Analogous to strong generic refinement, we develop in this section the theory of weak generic refinement, which is indifferent to $\varepsilon$-transitions. As before, we use a binary relation $\varphi$ over multisets to denote the possible interference from the environment.

Definition 5.5.1 Let $R \subseteq \mathcal{C}\times\mathcal{C}$ and $\varphi \subseteq \mathcal{M}\times\mathcal{M}$. We say that $R$ is a weak $\varphi$-simulation if for all $(\langle s, M\rangle, \langle t, N\rangle) \in R$, for all $\lambda$, for all $M'$ such that $(M, M') \in \varphi$:
1. $M = N$
2. $\langle s, M'\rangle \xrightarrow{\lambda} \langle s', M''\rangle \Rightarrow \exists t' : \langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ such that $(\langle s', M''\rangle, \langle t', M''\rangle) \in R$ and $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$
3. $s \equiv \mathit{skip} \Rightarrow \langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle \mathit{skip}, M'\rangle$ where $\hat{\lambda}' = \langle\rangle$
We start by proving some basic properties of weak $\varphi$-simulation. We briefly postpone proving transitivity of weak $\varphi$-simulation because, in contrast to the strong variant, transitivity of weak $\varphi$-refinement requires an additional condition on $\varphi$.

Lemma 5.5.2 Let $R_i$ be a weak $\varphi$-simulation for every $i \in I$.
1. $\mathrm{Id}_{\mathcal{C}} = \{(\langle s, M\rangle, \langle s, M\rangle) \mid \langle s, M\rangle \in \mathcal{C}\}$ is a weak $\varphi$-simulation,
2. $\bigcup_{i \in I} R_i$ is a weak $\varphi$-simulation.

Proof
1. We verify the conditions of Definition 5.5.1. Let $(M, M') \in \varphi$.
   1. Follows by reflexivity of $=$.
   2. From $\langle s, M'\rangle \xrightarrow{\lambda} \langle s', M''\rangle$ and ${\longrightarrow} \subseteq {\longrightarrow}^{*}$ follows $\langle s, M'\rangle \xrightarrow{\lambda}{}^{*} \langle s', M''\rangle$. If $\lambda = \varepsilon$, then $\lambda = \varepsilon^{k}\cdot\hat{\lambda}$ for $k = 1$. Otherwise, if $\lambda = \sigma$, then $\lambda = \varepsilon^{k}\cdot\hat{\lambda}$ for $k = 0$. By definition of $\mathrm{Id}_{\mathcal{C}}$ follows $(\langle s', M''\rangle, \langle s', M''\rangle) \in \mathrm{Id}_{\mathcal{C}}$.
   3. By reflexivity of $\longrightarrow^{*}$ follows $\langle \mathit{skip}, M'\rangle \xrightarrow{\lambda}{}^{*} \langle \mathit{skip}, M'\rangle$ where $\lambda = \langle\rangle$.
2. Let $R = \bigcup_{i \in I} R_i$. Suppose $(\langle s_1, M\rangle, \langle s_2, N\rangle) \in R$ and $(M, M') \in \varphi$. Then $(\langle s_1, M\rangle, \langle s_2, N\rangle) \in R_i$ for some $i \in I$. We verify the conditions of Definition 5.5.1:
   1. Because $R_i$ is a weak $\varphi$-simulation, we have $M = N$.
   2. If $\langle s_1, M'\rangle \xrightarrow{\lambda} \langle s'_1, M''\rangle$, then $\langle s_2, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle s'_2, M''\rangle$ where $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$ and $(\langle s'_1, M''\rangle, \langle s'_2, M''\rangle) \in R_i$. From $R_i \subseteq R$ follows $(\langle s'_1, M''\rangle, \langle s'_2, M''\rangle) \in R$.
   3. The case $s_1 \equiv \mathit{skip}$ is analogous to case 2.
Weak $\varphi$-simulation is not in general transitive. We proceed by showing that transitivity can be obtained by the additional condition of reflexivity of $\varphi$. The fact that the weak notion of $\varphi$-simulation requires this additional property can be explained as follows.

Weak refinement equates the behaviour of $\langle s, M\rangle$ and $\langle t, M\rangle$ if every transition by either configuration may be matched by a sequence of transitions by the other which has the same effect on the multiset (either $s$ or $t$ may perform more $\varepsilon$-transitions than the other). The clause $\langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ in Definition 5.5.1 of weak simulation implicitly as- […]

The refining configuration $s$ can only achieve the same effect on the multiset if the environment abstains from interfering whilst $s$ is performing one or more transitions to match the behaviour of $t$. The possibility of non-interference is modelled by including the identity relation on multisets in the interference set.
Lemma 5.5.3 proves that if configurations $\langle s, M\rangle$ and $\langle t, M\rangle$ are related by an interference closed weak $\varphi$-simulation where $\varphi$ is reflexive, then $t$ can simulate (in a "weak" fashion) any sequence of transitions that $s$ can make.

Lemma 5.5.3 Let $\varphi$ be reflexive. Let $R$ be an interference closed weak $\varphi$-simulation. If $(\langle s, M\rangle, \langle t, M\rangle) \in R$, $\varphi(M, M')$, and $\langle s, M'\rangle \xrightarrow{\lambda}{}^{*} \langle s', M''\rangle$ where $\lambda = \langle \lambda_1, \ldots, \lambda_n\rangle$, then $\langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ such that $(\langle s', M''\rangle, \langle t', M''\rangle) \in R$ and $\lambda' = \varepsilon^{k_1}\cdot\hat{\lambda}_1\cdot\ldots\cdot\varepsilon^{k_n}\cdot\hat{\lambda}_n$ where $k_i \ge 0$ for all $i$ with $1 \le i \le n$.

Proof By induction on the length $n$ of the transition sequence $\lambda$.
• $n = 0$: Then $s' = s$, $M'' = M'$ and $\lambda = \langle\rangle$. By definition of $\longrightarrow^{*}$ follows $\langle t, M'\rangle \xrightarrow{\langle\rangle}{}^{*} \langle t, M'\rangle$. Since $R$ is interference closed, it follows that $(\langle s, M'\rangle, \langle t, M'\rangle) \in R$.
• $n > 0$: The transition sequence can be written $\langle s, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle s'', M'''\rangle \xrightarrow{\lambda_n} \langle s', M''\rangle$ where $\lambda = \lambda'\cdot\lambda_n$. The induction hypothesis gives $\langle t, M'\rangle \xrightarrow{\mu'}{}^{*} \langle t'', M'''\rangle$ such that $(\langle s'', M'''\rangle, \langle t'', M'''\rangle) \in R$ and $\mu' = \varepsilon^{k_1}\cdot\hat{\lambda}_1\cdot\ldots\cdot\varepsilon^{k_{n-1}}\cdot\hat{\lambda}_{n-1}$ where $k_i \ge 0$ for all $i$ with $1 \le i \le n-1$. From $\langle s'', M'''\rangle \xrightarrow{\lambda_n} \langle s', M''\rangle$ follows, by $(\langle s'', M'''\rangle, \langle t'', M'''\rangle) \in R$ and $\varphi(M''', M''')$, that $\langle t'', M'''\rangle \xrightarrow{\mu''}{}^{*} \langle t', M''\rangle$ such that $(\langle s', M''\rangle, \langle t', M''\rangle) \in R$ and $\mu'' = \varepsilon^{k_n}\cdot\hat{\lambda}_n$. Hence $\mu'\cdot\mu'' = \varepsilon^{k_1}\cdot\hat{\lambda}_1\cdot\ldots\cdot\varepsilon^{k_n}\cdot\hat{\lambda}_n$ where $k_i \ge 0$ for all $i$ with $1 \le i \le n$.
Lemma 5.5.4 Let $\varphi \subseteq \mathcal{M}\times\mathcal{M}$ be reflexive. Let $R_1$ and $R_2$ be weak $\varphi$-simulations. If $R_2$ is interference closed, then $R_1 R_2$ is a weak $\varphi$-simulation.

Proof Let $R = R_1 R_2$. Suppose $(\langle s_1, M\rangle, \langle s_2, N\rangle) \in R$ and $(M, M') \in \varphi$. Then for some $t$ and $N'$ we have $(\langle s_1, M\rangle, \langle t, N'\rangle) \in R_1$ and $(\langle t, N'\rangle, \langle s_2, N\rangle) \in R_2$. Because $R_1$ and $R_2$ are weak $\varphi$-simulations, $M = N' = N$.

transition:
Assume $\langle s_1, M'\rangle \xrightarrow{\lambda} \langle s'_1, M''\rangle$. Then from $(\langle s_1, M\rangle, \langle t, M\rangle) \in R_1$ and $\varphi(M, M')$ follows $\langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ such that $(\langle s'_1, M''\rangle, \langle t', M''\rangle) \in R_1$ and $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$. From $(\langle t, M\rangle, \langle s_2, M\rangle) \in R_2$, $\varphi(M, M')$ and reflexivity of $\varphi$ follows by Lemma 5.5.3 that $\langle s_2, M'\rangle \xrightarrow{\lambda''}{}^{*} \langle s'_2, M''\rangle$ such that $(\langle t', M''\rangle, \langle s'_2, M''\rangle) \in R_2$ and $\lambda'' = \varepsilon^{k'}\cdot\hat{\lambda}$ for some $k' \ge 0$. From $(\langle s'_1, M''\rangle, \langle t', M''\rangle) \in R_1$ and $(\langle t', M''\rangle, \langle s'_2, M''\rangle) \in R_2$ follows $(\langle s'_1, M''\rangle, \langle s'_2, M''\rangle) \in R$.

termination:
If $s_1 \equiv \mathit{skip}$ then, from $(\langle s_1, M\rangle, \langle t, M\rangle) \in R_1$, we have $\langle t, M'\rangle \xrightarrow{\lambda}{}^{*} \langle \mathit{skip}, M'\rangle$ where $\hat{\lambda} = \langle\rangle$. From $(\langle t, M\rangle, \langle s_2, M\rangle) \in R_2$ and reflexivity of $\varphi$ follows by Lemma 5.5.3 that $\langle s_2, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle \mathit{skip}, M'\rangle$ where $\hat{\lambda}' = \langle\rangle$.
Lemma 5.5.5 shows that interference closed weak $\varphi$-simulations are transitive, provided that $\varphi$ is reflexive.

Lemma 5.5.5 Let $\varphi \subseteq \mathcal{M}\times\mathcal{M}$ be reflexive. If $R_1$ and $R_2$ are interference closed weak $\varphi$-simulations, then $R_1 R_2$ is an interference closed weak $\varphi$-simulation.

Proof From reflexivity of $\varphi$ follows by Lemma 5.5.4 that $R_1 R_2$ is a weak $\varphi$-simulation. It remains to show that $R_1 R_2$ is interference closed. Assume $\langle s, M\rangle\, R_1 R_2\, \langle s', M\rangle$ and $\varphi(M, M')$. Then $\langle s, M\rangle\, R_1\, \langle t, M\rangle$ and $\langle t, M\rangle\, R_2\, \langle s', M\rangle$ for some $t$. Because $R_1$ and $R_2$ are interference closed, we get by Definition 5.3.5 that $\langle s, M'\rangle\, R_1\, \langle t, M'\rangle$ and $\langle t, M'\rangle\, R_2\, \langle s', M'\rangle$. Hence $\langle s, M'\rangle\, R_1 R_2\, \langle s', M'\rangle$.
Next, we show that if $\varphi$ is transitive, then a weak $\varphi$-simulation is interference closed.

Lemma 5.5.6 Let $R$ be a weak $\varphi$-simulation. If $\varphi$ is transitive, then $R$ is interference closed.

Proof We need to show that if $s\, R_M\, t$ and $\varphi(M, M')$, then $s\, R_{M'}\, t$. Suppose $\varphi(M', M'')$. By transitivity of $\varphi$ follows $\varphi(M, M'')$.

transition:
If $\langle s, M''\rangle \xrightarrow{\lambda} \langle s', M'''\rangle$, then by $\langle s, M\rangle\, R\, \langle t, M\rangle$ and $\varphi(M, M'')$ follows $\langle t, M''\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M'''\rangle$ such that $s'\, R_{M'''}\, t'$ and $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$.

termination:
If $s \equiv \mathit{skip}$ then by $\langle s, M\rangle\, R\, \langle t, M\rangle$ and $\varphi(M, M'')$ follows $\langle t, M''\rangle \xrightarrow{\lambda'}{}^{*} \langle \mathit{skip}, M''\rangle$ where $\hat{\lambda}' = \langle\rangle$.
Now that the necessary basic properties of weak $\varphi$-simulation have been established, we proceed by defining weak $\varphi$-refinement, denoted $\lesssim_\varphi$, as the maximal weak $\varphi$-simulation. Weak $\varphi$-equivalence, denoted $\simeq_\varphi$, is defined as the intersection of $\lesssim_\varphi$ and its inverse.

Definition 5.5.7
1. $\lesssim_\varphi = \bigcup \{R \mid R \text{ is a weak } \varphi\text{-simulation}\}$
2. $\simeq_\varphi = \lesssim_\varphi \cap \lesssim_\varphi^{-1}$
3. $s \lesssim_\varphi^{M} t$ iff $\langle s, M\rangle \lesssim_\varphi \langle t, M\rangle$

Next, we show that $\lesssim_\varphi$ is interference closed if $\varphi$ is transitive.

Corollary 5.5.8 If $\varphi$ is transitive, then $\lesssim_\varphi$ is interference closed.

Proof Follows from Lemma 5.5.6 because $\lesssim_\varphi$ is a weak $\varphi$-simulation and $\varphi$ is transitive.
Lemma 5.5.9
1. $\lesssim_\varphi$ is the largest weak $\varphi$-simulation.
2. If $\varphi$ is reflexive and transitive, then $\lesssim_\varphi$ is a partial order.
3. If $\varphi$ is reflexive and transitive, then $\simeq_\varphi$ is an equivalence relation.

Proof
1. By Lemma 5.5.2.2, $\lesssim_\varphi$ is a weak $\varphi$-simulation, and by Definition 5.5.7.1 it includes any other such.
2. We consider the following properties:
   • Reflexivity: follows from Lemma 5.5.2.1.
   • Transitivity: from transitivity of $\varphi$ follows by Corollary 5.5.8 that $\lesssim_\varphi$ is interference closed. Furthermore, $\lesssim_\varphi$ is a weak $\varphi$-simulation, hence by reflexivity of $\varphi$ and Lemma 5.5.5 follows that the composition $\lesssim_\varphi \lesssim_\varphi$ is a weak $\varphi$-simulation that is interference closed. By Lemma 5.5.9.1 follows $\lesssim_\varphi \lesssim_\varphi \subseteq \lesssim_\varphi$.
   • Antisymmetry: follows from Lemma 5.5.9.3.
3. We consider the following properties:
   • Reflexivity: follows from Lemma 5.5.9.2 and Definition 5.5.7.2.
   • Transitivity: follows from transitivity of $\lesssim_\varphi$ (Lemma 5.5.9.2) and Definition 5.5.7.2.
   • Symmetry: follows from Definition 5.5.7.2.
We use some fixed-point theory to show that $\lesssim_\varphi$ defines the relation that contains precisely all weak $\varphi$-simulations.

Definition 5.5.10 Define a function $F : \mathcal{C}\times\mathcal{C} \to \mathcal{C}\times\mathcal{C}$ as follows: if $R \subseteq \mathcal{C}\times\mathcal{C}$, then $(\langle s, M\rangle, \langle t, N\rangle) \in F(R)$ iff, for all $\lambda$, for all $M'$ with $\varphi(M, M')$:
1. $M = N$
2. $\langle s, M'\rangle \xrightarrow{\lambda} \langle s', M''\rangle \Rightarrow \exists t' : \langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ such that $(\langle s', M''\rangle, \langle t', M''\rangle) \in R$ and $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$
3. $s \equiv \mathit{skip} \Rightarrow \langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle \mathit{skip}, M'\rangle$ where $\hat{\lambda}' = \langle\rangle$

Theorem 5.5.11 $\lesssim_\varphi$ is the largest fixed point of $F$.

Proof Analogous to the proof of Theorem 5.2.7.
The theory of up-to simulations is developed next for weak $\varphi$-simulation.

Definition 5.5.12 Let $R \subseteq \mathcal{C}\times\mathcal{C}$ and $\varphi \subseteq \mathcal{M}\times\mathcal{M}$. We say that $R$ is a weak $\varphi$-simulation up-to $\lesssim_\varphi$ if for all $(\langle s, M\rangle, \langle t, N\rangle) \in R$, for all $\lambda$, for all $M'$ with $(M, M') \in \varphi$:
1. $M = N$
2. $\langle s, M'\rangle \xrightarrow{\lambda} \langle s', M''\rangle \Rightarrow \exists t' : \langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ such that $(\langle s', M''\rangle, \langle t', M''\rangle) \in {\lesssim_\varphi} R {\lesssim_\varphi}$ and $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$
3. $s \equiv \mathit{skip} \Rightarrow \langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle \mathit{skip}, M'\rangle$ where $\hat{\lambda}' = \langle\rangle$

Lemma 5.5.13 Let $\varphi \subseteq \mathcal{M}\times\mathcal{M}$ be reflexive. Let $R$ be a weak $\varphi$-simulation up-to $\lesssim_\varphi$ that is interference closed. If $(\langle s, M\rangle, \langle t, M\rangle) \in R$, $\varphi(M, M')$, and $\langle s, M'\rangle \xrightarrow{\lambda}{}^{*} \langle s', M''\rangle$ where $\lambda = \langle \lambda_1, \ldots, \lambda_n\rangle$, then $\langle t, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle t', M''\rangle$ such that $(\langle s', M''\rangle, \langle t', M''\rangle) \in {\lesssim_\varphi} R {\lesssim_\varphi}$ where $\lambda' = \varepsilon^{k_1}\cdot\hat{\lambda}_1\cdot\ldots\cdot\varepsilon^{k_n}\cdot\hat{\lambda}_n$ with $k_i \ge 0$ for all $i$, as in Lemma 5.5.3.

Proof The proof proceeds analogously to the proof of Lemma 5.5.3.
Lemma 5.5.14 Let $\varphi \subseteq \mathcal{M}\times\mathcal{M}$ be reflexive and transitive. Let $R$ be a weak $\varphi$-simulation up-to $\lesssim_\varphi$. If $R$ is interference closed, then ${\lesssim_\varphi} R {\lesssim_\varphi}$ is a weak $\varphi$-simulation.

Proof
transition:
Assume $\langle s, M\rangle \lesssim_\varphi R \lesssim_\varphi \langle t, M\rangle$ and $\varphi(M, M')$. Hence $\langle s, M\rangle \lesssim_\varphi \langle s_1, M\rangle$, $\langle s_1, M\rangle\, R\, \langle t_1, M\rangle$ and $\langle t_1, M\rangle \lesssim_\varphi \langle t, M\rangle$ for some $s_1$ and $t_1$. Assume $\langle s, M'\rangle \xrightarrow{\lambda} \langle s', M''\rangle$. From $\langle s, M\rangle \lesssim_\varphi \langle s_1, M\rangle$ follows $\langle s_1, M'\rangle \xrightarrow{\lambda'}{}^{*} \langle s'_1, M''\rangle$ such that $\langle s', M''\rangle \lesssim_\varphi \langle s'_1, M''\rangle$ and $\lambda' = \varepsilon^{k}\cdot\hat{\lambda}$ for some $k \ge 0$. From $\langle s_1, M\rangle\, R\, \langle t_1, M\rangle$ and Lemma 5.5.13 follows $\langle t_1, M'\rangle \xrightarrow{\lambda''}{}^{*} \langle t'_1, M''\rangle$ such that $\langle s'_1, M''\rangle \lesssim_\varphi R \lesssim_\varphi \langle t'_1, M''\rangle$ and $\lambda'' = \varepsilon^{k'}\cdot\hat{\lambda}$ for some $k' \ge 0$. From $\langle t_1, M\rangle \lesssim_\varphi \langle t, M\rangle$ and Lemma 5.5.3 follows $\langle t, M'\rangle \xrightarrow{\lambda'''}{}^{*} \langle t', M''\rangle$ such that $\langle t'_1, M''\rangle \lesssim_\varphi \langle t', M''\rangle$ and $\lambda''' = \varepsilon^{k''}\cdot\hat{\lambda}$ for some $k'' \ge 0$. Hence $\langle s', M''\rangle \lesssim_\varphi \lesssim_\varphi R \lesssim_\varphi \lesssim_\varphi \langle t', M''\rangle$. By transitivity of $\varphi$ and Lemma 5.5.9.2 follows transitivity of $\lesssim_\varphi$, hence $\langle s', M''\rangle \lesssim_\varphi R \lesssim_\varphi \langle t', M''\rangle$.

termination: Follows analogously.

Lemma 5.5.15 Let $\varphi \subseteq \mathcal{M}\times\mathcal{M}$ be reflexive and transitive. Let $R$ be a weak $\varphi$-simulation up-to $\lesssim_\varphi$. If $R$ is interference closed, then $R \subseteq \lesssim_\varphi$.

Proof From Lemma 5.5.14 and Lemma 5.5.9.1 follows ${\lesssim_\varphi} R {\lesssim_\varphi} \subseteq \lesssim_\varphi$. From $\mathrm{Id}_{\mathcal{C}} \subseteq \lesssim_\varphi$ follows $R \subseteq \lesssim_\varphi$.
The notions of weak statebased and stateless refinement fit into the framework of $\varphi$-refinement analogously to Theorems 5.2.11 and 5.2.12. In order to use the generic theory of refinement to prove that the weak notions of refinement satisfy the properties proposed in previous sections, we need to check that the interference parameter satisfies certain properties.

Recall that statebased refinement is obtained from $\varphi$-refinement by taking $\varphi_{\mathit{statebased}} = \mathrm{Id}_{\mathcal{M}}$. Hence $\varphi_{\mathit{statebased}}$ is reflexive and transitive. The properties ascribed to weak statebased refinement follow from Lemmas 5.5.2 and 5.5.9. Theorem 5.5.11 proves that weak statebased refinement is the largest relation that satisfies the definition of weak statebased simulation. Hence it defines the relation that contains precisely all weak statebased simulations. The justification of the up-to method for weak statebased refinement, suggested in Proposition 4.3.19, follows by Lemma 5.5.15.

Next, we consider the weak stateless variant. This is obtained from $\varphi$-refinement by taking $\varphi_{\mathit{stateless}} = \mathcal{M}\times\mathcal{M}$. Hence $\varphi_{\mathit{stateless}}$ is reflexive and transitive. The properties ascribed to weak stateless refinement in Proposition 4.4.31 follow from Lemma 5.5.9. Theorem 5.5.11 proves that weak stateless refinement is the largest relation that satisfies the definition of weak stateless simulation. Hence it defines the relation that contains precisely all weak stateless simulations. The justification of the up-to method for weak stateless refinement, suggested in Proposition 4.4.33, follows by Lemma 5.5.15.
The weak variants of $\varphi$-refinement are, just as the strong variants, inversely ordered by subset inclusion of the interference set.

Theorem 5.5.16 Let $\varphi, \psi \subseteq \mathcal{M}\times\mathcal{M}$. If $\varphi \subseteq \psi$ then $\lesssim_\psi \subseteq \lesssim_\varphi$.

Proof Analogous to the proof of Theorem 5.2.13.

Consequently, weak stateless refinement is contained in weak statebased refinement.

Corollary 5.5.17 If $s \lesssim_{\varphi_{\mathit{stateless}}} t$, then $\langle s, M\rangle \lesssim_{\varphi_{\mathit{statebased}}} \langle t, M\rangle$ for all $M \in \mathcal{M}$.

Proof By Theorem 5.5.16 from $\mathrm{Id}_{\mathcal{M}} \subset \mathcal{M}\times\mathcal{M}$.
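As an added illustration (this code is not part of the thesis), the following Python computes $\lesssim_\varphi$ as the greatest fixed point of $F$ from Definition 5.5.10 on a small constructed transition system and exhibits the ordering of Corollary 5.5.17: under $\varphi_{\mathit{statebased}} = \mathrm{Id}_{\mathcal{M}}$ the programs once and loop are weakly equivalent at $M = \{b\}$, but under $\varphi_{\mathit{stateless}} = \mathcal{M}\times\mathcal{M}$ the interference step to $\{b, b\}$ separates them, while the silent prefix of tau_once is absorbed by the $\varepsilon^{k}$ clause. The programs, the rewrite rule b → a and the label names are assumptions of this example.

```python
from itertools import product
# Constructed toy model (an assumption of this example, not the thesis's own system):
# a multiset over {"a","b"} is a sorted tuple, programs are strings, applying the
# single rewrite rule b -> a is the visible label "b2a", and "eps" is the silent label.
EPS, SKIP = "eps", "skip"
PROGRAMS = ["once", "loop", "tau_once", SKIP]
MULTISETS = sorted({tuple(sorted(m)) for n in range(3) for m in product("ab", repeat=n)})

def step(s, M):  # single transitions of <s, M>, as (label, s', M'') triples
    if s == SKIP:                       # terminated program: no transitions
        return set()
    if s == "tau_once":                 # one silent step, then behave as once
        return {(EPS, "once", M)}
    if "b" not in M:                    # rule b -> a is blocked: terminate silently
        return {(EPS, SKIP, M)}
    M2 = tuple(sorted(M[:M.index("b")] + ("a",) + M[M.index("b") + 1:]))
    return {("b2a", SKIP if s == "once" else "loop", M2)}   # once stops, loop repeats

def eps_closure(c):  # configurations reachable from c by eps-transitions only (k >= 0)
    seen, todo = {c}, [c]
    while todo:
        for lab, s2, M2 in step(*todo.pop()):
            if lab == EPS and (s2, M2) not in seen:
                seen.add((s2, M2)); todo.append((s2, M2))
    return seen

def weak_successors(c, lab):  # targets of eps^k . lab-hat from c (Definition 5.5.1, clause 2)
    cl = eps_closure(c)
    return cl if lab == EPS else {(s2, M2) for s, M in cl for l, s2, M2 in step(s, M) if l == lab}

def in_F(pair, R, phi):
    """Clauses 2 and 3 of Definition 5.5.1 for one pair, checked against candidate R."""
    (s, M), (t, _) = pair                            # clause 1 (M = N) holds by construction
    for M1 in (N for N in MULTISETS if phi(M, N)):   # every interference step allowed by phi
        for lab, s2, M2 in step(s, M1):
            if not any(t2[1] == M2 and ((s2, M2), t2) in R for t2 in weak_successors((t, M1), lab)):
                return False
        if s == SKIP and (SKIP, M1) not in eps_closure((t, M1)):
            return False
    return True

def weak_refinement(phi):
    """Greatest fixed point of F (Theorem 5.5.11), iterated down from all pairs with equal multisets."""
    R = {((s, M), (t, M)) for s in PROGRAMS for t in PROGRAMS for M in MULTISETS}
    while (R2 := {p for p in R if in_F(p, R, phi)}) != R:
        R = R2
    return R

def statebased(M, N): return M == N   # phi = Id_M
def stateless(M, N): return True      # phi = M x M
```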
Furthermore, strong $\varphi$-refinement is contained in weak $\varphi$-refinement.

Theorem 5.5.18 For all $\varphi$: $\leq_\varphi \subseteq \lesssim_\varphi$.

Proof Straightforward from the definitions of strong $\varphi$-refinement and weak $\varphi$-refinement.

Consequently, strong statebased refinement and strong stateless refinement are contained in weak statebased refinement and weak stateless refinement respectively.

Corollary 5.5.19
2. If $s \leq_{\varphi_{\mathit{stateless}}} t$, then $s \lesssim_{\varphi_{\mathit{stateless}}} t$ (or: $\leq_{\varphi_{\mathit{stateless}}} \subseteq \lesssim_{\varphi_{\mathit{stateless}}}$).

Proof By Theorem 5.5.18.