramswhichare-abstractionsof
i.e.whichisascloseaspossibletotheconcreteprogram. anabstractprogramsatisfying foragiven asmanypropertiesaspossible, theabstractprogrammustalsoberepresentablebysometransitionrelationofthe theabstractsetofstatesisatrivial-abstractionofanyp.weareinterestedin P.InparticulartheprogramChaosdenedbytheuniversaltransitionrelationon Inourframework,wherePisrepresentedbyatransitionsystemS=(Q;R) 9 ofs.insection4.1,wedenerstthecriteriumoffaithfulnesswhichissatised byalltransitionsystemsonqawhicharebisimilartoanysmaller(inthesense ofinclusion)-abstractionsofs.usingtheresultsofsection5,wewillseethat simulation,doesnotnecessarilycorrespondtoasolution,thatmeansafunctionof theformpre[ra]forsometransitionrelationra. formsa=(qa;ra),whereqaisthesetofabstractstates.inthiscasethe faithfulabstractionsarethesetofabstractprogramswhichsatisfyallproperties obviousminimalfunctionpost[]pre[r]fpre[] obtainedfromthedenitionof whicharepossiblysatisedbyany-abstractionofsandwhicharepreservedfrom SAtoS. Itiseasytoseethatingeneral,theremayexistseveral\minimal"-abstractions thecasethatisatotalfunction,pre[]=fpre[]holds,whichtriviallyimpliesthat vwhichwedenoteby.undersomeconditionscoincideswiththenotionof S;thiscasehasbeenwidelystudiedintheliterature(seeforexamplein[25],[10]). Sistheleastabstraction.Then,denesastructurehomomorphismfromSto?1Risafaithfulabstractionifistotalandmoreover=?1holds.In forwardandbackwardsimulationforwhichweobtainstrongerpreservationresults WewillseethattheabstractprogramdenedbyS=(QA;R)withR= andillustratethisonasmallexample. thanforv. abstractionrelationsarerepresentedbypredicatesoversetsofprogramvariables Sisinducedinanobviousmannerbyaslightlystrongernotionofsimulationthan 4.1.Faithfulabstractions Denition6(Faithfulabstractions) GivenS=(Q;R)andQQA,wesaythatSA=(QA;RA)isafaithful InSection4.2,weshowhowScanbecomputediftransitionrelationsaswellas abstractionofsviaifsvsaand8s0=(qa;r0):svs0andr0ra implies90qaqa:sa'0s0. Proposition11LetS=(Q;R)beatransitionsystemandQQA. 
R=?1R(orequivalently,pre[R]=post[]pre[R]pre[]). GivenS=(Q;R)andQQA,totalonQ,wedeneS=(QA;R)where Notation3(ThesystemS) IfistotalonQ,thenSvS.
Proof:Therstandthethirditemsfollowdirectlyfromthefactthatfpre[]pre[] 10Iffurthermore=?1,thenSisafaithfulabstractionofSvia. ifistotalonq(respectivelyfpre[]=pre[]ifisafunction).forthesecond item,weshowthatforanytransitionsystemsa=(qa;ra)suchthatsvsaand RAR,wehaveSA'?1S,theproofofwhichisgivenintheAppendixA.1. Ifisa(total)function,thenSistheleast-abstractionofS.?1.Thereexistexamplesofinterestingabstractionrelationssuchthatisnot fromthepartitiononqinducedby?1intothepartitionofqainducedby successorby,havethesamesuccessorsby.thismeansthatdenesafunction function.if=?1doesnothold,thensisnotnecessarilyfaithful,andin[12] isgivenawaytocomputefaithfulabstractions. vh;i)whichcoincideswiththenotionofforwardandbackwardsimulationused, e.g.in[21],[22]ifistotal. Sisinducedbyaslightlystrongernotionofsimulationthanv(respectively Noticethat=?1ifandonlyifanytwostatesofQhavingacommon Denition7(andh;i) LetS=(Q;R)andSA=(QA;RA)betransitionsystems,andQQAtotal Lemma1(Characterizationof) onqand(;)atotalconnectionfrom2qto2qa.then, LetS=(Q;R)andSA=(QA;RA)betransitionsystems,andQQAtotal onq;denotes?1=(q;r?1)andanalogouslyforsa.then, SSAifandonlyif?1RRA Sh;iSAifandonlyifpre[R]epre[RA] Now,weconsidertheparticularcasewheretransitionrelationsandabstraction 4.2.Symboliccomputationofprogramabstractions relationsarerepresentedbypredicatesoverprogramvariables.thesetsofstates QaretheCartesianproductofthedomainsofatupleofprogramvariables.For SSAifandonlyifSvSAandS?1vS?1 example,ifx=(x;y),thenwehave,q=dom(x)=dom(x)dom(y). theformr(x;x0)wherex0=(x0;y0)isa\copy"ofx,i.e.,dom(x)=dom(x0). XencodesthesourcestateandX0thetargetstateofanytransitioninR.For example.,ifdom(x)=nanddom(y)=bool,thenr=y^(x0=x+1) Then,binaryrelationsonDom(X)canberepresentedbybinarypredicatesof
representsthetransitionrelationrelatingany(n;true)2nboolwith(n+1;b0) Thisapproachisused,e.g.,in[27],[37].InthesamewayarelationfromDom(X) whereb0maytakeanybooleanvalueasy0isnotconstraintintheexpressionr. todom(xa)isrepresentedbyabinarypredicateoftheform(x;xa). connectives.forexample,thefactthatarelationr1isincludedinr2isexpressed Inthissetting,operationsonsets(respectivelyrelations)areexpressedbylogical 11 Section7. areusedaslabels(names)forsynchronizationpurposesinparallelcompositionin ofbinarypredicatesonthesametupleofvariables,s=fri(x;x0)gi2iwherei2i onthesamesetofvariables. byr1)r2andr1^r2representstheintersectionofr1andr2iftheyaredened ables,theabstractionsofsiscomputedas Then,givenanabstractionrelation(X;Y),whereYisatupleofabstractvari- Weconsiderthataprogramisafamilyoftransitionrelationsrepresentedbysets containingexpressionsinwhich,atleastinthecasewheredom(x)anddom(y) arenite,alloccurrencesofvariablesxandx0canbeeliminated. Example:areader/writerproblem Wedescribeasimplereaders/writerssystembythefollowing\program"RW;in S=f9X9X0:(X;Y)^(X0;Y0)^Ri(X;X0)gi2I factrwdenesafamilyoflabeledtransitionrelationswhereforreadabilityreasons anexplicitlabel((b-read),(e-read),...)ofeachactionisputbetweenparenthesesin frontoftheexpressiondeningthetransitionrelation. RW=f (b-read)(wr>0)^(aw=0)^(wr0=wr?1)^(ww0=ww)^ (e-read)(ar>0) (b-write)(ww>0)^(aw=0)^ (Ar=0) ^(Wr0=Wr+1)^(Ww0=Ww)^ ^(Wr0=Wr)^(Ww0=Ww?1)^ (Ar0=Ar+1)^(Aw0=Aw); (Ar0=Ar?1)^(Aw0=Aw); wherewrandwwarepositiveintegervariablesrepresentingrespectivelythenumbersofwaitingreadersandwaitingwriters,arandawrespectivelythenumbers ofactivereadersandactivewriters.thetransitionrelationassociatedwithrw (e-write)(aw>0) (n-wait) g ^(Wr0=Wr)^(Ww0=Ww+1)^ ((Wr0=Wr+1)_(Ww0=Ww+1))^ (Ar0=Ar)^(Aw0=Aw+1); hasaninnitenumberofstatesaswrandwwcanalwaysbeincreasedbyaction (n-wait). (Ar0=Ar)^(Aw0=Aw?1), (Ar0=Ar)^(Aw0=Aw)
relevantinformationis,whetherthenumberofactivereadersandwritersispositive 12 Wewanttoprovemutualexclusionbetweenreadersandwriters.Then,theonly ornot.therefore,wedeneanabstractionrelationmappingtheprogramvariablesontwobooleanvariablesb1andb2meaningrespectively\thereisnoactive reader"and\thereisnoactivewriter",by thevetransitionrelationsriofrwwehavetocomputetheabstracttransition Asisatotalfunction,RWisafaithfulabstractionofRWvia.Foreachoneof pression: ForthetransitionrelationR1(labeledby(b-read))oneobtainsthefollowingex- (Ri)=9X9X0:(X;Y)^(X0;Y0)^Ri(X;X0) ((Wr;Ww;Ar;Aw);(b1;b2)):=(b1(Ar=0))^(b2(Aw=0)). relation (R1)=9(Ar;Aw;Wr;Ww)9(Ar0;Aw0;Wr0;Ww0): transitionrelations: BydoingasimilarcomputationforallRiweobtainthefollowingfamilyofabstract RW=f(b-read)b2 (b1(ar=0))^(b2(aw=0))^(b01(ar0=0))^(b02(aw0=0))^ (Wr>0)^(Aw=0)^(Wr0=Wr?1)^ (Ww0=Ww)^(Ar0=Ar+1)^(Aw0=Aw) =b2^:b01^b02 (e-read):b1^(b02b2), (e-write):b2^(b01b1), (b-write)b1^b2^b01^:b02, (n-wait) ^:b01^b02, Nowwehavedenedanotionofabstractionandawaytocomputeabstractprograms.Animportantpointistoknowforwhichpropertieswecandeducefrom TheniteglobaltransitionrelationrepresentedbyRWisgivengraphicallyin Figure4.2. 5.Generalresultsonpropertypreservation (b01b1)^(b02b2)g thesatisfactionontheabstractsystemitssatisfactionontheconcretesystem.in allstatesofq2initsimagebysatisfypropertyf.wehavestrongpreservation iftheinverseholdsalso;thismeansintuitivelythatwheneverastateofq1does relatedviasomemonotonicfunction:2q1!2q2,thenthesatisfactionofsome statepropertyfispreservedfroms1tos2viaifforanystateofq1satisfyingf ordertoanswerthisquestion,weconsiderrstthegeneralproblemofproperty notsatisfyf,thenthereexistsastateinitsimagebywhichdoesnotsatisfyf. preservationbetweentwosystems.ifthepropertylatticesofthetwosystemsare
(b1;b2) 13 (b1;b2) e-write e-readb-write (b1;b2) b-reade-write e-read Figure1.Readers/Writersabstraction (b1;b2) b-read e-read expressedbyformulasofalogicallanguagef(p)wherep=fp1;p2;:::gisa setofpropositionalvariables.foragivensystems=(q;r)andaninterpretationfunctioni:p!2q,thesemanticsoff(p)isgivenbymeansofafunction that(;)isaconnection,becauseinsection6weapplythisnotionofpreservation Wegiveusefulcharacterizationsofthesedenitionsifthereexistsafunctionsuch jjs;i:f(p)!2q,associatingwitheachformulaitscharacteristicset,i.e.,theset ofstatessatisfyingit.thisfunctionissuchthat8p2p:jpjs;i=i(p). strongpreservationfrompreservationinbothdirections. tosystemsrelatedviah;i-simulation.wegivealsoatheoremallowingtodeduce omittedwhenevertheirvaluescanbedeterminedbythecontext. Tosimplifynotations,eitheroneorbothofthesubscriptsSandIinjfjS;Iwillbe Letusrstintroducesomenotations.Wesupposethatprogrampropertiesare anyq2, thatpreserves(respectivelystronglypreserves)fforionifandonlyiffor Letf2F(P)beaformula,S1=(Q1;R1)andS2=(Q2;R2)betwotransition If=Q1,weomittomentionthatthepreservationison. Denition8(Preservation) systems,q1,i:p!2q1aninterpretationfunctionand:2q1!2q2.wesay ofs1andpropertiesofs2.preservationmeansthatthefunctioniscompatible withthesatisfactionrelation.inthesequel,wherethefunctionunderconsiderationisalwaysmonotonic,andevensuchthatthereexistsafunction,such Inthisdenition,thefunctionestablishesacorrespondencebetweenproperties q2jfjs1;iimplies(respectivelyifandonlyif)(fqg)jfjs2;i. that(;)isaconnection,weusethefollowingcharacterizationsofthenotionof preservationinordertoestablishpreservationresults.
Letf2F(P)beaformula,S1=(Q1;R1)andS2=(Q2;R2)betwotransition 14 Lemma2(Characterizationofpreservation) systems,i:p!2q1beaninterpretationfunctionand:2q1!2q2. 1.ifismonotonicthen 2.ifthereexistssuchthat(;)isaGaloisconnection,then (A)preservesfforIifandonlyif (jfjs1;i)jfjs2;iimpliespreservesffori andifdistributesover[,theconversealsoholds. Theproofof(2A)isdirectfrom(1)andthelastitemofProposition3.(2B)can (jfjs1;i)=(sq2jfjs1;ifqg)=sq2jfjs1;i(fqg)whichestablishestheresult. Proof:Therstdirectionof(1)isimmediate:fromq2jfjS1;I,weobtainby monotonicityof,(fqg)(jfjs1;i)jfjs2;i.ifdistributesover[,then (B)stronglypreservesfforIifandonlyif jfjs1;i=(jfjs2;i) jfjs1;i(jfjs2;i) thatthereexistsfunctions,0suchthat(;)and(0;0)areconnectionsdoes tos2.noticethatthistheoremusesonlythemonotonicityofand0;thefact bededucedfromthefactthat((fqg)jfjs2;i))q2jfjs1;iisequivalentto Sf(q)jfjS2;IgfqgjfjS1;Iand notallowtoweakentheconditionsrequiredhere.therefore,weuseexactlythis theoreminordertoobtainthestrongpreservationresultsinthefollowingsection. ThefollowingtheoremgivesconditionsunderwhichpreservationbyfromS1to Sf(q)jfjS2;Igfqg=(jfjS2;I)byProposition5. Theorem1(Preservationandstrongpreservation) LetS1=(Q1;R1)andS2=(Q2;R2)betwotransitionsystems.Foranyset S2andpreservationby0fromS2toS1impliesstrongpreservationbyfromS1 that00=0andid0,ifpreservesffori:p!im(0)and0 Q1andforanymonotonicfunctions:2Q1!2Q2and0:2Q2!2Q1such (fqg)jfjs2;i.wehave, preservesfforithenstronglypreservesfforion. Proof:Inordertoshowstrongpreservationbysupposethat,forq2, I=0I0.Thus0I=00I0=0I0=Iwhichimpliesq2jfjS1;I. SinceI:P!Im(0),thereexistsaninterpretationfunctionI0:P!2Q2suchthat 0(fqg)0(jfjS2;I)(monotonicityof0), q20(jfjs2;i)(id0), q2jfjs1;0i(0preservesfforiandlemma2).
augmentedbypasttimemodalities,whichwedenotelp. simulationasdenedinsection3.theuniverseofpropertiesthatweconsideris thesetofpropertiesexpressibleinthepropositionalbranching-time-calculus[24] 6.Preservationofthe-calculus Nowwecantackletheproblemofpreservationbetweensystemsrelatedbyh;i- 15 suchasthebranching-timetemporallogicsctl[9]andctl[14]andalsothe forthefragmentsaugmentedbythecorrespondingpasttimemodalityholdalso. linear-timetemporallogicsasptl[36]andetl[42]. pstandsforlogicscontainingpasttimeoperators).weshowfortwosystemss1and S2that,ifS1vh;iS2,thenpreserves3LfromS1toS2andepreserves2L froms2tos1.ifmoreovers1h;is2holds,thenstrongerpreservationresults Thislogicsubsumesinexpressivenessthecommonlyusedspecicationlogics, i.e.,existenceofsimulationsinbothdirections. tionedabovepreservel(p) Weobtainstrongpreservationofthesefragmentsincaseofsimulationequivalence, Inthecasewherethetwosystemsareh;i-bisimilar,thetwofunctionsmen- Wedenefragmentsofthe-calculuscalledL,2L,2Lp,3L,and3Lp(where tion,wereformulatethevericationmethodsketchedintheintroductionandapply ittothesmallexampleintroducedinsection4.2. 6.1.Thepropositional-calculusanditsfragments andinthesecondsubsectionwegivethepreservationresults.inthethirdsubsec- Intherstsubsection,werecallthedenitionofthe-calculusanditsfragments and,undersomeconditions,theystronglypreserveit. Werecallthesyntaxandthesemanticsofthefutureandpastpropositional-calculus Asusually,thenotionoffreeoccurrencesofvariablesinaformulaisdenedasin formulasoflpisdenedbythefollowinggrammar: Lp.LetPbeasetofatomicpropositionsandXasetofvariables.Thesetofthe therst-orderpredicatecalculusbyconsideringtheoperatorasaquantier.a wherefissyntacticallymonotoniconx,i.e.,anyoccurrenceofxinfis f::=>jp2pjx2xj3fj3pfjf_fj:fjx:f andaninterpretationfunctionfortheatomicpropositionsi:p!2q.aformulaf inwhichthepastoperator3pisnotallowed. 
formulaisclosediftherearenovariablesoccurringfreeinit.listhefragment ThesemanticsoftheformulasisdenedforagiventransitionsystemS=(Q;R) underanevennumberofnegations. aclosedformulaisinterpretedasasetofstates.theinterpretationfunctionis withnfreevariablesisinterpretedasafunctionjfjs;i:(2q)n!2q.inparticular,
16 inductivelydenedasfollows,foravaluationv=(v1;:::;vn)2(2q)nofthevariablesoccurringfreeinit. j>js;i =Q, jpjs;i =I(P), jxjjs;i(v)=vj, jf1_f2js;i(v)=jf1js;i(v)[jf2js;i(v), j:fjs;i(v)=q?jfjs;i(v), j3fjs;i(v)=pre[r](jfjs;i(v)), j3pfjs;i(v)=post[r](jfjs;i(v)), jx:fjs;i(v)=tfq0q:jfjs;i[q0=x](v)q0g: WeextendLpbyaddingasusuallytheformulas?,f^g,f)g,X:f(X),2fand 2pfwhicharerespectivelyabbreviationsfor:>,:(:f_:g),:f_g,:X::f(:X), :3:fand:3p:f. Aformulaofthisextendedlanguageisinpositivenormalformifandonlyifall thenegationsoccurringinitareappliedtoatomicpropositions.itcanbeshown thatanyformulaoflphasanequivalentformulainpositivenormalform. WedenefragmentsofLpcalled2L,2Lp,3Land3Lp.Theirsetsofformulas aregivenrespectivelybythetwofollowinggrammarswherethepasttimemodalities 2pand3parenotallowedinthefuturefragments2L,respectively3L. g::=>j?jpj:pjxj2gj2pgjg_gjg^gjx:gjx:g h::=>j?jpj:pjxj3hj3phjh_hjh^hjx:hjx:h Noticethatpropertiesexpressedbyformulasof2L(p) involveonlyuniversalquanticationovercomputationsequences(duetotheuseofthe2(or2p)operator) whereasthoseexpressedbyformulasof3l(p) involveonlyexistentialquantication overcomputationsequences. Weconsiderthepositivefragments2L(p)+ and3l(p)+ obtainedfromtheabove languagesbyforbiddingtheuseofthenegationevenonatomicpropositions.we consideralsothefragmentsl(p)+ correspondingtothesubsetofl(p) formulasin positivenormalformwithoutnegations.wecantranslateanyformulaofl(p) which isinpositivenormalformintoanequivalentformulainl(p)+ byreplacingnegated atomicpropositions,i.e.,formulasintheform:p,bynewatomicpropositions. Thus,sinceanyformulaofL(p) hasanequivalentformulainpositivenormalform, wecanexpressinl(p)+ anypropertyexpressibleinl(p),modulothisencodingof theformulas:p.obviously,thesametranslationcanbedonefroml(p) tol(p)+ for2f2;3g. In2Lwecanexpressbranching-timepropertiesasforinstancethesafetypropertieswithrespecttothesimulationpreorder[3].Theclassoftheseproperties correspondstothefragmentof2lwithouttheleastxpointoperator.
pressiblebyanondeterministicbuchiautomaton[6],canbeexpressedin2l[4]. Forexample,thesafetyproperty[26],[29],[34]\alwaysP"canbeexpressedby theformulax:(p^2x).moreover,theguaranteeproperty(accordingto[34]) mulax:(p_2x).propertiesintheotherclassesinthehierarchygivenin[34] \eventuallypinanyinnitecomputationsequence"canbeexpressedbythefor- Furthermore,itcanbeshownthatany!-regularlinear-timeproperty,i.e.,ex- 17 areobtainedbyusingalternationsoftheandtheoperators.thepropertiesof 8CTL*canbeexpressedin2Lifwerestrictourselvestomodelswhosetransition relationistotalas8ctl*allowstoexpressgeneraleventuality.noticethatifthe isexpressedbytheformulax:(p_3true^2x),whichisneitherin2lnorin transitionrelationoftheconsideredmodelsisnotnecessarytotal,\eventuallyp" 3L. :P)X:(:init^2pX). rithmsforinvariantsandeventuallypropertieswhichinsomecasesconvergemuch faster.forexample,theformulainit)x:(p^2x)isequivalentto init.moreover,theymaybeusedinordertodenealternativecomputationalgo- propertieswhichcannotbeexpressedusingonlyfuturemodalities,e.g., X:(init_2pX)holdsexactlyinthesetofstatesreachablefromastatesatisfying Pasttimemodalitiescanbeusedfortwodierentaims:theyallowtoexpress Theformulasof3Larenegationsofformulasof2Landconversely. relatingtwopropertylattices,:2q1!2q2,preservesthemeaningoftheatomic First,wedenethenotionofconsistencywhichexpressesthatachosenfunction 6.2.Preservationresults propositionsdenedbyaninterpretationfunctionion2q1.isconsistentwith :2Q1!2Q2.Then,isconsistentwithIif i.e.,theimagesbyoftheinterpretationofpandof:parenoncontradictory. Lemma3saysthat inthecasethat(;)isaconnection consistencyof atomicpropositions. 
Denition9(Consistency) LetQ1andQ2betwosetsofstatesandI:P!2Q1aninterpretationandafunction withiexpressesthefactthatestronglypreservestheinterpretationofall IifforallatomicpropositionstheimagesofI(P)andI(P)byaredisjoint, aconnection,thenisconsistentwithiifandonlyif UnderthesameassumptionsasinDenition9,ifthereexistssuchthat(;)is Lemma3(Characterizationofconsistency) 8P2P:(I(P))\(I(P))=; 8P2P:((I(P)))=I(P)
Proof: A proof by contradiction can be obtained using Proposition 7.

Now, we give a theorem about preservation in the case that two given systems S1 and S2 are related by S1 ⊑⟨α,γ⟩ S2. The theorem says that α preserves formulas of ◇L from S1 to S2, α̃ preserves formulas of □L(p) from S2 to S1, and if even S1 ≃⟨α,γ⟩ S2 holds, then α as well as α̃ preserve the whole of L. Furthermore, if one replaces ⊑⟨α,γ⟩ by forward and backward simulation, written ⊑↔⟨α,γ⟩, one obtains analogous preservation results for the fragments augmented by the corresponding past modalities.

Theorem 2 (Preservation of □L(p), ◇L(p) and L(p))
Let S1 = (Q1,R1) and S2 = (Q2,R2) be two transition systems and I1: P → 2^Q1, I2: P → 2^Q2 two interpretation functions.
1. If S1 ⊑⟨α,γ⟩ S2 (respectively S1 ⊑↔⟨α,γ⟩ S2), then
  (A) α preserves the formulas of ◇L+ (respectively ◇Lp+) for I1, and if α is consistent with I1 then α preserves the formulas of ◇L (respectively ◇Lp) for I1.
  (B) α̃ preserves the formulas of □L+ (respectively □Lp+) for I2, and if α̃ is consistent with I2 then α̃ preserves □L (respectively □Lp) for I2.
2. If S1 ≃⟨α,γ⟩ S2 (respectively S1 ⊑↔⟨α,γ⟩ S2 and S2 ⊑↔⟨α̃,γ̃⟩ S1), then α preserves the formulas of L+ (respectively Lp+) for I1, and if α is consistent with I1 then α preserves the formulas of L (respectively Lp) for I1.

Proof: The proof that α preserves L+ if S1 ≃⟨α,γ⟩ S2 consists, due to Lemma 2, in showing that for any formula f ∈ L+ and for any valuation V we have
  α(|f|_{S1,I1}(V)) ⊆ |f|_{S2,I1}(α(V)).
The proof is done by induction on the structure of f, and for all operators (including fixpoint operators) except ◇ and □ we need only the monotonicity of α in order to establish this fact. For ◇ we need the fact that S1 ⊑⟨α,γ⟩ S2 and for □ we need the fact that S2 ⊑⟨α̃,γ̃⟩ S1. This proof is given in Appendix A.2.
The proof of preservation of Lp+ under the condition that S1 ⊑↔⟨α,γ⟩ S2 is obtained by Lemma 1, saying that forward and backward simulation implies S1 ⊑⟨α,γ⟩ S2 and S1⁻¹ ⊑⟨α,γ⟩ S2⁻¹ (where Si⁻¹ = (Qi, Ri⁻¹)), and the observation that post[R] = pre[R⁻¹].
Finally, if α is consistent with I1, it is straightforward to deduce that α(|¬P|_{S1,I1}) ⊆ |¬P|_{S2,I1}.
Notice that we also have preservation of Lp+ by α̃ by exchanging the roles of α and α̃ and of S1 and S2 and then using symmetrical arguments. Now, the proofs of (1A) and (1B) are obvious from the fact that for the preservation of ◇L(p)+ by α we need only the condition that S1 ⊑⟨α,γ⟩ S2 (respectively S1 ⊑↔⟨α,γ⟩ S2), and for the preservation of □L(p)+ by α̃ the condition that S1 ⊑⟨α̃,γ̃⟩ S2 (respectively S1 ⊑↔⟨α̃,γ̃⟩ S2), which is equivalent to S1 ⊑⟨α,γ⟩ S2 (respectively S1 ⊑↔⟨α,γ⟩ S2).

It is known that in order to have strong preservation of L one needs the existence of a bisimulation between the transition systems S1 and S2 (Theorem 4 gives the exact conditions). By using Theorem 1, one obtains from Theorem 2 strong preservation of fragments of L under the weaker condition that is the existence of a mutual simulation between S1 and S2 and the additional conditions required in Theorem 1:

Theorem 3 (Strong preservation of □L(p) and ◇L(p))
Let S1 = (Q1,R1) and S2 = (Q2,R2) be two transition systems. If S1 ⊑⟨α,γ⟩ S2 and S2 ⊑⟨α',γ'⟩ S1 (respectively S1 ⊑↔⟨α,γ⟩ S2 and S2 ⊑↔⟨α',γ'⟩ S1) for α, α' such that α'∘α∘α' = α', then
1. If Id_Ω ⊆ α'∘α for some Ω ⊆ Q1, then α strongly preserves ◇L+ (respectively ◇Lp+) on Ω for any interpretation I: P → 2^Ω. Furthermore, if α is consistent with I, then α strongly preserves ◇L (respectively ◇Lp) for I on Ω.
2. If Id_Ω ⊆ α̃'∘α̃ for some Ω ⊆ Q2, then α̃ strongly preserves □L+ (respectively □Lp+) on Ω for any interpretation I: P → 2^Ω. Furthermore, if α̃ is consistent with I, then α̃ strongly preserves □L (respectively □Lp) for I on Ω.
Proof: (1) is a direct application of Theorem 1 using Theorem 2. (2) is obtained in the same way by using Proposition 8, which guarantees α̃'∘α̃∘α̃' = α̃'.

Theorem 4 (Strong preservation of L(p))
Let S1 = (Q1,R1) and S2 = (Q2,R2) be two transition systems. If S1 ≃⟨α,γ⟩ S2 (respectively S1 ⊑↔⟨α,γ⟩ S2 and S2 ⊑↔⟨α̃,γ̃⟩ S1) and α̃∘α∘α̃ = α̃, then
1. α strongly preserves L (respectively Lp) on Im(α̃) for any interpretation I1: P → 2^Im(α̃), and
2. α̃ strongly preserves L (respectively Lp) on Im(α) for any interpretation I1: P → 2^Im(α).
Proof: As for the preceding theorem, the proof of strong preservation by α is obtained directly from Theorems 1 and 2 by replacing α' by α̃ and using the fact that Id_Im(α̃) ⊆ α̃∘α (Proposition 8) and the fact that α is consistent with any I1: P → 2^Im(α̃), by the same arguments as in the proof of Theorem 1. The proof for α̃ is symmetrical.
6.3. Application

Theorem 2 provides the basis for our verification method by using abstraction. Given a program S = (Q,R), a set P of atomic propositions occurring in a formula f ∈ □Lp and an interpretation function I: P → 2^Q, one can proceed as follows in order to verify that S satisfies f, i.e., |f|_{S,I} = Q:

(1) Give an abstraction relation ρ ⊆ Q × QA which is total on Q and the corresponding abstraction function α = post[ρ].

(2) Compute the abstract system S^ρ and verify whether the characteristic set of f on S^ρ, obtained using the interpretation function α∘I, is contained in the image α̃(Q) of the concrete states; that means we have to verify that α̃(|f|_{S^ρ,α∘I}) = Q. Notice that a sufficient condition for this is that |f|_{S^ρ,α∘I} = QA, expressing that f holds on S^ρ.

If the answer in (2) is positive and no atomic proposition occurs negated in f, then using Theorem 2.(1B) we obtain

(3) S satisfies f with the interpretation function α̃∘α∘I, i.e., |f|_{S,α̃∘α∘I} = Q. If furthermore I(P) = (α̃∘α∘I)(P) for any P ∈ P that occurs in f, then S satisfies f under the interpretation I, i.e., |f|_{S,I} = Q.

This means (by Lemma 3) that in order to apply the verification method one needs the consistency of α with I for all atomic propositions occurring non-negated in f. For propositions P ∈ P occurring only negated in f, computing |f|_{S^ρ,α∘I} amounts to evaluating f on S with the interpretation α̃(QA \ α(I(P))) of ¬P; as α̃(QA \ α(I(P))) ⊆ Q \ I(P) always holds and as all operators in f represent monotonic functions (in f negation can only be applied to atomic propositions), we deduce that this amounts to evaluating a stronger property than f; therefore, the method can be applied even if the consistency requirement is not fulfilled for atomic propositions occurring only negated in f.

If the answer in (2) is negative, i.e., α̃(|f|_{S^ρ,α∘I}) = Q' ⊂ Q, we can try to find a counter-example showing that one of the states in Q \ Q' does not satisfy f, or we have to try with a more precise set of abstract states and a corresponding connection. Obviously, instead of the abstract system S^ρ we can use any system SA such that S ⊑⟨α,γ⟩ SA (respectively S ⊑↔⟨α,γ⟩ SA if f contains past time modalities).

A similar method is applied in [10]. The notion of homomorphism considered there corresponds to ⟨α,γ⟩-simulation induced by relations which are total functions from Q to QA such that α and α̃ are respectively consistent with the interpretation functions I and IA of the atomic propositions. In that case, it is shown that the logic ∀CTL* is preserved from S2 to S1 under the condition that only infinite computation sequences are considered. This result is generalized by Theorem 2, since under this condition □L(p) is more expressive than ∀CTL*. Furthermore, the notion of exact homomorphism considered there corresponds to bisimulations induced by relations which are total functions from Q to QA such that α and α̃ are respectively consistent with the interpretation functions I and IA. If S1 and S2 are related by an exact homomorphism, the logic CTL* is strongly preserved. This result is generalized by Theorem 4 (notice that this theorem can be applied because, if ρ is a total function, we have ρ = ρ∘ρ⁻¹∘ρ). It should also be noticed that it is not important to choose a framework in which eventuality properties are preserved, as, even if they are preserved, they do in general not hold on abstract systems such as S^ρ or the abstract systems proposed in [10].

At this point, we can also discuss the choice of our notion of abstraction (SA is a ρ-abstraction of S if and only if S ⊑_ρ SA, i.e., post[ρ]∘pre[R]∘f̃pre[ρ] ⊆ pre[RA], or equivalently pre[R]∘f̃pre[ρ] ⊆ pre[ρ]∘pre[RA]). Using this definition we obtain preservation of the formulas of □L from the abstract system SA to the concrete system S. As almost all properties we are interested in are in □L, this is a good notion of abstraction. But, as already mentioned, we can also define other notions of simulation, where the function representing a transition system is chosen to be f̃pre[R], post[R] or p̃ost[R]. Taking the first choice, we obtain preservation of the formulas of ◇L from SA to S. Notice that, if in Definition 4 we replace the functions pre by f̃pre, then S2 is a ⟨α,γ⟩-abstraction of the system S1 under study if and only if S2 ⟨α̃,γ̃⟩-simulates S1. That means that properties expressible in □L can be verified by approximating a system by simulation from above, and properties expressible in ◇L by approximating it from below; and similarly as in [12], one may use such a pair of approximations in order to evaluate any property of L.

The choice to represent the transition relations R by the function post[R] results in a notion of abstraction preserving only past modalities; however, as we have seen, this is not very interesting, as by replacing ⊑ by ⊑↔ (which is not really a constraint in practice) one obtains preservation of both future and past modalities.

However, the reachability properties, which are the interesting properties in the fragment ◇L, do in general not hold on abstract systems defined in a similar way as S^ρ, by grouping sets of states into a single abstract state and allowing only those abstract transitions corresponding to a transition of every corresponding concrete state. In order to obtain abstract systems allowing to verify reachability properties, we must replace the transition relation R by some transitive closure of it, such as Rτ*·R¬τ, where Rτ is the subset of transitions representing "stuttering" or "non-observable" steps, * denotes the transitive closure and R¬τ is the set of "observable" or "non-stuttering" steps.
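The three steps of the method above, carried out on a small readers/writers system, as an added example that is not part of the original paper and not the authors' BDD-based tool: the state space, the guards of the protocol and the bound MAX on the counters are constructed here (assumptions), while the abstraction relation ρ maps (ar, aw) to (b1, b2) = (ar = 0, aw = 0) as in the readers/writers example of Section 4.2. The block computes α = post[ρ] and γ = pre[ρ] by enumeration, checks pre[ρ](post[ρ](P)) = P for the four atomic predicates (the consistency condition required for non-negated atomic propositions), builds S^ρ with the relation ρ⁻¹∘R∘ρ, and evaluates the abstract formula (b1 ∧ b2) ⇒ νX.((b1 ∨ b2) ∧ □X) by greatest-fixpoint iteration, with f̃pre[R] as the semantics of □.

```python
"""Added worked example (not the paper's own tool): the verification method of Section 6.3
applied to a small readers/writers system, with the abstraction relation rho mapping
(ar, aw) to (b1, b2) = (ar = 0, aw = 0).  Assumptions not taken from the paper: the
counters are bounded by MAX and the protocol guards below are our own model."""
from itertools import product

MAX = 2                                           # constructed bound on the counters
Q = frozenset(product(range(MAX + 1), repeat=2))  # concrete states (ar, aw)
QA = frozenset(product((False, True), repeat=2))  # abstract states (b1, b2)


def R(s):
    """Concrete successors of (ar, aw): a reader or a writer enters or leaves."""
    ar, aw = s
    succ = set()
    if aw == 0 and ar < MAX:
        succ.add((ar + 1, aw))                    # reader enters: no active writer
    if ar > 0:
        succ.add((ar - 1, aw))                    # reader leaves
    if ar == 0 and aw == 0:
        succ.add((ar, aw + 1))                    # writer enters: nobody active
    if aw > 0:
        succ.add((ar, aw - 1))                    # writer leaves
    return succ


def rho(s, a):
    """Abstraction relation rho, a subset of Q x QA, total on Q (here even a function)."""
    ar, aw = s
    return a == (ar == 0, aw == 0)


def post_rho(P):
    """alpha = post[rho]: image of a set of concrete states."""
    return frozenset(a for a in QA if any(rho(s, a) for s in P))


def pre_rho(PA):
    """gamma = pre[rho]: concrete states with some abstract image in PA."""
    return frozenset(s for s in Q if any(rho(s, a) for a in PA))


def consistent(P):
    """The check of Lemma 3 as used in the example: pre[rho](post[rho](P)) = P."""
    return pre_rho(post_rho(P)) == P


def abstract_succ(a):
    """Successors in S^rho, whose transition relation is rho^-1 . R . rho."""
    return {b for s in pre_rho({a}) for t in R(s) for b in QA if rho(t, b)}


def fpre(succ, X, states):
    """Weakest precondition fpre[R](X): states all of whose successors lie in X (box X)."""
    return frozenset(s for s in states if succ(s) <= X)


def gfp_always(succ, P, states):
    """nu X.(P and box X): greatest fixpoint, iterated downwards from the full state set."""
    X = frozenset(states)
    while True:
        nxt = P & fpre(succ, X, states)
        if nxt == X:
            return X
        X = nxt


def holds(succ, states, init, inv):
    """Evaluate init => nu X.(inv and box X) and report whether it holds on every state."""
    return (states - init) | gfp_always(succ, inv, states) == states


def mutex_holds_abstract():
    """Step (2): f_A = (b1 and b2) => nu X.((b1 or b2) and box X) evaluated on S^rho."""
    init_a = frozenset(a for a in QA if a[0] and a[1])
    inv_a = frozenset(a for a in QA if a[0] or a[1])
    return holds(abstract_succ, QA, init_a, inv_a)


def mutex_holds_concrete():
    """The same property evaluated directly on S, for comparison with the abstract result."""
    init = frozenset({(0, 0)})
    inv = frozenset(s for s in Q if s[0] == 0 or s[1] == 0)
    return holds(R, Q, init, inv)


def predicates_consistent():
    """Side condition of step (3): the four atomic predicates of f are preserved by rho."""
    ar0 = frozenset(s for s in Q if s[0] == 0)
    aw0 = frozenset(s for s in Q if s[1] == 0)
    return all(consistent(P) for P in (ar0, Q - ar0, aw0, Q - aw0))


if __name__ == "__main__":
    print("predicates consistent:", predicates_consistent())
    print("mutual exclusion on S^rho:", mutex_holds_abstract())
    print("mutual exclusion on S:", mutex_holds_concrete())
```

Running the block prints three True values: the abstract check succeeds, so by Theorem 2.(1B) mutual exclusion holds on the concrete program, which the direct evaluation confirms. Passing a predicate such as (ar = 1) to consistent() returns False: that predicate is not expressible in this abstract domain, and verifying a formula mentioning it non-negated would need a finer ρ.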
Reader/writer example continued

We apply the above verification method to the readers-writers program for which an abstraction has been calculated in Section 4.2. Mutual exclusion between the readers and the writers can be expressed by the following formula:
  f = (ar = 0 ∧ aw = 0) ⇒ νX.((ar = 0 ∨ aw = 0) ∧ □X).
Notice that instead of propositional variables and an explicit interpretation function translating them into predicates on concrete program variables, we use these predicates on program variables directly in the formulas, which simplifies a bit the presentation in such a small example.

This formula states that starting from a state with no active readers and writers, mutual exclusion holds in any subsequent state.

We have to show that ρ preserves the four basic predicates occurring in the formula, namely (ar = 0), ¬(ar = 0), (aw = 0) and ¬(aw = 0), i.e.,
  pre[ρ](post[ρ](P)) = P
for each one of these predicates. This can be easily verified, e.g. for (ar = 0) we have post[ρ](ar = 0) = b1 and pre[ρ](b1) = (ar = 0).

In order to verify f on S^ρ, we have to translate the atomic predicates by post[ρ], resulting in the formula
  fA = (b1 ∧ b2) ⇒ νX.((b1 ∨ b2) ∧ □X).
By using classical symbolic model checking for CTL (see e.g. [38]), we obtain |fA|_{S^ρ} = true. By Theorem 2, mutual exclusion holds on the concrete program. The recent developments of BDDs [5] and of tools manipulating them allow to do this evaluation efficiently if the abstract domain is finite.

7. Compositionality of simulation with respect to parallel composition

In the previous sections we gave a method reducing the verification of a property of some program represented as a transition system S = (Q,R) to the verification of the same property on some abstraction S^ρ = (Q^ρ, R^ρ). When dealing with complex programs obtained as the parallel composition of simpler programs, the application of this method requires the computation of the corresponding global transition relation, from which an abstraction can be computed. The question then arises whether it is possible to compute abstractions of complex programs as the parallel composition of abstractions of their components, in order to avoid building the transition relation associated with the complex program. This is guaranteed if the compositionality property
  (S1 ⊑_{ρ1} S1') and (S2 ⊑_{ρ2} S2')  ⟹  (S1 || S2) ⊑_{f(||,ρ1,ρ2)} (S1' || S2')
holds, where || is a parallel composition operator and f(||,ρ1,ρ2) an abstraction relation depending on ||, ρ1 and ρ2.

There exist already many compositionality results for simulation relations with respect to parallel composition. Most of them concern synchronous composition or the particular case where the domains of the composed processes are disjoint. Notice that an important difference with these results is that our simulations are parameterized by arbitrary relations and the relation used to obtain the abstraction of the composed system is computed from the abstraction relations applied to its components. In this section we present compositionality results for ρ-simulation for three different parallel composition operators, by taking f(||,ρ1,ρ2) = ρ1 ∩ ρ2.

Another problem studied in this section is the relationship between the abstraction of the complex program and the abstraction resulting from the parallel composition of the abstractions of the components. These results allow to compare the two approaches concerning the quality of the obtained abstractions.

As in Section 4.2 we consider transition systems S described by families of transition relations represented by sets of binary predicates on a set of variables X, i.e., S = {Ri(X,X')}_{i∈I}, where the elements of I are considered as labels used for synchronization purposes in parallel composition. We use this representation of labeled transition systems as it allows us to define parallel composition of programs sharing variables.

7.1. Definition of parallel composition

We consider three types of parallel composition: synchronous (⊗), asynchronous (|||) and mixed (|[ ]|). Mixed parallel composition is the most general one, and the others can be considered as particular cases of it.

Definition 10 (Parallel composition)
Let Si = {Rij(Xi,Xi') | j ∈ Ii}, i ∈ {1,2}, and A ⊆ I1 × I2 be a synchronization set (indicating which relations must synchronize). Furthermore, take A1 = {i | ∃j. (i,j) ∈ A} and A2 = {j | ∃i. (i,j) ∈ A} (the Ai are the projections of A on I1, respectively I2). We define the operators |||, ⊗_A, |[A]| as follows:
  mixed composition |[A]|:
    S1 |[A]| S2 = {R1i ∧ R2j | (i,j) ∈ A} ∪ {R1i ∧ stable_{X2−X1} | i ∉ A1} ∪ {R2j ∧ stable_{X1−X2} | j ∉ A2}
  synchronous composition ⊗_A:
    S1 ⊗_A S2 = {R1i ∧ R2j | (i,j) ∈ A}
  asynchronous composition |||:
    S1 ||| S2 = {R1i ∧ stable_{X2−X1} | i ∈ I1} ∪ {R2j ∧ stable_{X1−X2} | j ∈ I2}
where for any set of variables X = {x1,...,xn}, stable_X is the predicate (x1' = x1) ∧ ... ∧ (xn' = xn).

Comments:
- The mixed composition operator forces synchronization of pairs of transition relations belonging to A. R1 |[A]| R2 can perform either moves resulting from the synchronous execution of transitions in some R1i and R2j such that (i,j) ∈ A, or moves performed by one component while the other remains idle. The latter correspond to moves of either some R1i for i ∉ A1 or of some R2j for j ∉ A2. This operator allows to express the operators of CSP [19] or LOTOS [20] by simulating message communication by communication through common variables.
- Synchronous composition is a special case of mixed composition where only the execution of synchronous transitions is possible. In the case where A = I1 × I2, this operator is the same as ∧, and this is the program composition operator used in TLA [27]. It can also be used to describe the parallel composition operators of SCCS [33], of S/R models [23] and the one used in [15].
- Asynchronous composition is the special case of mixed composition where A = ∅. That means that all moves are moves of either some R1i where i ∈ I1 or of some R2j where j ∈ I2. This operator is exactly the "union operator" of Unity [11].

Lemma 4 Let Si = {Rij(Xi,Xi') | j ∈ Ii}, i ∈ {1,2}, and A ⊆ I1 × I2 be a synchronization set as before. Then:
- S1 ||| S2 = S1 |[∅]| S2.
- If A is such that I1 \ A1 = I2 \ A2 = ∅, then S1 ⊗_A S2 = S1 |[A]| S2.
- If A = I1 × I2, then R1 ⊗_A R2 = R1 ∧ R2.
- S1 |[A]| S2 = {R1i ⊗_{(i,j)} R2j}_{(i,j)∈A} ||| {R1i ∧ stable_{X2−X1}}_{i∉A1} ||| {R2j ∧ stable_{X1−X2}}_{j∉A2}.
- S1 = |||_{i∈I} {R1i}, where |||_{i∈I} is the obvious n-ary extension of |||.
The last item comes from the fact that all the R1i are defined on the same set of variables.

The mixed composition operator is the most general one, as it allows to express the others. We prefer however to consider the three operators because each one gives rise to specific results.

7.2. Compositionality results

Now, we give for all operators of Definition 10 conditions on the abstraction relations ρi under which the rule
  (Comp)  (S1 ⊑_{ρ1} S1') and (S2 ⊑_{ρ2} S2')  ⟹  S1 || S2 ⊑_{ρ1∧ρ2} S1' || S2'
holds. Furthermore, we are interested in applying this rule in the particular case where Si' = Si^{ρi} (defined as in Section 4.1). In that case an interesting question is whether the abstractions R1^{ρ1} || R2^{ρ2} and (R1 || R2)^{ρ1∧ρ2} are comparable, in order to know which way of computing abstractions gives better approximations: direct computation from the compound system or computation by composition of abstractions of the components. Intuitively one would think that
  (R1 || R2)^{ρ1∧ρ2} ⇒ R1^{ρ1} || R2^{ρ2}
holds always. However, the second items of the following theorems show that this is only true without restrictions for synchronous parallel composition. Notice also that, if this implication holds, then so does the rule obtained by replacing in (Comp) the simulation preorder ⊑ by forward and backward simulation. In fact, in order to obtain this modified rule, slightly weaker conditions than those required for the second item of the following theorems are necessary, but as even the stronger ones are almost always satisfied in practice, we refer the interested reader to [28] for more details.

The third items of the following theorems show that in order to obtain the inverse implication
  R1^{ρ1} || R2^{ρ2} ⇒ (R1 || R2)^{ρ1∧ρ2}
relatively strong conditions are necessary for synchronous composition, whereas for asynchronous composition the conditions are relatively easy to fulfil.
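The two ways of computing an abstraction compared above, as an added example that is not part of the original paper: it implements the operators ⊗_A, ||| and |[A]| of Definition 10 on explicit finite systems, the abstraction R^ρ = ρ⁻¹∘R∘ρ of each labelled relation, and the comparison between R1^{ρ1} || R2^{ρ2} (abstract, then compose) and (R1 || R2)^{ρ1∧ρ2} (compose, then abstract). The two toggling components, their abstract variables xa and ya, and the relations rho_exact (a function) and rho_blur (total and onto, but not a function) are constructed here; they share no variables, so the hypotheses on the common parts ρic hold trivially and only the conditions on the local relations ρil matter.

```python
"""Added example (not the paper's tool): the composition operators of Definition 10 on
explicit finite systems, and the two abstractions compared in Section 7.2, namely
R1^rho1 || R2^rho2 (abstract the components, then compose) and (R1 || R2)^(rho1 and rho2)
(compose, then abstract).  A state is a valuation (frozenset of (name, value) pairs) and a
labelled relation is a predicate on a pair of valuations.  The systems and abstraction
relations at the end are constructed for this example and are not taken from the paper."""
from itertools import product


def states(domains):
    """All valuations of the variables in `domains` (name -> tuple of values)."""
    names = sorted(domains)
    return [frozenset(zip(names, vals)) for vals in product(*(domains[n] for n in names))]


def val(s, name):
    return dict(s)[name]


def proj(s, names):
    """Restrict a valuation to the variables in `names`."""
    return frozenset((k, v) for k, v in s if k in names)


def stable(s, t, names):
    """stable_X of Definition 10: the variables in `names` keep their value from s to t."""
    return all((k, v) in t for k, v in s if k in names)


def compose(sys1, sys2, mode, A=frozenset()):
    """S1 (x)_A S2 ('sync'), S1 ||| S2 ('async') or S1 |[A]| S2 ('mixed') as in Definition 10.
    A system is (variables, {label: predicate(s, t)}); the result ranges over X1 u X2."""
    X1, R1 = sys1
    X2, R2 = sys2
    A1, A2 = {i for i, _ in A}, {j for _, j in A}
    out = {}
    if mode in ("sync", "mixed"):
        for i, j in A:                         # R1i and R2j fire together
            out[(i, j)] = (lambda i, j: lambda s, t:
                           R1[i](proj(s, X1), proj(t, X1)) and R2[j](proj(s, X2), proj(t, X2)))(i, j)
    if mode in ("async", "mixed"):
        solo = set(R1) if mode == "async" else set(R1) - A1
        for i in solo:                         # R1i alone, S2's own variables stable
            out[("1", i)] = (lambda i: lambda s, t:
                             R1[i](proj(s, X1), proj(t, X1)) and stable(s, t, X2 - X1))(i)
        solo = set(R2) if mode == "async" else set(R2) - A2
        for j in solo:                         # R2j alone, S1's own variables stable
            out[("2", j)] = (lambda j: lambda s, t:
                             R2[j](proj(s, X2), proj(t, X2)) and stable(s, t, X1 - X2))(j)
    return X1 | X2, out


def edges(domains, rels):
    """The union of the labelled relations as an explicit set of (s, t) pairs."""
    S = states(domains)
    return {(s, t) for s in S for t in S if any(r(s, t) for r in rels.values())}


def abstract(system, domains, adomains, rho):
    """S^rho with R_i^rho = rho^-1 . R_i . rho for every label: (a, b) is an abstract step
    iff some concrete s related to a by rho steps to some t related to b."""
    S, SA = states(domains), states(adomains)
    conc = {a: [s for s in S if rho(s, a)] for a in SA}
    arels = {}
    for lab, r in system[1].items():
        pairs = {(a, b) for a in SA for b in SA
                 if any(r(s, t) for s in conc[a] for t in conc[b])}
        arels[lab] = (lambda P: lambda s, t: (s, t) in P)(pairs)
    return frozenset(adomains), arels


# Constructed components: x and y each toggle between 0 and 1; there are no common variables.
D1, D2 = {"x": (0, 1)}, {"y": (0, 1)}
DA1, DA2 = {"xa": (0, 1)}, {"ya": (0, 1)}
S1 = (frozenset(D1), {"a": lambda s, t: val(t, "x") == 1 - val(s, "x")})
S2 = (frozenset(D2), {"b": lambda s, t: val(t, "y") == 1 - val(s, "y")})


def rho_exact(cv, av):
    """rho_il as a function: the abstract variable copies the concrete one."""
    return lambda s, a: val(a, av) == val(s, cv)


def rho_blur(cv, av):
    """rho_il total and onto but not a function: 1 maps to {1}, 0 maps to {0, 1}."""
    return lambda s, a: val(a, av) == val(s, cv) or (val(s, cv) == 0 and val(a, av) == 1)


def abstractions(mode, rho1, rho2, A=frozenset()):
    """Return (R1^rho1 || R2^rho2, (R1 || R2)^(rho1 and rho2)) as explicit edge sets."""
    D, DA = {**D1, **D2}, {**DA1, **DA2}
    compositional = edges(DA, compose(abstract(S1, D1, DA1, rho1),
                                      abstract(S2, D2, DA2, rho2), mode, A)[1])
    direct = edges(DA, abstract(compose(S1, S2, mode, A), D, DA,
                                lambda s, a: rho1(s, a) and rho2(s, a))[1])
    return compositional, direct


if __name__ == "__main__":
    comp, direct = abstractions("async", rho_blur("x", "xa"), rho_blur("y", "ya"))
    print("compositional <= direct:", comp <= direct)   # guaranteed: rho_il is onto
    print("direct <= compositional:", direct <= comp)   # fails: rho_il is not a function
```

With rho_blur and asynchronous composition the compositional abstraction is strictly contained in the direct one: the abstract step (xa=0, ya=0) → (xa=1, ya=1) arises from the concrete move (x=0, y=0) → (x=1, y=0), because y=0 is related to both ya=0 and ya=1, but no move of the composed abstract components changes xa and ya at once. So the intuitive implication (R1 ||| R2)^{ρ1∧ρ2} ⇒ R1^{ρ1} ||| R2^{ρ2} fails without the condition that the ρil are functions, while the converse holds since the ρil are onto. With rho_exact both sets coincide, and for synchronous composition of these two components the two abstractions agree with either relation.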
Assumption 1 Throughout the rest of the section we consider a set of variables X of the form X1 ∪ X2, where X1 and X2 are not necessarily disjoint, two transition systems Si = {Rij(Xi,Xi') | j ∈ Ii}, i ∈ {1,2}, and XA = X1A ∪ X2A a set of abstract variables. We denote also Xc = X1 ∩ X2, the set of common variables, Xil = Xi − Xc the local variables of Si, and analogously XcA = X1A ∩ X2A, the set of common abstract variables, and XilA = XiA − XcA the local abstract variables of Si.

We consider also two relations relating the concrete and the abstract domains, ρi(Xi, XiA), which are total on Xi and such that ρ1 ∧ ρ2 is total on X. In order to simplify the expression of the results, and because it does not restrict generality, we suppose in the sequel that the relations ρi can be put into the form ρi = ρil(Xi, XilA) ∧ ρic(Xi, XcA), i.e., the abstract local and common variables do not depend on each other. This implies that the totality of ρ1 ∧ ρ2 is equivalent to the totality of ρ1l, ρ2l and ρ1c ∧ ρ2c.

Theorem 5 (compositionality with respect to ⊗)
Under the hypotheses of Assumption 1, one has:
1. If ρic: Xc → XcA are functions for i ∈ {1,2}, then
     Si ⊑_{ρi} Si', i = 1,2  ⟹  S1 ⊗_A S2 ⊑_{ρ1∧ρ2} S1' ⊗_A S2'.
2. (R1 ⊗_A R2)^{ρ1∧ρ2} ⇒ R1^{ρ1} ⊗_A R2^{ρ2}.
3. If ρic: XcA → Xc are functions for i ∈ {1,2}, then R1^{ρ1} ⊗_A R2^{ρ2} = (R1 ⊗_A R2)^{ρ1∧ρ2}.
Proof: The proof is rather technical, except that of (2), which uses only monotonicity arguments, and is deferred to Appendix A.3.

Theorem 6 (compositionality with respect to |||)
Under the hypotheses of Assumption 1, and if furthermore ρil = ρil(Xil, XilA), we get:
1. If ρic = ρc(Xc, XcA), then
     Si ⊑_{ρi} Si', i = 1,2  ⟹  S1 ||| S2 ⊑_{ρ1∧ρ2} S1' ||| S2'.
2. If ρil: Xil → XilA are functions for i ∈ {1,2}, then (R1 ||| R2)^{ρ1∧ρ2} ⇒ R1^{ρ1} ||| R2^{ρ2}.
3. If ρic = ρc(Xc, XcA) and the ρil are onto (∀XilA ∃Xil. ρil(Xil, XilA)), then R1^{ρ1} ||| R2^{ρ2} ⇒ (R1 ||| R2)^{ρ1∧ρ2}.
Proof: The complete proof is given in Appendix A.3.

Theorem 7 (compositionality with respect to |[ ]|)
Under the same hypotheses as in Theorem 6, we get:
1. If ρic: Xc → XcA are functions for i ∈ {1,2}, then
     Si ⊑_{ρi} Si', i = 1,2  ⟹  S1 |[A]| S2 ⊑_{ρ1∧ρ2} S1' |[A]| S2'.
2. If ρil: Xil → XilA are functions for i ∈ {1,2}, then (R1 |[A]| R2)^{ρ1∧ρ2} ⇒ R1^{ρ1} |[A]| R2^{ρ2}.
3. If ρic: XcA → Xc are functions for i ∈ {1,2} and the ρil are onto, then R1^{ρ1} |[A]| R2^{ρ2} ⇒ (R1 |[A]| R2)^{ρ1∧ρ2}.
Proof: The fact that R1 |[A]| R2 can be expressed by using only ⊗ and ||| as given in Lemma 4, and that the conditions of both of the preceding theorems are satisfied in each of the corresponding points, is enough to prove the theorem.

8. Conclusion

The paper studies property preserving transformations for reactive systems. A key idea is the use of ⟨α,γ⟩-simulation, which is the same as the standard simulation (parameterized by a relation) often used to define implementations. Furthermore, ⟨α,γ⟩-simulations induce abstract interpretations, and this allows to apply an existing powerful theory for program analysis.

The results presented can be adapted so as to be applied to preorders and equivalences that are defined in terms of simulations or bisimulations with silent actions. For instance, one can define a ⟨α,γ⟩-observational equivalence by considering as models labeled transition systems with silent actions and using the well-known fact that observational equivalence is strong bisimulation equivalence on a modified transition relation.

An important issue is the application of the results to the verification of non-trivial systems. For this, a key problem is the choice of appropriate abstraction relations depending on the properties to be verified. In general, this task requires a deep knowledge of the concrete program to be verified and cannot be automated. However, the predicates occurring in the formula and the requirements for the preservation of these predicates help finding the minimal necessary abstract domain. Also the results of Section 7 are helpful for the user of the method, as appropriate abstractions for components are easier to find than an abstraction for the compound system.
In the case that both the concrete and the abstract domains are finite, once an abstraction relation is given, the rest of the method can be mechanized: computation of the abstraction, verification of the formula and checking preservation of the predicates. We have implemented a symbolic verification tool supporting this method for finite state programs encoded as BDDs [17], [28]: programs are parallel compositions of components which are predicates on boolean variables (just as the program used in the example in Section 4.2). An abstract program may be obtained by composing and abstracting the components in any order, using abstraction relations ρi given by predicates on abstract and concrete variables. Internally all predicates are represented by BDDs. A symbolic model checker allows the verification of properties. Using this tool, we have verified a protocol described in [13]. For this protocol, the use of the compositionality results of Section 7 was essential in order to be able to compute an appropriate abstract system.

In [18], we applied the same verification method to an infinite state system, a distributed cache memory [13] which is known to be difficult to verify. For this example, the abstract program could not be obtained fully automatically. It has been computed from the concrete program by replacing every concrete basic operation (operations on integers, memories and buffers) by a corresponding abstract operation on very reduced abstract domains. This example shows that our results can be applied for the computation of abstractions of infinite state systems. However, the computation of finite abstractions of infinite state systems deserves further study.

Appendix A

A.1. Proof of Proposition 11

We want to show that if S = (Q,R) is a transition system and ρ ⊆ Q × QA is total on Q and such that ρ = ρ∘ρ⁻¹∘ρ, then S^ρ is a faithful abstraction of S via ρ. More precisely, we want to show that for any SA = (QA,RA) such that S ⊑_ρ SA and RA ⊆ R^ρ, SA and S^ρ are ρ⁻¹∘ρ-bisimilar.

First, let us show that S^ρ ⊑_{ρ⁻¹∘ρ} SA, that is,
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ pre[RA].  (*)
By definition, we have pre[R^ρ] = post[ρ] ∘ pre[R] ∘ pre[ρ]. Thus, by substitution,
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] = post[ρ⁻¹∘ρ] ∘ post[ρ] ∘ pre[R] ∘ pre[ρ] ∘ f̃pre[ρ⁻¹∘ρ].
By Proposition 2 and by the fact that pre[ρ] = post[ρ⁻¹], we obtain
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] = post[ρ∘ρ⁻¹∘ρ] ∘ pre[R] ∘ post[ρ⁻¹] ∘ f̃pre[ρ⁻¹∘ρ].
Now, since ρ = ρ∘ρ⁻¹∘ρ (by hypothesis) and (post[ρ⁻¹], f̃pre[ρ⁻¹]) is a connection (by Proposition 6), we have post[ρ∘ρ⁻¹∘ρ] = post[ρ] and post[ρ⁻¹] ∘ f̃pre[ρ⁻¹] ⊆ Id, hence post[ρ⁻¹] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ f̃pre[ρ]; thus
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ post[ρ] ∘ pre[R] ∘ f̃pre[ρ].
Finally, since by hypothesis we have S ⊑_ρ SA, i.e., post[ρ] ∘ pre[R] ∘ f̃pre[ρ] ⊆ pre[RA], we obtain
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ pre[RA],
which is (*).

Now, since (ρ⁻¹∘ρ)⁻¹ = ρ⁻¹∘ρ, we show that SA ⊑_{ρ⁻¹∘ρ} S^ρ, that is to say,
  post[ρ⁻¹∘ρ] ∘ pre[RA] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ pre[R^ρ].
By hypothesis we have RA ⊆ R^ρ, so it is sufficient to show that
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ pre[R^ρ].  (**)
As in the first part of the proof we obtain
  post[ρ⁻¹∘ρ] ∘ pre[R^ρ] ∘ f̃pre[ρ⁻¹∘ρ] ⊆ post[ρ] ∘ pre[R] ∘ pre[ρ],
which is equivalent to (**).

A.2. Proof of Theorem 2

In order to complete the proof of Theorem 2 it remains to show that if S1 = (Q1,R1) and S2 = (Q2,R2) are transition systems and I: P → 2^Q1 is an interpretation function such that S1 ≃⟨α,γ⟩ S2, then α preserves the formulas of L+ for I. By Lemma 2, it is sufficient to prove that for any formula f in L+ and for any valuation V we have
  α(|f|_{S1,I}(V)) ⊆ |f|_{S2,I}(α(V)), or equivalently |f|_{S1,I}(V) ⊆ γ(|f|_{S2,I}(α(V))).
To simplify the notations, we omit the valuation V whenever it is not relevant in a proof.

- α(|⊥|_{S1,I}) ⊆ |⊥|_{S2,I} and α(|⊤|_{S1,I}) ⊆ |⊤|_{S2,I}, as α(∅) = ∅ and α(Q1) ⊆ Q2.

- α(|P|_{S1,I}) = |P|_{S2,I} by definition of the interpretation function.

- α(|Xj|_{S1,I}(V)) = α(Vj) = |Xj|_{S2,I}(α(V)).

- |□f|_{S1,I} = f̃pre[R1](|f|_{S1,I}) by definition of the semantics. The dual of the condition for S1 ⊑⟨α̃,γ̃⟩ S2 is f̃pre[R1] ⊆ γ ∘ f̃pre[R2] ∘ α. By substitution we get
    |□f|_{S1,I} ⊆ γ(f̃pre[R2](α(|f|_{S1,I}))).
  By the induction hypothesis α(|f|_{S1,I}) ⊆ |f|_{S2,I} we obtain
    |□f|_{S1,I} ⊆ γ(f̃pre[R2](|f|_{S2,I})),
  which is equivalent to |□f|_{S1,I} ⊆ γ(|□f|_{S2,I}).

- α(|◇f|_{S1,I}) = α(pre[R1](|f|_{S1,I})) by definition of the semantics and monotonicity of α. As Id_{Q1} ⊆ γ∘α, we get
    α(|◇f|_{S1,I}) ⊆ α(pre[R1](γ(α(|f|_{S1,I})))).
  As S1 ⊑⟨α,γ⟩ S2, i.e., α ∘ pre[R1] ∘ γ ⊆ pre[R2], we get
    α(|◇f|_{S1,I}) ⊆ pre[R2](α(|f|_{S1,I})).
  By the induction hypothesis α(|f|_{S1,I}) ⊆ |f|_{S2,I} it follows that
    α(|◇f|_{S1,I}) ⊆ pre[R2](|f|_{S2,I}) = |◇f|_{S2,I}.

- α(|f2 ∨ f1|_{S1,I}) = α(|f2|_{S1,I} ∪ |f1|_{S1,I}) by definition of the interpretation function. As α distributes over ∪, we have α(|f2 ∨ f1|_{S1,I}) = α(|f2|_{S1,I}) ∪ α(|f1|_{S1,I}). By the induction hypothesis we obtain α(|f2 ∨ f1|_{S1,I}) ⊆ |f2|_{S2,I} ∪ |f1|_{S2,I} = |f2 ∨ f1|_{S2,I}. An analogous proof can be obtained for conjunction.

- |μX.f|_{S2,I}(α(V)) = ⋂{P2 ⊆ Q2 : |f|_{S2,I}[P2/X](α(V)) ⊆ P2}, where V is a valuation on Q1 of the free variables of f. As (α,γ) is a connection (α∘γ ⊆ Id_{Q2}) and α is monotonic,
    |f|_{S2,I}[P2/X](α(V)) ⊆ P2  (*)
  implies
    γ(|f|_{S2,I}[α(γ(P2))/X](α(V))) ⊆ γ(P2).
  Using the induction hypothesis for f with valuation γ(P2) for X gives
    |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(|f|_{S2,I}[α(γ(P2))/X](α(V))),
  which implies finally, by transitivity,
    |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(P2).  (**)
  Thus, every P2 satisfying (*) also satisfies (**). This implies ⋂{P2 : (**)} ⊆ ⋂{P2 : (*)}, i.e.,
    ⋂{P2 : |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(P2)} ⊆ ⋂{P2 : |f|_{S2,I}[P2/X](α(V)) ⊆ P2} = |μX.f|_{S2,I}(α(V)).
  By distributivity of γ over intersection, we obtain
    ⋂{γ(P2) : |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(P2)} ⊆ γ(|μX.f|_{S2,I}(α(V))).
  It remains to show that ⋂{γ(P2) : |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(P2)} contains the least fixpoint |μX.f|_{S1,I}(V). From the fact that
    {γ(P2) : |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(P2)} ⊆ {P1 ⊆ Q1 : |f|_{S1,I}[P1/X](V) ⊆ P1}
  we deduce that
    ⋂{γ(P2) : |f|_{S1,I}[γ(P2)/X](V) ⊆ γ(P2)} ⊇ ⋂{P1 ⊆ Q1 : |f|_{S1,I}[P1/X](V) ⊆ P1} = |μX.f|_{S1,I}(V),
  which completes the proof. An analogous proof can be obtained for the greatest fixpoint.
A.3. Proofs of Theorems 5 and 6

We suppose all the notations and hypotheses introduced in Assumption 1 of Section 7.2 for the formulation of the two theorems. Furthermore, we use the following notation for the composition of relations: if R1(X,X') and R2(X',X'') are predicates representing relations, we represent by R1·R2 the composition of the relations, i.e., R1·R2 represents the predicate ∃X'. R1(X,X') ∧ R2(X',X'').

A.3.1. Proof of Theorem 5

1. In order to show the stability of ⊑ with respect to synchronous composition we use Definition 5. More precisely, we show that
  (*)  (⋁_{i∈I1} R1i)⁻¹·ρ1 ⇒ ρ1·R1'⁻¹  and  (⋁_{j∈I2} R2j)⁻¹·ρ2 ⇒ ρ2·R2'⁻¹
implies
  (**) (⋁_{(i,j)∈A} (R1i ∧ R2j))⁻¹·(ρ1 ∧ ρ2) ⇒ (ρ1 ∧ ρ2)·(R1' ∧ R2')⁻¹,
where (*) can be expressed as:
  ∀(X1l', Xc') ∀(X1lA, XcA):
    (∃(X1l, Xc): ρ1((X1l, Xc), (X1lA, XcA)) ∧ ∃i: R1i((X1l, Xc), (X1l', Xc')))
    ⇒ ∃(X1lA', XcA'): ρ1((X1l', Xc'), (X1lA', XcA')) ∧ R1'((X1lA, XcA), (X1lA', XcA'))
and
  ∀(Xc', X2l') ∀(XcA, X2lA):
    (∃(Xc, X2l): ρ2((Xc, X2l), (XcA, X2lA)) ∧ ∃j: R2j((Xc, X2l), (Xc', X2l')))
    ⇒ ∃(XcA', X2lA'): ρ2((Xc', X2l'), (XcA', X2lA')) ∧ R2'((XcA, X2lA), (XcA', X2lA')),
and (**) can be expressed as:
  ∀(X1l', Xc', X2l') ∀(X1lA, XcA, X2lA):
    (∃(X1l, Xc, X2l): ρ1((X1l, Xc), (X1lA, XcA)) ∧ ρ2((Xc, X2l), (XcA, X2lA)) ∧
       ∃(i,j) ∈ A: R1i((X1l, Xc), (X1l', Xc')) ∧ R2j((Xc, X2l), (Xc', X2l')))
    ⇒ ∃(X1lA', XcA', X2lA'): ρ1((X1l', Xc'), (X1lA', XcA')) ∧ ρ2((Xc', X2l'), (XcA', X2lA')) ∧
       R1'((X1lA, XcA), (X1lA', XcA')) ∧ R2'((XcA, X2lA), (XcA', X2lA')).
It is quite easy to see that if we choose the same Xc' and XcA in parts 1 and 2 of (*), and if we can choose the same Xc, then totality of ρ1 ∧ ρ2 on dom(X) is sufficient to be able to choose the same Xc' such that both ρ1((X1l', Xc'), (X1lA', XcA')) and ρ2((Xc', X2l'), (XcA', X2lA')) hold. The fact that the ρic are (the same) functions assures that if there exists an XcA' that can be chosen then it is unique, which induces by (*) that R1'((X1lA, XcA), (X1lA', XcA')) and R2'((XcA, X2lA), (XcA', X2lA')). This implies (**). Notice that the required conditions on the ρi are also necessary if no more information on the transition relations Ri and Ri' is available.

2. We have to show that (R1 ⊗_A R2)^{ρ1∧ρ2} ⇒ R1^{ρ1} ⊗_A R2^{ρ2}. We have
  (R1 ⊗_A R2)^{ρ1∧ρ2} = ⋁_{(i,j)∈A} (ρ1 ∧ ρ2)⁻¹·(R1i ∧ R2j)·(ρ1 ∧ ρ2).
As ρ1 ∧ ρ2 ⇒ ρi, R1i ∧ R2j ⇒ R1i and R1i ∧ R2j ⇒ R2j, we have
  ⋁_{(i,j)∈A} (ρ1 ∧ ρ2)⁻¹·(R1i ∧ R2j)·(ρ1 ∧ ρ2) ⇒ ⋁_{(i,j)∈A} (ρ1⁻¹·R1i·ρ1 ∧ ρ2⁻¹·R2j·ρ2),
which is equivalent to R1^{ρ1} ⊗_A R2^{ρ2}.

3. We have to show the inverse implication of (2). We show that ∀(i,j) ∈ A: R1i^{ρ1} ∧ R2j^{ρ2} ⇒ (R1i ∧ R2j)^{ρ1∧ρ2}. We have
  (R1i^{ρ1} ∧ R2j^{ρ2})((X1lA, XcA, X2lA), (X1lA', XcA', X2lA')) =
    ∃(X1l, Xc) ∃(X1l', Xc'): ρ1((X1l, Xc), (X1lA, XcA)) ∧ R1i((X1l, Xc), (X1l', Xc')) ∧ ρ1((X1l', Xc'), (X1lA', XcA'))
    ∧ ∃(Xc, X2l) ∃(Xc', X2l'): ρ2((Xc, X2l), (XcA, X2lA)) ∧ R2j((Xc, X2l), (Xc', X2l')) ∧ ρ2((Xc', X2l'), (XcA', X2lA')).
The expression for (R1i ∧ R2j)^{ρ1∧ρ2} differs from this one by the fact that all the existential quantifications have to be put outside of the main conjunction, i.e., in both subexpressions the same Xc and Xc' must be chosen (this is a different proof of implication (2)). In order to get the implication (3), we must be sure that choosing in both existential quantifications the same Xc and the same Xc' we do not obtain fewer transitions than without this constraint. This is obviously guaranteed by the condition that the ρic are functions from XcA into Xc. Notice that the required condition is also necessary if no more information on the transition relations Ri and Ri' is available.

A.3.2. Proof of Theorem 6

1. In order to show the stability of ⊑ with respect to |||, we use again Definition 5; so we show that
  (*)  (⋁_{i∈I1} R1i)⁻¹·ρ1 ⇒ ρ1·R1'⁻¹  and  (⋁_{j∈I2} R2j)⁻¹·ρ2 ⇒ ρ2·R2'⁻¹
implies
  (***) ((⋁_{i∈I1} R1i) ||| (⋁_{j∈I2} R2j))⁻¹·(ρ1 ∧ ρ2) ⇒ (ρ1 ∧ ρ2)·(R1' ||| R2')⁻¹.
As composition of relations distributes over disjunction, it is sufficient to show that
  ∀i ∈ I1: (R1i⁻¹ ∧ stable_{X2l})·(ρ1 ∧ ρ2) ⇒ (ρ1 ∧ ρ2)·(R1'⁻¹ ∧ stable_{X2lA})
and analogously for R2. We show the implication for some R1i. The implication (R1i⁻¹ ∧ stable_{X2l})·(ρ1 ∧ ρ2) ⇒ (ρ1 ∧ ρ2)·(R1'⁻¹ ∧ stable_{X2lA}) can be expressed as
  ∀(X1l', Xc', X2l') ∀(X1lA, XcA, X2lA):
    (∃(X1l, Xc, X2l): ρ1((X1l, Xc), (X1lA, XcA)) ∧ ρ2((Xc, X2l), (XcA, X2lA)) ∧ R1i((X1l, Xc), (X1l', Xc')) ∧ X2l = X2l')
    ⇒ ∃(X1lA', XcA', X2lA'): ρ1((X1l', Xc'), (X1lA', XcA')) ∧ ρ2((Xc', X2l'), (XcA', X2lA')) ∧ R1'((X1lA, XcA), (X1lA', XcA')) ∧ X2lA = X2lA'.
This expression differs from the first conjunct of (*) (see its expression in the previous proof item (1)) only by the added parts concerning ρ2 and X2l. Thus, it is sufficient to show that ρ1((X1l, Xc), (X1lA, XcA)), ρ1((X1l', Xc'), (X1lA', XcA')) and ρ2((Xc, X2l), (XcA, X2lA)) imply ρ2((Xc', X2l), (XcA', X2lA)). This is guaranteed by the fact that ρ2l does not depend on Xc and the fact that ρ2c coincides with ρ1c.

2. We show that
  ∀i ∈ I1: (ρ1 ∧ ρ2)⁻¹·(R1i ∧ stable_{X2l})·(ρ1 ∧ ρ2) ⇒ (ρ1⁻¹·R1i·ρ1) ∧ stable_{X2lA}
and analogously for R2. We have
  E1 = ((ρ1 ∧ ρ2)⁻¹·(R1i ∧ stable_{X2l})·(ρ1 ∧ ρ2))((X1lA, XcA, X2lA), (X1lA', XcA', X2lA')) =
    ∃(X1l, Xc, X2l) ∃(X1l', Xc', X2l'): ρ1((X1l, Xc), (X1lA, XcA)) ∧ ρ2((Xc, X2l), (XcA, X2lA)) ∧
      R1i((X1l, Xc), (X1l', Xc')) ∧ ρ1((X1l', Xc'), (X1lA', XcA')) ∧ ρ2((Xc', X2l'), (XcA', X2lA')) ∧ X2l = X2l',
whereas
  E2 = (ρ1⁻¹·R1i·ρ1 ∧ stable_{X2lA})((X1lA, XcA, X2lA), (X1lA', XcA', X2lA')) =
    ∃(X1l, Xc) ∃(X1l', Xc'): ρ1((X1l, Xc), (X1lA, XcA)) ∧ R1i((X1l, Xc), (X1l', Xc')) ∧ ρ1((X1l', Xc'), (X1lA', XcA')) ∧ X2lA = X2lA'.
In order to obtain E1 ⇒ E2 it is sufficient to show that E1 ⇒ (X2lA = X2lA'). This is guaranteed by the condition that ρ2l is a function, i.e., that for any X2l there exists a unique X2lA such that ρ2l(X2l, X2lA).

3. In order to obtain (3), i.e., E2 ⇒ E1, it is sufficient to show that E2 ⇒ ∃X2l: ρ2l(X2l, X2lA) ∧ ρ2c(Xc, XcA) ∧ ρ2c(Xc', XcA'), which is guaranteed by the fact that ρ2l is onto and that ρ2c coincides with ρ1c.
References

1. M. Abadi and L. Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2), 1991. First published as Report SRC-29, DEC Research Center, 1988.
2. A. Bouajjani, S. Bensalem, C. Loiseaux, and J. Sifakis. Property preserving simulations. In Workshop on Computer-Aided Verification (CAV), Montreal. LNCS 630, June 1992.
3. A. Bouajjani, J.-C. Fernandez, S. Graf, J. Sifakis, and C. Rodriguez. Safety for branching semantics. In 18th ICALP, Madrid. LNCS 510, Springer Verlag, 1991.
4. A. Bouajjani. From linear-time propositional temporal logics to a branching-time μ-calculus. RT C15, LGI-IMAG, Grenoble, 1989.
5. R. E. Bryant. Graph based algorithms for boolean function manipulation. IEEE Trans. on Computation, 35(8), 1986.
6. J. R. Büchi. On a decision method in restricted second order arithmetic. In International Congress on Logic, Method and Philosophical Science. Stanford University Press, 1962.
7. P. Cousot and R. Cousot. Systematic design of program analysis framework. In Proc. 6th ACM Symp. on Principle of Programming Languages, 1979.
8. P. Cousot and R. Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract interpretation. PLILP'92, LNCS 631, pp. 269-295. Springer Verlag.
9. E. M. Clarke, E. A. Emerson, and E. Sistla. Automatic verification of finite state concurrent systems using temporal logic specification: a practical approach. In 10th ACM Symposium on Principles of Programming Languages (POPL 83), 1983. Complete version published in ACM TOPLAS, 8(2):244-263, April 1986.
10. E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. In Symposium on Principles of Programming Languages (POPL 92). ACM, January 1992.
11. K. M. Chandy and J. Misra. Parallel Program Design. Addison-Wesley, Massachusetts, 1988.
12. D. Dams, O. Grumberg, and R. Gerth. Abstract interpretation of reactive systems: Abstractions preserving ∀CTL*, ∃CTL* and CTL*. IFIP conference PROCOMET'94.
13. P. Ernberg, L. Fredlund, and B. Jonsson. Specification and validation of a simple overtaking protocol using LOTOS. Technical Report T90006, SICS, Sweden, 1990.
14. E. A. Emerson and J. Y. Halpern. 'Sometimes' and 'not never' revisited: On branching versus linear time. In 10th ACM Symposium on Principles of Programming Languages (POPL 83), 1983. Also published in Journal of the ACM, 33:151-178.
15. O. Grumberg and E. Long. Compositional model checking and modular verification. In J. C. M. Baeten and J. F. Groote, editors, Concur'91, pages 250-265. LNCS 527, Springer-Verlag, 1991.
16. S. Graf and C. Loiseaux. Program verification using compositional abstraction. In TAPSOFT 93, joint conference CAAP/FASE. LNCS 668, Springer Verlag, April 1993.
17. S. Graf and C. Loiseaux. A tool for symbolic program verification and abstraction. In Conference on Computer Aided Verification CAV'93, Heraklion, Crete. LNCS 697, Springer Verlag, 1993.
18. S. Graf. Verification of a distributed cache memory by using abstractions. Conference on Computer Aided Verification CAV'94, Stanford. LNCS 818, Springer Verlag, 1994.
19. C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International, 1984.
20. ISO. IS ISO/OSI 8807 - LOTOS: a formal description technique based on the temporal ordering of observational behaviour. International standard, ISO, 1989.
21. H. Jifeng. Various simulations and refinements. In REX Workshop on Stepwise Refinement of Distributed Systems, Mook. LNCS 430, Springer Verlag, 1989.
22. B. Jonsson. On decomposing and refining specifications of distributed systems. In REX Workshop on Stepwise Refinement of Distributed Systems, Mook. LNCS 430, Springer Verlag, 1989.
23. J. Katzenelson and B. Kurshan. S/R: A Language for Specifying Protocols and other Coordinating Processes. In 5th Ann. Int'l Phoenix Conf. Comput. Commun., pages 286-292. IEEE, 1986.
24. D. Kozen. Results on the propositional μ-calculus. In Theoretical Computer Science. North-Holland, 1983.
25. R. P. Kurshan. Analysis of discrete event coordination. In REX Workshop on Stepwise Refinement of Distributed Systems, Mook. LNCS 430, Springer Verlag, 1989.
26. L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, SE-3(2):125-143, 1977.
27. L. Lamport. The temporal logic of actions. Technical Report 79, DEC, Systems Research Center, 1991.
28. C. Loiseaux. Vérification symbolique de programmes réactifs à l'aide d'abstractions. Thesis, Université Joseph Fourier, Grenoble, January 1994.
29. O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In Conference on Logics of Programs, LNCS 194. Springer Verlag, 1985.
30. N. A. Lynch and M. R. Tuttle. An introduction to Input/Output automata. Report MIT/LCS/TM 373, MIT, Cambridge, Massachusetts, November 1988.
31. R. Milner. An algebraic definition of simulation between programs. In Proc. Second Int. Joint Conf. on Artificial Intelligence, pages 481-489. BCS, 1971.
32. R. Milner. A calculus of communication systems. In LNCS 92. Springer Verlag, 1980.
33. R. Milner. A calculus for Synchrony and Asynchrony. Journal of Theoretical Computer Science, 25, 1983.
34. Z. Manna and A. Pnueli. A hierarchy of temporal properties. In Proceedings of the 9th ACM Symposium on Principles of Distributed Computing, 1990.
35. O. Ore. Galois connexions. Trans. Amer. Math. Soc., 55:493-513, February 1944.
36. A. Pnueli. The Temporal Logic of Programs. In 18th Symposium on Foundations of Computer Science (FOCS 77). IEEE, 1977. Revised version published in Theoretical Computer Science, 13:45-60, 1981.
37. A. Pnueli. Application of temporal logic to specification and verification of reactive systems: a survey of current trends. In Current Trends in Concurrency, Noordwijkerhout. LNCS 224, Springer Verlag, 1986.
38. J. P. Queille. Le système CESAR: Description, spécification et analyse des applications réparties. Thesis, Université Scientifique et Médicale de Grenoble, June 1982.
39. Luis E. Sanchis. Data types as lattices: retractions, closures and projections. In RAIRO Theoretical Computer Science, vol. 11, nr. 4, pages 339-344, 1977.
40. J. Sifakis. Property preserving homomorphisms and a notion of simulation of transition systems. RR 332, IMAG, Grenoble, November 1982.
41. J. Sifakis. Property preserving homomorphisms of transition systems. In E. Clarke and D. Kozen, editors, 4th Workshop on Logics of Programs, Pittsburgh. LNCS 164, Springer Verlag, June 1983.
42. P. Wolper. Temporal logic can be more expressive. Information and Control, 56, 1983.