In document How To Check A Timed Weak Simulation (Page 106-111)

CTTS Timed Simulation

Lemma 3.11 (Delay) Given two CTTS A and C such that A has a finite control² and is 1-τ:

\[
\forall S_c, S_a \in 2^{Q_c \times Q_a},\; S_a \subseteq S_c \cap F^{\mu}_D(S_a) \wedge S_a \text{ is } \sim\text{-stable} \Rightarrow S_a \subseteq F_D(S_c)
\]

meaning:

\[
\forall S_c \subseteq S_a,\; \forall (q_1, q_2) \in S_c,\;
\overbrace{\big(\forall q'_1, \delta,\; q_1 \xrightarrow{\delta} q'_1 \Rightarrow \exists q'_2,\; q_2 \stackrel{\delta^*}{\Longrightarrow} q'_2 \wedge \Sigma \delta_i = \delta \wedge (q'_1, q'_2) \in S_a\big)}^{(H)} \Rightarrow
\]
\[
\big(\exists \delta > 0,\; q_1 \xrightarrow{\delta} \wedge\; q_2 \xrightarrow{\tau_a^* \delta}\big) \Rightarrow
\exists q'_2,\; q_2 \xrightarrow{\tau_a^*} q'_2 \wedge \big(\exists \delta > 0,\; q_1 \xrightarrow{\delta} \wedge\; q'_2 \xrightarrow{\delta}\big) \wedge
\big(\forall \delta > 0, q'_1, q''_2,\; q_1 \xrightarrow{\delta} q'_1 \wedge q'_2 \xrightarrow{\delta} q''_2 \Rightarrow (q'_1, q''_2) \in S_c\big)
\]

² This is not a restriction since the CTTSs are user defined and their set of transitions is always finite. The semantics of the CTTS may still be infinite due to time transitions.

Proof. Let $S_a \subseteq S_c$. Let $(q_1, q_2) \in S_a$ such that (H) holds. Let $\delta > 0$ such that

hyp2: $q_1 \xrightarrow{\delta} \wedge\; q_2 \xrightarrow{\tau_a^* \delta}$.

We need to prove that:

\[
\exists q'_2,\; q_2 \xrightarrow{\tau_a^*} q'_2 \wedge \big(\exists \delta > 0,\; q_1 \xrightarrow{\delta} \wedge\; q'_2 \xrightarrow{\delta}\big) \wedge \big(\forall \delta > 0, q'_1, q''_2,\; q_1 \xrightarrow{\delta} q'_1 \wedge q'_2 \xrightarrow{\delta} q''_2 \Rightarrow (q'_1, q''_2) \in S_a\big) \quad (3.1)
\]

Two cases need to be investigated, depending on whether a delay event may occur from the state $(q_1, q_2)$ or not:

1. Suppose hyp3: $(q_1, q_2) \models \langle delay \rangle \top$. Let $q'_2 = q_2$, so $q_2 \xrightarrow{\tau_a^*} q'_2$ is verified and, by hyp3, $(\exists \delta > 0,\; q_1 \xrightarrow{\delta} \wedge\; q'_2 \xrightarrow{\delta})$ is also verified. We are left with proving:

\[
\big(\forall \delta > 0, q'_1, q''_2,\; q_1 \xrightarrow{\delta} q'_1 \wedge q'_2 \xrightarrow{\delta} q''_2 \Rightarrow (q'_1, q''_2) \in S_a\big)
\]

Let $\delta > 0$, $q'_1$, $q''_2$ such that $q_1 \xrightarrow{\delta} q'_1 \wedge q'_2 \xrightarrow{\delta} q''_2$. By hyp1 we know that $\exists q'_2,\; q_2 \xrightarrow{(\tau_a \mid \delta_i)^*} q'_2 \wedge \Sigma \delta_i = \delta \wedge (q'_1, q'_2) \in E_2$. Let $q'_2$ be such a state. Since by hypothesis $E_2 \subseteq E_1$, then $(q'_1, q'_2) \in E_1$. Now, having $q_2 \xrightarrow{\delta} q''_2$ and $q_2 \xrightarrow{(\tau_a \mid \delta_i)^*} q'_2$, by the permutation property we have $q'_2 \sim q''_2$. By the stability of $S_a$ for the strong bisimulation we obtain $(q'_1, q''_2) \in E_1$. Since $S_a \subseteq S_c$, we have $(q'_1, q''_2) \in E_1$.

2. Suppose hyp4: $(q_1, q_2) \not\models \langle delay \rangle \top$. By hyp2 we know that there exists $st'$ such that $q_2 \xrightarrow{\tau_a^*} st'$ and $(q_1, st') \xrightarrow{\delta}$. Knowing that the abstract system is 1-τ, either $st' = st$ or $st \xrightarrow{\tau} st'$. But by hyp4 the first case is impossible, hence $st \xrightarrow{\tau} st'$.

Let $\delta$ be a delay $\neq 0$ and $q'_1$ such that $q_1 \xrightarrow{\delta} q'_1$. By hyp1, the abstract system contains a path of $\tau$ and $\delta$ steps, of whatever duration is made by the concrete system, that preserves the refinement ($\in E_2$). This path surely starts with a $\tau$ since time cannot elapse in $(q_1, q_2)$. By the hypothesis of finiteness of control of the abstract system, it is possible to find a unique $\tau$ transition as the first step of all these paths. Let $q_2 \xrightarrow{\tau} x'$ be this transition. We choose $x'$ as the state $q'_2$ of the property (1) we are proving. Three conditions have to be satisfied:

(a) $q_2 \xrightarrow{\tau_a^*} x'$.

(b) $(\exists \delta > 0,\; q_1 \xrightarrow{\delta} \wedge\; q'_2 \xrightarrow{\delta})$: this is also verified. We take the $\delta$ already introduced. We have $q_1 \xrightarrow{\delta} q'_1$. We also have $x' \xrightarrow{\delta}$, since another $\tau$ is no longer possible because of the 1-τ hypothesis.

(c) Let $\delta' > 0$, $q'_1$, $q''_2$ such that $q_1 \xrightarrow{\delta'} q'_1 \wedge x' \xrightarrow{\delta'}$. By our choice of $x'$, there exists a path of duration $\delta'$ starting from $x'$ in the abstract system and preserving the refinement. Knowing that there is only one $\tau$, this path contains but a single step, the $\delta'$ delay. Let $x_1$ be such that $x' \xrightarrow{\delta'} x_1$. We have $(q'_1, x_1) \in E_2 \subseteq E_1$.

Discussion On the Assumptions

We discuss the two major restrictions made on the abstract system:

1. τ non-Zenoness and τ divergence: these two are standard assumptions made on timed systems. In our context they guarantee the progress of time in the abstract system. This is necessary in our composition-based method because time is always synchronous. Blocking time in the abstract system could thus result in blocking time in the whole composition and hide concrete delays.

2. No successive τ transitions: permitting successive τ transitions in A complicates the verification of the timed weak simulation, because in this case any delay in C can be matched by a series of delays in A separated by τ transitions [36]. An example that illustrates this problem is depicted in Figure 3.19. In the composition of the abstract and the concrete system, there exists a trace where an event a2 is not matched with an event a1. This means that the µ-calculus property will not be satisfied even though a simulation does hold. This corresponds to the case where an elapse of 3 u.o.t. is consumed entirely by the first time interval [0, 3] of the abstract system. The occurrence of a2 would thus never be followed instantaneously by a matching a1 event.

[Figure 3.19 (diagram not recoverable as text): panels Abstract A, Concrete C and A || C, with states s1 to s10, events a1 and a2, time intervals [3,3], [0,3] and [1,1], and delays δ1, δ2, δ3.]

Figure 3.19 – Counter Example

Now concerning our 1-τ restriction, general modeling techniques of real time systems are still permitted. For instance, specifying a maximal bound of a global event e is made by a choice between a timed local event τ and the event e. Specifying a minimal bound of a global event e is made by a sequential execution of a timed local event τ and e.
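To make the problem of Figure 3.19 tangible, the following Python model is an added example, not part of the thesis: it explores a toy A || C with synchronous time and exhibits a trace where a2 is never answered instantaneously by a1, while showing that A can still match the concrete delay once delays may be split around a τ, as in [36]. The shapes of both systems are assumed from the description above (abstract: [0,3] τ then [1,1] a1; concrete: [3,3] a2), and the role given to the control observer Obs (ruling out unprompted abstract events) is an assumption as well.

```python
# Constructed toy models of the two CTTS described around Figure 3.19 (assumed shapes, not the
# thesis' own). A transition (src, label, lo, hi, tgt) fires once the clock since entering src is
# in [lo, hi]; time is integer u.o.t., and a unit delay is allowed while some upper bound is unmet.
A = [("s1", "tau", 0, 3, "s2"), ("s2", "a1", 1, 1, "s3")]   # abstract: [0,3] tau, then [1,1] a1
C = [("s1", "a2", 3, 3, "s2")]                                # concrete: [3,3] a2
def moves(ts, loc, clk):
    return [(lab, tgt) for src, lab, lo, hi, tgt in ts if src == loc and lo <= clk <= hi]
def can_delay(ts, loc, clk):
    return any(src == loc and clk < hi for src, _, _, hi, _ in ts)

def step_product(s):
    """Successors in A || C: 'delay' is synchronous, all other moves are local."""
    la, ka, lc, kc = s
    succ = [("delay", (la, ka + 1, lc, kc + 1))] if can_delay(A, la, ka) and can_delay(C, lc, kc) else []
    succ += [(lab + "_a", (tgt, 0, lc, kc)) for lab, tgt in moves(A, la, ka)]
    succ += [(lab + "_c", (la, ka, tgt, 0)) for lab, tgt in moves(C, lc, kc)]
    return succ

def ef_tau(s, label, seen=frozenset()):
    """EF_tau <label>: can `label` fire after zero or more abstract tau moves (no delay)?"""
    return s not in seen and any(lab == label or (lab == "tau_a" and ef_tau(nxt, label, seen | {s}))
                                 for lab, nxt in step_product(s))

def unmatched_trace():
    """Search A || C for a trace whose a2 is not answered by a1 through tau moves only."""
    seen, todo = set(), [(("s1", 0, "s1", 0), [])]
    while todo:
        cur, trace = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for lab, nxt in step_product(cur):
            if lab.endswith("_a") and lab != "tau_a":
                continue  # unprompted abstract events: assumed to be ruled out by the observer Obs
            if lab == "a2_c" and not ef_tau(nxt, "a1_a"):
                return trace + [lab]
            todo.append((nxt, trace + [lab]))
    return None

def abstract_matches(total):
    """Weak matching as in [36]: delays summing to `total`, separated by tau moves, then a1."""
    todo = [("s1", 0, 0, [])]            # (location, clock, elapsed time, run so far)
    while todo:
        loc, clk, t, run = todo.pop()
        if t == total and any(lab == "a1" for lab, _ in moves(A, loc, clk)):
            return run + ["a1"]
        if t < total and can_delay(A, loc, clk):
            todo.append((loc, clk + 1, t + 1, run + ["delay"]))
        todo += [(tgt, 0, t, run + ["tau"]) for lab, tgt in moves(A, loc, clk) if lab == "tau"]
    return None
```

`unmatched_trace()` returns the three synchronous delays followed by a2 (the whole elapse consumed in [0,3], so a1 still needs one more delay), whereas `abstract_matches(3)` shows A answering the same delay with delay, delay, τ, delay, a1 when the delay may be split.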

3.5.4 Extension to a Deadlock-Sensitive Timed Weak Simulation

The check of the Deadlock-Sensitive (DS) timed weak simulation also consists in a µ-calculus property verified on the composition result of the abstract system, the concrete system and the two observers, $(A \mid\mid\mid C) \parallel (\mathit{Obs} \parallel_{L_\tau - A_r} \mathit{Obs}_\delta)$, where $\mathit{Obs}$ is the control observer, $\mathit{Obs}_\delta$ is the time observer and $A_r = \{delay, \tau_0\}$. The DS Timed Weak Simulation criterion is written in µ-calculus as follows:

\[
\forall (q^0_a, q^0_c) \in Q^0_a \times Q^0_c,\; (q^0_a, q^0_c, ok, evt_0) \models
\]
\[
\overbrace{\nu X.\; \mathit{Obs}\ \text{in}\ ok \wedge \mathit{Obs}_\delta\ \text{in}\ evt_0 \wedge \bigwedge_i [e^i_c]\big(EF_{\tau_a}\langle e^i_a \rangle X\big) \wedge \bigwedge_j [\tau^j_c] X \wedge \big(EF_{\tau_a}\langle delay \rangle \top\big) \Rightarrow EF_{\tau_a}\big(\langle delay \rangle \top \wedge [delay] X\big)}^{\text{Timed Weak Simulation}} \wedge
\]
\[
\overbrace{\bigwedge_i [e^i_a] \langle e^i_c \rangle \top}^{\text{Event Deadlock}}
\]

This property characterizes a set of product states to which the initial state must belong. This set of states is defined over the composition of the states of A, C and the two observers. We comment on the DS-Timed Weak Simulation criterion:

• The first part is exactly the Timed Weak Simulation criterion.

• The second part describes the deadlock preservation property. Actually, it states that each abstract visible event is followed by a corresponding concrete event.

The proof of equivalence of this criterion with the DS-timed weak simulation is direct, as their formulations are similar.

3.5.5 Extension to a State-Event Timed Weak Simulation

The DS-timed weak simulation criterion is extended to the case of the state-event timed weak simulation with the addition of the relation between the concrete and the abstract propositions. For P the set of propositions and a proposition $p \in P$, the µ-calculus property is then extended with this proposition relation as shown in the following:

\[
\forall (q^0_a, q^0_c) \in Q^0_a \times Q^0_c,\; (q^0_a, q^0_c, ok, evt_0) \models
\]
\[
\overbrace{\nu X.\; \mathit{Obs}\ \text{in}\ ok \wedge \mathit{Obs}_\delta\ \text{in}\ evt_0 \wedge \bigwedge_i [e^i_c]\big(EF_{\tau_a}\langle e^i_a \rangle X\big) \wedge \bigwedge_j [\tau^j_c] X \wedge \big(EF_{\tau_a}\langle delay \rangle \top\big) \Rightarrow EF_{\tau_a}\big(\langle delay \rangle \top \wedge [delay] EF_{\tau_a} X\big)}^{\text{DS Timed Weak Simulation}} \wedge
\]
\[
\overbrace{\bigwedge_i [e^i_a] \langle e^i_c \rangle \Big(\bigwedge_{p \in P} p_c \Leftrightarrow p_a\Big)}^{\text{State-Event Deadlock}} \wedge
\overbrace{\bigwedge_{p \in P} p_c \Leftrightarrow p_a}^{\text{Propositions Relation}}
\]

where $(q_c, q_a) \models p_c$ if $p \in v_c(q_c)$ and $(q_c, q_a) \models p_a$ if $p \in v_a(q_a)$. We comment on the addition of the propositions relation:

• We say that for each proposition p, if p is satisfied by the variables of the concrete system $x^k_c$, then the variables of the abstract system $x^l_a$ should satisfy it as well. Obviously, the concrete and abstract variables depend on the systems that are verified.

The proof of equivalence of this criterion with the State-Event DS-timed weak simulation is direct because their formulations are similar. We just note here that in the given formula, the propositions are verified at the initial state and then after each occurrence of a visible event. This is because the recursion of the formula is applied after the event occurrence in $\bigwedge_i [e^i_c]\big(EF_{\tau_a}\langle e^i_a \rangle X\big)$. This coincides with our mathematical definition of the simulation.

3.6 Conclusion

We have given in this chapter our first main contribution, which consists of the study of timed simulation relations and their properties. For this we have defined a timed weak simulation that holds in both the state-based and the action-based contexts. We have shown that in order for the weak simulation to preserve linear logic properties, additional clauses, namely deadlock and divergence, need to be verified. We have also given a verification technique for the simulation. In the next chapter, we tackle the application part of this document. For this, we start by introducing the BPEL language and its relation with formal methods.
