Compositionality Issues of Statebased Refinement

A method of reasoning about programs is calledcompositionalif properties of a program as a whole can be inferred from properties about the individual components of a program. Compositional reasoning allows one to focus on one part of a program without having to take its context into account. Conversely, non-compositional methods of reasoning are tedious to use for large programs because this requires that programs be considered in their entirety.

A common approach, followed for instance by Milner [90], is to define an equivalence relation over programs (in terms of their semantics) and show that this relation is a congruence over program terms. The congruence property makes it possible to use program equivalences as equational laws to reason about programs in a modular (or compositional) fashion. Equational reasoning facilitates formal calculation and avoids the complexity of operational details.

Attempts at obtaining a compositional method of reasoning about statebased refine- ment according to this approach, run into two kinds of problems. We illustrate these by looking at parallel and sequential composition.

Compositionality of Parallel Composition

Compositional reasoning about statebased refinement of schedules could be justified by showing that statebased refinement is preserved by all combinators from the coordination language. For parallel composition we would need to show the following (where we write s1≦M t1 for hs1, Mi≦ht1, Mi because this highlights that k is a combinator for

schedules rather than configurations):

if s1 ≦M t1 and s2≦M t2 then s1ks2≦M t1kt2

However, the next counterexample shows that this statement is false. Example 4.3.10 Consider the following schedules

Dec = (b dec → Dec)

Inc = (b inc → Inc)

where dec x7→x−1 ⇐ x >0

inc x7→x+ 1 ⇐ x <2 Then, for the initial multiset M0 ={0}, the following refinements hold:

dec ≦M0 Dec

and

inc;inc;inc ≦M0 Inc

Next, we show that dec_kinc;inc;inc₆≦M0 DeckInc.

Execution of _hDec_kInc, M0i may start with the execution of a rewrite rule dec. This

rewrite fails which yields the configuration_hInc, M0i. This configuration terminates once

it reaches _hskip,_{2_}i. Alternatively, execution of _hDec_kInc, M0i may reach a multiset

{2_}by repeated execution ofinc. ThenInc may reduce toskip after whichDeccontinues execution until the multiset {0} is reached. Hence if hInckDec, M0i terminates, the

multiset equals either {0} or {2}.

In contrast, the execution of the configuration hdeck(inc;inc;inc),{0}i may termi- nate in one of the multisets {1} or {2}. Because DeckInc can not terminate in {1}, it is not refined by the schedule deck(inc;inc;inc).

Hence, the statebased refinement relation does not hold for the parallel composition of the schedules because the interaction between dec and inc;inc;inc can give rise to behaviours of deckinc;inc;inc (the composition of refined schedules) that can not be displayed by DeckInc (the composition of the original schedules).

In general, statebased refinement is not preserved by parallel composition because the interaction of the refined components of the composition may give rise to behaviour that is not taken into account by the refinements of the individual schedules.

Compositionality of Sequential Composition

In order to reason compositionally about statebased refinement of sequentially composed schedules, we need to complete the compositionality-formula below such that it yields a valid statement. The question mark in this formula indicates a position where some multiset M needs to be substituted.

if s1≦M t1 and s2≦?t2 then s1;s2≦M t1;t2

We consider the possibilities for choosing a multiset to place at the question mark. From an purely mathematical point of view, the only sensible choice is to relate s2

and t2 by the same relation as that which relates s1 and t1 and their composition -

hence choose “M” (because precongruence is a property of a single relation). However, the statement thus obtained is false: the fact that t2 can simulate s2 in M, does not

guarantee that t2 can simulate s2 after execution of s1, because execution of s1 in M

will generally change the multiset into something other than M which may cause s2 to

behave in a completely different manner compared to how it would behave when started in M. We have no information about whether t2 can simulates2 starting in a multiset

that is different fromM.

The aspect that prevents precongruence for sequential composition is analogous to that what prevented precongruence for parallel composition: One of the components of the (in this case sequential) composition modifies the multiset which may cause the composition of the refined schedules to behave in a way that was not taken into account by the refinements of the individual schedules.

For the case of sequential composition it is always the left-hand side (first) component that modifies what would have been the starting multiset of the right-hand side (second) component. In the case of parallel composition, the order of interference is arbitrary.

The preceding argumentation identifies the need to know in which multiset execution of s1 terminates and hence execution ofs2 starts. This brings up two problems: Firstly,

the outcome of a schedule may be nondeterministic, hence all possible outcomes would need to be considered. Secondly, checking that the multiset is an outcome of s1 requires

Even though the method suggested may not be practical in general, it will be worth- while to develop it a little bit further because it may provide a method of last resort when other more practical methods fail (which will turn out to be the case in Chapter 7). Lemma 4.3.12 suggests a method of reasoning about statebased refinement of sequen- tially composed schedules. It requires that the schedule s2 is a refinement of t2 for all

possible outcomes of s1. Lemma 4.3.12 uses the auxiliary result of Lemma 4.3.11 which

shows that the set of possible outcomes may only decrease as execution proceeds. Lemma 4.3.11 If _hs, M_i λ

−→ hs′_{, M}′_{i, then C(s}′_{, M}′_{)⊆ C(s, M).}

Proof Straightforward from Definition 3.2.3.

Lemma 4.3.12 If 1. s1≦M t1, 2. ∀M′ ∈ C(s1, M) :s2≦M′t₂ then s1;s2≦M t1;t2. Proof Let _R=_{(_hs1;s2, Mi,ht1;t2, Mi)|s1≦M t1 ∧ ∀M′ ∈ C(s1, M) :s2≦M′ t₂}. We show that _R is a strong statebased simulation up-to ≦.

transition

• Assume _hs1, Mi

λ

−→ hs′

1, M′i.

Then from s1≦M t1 follows ht1, Mi

λ

−→ ht′

1, M′i such that s′1 ≦M′ t′₁. By (N5) fol- lows _ht1;t2, Mi

λ

−→ ht′

1;t2, M′i. By Lemma 4.3.11 follows C(s′1, M′) ⊆ C(s1, M).

Hence ∀M′′ : M′′ ∈ C(s′₁, M′) : s2≦M′ t₂. By reflexivity of ≦ follows (hs′₁;s2, M′i,ht′1;t2, M′i)∈ ≦R≦.

• Assume s1≡skip and hs2, Mi

λ

−→ hs′

2, M′i.

From s1≦M t1 follows t1≡skip . Then from s2≦M t2 follows ht2, Mi

λ

−→ ht′

2, M′i

such that s′₂≦M′ t′₂. Fromskip;s∼=_M s and s∼=_M s;skip follows

hs′2, M′i≦hskip;s′2, M′iRhskip;t′2, M′i)≦ht′2, M′i.

termination

t1≡skip . Froms2≡skip and s2≦M t2 followst2≡skip . Hence t1;t2≡skip .

The main issue that Lemma 4.3.12 deals with is the input of the right component (which is the output of the left component). Refining only the left argument of a se- quential composition is more straightforward.

Corollary 4.3.13 For all t, if s′_≦

M s then s′;t≦M s;t.

Proof By Lemma 4.3.12.

The approach suggested by Lemma 4.3.12 allows modular substitution which is typi- cal of compositional methods of reasoning. However, the approach is not compositional: in order to refine the subterms2 ofs1;s2 knowledge about the context (i.e. the outcome

of s1) is used. Hence the practical use of this method is limited by the ease by which

the set of outcomesC(s1) can be determined and the ease by which the set of outcomes

of the sequential compositionC(s1;s2) can be determined given the input-output behav-

iour of the constituentsC(s1) andC(s2). Hence, we have reduced the problem of finding

a method for reasoning compositionally about statebased refinement of behaviour to finding a compositional method for reasoning about the capability of schedules.