In this section we develop a generic theory of strong refinement by parameterizing the definition of simulation by a measure of interference.
We model interference by a relation φ ⊆ M×M, called the interference set, over pairs of multisets2. We use (M, M′)∈φ to denote that M′ is a multiset that may result
from interference from the environment in a configuration with multiset M. Hence, if the current multiset isM, then the set of multisets in which we may end up in through interference from the environment is given by
{M′ |(M, M′)∈φ}
Definition 5.2.1 shows how the interference parameter can be incorporated in the notion of simulation. According to this definition, one configuration is a refinement of another, if the configuration that is being refined is able to simulate all configurations that may result from interference with the current configuration.
Definition 5.2.1 Let R ⊆C×C and φ⊆M×M.
We say that R is a strong φ-simulation if for all (hs, Mi,ht, Ni)∈ R, for all λ, for all (M, M′)∈φ, 1. M =N 2. hs, M′i λ −→ hs′, M′′i ⇒ ht, M′i λ −→ ht′, M′′i and (hs′, M′′i,ht′, M′′i)∈ R 3. s≡skip ⇒ t≡skip
We first prove some standard properties of φ-simulation. Lemma 5.2.2 If Ri are strong φ-simulations, then so are
1. the identity relation over configuration: IdC
2. the composition: R1R2
3. the union: Si∈IRi
2We interchangeably view φ as a relation or as a predicate over pairs of multisets by appealing to
Proof
1. By reflexivity of = and ⇒ .
2. Suppose (hs1, Mi,hs2, M′i) ∈ R1R2, then for some t and N we have
(hs1, Mi,ht, Ni) ∈ R1 and (ht, Ni,hs2, M′i) ∈ R2. Because R1 and R2 are φ-
simulations, we haveM =N =M′. transition
Now let φ(M, M′) and hs
1, M′i
λ
−→ hs′
1, M′′i.
Because (hs1, Mi,ht, Mi)∈ R1, there is some t′ such that ht, M′i
λ
−→ ht′, M′′i and
(hs′
1, M′′i,ht′, M′′i)∈ R1.
Because (ht, Mi,hs2, Mi) ∈ R2, there is some s′2 such that hs2, M′i
λ
−→ hs′
2, M′′i
and (ht′, M′′i,hs′
2, M′′i)∈ R2.
From (hs′1, M′′i,ht′, M′′i) ∈ R1 and (ht′, M′′i,hs′2, M′′i) ∈ R2 follows
(hs′1, M′′i,hs′2, M′′i)∈ R1R2.
termination
Ifs1≡skip then from (hs1, Mi,ht, Mi)∈ R1 we have t≡skip .
From (ht, Mi,hs2, Mi)∈ R2 followss2≡skip .
3. Let R =Si∈IRi. Suppose (hs1, Mi,hs2, Ni)∈ R, then (hs1, Mi,hs2, Ni)∈ Ri for
some i∈I hence M =N. transition Ifφ(M, M′) and hs 1, M′i λ −→ hs′
1, M′′i then, becauseRi is a φ-simulation, we have
hs2, M′i λ −→ hs′ 2, M′′i and (hs′1, M′′i,hs′2, M′′i)∈ Ri. Because Ri ⊆ R also (hs′1, M′′i,hs′2, M′′i)∈ R. termination
The case s1≡skip goes analogously.
Next, we define strong φ-refinement, denoted ≤φ, as the maximal strong φ-
simulation relation. Let hs, Mi and ht, Ni be configurations. We say that hs, Mi is a strongφ-refinement of ht, Ni, denotedhs, Mi ≤φht, Ni, if (hs, Mi,ht, Ni)∈ R for some
strongφ-simulation R. Strongφ-equivalence, denoted =φ, is defined as the intersection
of strong φ-refinement and its inverse. We obtain a (family of) refinement relation(s) over schedules (rather than configurations) by indexing the refinement relation with a multiset.
Definition 5.2.3 1. ≤φ =S{R | R is a strong φ-simulation } 2. =φ = ≤φ ∩ ≤φ−1 3. s≤φ M t iff hs, Mi ≤ φht, Mi 4. s=φ M t iff s≤ φ M t and t≤ φ M s Lemma 5.2.4
1. ≤φ is the largest strong φ-simulation
2. ≤φ is a partial order
3. =φ is an equivalence relation
Proof
1. By Lemma 5.2.2.3 ≤φ is a strong φ-simulation. By Definition 5.2.3.1 it includes
any other strong φ-simulation.
2. Reflexivity follows from Lemma 5.2.2.1, transitivity from Lemma 5.2.2.2, antisym- metry from Lemma 5.2.4.3.
3. Reflexivity and transitivity follow from Lemma 5.2.2.(1 and 2). Symmetry follows from Definition 5.2.3.2.
Analogously to [90] we use some fixed-point theory (see e.g [43]) to show that ≤φ
defines the relation that contains precisely all strong φ-simulations. Definition 5.2.5 Define a function F:C×C → C×C as follows:
IfR ⊆C×C, then(hs, Mi,ht, Mi)∈F(R)if and only if, for allλ, for allM′ :φ(M, M′), 1. M =N
2. hs, M′i λ
−→ hs′, M′′i ⇒ ht, M′i λ
−→ ht′, M′′i and (hs′, M′′i,ht′, M′′i)∈ R
Lemma 5.2.6
1. F is monotonic; i.e. if R1 ⊆ R2, then F(R1)⊆F(R2).
2. R is a strong φ-simulation if and only if R ⊆F(R). Proof
1. Follows directly from Definition 5.2.5.
2. Follows directly from Definition 5.2.5 and Definition 5.2.1.
Monotonicity says that F preserves the ordering ⊆ onC×C. Strong φ-simulations are, by Lemma 5.2.6.2, exactly the pre-fixed-points of F. We wish to show that ≤φ,
which is the largest pre-fixed-point, is a fixed-point of F. Theorem 5.2.7 ≤φ is the largest fixed point of F.
Proof
• ≤φ ⊆F(≤φ): By Lemma 5.2.4, ≤φ is a strong φ-simulation. Then, by Lemma
5.2.6.2, follows ≤φ ⊆F(≤φ).
• F(≤φ) ⊆ ≤φ: Monotonicity of F implies F(≤φ) ⊆ F(F(≤φ)); i.e. F(≤φ) is a
pre-fixed point of F. But because ≤φ is the largest pre-fixed point, it includes F(≤φ), i.e. F(≤φ)⊆ ≤φ.
Moreover, ≤φ must be the largest fixed point of F, because it is the largest pre-fixed
point.
Hence ≤φ is the largest relation that satisfies the definition of strongφ-simulation.
Next, we show that up-to simulations (as in [90]) can be defined for strong φ- simulation.
Definition 5.2.8 Let R ⊆C×C and φ⊆M×M.
We say that R is a strong φ-simulation up-to ≤φ iff for all (hs, Mi,ht, Ni)∈ R,
forall λ, forall M′ :φ(M, M′),
2. hs, M′i λ
−→ hs′, M′′i ⇒ ht, M′i λ
−→ ht′, M′′i and hs′, M′′i ≤φR ≤φht′, M′′i
3. s≡skip ⇒ t≡skip Lemma 5.2.9
If R is a strong φ-simulation up-to ≤φ, then ≤φR ≤φ is a strong φ-simulation.
Proof Leths, Mi ≤φR ≤φht, Ni, hence, for somes
1, t1 andM1, N1,hs, Mi ≤φhs1, M1i,
hs1, M1iRht1, N1iand ht1, N1i ≤φht, Ni. Because ≤φ is a strong φ-simulation and R is
a strongφ-simulation up-to ≤φ follows M =M
1 =N1 =N. transition Assume φ(M, M′) and hs, M′i λ −→ hs′, M′′i. From hs, Mi ≤φhs 1, Mi follows hs1, M′i λ −→ hs′ 1, M′′isuch that hs′, M′′i ≤φhs′1, M′′i.
Fromhs1, MiRht1, Mifollowsht1, M′i
λ −→ ht′ 1, M′′isuch thaths′1, M′′i ≤φR ≤φht′1, M′′i. From ht1, Mi ≤φht, Mi follows ht, M′i λ −→ ht′, M′′i such thatht′1, M′′i ≤φht′, M′′i. Hence, hs′, M′′i ≤φ≤φR ≤φ≤φht′, M′′i. By transitivity of ≤φ follows hs′, M′′i ≤φR ≤φht′, M′′i.
termination: The proof is analogous to the above case.
Lemma 5.2.10 If R is a strong φ-simulation up-to ≤φ, then R ⊆ ≤φ.
Proof From Lemma 5.2.9 follows ≤φR ≤φ ⊆ ≤φ.
By reflexivity of ≤φ (from Lemma 5.2.4.1) follows Id
C ⊆ ≤φ, henceR ⊆ ≤φ.
We show how the statebased and stateless notions from Chapter 4 fit into the generic framework. This enables us to use the generic theory of refinement to fulfill some proof obligations regarding properties of statebased and stateless refinement. First, consider the statebased variant.
Theorem 5.2.11 Let φstatebased=IdM. Then ≦ =≤φstatebased.
Proof From φstatebased =IdM follows {M′ |(M, M′)∈φstatebased}={M}. Hence in-
terference may only change a multisetM intoM. This effectively means that interference is not allowed between successive transitions. The quantification∀M′ :φ
statebased(M, M′)
definition statebased simulation.
The basic properties of statebased simulation and statebased refinement promised by Proposition 4.3.2 and Proposition 4.3.4 follow immediately from Lemma 5.2.2 and Lemma 5.2.4.
From Theorem 5.2.7 follows that ≦ is the largest relation that satisfies the definition of statebased simulation. Hence, ≦ defines the relation that contains precisely all strong statebased simulations.
The fact that strong statebased simulation up-to ≦ may be used to show strong statebased refinements, as promised by Proposition 4.3.6, follows from Lemma 5.2.10.
Next, we show that the stateless variant can be obtained as a special instance of
φ-refinement.
Theorem 5.2.12 Letφstateless =M×M. Then{(hs, Mi,ht, Mi)|M ∈M}=≤φstateless.
Proof From φstateless = M×M follows {M′ | (M, M′) ∈ φ} = M. Hence the set of
possible multisets that may result after interferences in a multiset M equals M. Hence, the quantification ∀M′ : φ(M, M′) in Definition 5.2.1 can be written as ∀M : M ∈ M
which then corresponds to the definition of stateless simulation – albeit that in the latter case the multiset component has been omitted from the (elements of the) simulation relation.
The correspondence between strong stateless simulation and strongM×M-simulation is shown more formally by the following constructions. They show that every strong stateless refinement corresponds to a strong M×M refinement and vice versa.
LetR1be a strong stateless simulation and letR2 be a strongM×M-simulation. De-
fine R′
1 = {(hs, Mi,hs′, Mi) | (s, s′) ∈ R1} and R′2 ={(s, s′) | (hs, Mi,hs′, Mi) ∈ R2}.
It is straightforward to show that R′1 is a strong M×M-simulation and R′2 is a strong
stateless simulation.
The basic properties attributed to stateless simulation and stateless refinement by Proposition 4.4.2 and Proposition 4.4.4 follow immediately from Lemma 5.2.2 and Lemma 5.2.4.
From Theorem 5.2.7 follows that 6 is the largest relation that satisfies the definition of stateless simulation. Hence, 6 defines the relation that contains precisely all strong stateless simulations.
The fact that strong stateless simulation up-to 6 may be used to show strong state- less refinements, as promised by Proposition 4.4.7, follows from Lemma 5.2.10.
Theorem 5.2.13 shows that strong φ-refinement relations are ordered inversely by subset inclusion of the interference set. This can be interpreted as follows: if one configu- ration is a refinement of another configuration in some environment, then this refinement also holds in an environment which performs fewer interferences.
Theorem 5.2.13
Let φ, ψ ⊆M×M be binary relations over multisets. Ifφ ⊆ψ, then ≤ψ⊆≤φ.
Proof
LetR ={(hs, Mi,ht, Mi)| hs, Mi ≤ψ ht, Mi}.
We show that R is a strong φ-simulation. Assume hs, MiRht, Miand φ(M, M′). transition
Byφ⊆ψ followsψ(M, M′). Hence if hs, M′i λ
−→ hs′, M′′i, then byhs, Mi ≤ψ ht, Mifol-
lows ht, M′i λ
−→ ht′, M′′isuch that hs′, M′′i ≤ψ ht′, M′′i. Hence (hs′, M′′i,ht′, M′′i)∈ R.
termination
If s≡skip , then from hs, Mi ≤ψ ht, Mifollows t≡skip .
Theorem 5.2.13 has the following useful implication. Suppose we have two notions of refinement ≤φ and ≤ψ such that φ ⊆ ψ. If we have proven that hs, Mi ≤ψ ht, Mi,
then by Theorem 5.2.13 we may conclude hs, Mi ≤φht, Mi. Thus, to prove that some
configurations are related by some notion of refinement, we may use any other notion of refinement that makes weaker assumptions about the environment. In particular this may be applied to statebased and stateless refinement.
Corollary 5.2.14 If s6t, then hs, Mi≦ht, Mi for all M ∈M.
Proof By Theorem 5.2.13 from IdM ⊂M×M.