COMPATIBILITY AND N-ARY COMPOSITION - A Theory for Refinement and Compatibility

A Theory for Refinement and Compatibility

3. COMPATIBILITY AND N-ARY COMPOSITION

Blackbox refinement preserves weak and ultra-weak comm-safety. Strong comm- safety, however, is not preserved due to the possibility of adding and removing internal transitions in refined PIOs.

Proposition 4.35 (Preservation) LetA1, . . . , An be pairwise composable PIOs and let

k _{∈ {}1, . . . , n_}. LetC be a PIO such thatCis composable with Ai for all i 6= k. If

C_vbb_A

kand(A1, . . . , An)is weakly (ultra-weakly) comm-safe, then(A1, . . . , Ak−1, C,

Ak+1, . . . An)is weakly (ultra-weakly) comm-safe.

The proof relies on the following lemma.

Lemma 4.36 Let(A1, . . . , An)be pairwise composable PIOs. If(A1, . . . , An)is comm-

safe, thenAk↔(A1⊗ · · · ⊗Ak−1⊗Ak+1⊗ · · · ⊗An)for allk∈ {1, . . . , n}.

PROOF OF LEMMA. LetAR = (A1⊗ · · · ⊗Ak−1⊗Ak+1⊗ · · · ⊗An). By comm-

safety of(A1, . . . , An)it holds thatAk is comm-safe in(A1, . . . , An), thus all reachable

states of⊗i(Ai)are comm-safe forAk. Therefore, the reachable states ofAk⊗ARare

comm-safe forAkand we have for all(sk, sR)∈R(Ak⊗AR)that ∀l∈OAk∩IAR.∃s 0 k∈SAk.(sk, l, s 0 k)∈∆Ak =⇒ ∃s0R∈SAR .(sR, l, s 0 R)∈Π OR AR,

with_OR⊆(OAR\IAk)∪ T(AR). Thus the compatibility condition (A-Out) holds forAk

andAR. The proof for condition (B-Out) is analogous in the direction fromARtoAk.

PROOF OF PROPOSITION. LetAR = (A1⊗ · · · ⊗Ak−1⊗Ak+1⊗ · · · ⊗An). By

Lem. 4.36 it follows thatAk↔wARandAk↔uAR. Thus byCvbbAk, Prop. 4.19 and

Prop. 4.15 we haveC_↔wARandC↔uAR, and hence(A1, . . . , Ak−1, C, Ak+1, . . . An)

is weakly (ultra-weakly) comm-safe.

3.2. Pairwise and Incremental Analysis. The global property of weak comm-safety can be derived from pairwise compatibility analysis. In contrary, to verify ultra-weak comm-safety one needs to apply an incremental approach: Knowing comm-safety forn−1

transition systems, it suffices to check compatibility between their composition and annth

transition system to derive comm-safety for the complete product. In the following we make these claims precise.

Theorem 4.37(Pairwise weak) LetA1, . . . , Anbe pairwise composable PIOs. IfAi↔w

Ajfor alli, j∈ {1, . . . , n}withi6=j, then(A1, . . . , An)is weakly comm-safe.

PROOF. By induction on the number of composed transition systems.

Base case (n= 2). Let(A1, A2)be pairwise composable PIOs and assumeA1↔wA2, then, by the conditions for weak output compatibility, for all(sA1, sA2)∈R(A1⊗A2),

∀l_∈OA1∩IA2 .∀s 0 A1∈SA1.(sA1, l, s 0 A1)∈∆A1 =⇒ (1) (_∃s0A2 ∈SA2 .(sA2, l, s 0 A2)∈Π T(A2) A2 ) ∀l_∈OA2∩IA1 .∀s 0 A2∈SA2.(sA2, l, s 0 A2)∈∆A2 =⇒ (2) (∃s0A1 ∈SA1 .(sA1, l, s 0 A1)∈Π T(A1) A1 )

By (1) it follows that(sA1, sA2)is weakly comm-safe forA1and by (2) the same holds

forA2, thus(A1, A2)is weakly comm-safe.

Induction step (n+1). Let(A1, . . . , An+1)be pairwise composable and weakly output compatible PIOs. LetAR= (A1⊗· · ·⊗An). By the assumption of pairwise compatibility,

An+1↔wAifor all1≤i≤n, thus it follows by Lem. 4.38 thatAn+1↔wAR. Thus, by

induction assumption,(AR, An+1)is weakly comm-safe and therefore(A1, . . . , An+1)is

66 4. A THEORY FOR REFINEMENT AND COMPATIBILITY

Lemma 4.38 Let(A1, A2, A3)be pairwise composable PIOs. IfA1↔wA2,A1↔wA3 andA2↔wA3, thenA1↔w(A2⊗A3)and(A1⊗A3)↔wA2.

PROOF. First we showA1↔w (A2⊗A3). ByA1↔w A2, the conditions (1) and (2) above (Proof (Prop. 4.37), p. 65) hold. Let(sA1, sA2, sA3) ∈ R(A1⊗A2⊗A3).

Obviously we have(sA1, sA2) ∈ R(A1⊗A2)and(sA2, sA3) ∈ R(A2⊗A3). By (1)

there exists s¯A2,s¯ 0 A2 ∈ SA2 such that(sA2,s¯A2) ∈ Π T(A2) A2 and (¯sA2, l,s¯ 0 A2) ∈ ΠA2.

SinceT(A2)is not shared with any composable PIO, Lem. 4.3 is applicable and it follows that(¯sA2, sA3)∈Π

T(A2)

A2⊗A3and thus condition (A-Out) of weak output compatibility holds

forA1andA2⊗A3. Condition (B-Out) holds analogously using (2) and henceA1↔w (A2⊗A3).

Since we could have chosenA2instead ofA1 andA1⊗A3instead ofA2⊗A3we

have also(A1⊗A3)↔wA2.

Example 4.39(Pairwise ultra-weak) Proposition 4.37 does not hold for the case of ultra- weak output compatibility. LetA1,A2andA3be pairwise composable PIOs as given in Fig. 4.12. Let_S(A1, A2) ={x},S(A2, A3) ={y}andS(A1, A3) ={z}.

A1 /x z/ A2 /y x/ A3 /z y/

FIGURE4.12. Pairwise ultra-weak compatibility does not imply comm-safety ThenA1↔uA2,A2↔uA3andA1↔uA3but(A1, A2, A3)is not ultra-weakly comm-safe, due to state(s0,A1, s0,A2, s0,A3)which is globally reachable but invalidates the require-

ment of ultra-weak comm-safety (Def. 4.34) forAkwith anyk∈ {1,2,3}.

As the example suggests we need a kind of global analysis to obtain ultra-weak communication safety. This kind of analysis is also valid for weak compatibility.

Proposition 4.40(Increment. ultra-weak) Let(A1, . . . , An)be pairwise composable PIOs.

If(A1, . . . An−1)is ultra-weakly comm-safe and(⊗in=1−1Ai)↔uAnthen(A1, . . . , An)is

ultra-weakly comm-safe.

PROOF. By induction on the numbernof PIOs. The casen= 0is trivial. Letn∈N.

By induction hypothesis it holds that(A1, . . . An)is ultra-weakly comm-safe. We need to

show that(⊗n

i=1Ai)↔uAn+1 implies ultra-weak comm-safety of(A1, . . . , An+1). Let

AR= (⊗ni=1Ai). By the compatibility condition (A-Out) forAR↔uAn+1we obtain that

An+1 is ultra-weakly comm-safe in(A1, . . . , An+1). With condition (B-Out) we obtain ultra-weak comm-safety ofARin(A1, . . . , An+1). Note that the reverse direction considered in Lem. 4.36 does not claim communication- safety of(A1, . . . An−1). Compatibility within a composition of transition systems may depend on “unused inputs”. For example an output which is preceeded by an input that is shared but not used by the communication partner is not reachable in the product of these transition systems. Therefore, even though these transition systems are incompatible their composition results in a transition system that is comm-safe. Unused input transitions motivated the "optimistic" approach to compatibility studied by de Alfaro and Henzinger [dAH01a]. The idea is to allow for incompatibilities as long as these are reachable only via unused inputs. Their approach, however requires a special composition operator.

4. Greybox Refinement and General Properties

Within this section we study a notion of refinement, greybox refinement, that allows to take synchronisation transitions within compositions of transition systems into account. The difference with regard to blackbox refinement is similar to the difference between

4. GREYBOX REFINEMENT AND GENERAL PROPERTIES 67 ∀l∈IA∪OA∪TA.∀s0A∈SA.(sA, l, s0A)∈ΠA =⇒ (A-IOT) (∃s0C∈SC.(sC, l, s0C)∈ΠτC∧(s0A, s0C)∈R) ∀s0A∈SA.(sA, τ, s0A)∈ΠA =⇒ (A-Tau) (∃s0 C∈SC.(sC, s0C)∈ΠτC∧(s0A, s0C)∈R) ∀l_∈IC∪OC∪TC.∀s0C∈SC.(sC, l, s0C)∈∆C =⇒ (C-IOT) (∃s0A∈SA.(sA, l, s0A)∈∆τA∧(s0A, s0C)∈R) ∀s0C∈SC.(sC, τ, s0C)∈∆C =⇒ (C-Tau) (∃s0A∈SA.(sA, s0A)∈∆τA∧(s0A, s0C)∈R)

FIGURE4.13. Conditions for greybox refinement betweenAandC

greybox and blackbox equivalence considered in the context of I/O-transition systems used for the formalisation of component behaviours in Chap. 2. The definition treats internal transitions like input and output, but is still relaxed with regard toτ-transitions.

Definition 4.41(Greybox refinement) LetAandCbe PIOs.Cis agreybox refinementof

A, writtenC_vgb_A_{, if}_L

A=LCand there existsR⊆SA×SCsuch that(s0,A, s0,C)∈R

and for all(sA, sC)∈Rthe conditions in Tab. 4.13 hold.

Greybox refinement strengthens the conditions for internal transitions to be simulated analogously to I/O-transitions. Thus, a given greybox refinement relation can be used to witness blackbox refinement. Furthermore, greybox and blackbox refinement coincide for systems without internal transitions.

Lemma 4.42 LetAandCbe PIOs withLA=LC. IfCvgbAthenCξvgbAξ.

Proposition 4.43 LetAandCbe PIOs withLA=LC. Then the following holds.

(1) IfC_vgb_A_then_C

vbb_A_. (2) IfC_vbb_A_and_T

A=TC=∅thenCvgbA.

PROOF. (1) By Lem. 4.42 it holds thatCξ_vgb_Aξ_{. Consider the conditions of}

vgb_{. If} we hide internal transitions inAandC, then we may removeTAand addTCin condition

(A-IOT) such that condition (A-I/O) of blackbox refinement is obtained. The remaining conditions are treated analogously and hence, forAandCwith hidden internal transitions, the conditions (A-IOT), (A-Tau), (C-IOT) and (C-Tau) are equivalent to the respective conditions (A-I/O), (A-Int), (C-I/O) and (C-Int) of blackbox refinement. (2) For PIOs without internal transitions, the conditions for greybox and blackbox refinement coincide analogously to (1). For instance, addingTAand removingTC from condition (A-I/O) of

blackbox refinement yields (A-IOT); and similar for the remaining clauses.

Note that the assumption on empty sets of internal transitions is necessary. Consider for example the case ofTA6=∅. ThenCis allowed by clause (A-Int) of blackbox refine-

ment to skip internal transitions labelled withl∈TA. Such an internal transition, however,

would be required to be preserved along clause (A-IOT) of greybox refinement. If, on the other hand,TC 6=∅then it would be possible for the concrete systemCto add an internal

transition not present in Aalong clause (C-Int) of blackbox refinement. But this is not compatible with requirement (C-IOT) of greybox refinement.

Proposition 4.44(Preorder) LetA,CandDbe PIOs. ThenAvgb_A_{and if}_D

vgb_C_and

Cvgb_A_then_D

vgb_A_.

68 4. A THEORY FOR REFINEMENT AND COMPATIBILITY

Theorem 4.45(Precongruence) LetA,B andCbe PIOs such thatA,B andC,B are composable. IfC_vgb_A_{, then}_C

⊗B_vgb_A

⊗B.

PROOF. LetA_⊗B = ((IAB, OAB, TAB), SAB, s0,AB,∆AB,ΠAB)andC⊗B = ((ICB, OCB, TCB), SCB, s0,CB,∆CB,ΠCB). LetRAC be a witness forCvgbAwith (s0,A, s0,C)∈RAC and let

R={((sA, sB),(sC, sB))|(sA, sC)∈RAC ∧(sA, sB)∈R(A⊗B)},

then((s0,A, s0,B),(s0,C, s0,B))∈R. Let((sA, sB),(sC, sB))∈R. We check the condi-

tions of greybox refinement forR.

(Case A-IOT) Letl_∈IAB∪OAB∪TABand((sA, sB), l,(s0A, s0B))∈ΠAB.

If l _∈ IA ∪OA ∪TA, then there exists (sA, l, s0A) ∈ ΠA andsB = s0B. By clause

(A-IOT) for RAC there exists s0C ∈ SC such that (sC, l, sC0 ) ∈ ΠτC and (s0A, s0C) ∈

RAC. Sincel /∈ S(C, B)(byl /∈ S(A, B),LA = LC) we have by Lem. 4.3 (2), that ((sC, sB), l,(sC0 , sB)) ∈ ΠτCB. Since(s0A, sB) ∈ R(A⊗B)it follows that((s0A, sB), (s0

C, sB))∈R.

Ifl∈IB∪OB∪TB, then there exists(sB, l, s0B)∈ΠBandsA=sA0 . Hence((sC, sB), l, (sC, s0B))∈ΠCB and since(sA, s0B)∈R(A⊗B), it follows that((sA, s0B),(sC, s0B))∈

If l _{∈ S}(A, B), then there exists (sA, l, s0A) ∈ ΠA and (sB, l, s0B) ∈ ΠB, and ei-

ther l _∈ IA ∩OB or l ∈ OA ∩IB. In both cases, by (A-IOT) for RAC, there ex-

ists s0

C ∈ SC such that(sC, l, s0C) ∈ ΠτC and (s0A, s0C) ∈ RAC. By Lem. 4.3 (3) it

follows that ((sC, sB), l,(s0C, s0B)) ∈ ΠτCB and since(s0A, s0B) ∈ R(A⊗B)we have ((s0

A, s0B),(s0C, s0B))∈R.

(Case A-Tau) Let ((sA, sB), τ,(s0A, sB0 )) ∈ ΠAB. Then either (sA, τ, s0A) ∈ ΠA

andsB = s0B or (sB, τ, sB0 ) ∈ ΠB andsA = s0A. In the former case, by (A-Tau) for

RAC, there existss0C ∈ SC such that(sC, s0C) ∈ ΠτC and(s0A, s0C) ∈ RAC. Then, by

Lem. 4.3 (1),((sC, sB),(s0C, sB))∈ ΠτCB. Since(s0A, sB)∈ R(A⊗B)it follows that ((s0

A, sB),(s0C, sB))∈R. For the latter case we have((sC, sB), τ,(sC, s0B))∈ΠCB and

since(sA, s0B)∈R(A⊗B)it follows that((sA, s0B),(sC, s0B))∈R.

(Case C-IOT) Letl_∈ICB∪OCB∪TCBand((sC, sB), l,(s0C, s0B))∈ΠCB.

Ifl∈IC∪OC∪TC, then there exists(sC, l, s0C)∈∆CandsB=s0B. By clause (C-IOT)

for RAC there existss0A ∈ SA such that(sA, l, s0A) ∈ ∆τA and(sA0 , s0C) ∈ RAC. By

Lem. 4.3 (2) it follows that((sA, sB), l,(s0A, sB))∈∆τAB. Since(s0A, sB)∈R(A⊗B)

we also have((s0

A, sB),(s0C, sB))∈R.

Ifl∈IB∪OB∪TB, then there exists(sB, l, s0B)∈∆BandsC =sC0 . Hence((sA, sB),

l,(sA, s0B))∈∆ABand since(sA, s0B)∈R(A⊗B)and(sA, sC)∈RAC it follows that ((sA, s0B),(sC, s0B))∈R.

If l _{∈ S}(C, B), then there exists(sC, l, s0C) ∈ ∆C and(sB, l, s0B) ∈ ∆B, and either

l _∈ IC∩OB or l ∈ OC ∩IB. In both cases, by (C-IOT) forRAC, there existss0_A ∈

SA such that(sA, l, s0A) ∈ ∆Aτ and(s0A, s0C) ∈ RAC. By Lem. 4.3 (3) it follows that ((sA, sB),(s0A, s0B))∈∆τAB, hence(s0A, s0B)∈R(A⊗B)and((s0A, sB0 ),(s0C, s0B))∈R.

(Case C-Tau) Let ((sC, sB), τ,(s0C, sB0 )) ∈ ∆CB. Then either (sC, τ, s0C) ∈ ∆C

andsB = s0B, or(sB, τ, sB0 ) ∈ ∆B andsC = s0C. In the former case, by (C-Tau) for

RAC there exists s0_A ∈ SA such that (sA, s0A) ∈ ∆τA and(s0A, s0C) ∈ RAC. Then by

Lem. 4.3 (1),((sA, sB),(s0A, sB))∈ ∆τAB. Since(s0A, sB)∈ R(A⊗B)it follows that ((s0

A, sB),(s0C, sB))∈R. For the latter case we have((sA, sB), τ,(sA, s0B))∈∆ABand

since(sA, s0B)∈R(A⊗B)it follows that((sA, s0B),(sC, s0B))∈R.

Corollary 4.46(Compositionality) LetA,BandC,Dbe PIOs such thatA,BandC,D

are composable. IfCvgb_A_and_D

vgb_B_{, then}_C

⊗Dvgb_A

⊗B.

PROOF. The proof is analogous to the case of blackbox refinement (cf. Prop. 4.12) using Prop. 4.44 and Thm. 4.45 for greybox refinement.

In document Janisch, Stephan (2010): Behaviour and Refinement of Port-Based Components with Synchronous and Asynchronous Communication. Dissertation, LMU München: Fakultät für Mathematik, Informatik und Statistik (Page 73-77)