GREYBOX REFINEMENT AND GENERAL PROPERTIES

A Theory for Refinement and Compatibility

4. GREYBOX REFINEMENT AND GENERAL PROPERTIES

4.1. Blackbox vs Greybox Refinement. Blackbox refinement between PIOs without internal transitions can be used to derive greybox refinement.

Theorem 4.47(Blackbox vs Greybox) LetA,BandCbe PIOs such thatA,Bare composable withTA=TB =TC=∅. IfCvbbAthenC⊗BvgbA⊗B.

PROOF. The claim follows by Prop. 4.43 (2) and Thm. 4.45.

Using Cor. 4.46 we obtain from corresponding assumptions thatC⊗Dvgb_A

⊗B. There-

fore, in order to establish greybox refinement between compositions of PIOs, one either checks greybox refinement for each of the PIOs of the composition or, in case there are local internal transitions that hinder this approach, one first hides all local steps and then checks either blackbox or greybox refinement.

For asynchronous communication we consider only the case of completely buffered PIOs. The general case holds analogously.

Theorem 4.48(Blackbox vs Greybox (asynchronous)) LetA,BandCbe PIOs such that

A,BandC,Bare composable. IfC_vbb_A_thenΩ(_C)_ξ

⊗Ω(B)ξ_vgbΩ(_A)_ξ

⊗Ω(B)ξ. PROOF. By Thm. 4.25 we haveΩ(C)vbbΩ(_A)_{and by Lem. 4.5,}Ω(_C)_ξ

vbbΩ(_A)_ξ_.

Now the claim follows by Prop. 4.47.

It is an open question if Thm. 4.48 holds for buffered PIOs where only the local actions of the underlying control automataA,BandCare hidden.

4.2. Weak Simulation and Temporal Logics. The conditions (C-IOT) and (C-Tau) of greybox refinement correspond to the requirements of weak simulation between general labelled transition systems. By this means it is immediate that properties expressed with respect to the transition relation∆Aof an abstract PIOAwhich are known to be preserved

by weak simulation are also preserved by greybox refinement, and thus hold for a greybox refinementCofA. In the following we will define a notion of weak simulation for PIOs

that takes only the relation∆ into account and investigate preservation results based on finite and infinite weak traces. A specialised logic that takes both relations into account is defined in [HJS01], though only for strong modal logic.

Definition 4.49(Weak simulation) LetAandCbe PIOs.Aweakly simulatesC, written

C4∆A, ifLA =LCand there existsR⊆SA×SCsuch that(s0,A, s0,C)∈Rand for

all(sA, sC)∈Rthe following conditions hold:

∀l∈IC∪OC∪TC.∀s0C∈SC.(sC, l, s0C)∈∆C =⇒ (C-IOT) (∃s0A∈SA.(sA, l, s0A)∈∆τA∧(s0A, s0C)∈R) ∀s0C∈SC.(sC, τ, s0C)∈∆C =⇒ (C-Tau) (∃s0 A∈SA.(sA, s0A)∈∆τA∧(s0A, s0C)∈R)

Analogously, we define a weak simulation fromC toA, denoted byA4ΠCusing the set of persistent transitionsΠ. In the following we focus on the direction fromAtoC.

Weak simulation fromCtoAis used in the discussion of liveness properties below.

Corollary 4.50(Weak simulation) LetAandCbe PIOs. IfC_vgb_A_then_C

4∆A. With Cor. 4.50 a number of known results for weak simulation carry over to greybox refinement. In the case ofτ-free transition systems one could even transfer results known

for strong simulation relations, for instance preservation of the universal and the existential fragments ofCTL∗_{[BKL08, Thm. 7.76, Thm. 7.79]. In the following, however, we stick}

70 4. A THEORY FOR REFINEMENT AND COMPATIBILITY

First, we consider trace inclusion. LetA be a PIO and lets _∈ SA. The statesis

terminalif it has no outgoing transitions, i.e. for alll_{∈ L}(A)and for alls0

∈SAit holds

that(s, l, s0₎ _/

∈ ∆A. Afinite∆-runofAis a finite sequences0,Al1s1. . . sn−1lnsn with

si ∈SA,li+1∈SLAand(si, li+1, si+1)∈∆τ_Afor all0≤i < n. Aninfinite∆-runofA is an infinite sequences0,Al1s1l2. . .withsi∈SA,li+1∈SLAand(si, li+1, si+1)∈∆τ_A for alli_≥0. Amaximal∆-runofAis either infinite, or finite withsn being a terminal

state.

A finite weak∆-trace of Ais a finite sequencel1. . . ln withli ∈ SLA such that

there is a finite∆-runs0l1s1. . . sn−1lnsnof A. WithT∆∗(A)we denote the set of finite weak∆-traces ofA. Aninfinite weak∆-traceof Ais an infinite sequencel1l2. . .with

li∈SLAsuch that there is a infinite∆-runs0l1s1l2. . .ofA. WithT∆(A)we denote the set of all infinite and finite weak∆-traces such that there is a maximal∆-run ofA.

Proposition 4.51 (Greybox trace inclusion) Let A and C be PIOs. Let C be without terminal states. IfC_vgb_A_then_T

∆(C)⊆T∆(A).

PROOF. SinceC is without terminal states it suffices to consider infinite runs. Let

%=s0,Cl1s1,Cl2. . .be an infinite∆-run ofC. By Cor. 4.50 there exists a weak simulation

relationR _⊆SA×SC such that(si,A, si,C)∈Rfor alli≥0. The relation can be used

to construct inductively an infinite∆-runs0,Al1s1,Al2. . .ofA. Since the∆-runs yield the same infinite weak∆-trace, we haveT∆(C)⊆T∆(A). The assumption on terminal states is necessary. The example in Fig. 4.14 satisfies

C vgb_A _{as witnessed by the relation} _R =

{(a1, c1),(a2, c2),(a3, c3),(a4, c2)}. But

T∆(C)6⊆T∆(A)sincem1∈T∆(C)andm1∈/T∆(A).

(a) Concrete systemC c4 m2 m1 c1 c2 c3 m1 (b) Abstract systemA a3 m2 m1 a1 a2

FIGURE4.14. Terminal states invalidate greybox trace inclusion

Greybox trace inclusion also holds for finite weak∆-traces.2 _{We use Prop. 4.51 for}

the proof of the following lemma and hence assumeC to be without terminal states. A direct proof would not need this assumption. Let % _∈ T∆(A) be a weak infinite∆- trace of A. The set of finite prefixes pref(%)is given by pref(%) = _{%¯ _∈ (S_L

A)∗ | ¯

%is a finite prefix of%_}. For example, if%=l1l2. . .thenpref(%) ={, l0, l0l1, . . .}. Lemma 4.52 LetAandCbe PIOs. LetC be without terminal states. IfC_vgb_A_then

T∗

∆(C)⊆T∆∗(A).

PROOF. By Prop. 4.51 we have T∆(C) ⊆ T∆(A). The set of finite prefixes for

T∆(A)andT∆(C)coincide with the set of finite weak∆-traces ofAandCrespectively. Sincepref is monotone we havepref(T∆(C))⊆pref(T∆(A)), wherepref(T∆(C)) = S

%∈T∆(C)pref(%)and analogous forA. ThereforeT ∗

∆(C)⊆T∆∗(A).

The infinite part of greybox trace inclusion was used in [HJK09] to prove the preservation of buffered compatibility, a notion of compatibility similar to our current definition of asynchronous compatibility. In the following we investigate the preservation of more general properties.

Safety and liveness properties. Safety properties specify that, within a transition system, a certain action may not happen or a certain state may not be reachable. In the following we

4. GREYBOX REFINEMENT AND GENERAL PROPERTIES 71

consider the formalisation of safety properties as given by Tracta in the context of labelled transition systems (LTS) [Gia99]. Tracta focuses on actions and uses finite deterministicτ- free labelled transition systems for the specification of safety properties.3_{The finite traces}

of these property automataformally represent a safety propertyP using a subset of the observable alphabet of the LTS to whichPrelates. Satisfaction is defined using finite trace

inclusion between the propertyPand the LTS restricted to the alphabet ofP. Tracta uses

traces withobservableactions [Gia99, p. 14] corresponding to our notion of weak finite traces (cf.T∗ _{for IOTSs in Sect. 2.1 in Chap. 3). Based on this observation we transfer}

the Tracta approach to our setting as follows.

Denote the weak finite traces of an LTS byT∗_{. Let}_A_{be a PIO. A}_{safety property}_P sf forAis specified by aτ-free deterministic LTSPsf = (SLA, S, s0,∆). AsatisfiesPsf, writtenA|=Psf if and only ifT∆∗(A/H)⊆T∗(Psf), whereH =SLA\SLPsf.

Next we show that greybox refinement preserves safety properties. For the proof we rely on Lem. 4.52 which requires the concrete system to be without terminal states. Using Cor. 4.50 and a lemma for PIOs analogous to Lem. 3.6 on finite trace equivalence between IOTSs one could drop this assumption for the following theorem.

Theorem 4.53 LetAandCbe PIOs. LetCbe without terminal states. IfC_vgb_A_{then it} holds thatA_|=Psf impliesC|=Psf.

PROOF. ByA _|= Psf we have T∆∗(A/H) ⊆ T ∗₍_P

sf)withH = SLA\SLPsf.

SinceH _⊆LAandLA=LC byCvgbA, it follows from the definitions thatC/Hvgb

A/H. Moreover, hiding does not affect the absence of terminal states, thus Lem. 4.52 is

applicable and it follows thatT∗

∆(C/H)⊆T∆∗(A/H)and henceC|=Psf. There is an interesting connection between the satisfaction of safety properties and neutral behaviours as discussed in Chap. 3. Since property automata areτ-free we may

apply Prop. 3.8 in order to check if a certain safety property is satisfied. Neutrality was considered in the context of component behaviours and IOTSs. A corresponding notion for PIOs could be defined with regard to the transition relation∆. LetAandBbe composable

PIOs. B is ∆-neutral for A if AθS(A,B) ≈ gb

∆ A⊗B (cf. p. 36), where ≈ gb

∆ denotes greybox equivalence with respect to the transition relations ∆ on both sides. With an analogy to Prop. 3.8 we obtain for composable PIOsAandBsuch thatS

LB⊆SLAand

H =S_L

A\SLB,Bis∆-neutral forAiffT∆∗(A/H)⊆T

∗₍_B₎_{. Therefore, if}_P sf is a safety property forAwe have

A|=Psf if and only ifPsfis∆-neutral forA.

Liveness properties assert that "eventually something good happens". In contrast to safety properties along finite traces, eventuality relates to the infinite traces of a system and requires, in the context of transition systems, an action to happen infinitely often or a state to be visited repeatedly, for instance. Using a weak simulation fromC toA, the

results above hold analogously for traces inΠ. Therefore, we could useA4ΠCto claim the preservation of liveness properties similar to Thm. 4.53. However, as weak simulation is known to be ignorant with regard to divergence (infinite τ-paths) it is immediate that greybox refinement does not preserve liveness properties in general. Consider for instance the two examples in Fig. 4.15, taken from [Gia99, p. 101]. A liveness propertyφcould require that it is always the case that ifmhappens then eventuallynhappens, using LTL

the requirement reads as(m =_⇒ _♦n). Both abstract PIOs,A1andA2, satisfyφ, but neither doesC1norC2, which is due to the divergingτ-paths.

One way to cope with τ loops is to extend greybox refinement with an additional

requirement for divergence, making the refinement relation divergence-sensitive. By this means liveness properties such asφcould be preserved. We believe that such an extension

3_{Determinism is not a restriction. A non-deterministic LTSs can be transformed to an equivalent deterministic}

72 4. A THEORY FOR REFINEMENT AND COMPATIBILITY

(a)C1(left) andA1(right)

n m n m c2 vgb τ τ c0 c1 a0 a1

(b)C2(left) andA2(right) n m m n c1 c0 τ a0 a1 a2 vgb c2

FIGURE4.15. Greybox refinement ignores divergence

would allow for an even more general statement, as divergence-sensitive weak equivalence is known to preserve CTL∗

\ formulas [BKL08, Lem. 7.129], that is, CTL∗ formulas

without the next operator. SinceCTL∗_{comprises both, CTL and LTL, such an extension}

would be quite useful. We briefly address this issue in the next section.

Stutter trace inclusion. Greybox trace inclusion in the context of PIOs seems to be an analogy to stutter trace inclusion in the context of Kripke structures as considered by [BKL08, p. 533].4 In this case, Cor. 7.93 of [BKL08] would carry over which states the preservation of LTL\ formulas. Stutter steps are used to abstract from internal steps.

Stutter trace inclusion then requires for all traces%Cof a concrete systemCthe existence

of a trace%Ain the abstract systemAsuch that%Cand%Aare stutter equivalent, i.e. equiv-

alent modulo stutter steps. However, a closer look reveals an important difference in the underlying set of traces. [BKL08, Def. 7.89] considers traces as given by the executions (runs) of the underlying transition system. Our formalisation, in contrast, usesweaktraces without internal labels, that is, traces that rely on steps(si, li+1, si+1)∈∆τwithli∈SL.

A definition that includes internals would requireli ∈SL∪ {τ}.

More precisely, aninfinite strong∆-runof a PIOAis an infinite sequences0,Al1s1l2. . . withsi ∈ SA,li+1 ∈ SLA∪ {τ} and ifli+1 6= τ then(si, li+1, si+1) ∈ ∆τA, and if

li+1 =τthen(si, si+1)∈ ∆τA, fori ≥0. Aninfinite strong∆-traceofAis an infinite

sequencel1l2. . .withli ∈SLA∪ {τ}such that there is a strong∆-runs0l1s1l2. . .ofA. We denote the set of infinite strong∆-traces ofAbyTs

∆(A). Note that the definition is still relaxed with respect to the number ofτtransitions.

As mentioned above, greybox refinement is too weak with regard to divergentτpaths

to ensure trace inclusion for strong∆-traces. Consider for example the transition systems in Fig. 4.16. It holds thatC_vgb_A_but_Ts

∆(C) 6⊆T s ∆(A)sinceτ ω ₌ _{τ τ . . .} ∈Ts ∆(C) whileτω _/ ∈Ts ∆(A).

(a) Concrete systemC

(b) Abstract systemA

FIGURE4.16. Greybox refinement and strong∆-traces

4_{In other words, greybox trace inclusion uses the action (event) labels of a transition system, hence is action-}

5. DISCUSSION AND RELATED WORK 73

A solution along the lines of divergence-sensitive equivalence relations as defined in [BKL08, Def. 7.106] requires an extension of our refinement relations that takes divergence of the concrete system into account. A states _∈SAof a PIOAdivergesif there

exists an infinite execution fragmentsl1s1l2. . .∈frag(A)such thatli =τfor alli≥1.

Let AandC be PIOs. A refinement relation R _⊆ SA ×SC is divergence-sensitiveif

for all (sA, sC) ∈ R it holds that, if sC diverges then sA diverges. A definition of

divergence-sensitive greybox refinement requires the existence of a divergence-sensitive relationR_⊆SA×SCsuch that(s0,A, s0,C)∈Rand for all(sA, sC)∈Rthe conditions

in Tab. 4.13 hold.

Since divergence-sensitive weak equivalence is known to preserveCTL∗

\formulas

we believe that it is possible to show an analogous result for divergence-sensitive greybox refinement. Such a result requires a translation between PIOs and Kripke structures which could be based on work of de Nicola and Vaandrager who define a mapping between labelled transition systems and Kripke structures in [NV90]. However, still this relates to the slightly restricted setting of this section which considered only the ∆ part of PIOs and therefore it could be more effective to approach directly an extension of the strong modal logic developed by [HJS01] to a weak modal logic suitable for the specification of properties with regard to both transition relations of a PIO.

5. Discussion and Related Work

The development of a refinement theory initially started with a slightly aligned notion of interface automata [dAH01a], called I/O-transition systems, in [BHH+_{06]. Since then,} the quest for an appropriate theory applicable to port-based components focused on interface automata and extensions of their refinement relation based on alternating simulation [dAH01a]. Alternating simulation is characterised by a simulation relation that alternates between inputs and outputs. The correct refinement of a more abstract specification is required to show at least the inputs and at most the outputs as given by the specification. The freedom to add inputs, in particular in combination with the freedom to add and remove internal transitions is useful to allow implementations with additional I/O behaviour. But, in contrary, it endangers the preservation of properties that have been verified on the level of the specifications.

We considered the property output compatibility, a notion similar to “compatibility” of de Alfaro and Henzinger but also to what is called “bad activity” by Adamek and Plasil in [AP05]. It turned out that it is difficult to preserve compatibility if it is allowed to add internal transitions beforean input transition of the specification is simulated in the im- plementation. The approach of de Alfaro and Henzinger disallows such a refinement, and we did likewise in our first approach to transfer the relation to systems with asynchronous communication in [HJK09]. However, we believe that refinements with additional internal transitions preceeding the simulated input transition are quite common, in particular in the setting of component-based systems where composition and abstraction are the crucial system building operators. Moreover, the preservation result for the relation developed in [HJK09] did not generalise for arbitrary open systems.

The solution, motivated by the aims (1) to preserve a notion of weak compatibility for both, synchronous and asynchronous communication and (2) to be transferable to open systems with asynchronous communication required the strengthening of the refinement relation with regard to the input transitions of a specification. If we do not allow to add arbitrary input transitions we are one step closer to our aims. Additionally, in order to obtain freedom with regard to preceeding internal transitions while preserving output compatibility, the preservation of these internal paths is required if it is a path to a matching input transition. Taken together we arrive at a concept of "persistent transitions" as a subset of the transitions of an IOTS that cover at least paths to inputs needed to preserve output compatibility of the specification. The resulting formalism ofinput-persistentI/O-transition

74 4. A THEORY FOR REFINEMENT AND COMPATIBILITY

systems is a special case of modal I/O automata [LNW07] and the given theory might have been worked out on the basis of MIOs as considered in [BMSH10] for systems without buffered message exchange as well. However, we abstained from doing so, since, as argued in Sect. 1.1, the additional expressiveness seems not required in the context of output compatible environments.

In [BMSH10] a notion of “interface theory” is defined, providing a formal frame

In document Janisch, Stephan (2010): Behaviour and Refinement of Port-Based Components with Synchronous and Asynchronous Communication. Dissertation, LMU München: Fakultät für Mathematik, Informatik und Statistik (Page 77-83)