Fault tolerant bisimulation and process transformations

Original citation:

Janowski, Tomasz (1994) Fault-tolerant bisimulation and process transformations. University of Warwick. Department of Computer Science. (Department of Computer Science Research Report). (Unpublished) CS-RR-270

Permanent WRAP url:

http://wrap.warwick.ac.uk/60948

Copyright and reuse:

The Warwick Research Archive Portal (WRAP) makes this work by researchers of the University of Warwick available open access under the following conditions. Copyright © and all moral rights to the version of the paper presented here belong to the individual author(s) and/or other copyright owners. To the extent reasonable and practicable the material made available in WRAP has been checked for eligibility before being made available.

Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way.

A note on versions:

The version presented in WRAP is the published version or, version of record, and may be cited as it appears here.For more information, please contact the WRAP Team at:

Fault-Tolerant Bisimulation and Process

Transformations

?

Tomasz Janowski??

Department of Computer Science University of Warwick, Coventry CV4 7AL, UK

Abstract. We provide three methods of verifying concurrent systems which are tolerant of faults in their operating environment - algebraic, logical and transformational. The rst is an extension of the bisimulation equivalence, the second is rooted in the Hennessy-Milner logic, and the third involves transformations of CCS processes. Based on the common semantic model of labelled transition systems, which is also used to model faults, all three methods are proved equivalent for certain classes of faults.

1 Introduction

Many models of concurrent systems have been proposed in the literature, based on either actions or states. Examples include sequences [MP91], trees [Mil89], machines [LT87], partial orders [Pra86] and event structures [Win89]. They oer dierent ways of representing executions of systems (linear or branching), their concurrent activity (interleaving or non-interleaving) and interaction (shared memory or message-passing). A concept which unies various models is alabelled transition system[Kel76], a triple (P;A;!) whereP is a set of processes,Aa set

of actions and!PAP a labelled transition relation. Labelled transition

relations are often dened by induction on the structure of processes, providing thestructured operational semantics[Plo81] of process description languages. An example of such a language is CCS [Mil89].

As models of processes, labelled transition systems describe their behaviour in detail, including particulars of their internal computation. However, in order to specify a process and then to prove its correctness, it is useful to decide which properties of the model are relevant and which can be ignored. Following [Mil89], it is most common to ignore these properties which cannot be observed in the nite interval of time. Two ways to do so are as follows:

{

we can identify a process with its equivalence class, according to the (weak)

bisimulation equivalence[Par81];

{

we can identify a process with its properties, specied by the (weak) formulas of the Hennessy-Milner logic [HM85] and veried by satisfaction relationj=. ? To be presented at the Third International Symposium \Formal Techniques in

Real-Time and Fault-Tolerant Systems", Lubeck, Germany, September 1994.

A vital test of the usefulness of any formal theory is that statements of this theory must be conrmed in practice (by experiment). Given such statements as P Q or Qj= M, it is expected that the low-level process Q, when placed in

the real environment, behaves respectively as specied by the high-level process P or the formula M. In practice however, such Q depends on various hardware components which often malfunction because of the physical faults. Such faults aect the semantics of Q so that it may no longer behave as specied. Moreover, physical faults do not exist before Q is put into practice and so cannot be removed beforehand, they must be tolerated.

Clearly, it is not possible to tolerate arbitrary faults. We have to decide which faults are anticipated (and thus should be tolerated) and which are not (such faults arecatastrophical). To represent the eect of the anticipated faults on the semantics of processes, we will use the set

) of thefaulty transitions. To verify

fault-tolerance is then to prove that the low-level process behaves `correctly' in the presence of the transitions

). As such, fault-tolerance depends on the

chosen notion of correctness. In this paper we provide three methods to verify fault-tolerance for bisimulation equivalence and the Hennessy-Milner logic:

1. A fault-tolerant bisimilarity <! where P <! Q if observing P in the

fault-free environment (performing transitions )) and Q in the environment

which contains anticipated faults (performing transitions ) and

)),

we cannot tell them apart in the nite interval of time.

2. A relationjj= to verify satisfaction of formulas of the Hennessy-Milner logic

in the presence of the anticipated faults (when processes P undergo both

normal and faulty transitions ) [

)).

3. A language D for specifying faults and a process transformation T(Q; )

where given the CCS process Q, the eect of transitions

) (specied by 2D) on Q are represented syntactically. Then, verifying that Q is

fault-tolerant involves proving either:

(a) P T(Q; ) for the high-level process P, or

(b) T(Q; )j= M for the formula M.

We show that, for wide classes of faults, all these methods are equivalent:

P <! Q !8M

2MP

j= M i Qjj= M

" "

j j

# #

P T(Q; ) !8M

2MP

j= M i T(Q; )j= M

(1)

When the `full' fault-tolerance is either impossible or too expensive to ensure, we may be still satised with its conditional version, given certain assumption about the quantity of faults. To this end we will use n2N[f1gas the maximal

number of times transitions

) can occur successively (if n = 1 then

)

can occur at any time; if n = 0 then not at all). As before, we provide and prove the equivalence of the three methods for verifying n-conditional fault-tolerance: relations <! nandjj=n, and transformation

e

The rest of this paper is as follows. In Section 2 we describe the semantic model. `Intolerant' bisimulation equivalence, its fault-tolerant and conditional fault-tolerant versions are dened in Section 3. Their logical characterisation, in terms of the Hennessy-Milner logic, is given in Section 4. Both languages, of processes and faults, are dened in Sections 5 and 6, followed by transformations

T and e

T which are shown to provide the third, equivalent method of verifying

fault-tolerance and conditional fault-tolerance in Section 7. Finally, in Section 8, we draw some conclusions and comment on the directions for future work.

2 Semantic Model

Consider the labelled transition relation ). If (P;;P 0)

2 ) then we write

P )

_{P and say that P performs and evolves into P}0(we also use P )

s _P0

for the action sequence s2A

). One kind of transition we wish to largely ignore

is )

_{where action is unobservable and represents the outcome of a joint}

activity (interaction) between two processes. Interaction takes place on the pair of complementary actions a;a2LwhereL=def A fgis the set of observable

actions and is a function overAwhich is bijective and such that a = a, a6=

and = . We use to range overA and to range over L" =def L[f"g

where " denotes the empty sequence. We also letbbe the function overA such

that" = ",b : s =d bs anda : s = a :d s (: denotes concatenation).b

When placed in the `real' environment, a process may not behave according to ): it may either perform transitions

) which do not belong to ),

) \ ) = ;, or it may refuse to perform some of the transitions ). The

rst case is demonstrated by transition P )

c _P00in Figure 1, the second (in part)

by Q )

b _Q000. To represent the second case in full, we should physically remove

Q )

b _Q000from the diagram. This would complicate our model so suppose only

that this transition may be refused. This is achieved by two more transitions Q

)

_Q00

)

a _Q0 which may preempt (due to the occurrence of ) transition

Q )

b _Q000. Given the set

) of faulty transitions as the eect of faults, we let ) contain both kinds of transitions, ) =def ) [

) (we also use )

s _{for the action sequence s}

2A ).

P P’’ Q Q’’

a

τ

b c

b a

P’

P’’’

Q’

Q’’’ a

3 Bisimulation and Fault-Tolerance

There are many equivalences by which to abstract from the behavioural de-tails of the transition relation ). They dier, among other things, in the

adopted model of execution (linear- or branching-time) and concurrency (inter-leaving or non-inter(inter-leaving). The best known of them and deemed to be the strongest among interleaving and branching-time equivalences is that of bisim-ulation equivalence [Par81],. Two bisimilar processes, their semantics dened

by transition relation ), cannot be distinguished by observing them in the

nite interval of time. This property may no longer hold in the presence of faults which result in the additional transitions

) (of the low-level process). As such, allows to verify correctness in the absence of faults only, it isfault-intolerant.

How to verifyfault-tolerance, i.e. correctness in the presence of transitions ),

and conditional fault-tolerance, where transitions

) occur under assumption

n about their quantity, is the topic of the current section.

3.1 Fault-Intolerance

Bisimulation equivalence is dened as the maximal xed point of the functional

F on the set of binary relations B onP, (P;Q)2F(B) i

whenever P )

_P0then 9Q

0;sQ )

s _Q0

^bs =b^(P 0;Q0)

2B

whenever Q )

_Q0then 9P

0;sP )

s _P0

^bs =b^(P 0;Q0)

2B

(2) This maximal xed point exists because F is monotonic: if B

1

B

2 then F(B

1)

F(B

2). Originally, it was reached `from above', as the limit of the

sequence Fn(PP) for all n0. Unfortunately, unless innite ordinals n are

taken into account, this requires that transition relations )

_are

weak-image-nite i.e. that for all P 2 P, the set fP 0

jP )

s _P0

^ s =b bg is nite. No

such assumption is needed to reach`from below', as the union of all pre-xed

points B of F, =def S

fB jBF(B)g [Par81]. An additional advantage is

the useful technique for proving P Q. It is enough to nd a pre-xed point B

of F such that (P;Q)2B. Such a B is called abisimulation. We have:

P Q i whenever P )

_P0then 9Q

0;sQ )

s _Q0

^bs =b^P 0

Q

0

whenever Q )

_Q0then 9P

0;sP )

s _P0

^bs =b^P 0

Q

0 (3)

3.2 Fault-Tolerance

If observing two processes, the high-level in the fault-free environment (perform-ing transitions )) and the lower-level in the environment which is aected by

the anticipated faults (performing transitions )), we cannot tell them apart

The rst is the direct extension of to take account of transitions

).

We have P <! Q if P and Q are `bisimilar', the rst performing transitions )

and the second both ) and

). We dene <! using amust-bisimulationB

which is a binary relation such that if (P;Q)2B then any ) transition of

P is matched by some transition sequence ) of Q and any ) transition

of Q is matched by some transition sequence ) of P, such that the matched

transitions have the same observable actions and B is preserved: whenever P )

_P0then 9Q

0;s Q )

s _Q0

^bs =b^(P 0;Q0)

2B

whenever Q )

_Q0then 9P

0;s P )

s _P0

^bs =b^(P 0;Q0)

2B

(4) Then P <! Q i (P;Q)2B for some must-bisimulation B. Such Q satises the

basic postulate: no external observer can distinguish between P which behaves according to transitions ) and Q which may additionally perform transitions

). In one aspect however, such Q is unsatisfactory. Because <! allows to

match transitions of the high-level process by faulty transitions of the low-level one, such Q may not behave properly in the environment where not all transitions

) are provided. For Q to behave as specied, transitions

) must occur.

In practice however, it is more useful is to assume the mere possibility of faults (that faultsmayoccur), not their necessity (that theymustoccur).

This assumption is met by may-bisimilarity P <?Q where only normal

tran-sitions of Q are allowed to match trantran-sitions of P. As before, may-bisimilarity

<? is dened as the largestmay-bisimulationwhich is a binary relation B such

that if (P;Q)2B then:

whenever P )

_P0then 9Q

0;s Q )

s _Q0

^bs =b^(P 0;Q0)

2B

whenever Q )

_Q0then 9P

0;s P )

s _P0

^bs =b^(P 0;Q0)

2B

(5)

Example1. Consider the high-level process P in Figure 2 and four low-level, fault-aected processes Q, R, S and T. We have:

1. P Q because f(P;Q);(P

0;Q0);(P0;Q00)

gis a bisimulation but P6<!Q and

P6<?Q because there is no must- or may-bisimulation which contains (P;Q):

Q )

_Q000and P )

s _{P (}

b

s = ") only, however P )

a _P0but Q000 6 ).

2. P <! R because f(P;R);(P;R

000);(P0;R0);(P0;R00)

g is a must-bisimulation

but P 6R and P6<?R because there is no bisimulation or may-bisimulation

which contains (P;R): P )

a _P0and R )

s _R0( b

s = a) only, however P0 )

b _P

but R0has no normal transitions, R0 6 ).

3. P <! S becausef(P;S);(P;S

000);(P0;S0);(P0;S00)

gis a must-bisimulationand

P S because f(P;S);(P

0;S0);(P0;S00)

gis a bisimulation. Also P6<?S

be-cause there is no may-bisimulation which contains (P;S): S )

_S000 and

P )

s _{P (}

b

s = ") only, however P )

a _P0but S000 6 )

a _.

4. P <! T, P <?T and P T because f(P;T);(P;T

000);(P0;T0);(P0;T00) g is

τ

a

τ b

R

R’’’

R’ R’’

a b

τ

τ Q

Q’’’ b a

Q’ Q’’

P

P’ b a

τ

τ b

a τ

a

τ b

a b

S

S’ S’’

S’’’

T

T’ T’’

T’’’

a b

Fig.2.Transition diagrams ofP,Q,R,S andT with faulty transitions.

The example shows thatand <! are not comparable: <! does not imply,

nor does imply <! . However, it is easy to show that any may-bisimulation is

simultaneously a must-bisimulation and a bisimulation. As a result, because all relations are dened as the union of the corresponding bisimulations, we have:

<? <! \ (6)

The example (P <! S and P S but P6<?S) also shows that this inclusion is

proper i.e. that P <! Q and P Q together are not enough to establish P <?Q.

That is a pity since P <?Q which is more desirable than P <! Q, is also more

dicult to establish (the equivalence diagram (1) for <! is only partly valid for

may-bisimilarity <?). However, for B to be a may-bisimulation, it is not only

necessary but also sucient that B is a bisimulation and a must-bisimulation: B is a may-bisimulation i it is a must-bisimulation and a bisimulation. (7) Thus in order to prove P <?Q, it is enough to show that (P;Q)2B for B which

is a bisimulation and a must-bisimulation at the same time. This justies our eorts to establish the properties of <! in the rst instance. What both relations

have in common is that neither of them is reexive or symmetric (they are not preorders). For processes in Figure 2 we have:

{

Q6<!Q because there is no must-bisimulation which contains the pair (Q;Q):

Q )

_Q000and Q )

s _{Q (}

b

s = ") only, however Q )

a _Q0but Q000

6 ).

Conse-quently Q6<?Q because of (6).

{

Q<?P because f(Q;P);(Q

0;P0);(Q00;P0)

gis a may-bisimulation but P6<!Q

because Q )

_Q000and P )

s _{P (}

b

s = ") only, however P )

a _P0but Q000 6 ).

Consequently we have Q<?P and P6<?Q, as well as Q<! P and P 6<!Q.

Transitivity is most desirable to support the stepwise development of pro-cesses and to support the reasoning in the presence of faults where it maybe help-ful to deal with only some of transitions

) (not all) at a time. To this end let

us partition

) among m > 0 nonempty disjoint sets

)

j , ) =

Sm

j=1

)

j . Given j = 0;:::;m we dene )

j as the union of the normal transitions )

and the rst j partitions of

): j) =def ) [ Sj

i=1

)

i . This gives an ascending sequence ) = )

0

m) = ) of the transition relations.

Suppose now that for 0 j lm, <?

j

l and <!

j

l denote the

correspond-ing bisimulation relations where transitions j) are regarded as normal and

transitionsSl

i=j+1

)

i as abnormal: P <?jlQ i whenever P )

j P0then 9Q

0;s Q )

s

j Q0

^bs =b^P 0

<?jlQ 0

whenever Q )

l Q0then 9P

0;s P )

s

j P0

^bs =b^P 0

<?

j

lQ0 (8)

Relation <!

j

l is dened alike. Then, given j k l, we can easily prove the

following transitive properties of <! and <? (is the relational composition):

<?jk <?jl <?jl <! jk <! kl <! jl (9)

According to the rst inclusion, to tolerate transitionsSl

i=j+1

)

i (given <?),

at least once we must tolerate them altogether. According to the second, to tolerate transitionsSl

i=j+1

)

i (with respect to <! ), it is enough to rst tolerate

transitions Sk

i=j+1

)

i and then transitions

Sl

i=k+1

)

i . Following the rst inclusion, it is easy to see that <? is transitive. This is not the case for <! and

in general the rst inclusion does not hold for <! and the second for <?, as

shown by processes in Figure 3. We have: P <! Q<! R but clearly P 6<!R. Also,

P <? 0

1S and S <?

1

2T but P 6<?

0

2T because T

)

2 T

000 and P )

s

0 P ( b

s = ") only, however P )

a

0 P

0but T000 6 )

0 .

P

P’ b a

τ

τ b

a τ

τ

a b

S

S’ S’’

S’’’

T

T’ T’’

T’’’ τ

a

τ b

a b

Q

Q’ Q’’

Q’’’

R

R’ R’’

2 2

1 1

b a

a b

3.3 Conditional Fault-Tolerance

For any may- or must-bisimilar processes P and Q,

) is the assumption

about faults of the operating environment of Q, where Q is guaranteed to behave `properly', as specied by P. We call

) aqualitativeassumption, in opposite

to thequantitativeassumptions n2N[f1gwhich are introduced in this section

and specify the maximal number of times transitions

) can occur successively

(if n = 0 then

) are assumed not to occur at all; if n =1 then they can

occur at any time). The reasons for introducing such assumptions are threefold:

{

For certain sets

), we cannot ensure fault-tolerance in full. In these

cir-cumstances, we must be satised with its degraded, conditional version, for certain assumptions about the quantity of

).

{

Even when the `full' fault-tolerance is (in theory) possible, we may choose its conditional version because it is often easier to do so. This argument is true for applications which are not safety-critical.

{

Conditional fault-tolerance may facilitate the stepwise procedure where Q is rst designed for restricted assumptions about faults and then stepwise transformed for increasingly relaxed assumptions.

Recall that if Q )

s _Q0 then Q evolves into Q0 performing the sequence s of

transitions ) and

). This may be no longer the case if transitions

)

can only occur under assumption n. It these circumstances we will use the family

f )ijgni;j

=0of relations

)ijPA

P. If (Q;s;Q 0)

2 )ij then we write

Q s ij) Q

0and say that Q evolves into Q0 by the sequence s 2A

of transitions ), under assumption n, and given that i is the number of times transitions

) have successively occurred before and j after Q s ij) Q

0. Formally, relations )ij are dened by the following inductive rules:

Q " ii)Q

Q )

:

s ijQ00whenever 9Q

0 Q )

_Q0 )

s 0

jQ00 _

Q

)

_Q0 )

s i+1

j Q00

^i6= n

(10)

The induction above is well-dened: the rst rule provides the base, for the empty sequence ", and the second rule decreases the length of the action sequence by one. Given n = 0, we always have i = n, so transitions

) cannot occur at all.

Given n =1, it is never the case that i = n, so

) can occur at any time.

Consider conditional version of <?, <?n. We have P <?nQ if observing P in

the fault-free environment (performing transitions )) and Q in any

environ-ment where itmayalso perform transitions

) (provided no more than n times

in a row), we cannot distinguish between them in the nite amount of time. In order to keep track of the number i of the successive transitions

), <?nis

de-ned using [0;n]-indexed familiesfBigni

=0 of binary relations Bi

PP. Such

a familyfBigni

=0 is called a conditional must-bisimulation i for all i;j

2[0;n]

and 2A, if (P;Q)2Bi then:

whenever P )

_P0 then 9Q

0;s;j Q )

s ijQ0

^bs =b^(P 0;Q0)

2Bj

whenever Q ij)Q 0then

9P 0;s P

)

s _P0

^bs =b^(P 0;Q0)

2Bj

Similarly,fBigni

=0 is called a conditional may-bisimulation i for all i;j

2[0;n]

and 2A, if (P;Q)2Bi then:

whenever P )

_P0 then 9Q

0;sQ )

s _Q0

^bs =b^(P 0;Q0)

2Bi

whenever Q ij)Q 0then

9P 0;sP

)

s _P0

^bs =b^(P 0;Q0)

2Bj

(12)

Let i2[0;n]. We dene relations <! inand <?inas follows:

P <! inQ i (P;Q)2Bifor some fBigni =0

which is a conditional must-bisimulation P <?inQ i (P;Q)2Bifor some fBigni

=0

which is a conditional may-bisimulation Then we have P <! nQ i P <!

0

nQ and P <?nQ i P <? 0

nQ.

Example2. Consider processes in Figure 4. We have:

{

P6<?Q and P6<?

2Q because of transition Q 000

)

a _{Q which enables two}

sub-sequent actions a. However P <?

1Q because then Q 000

)

a _{Q (as the second}

one in a row) cannot be chosen.

{

P6<!R and P6<!

3R because of transition R 000

)

_R00 which, after performing

a and b, leads to R00where action a is not possible. However P <!

2R because

then transition R000

)

_R00 (as the third one in a row) cannot be chosen.

Finally P6<!

1R because then R 0

)

b _R000 cannot be taken but is needed to

match transitions of P. 2

P

P’ b a

τ

a b

Q

Q’ Q’’

Q’’’

b a

b

b

a R

R’ b

τ τ

R’’

R’’’ a

Fig.4.Transition diagrams ofP,QandRwith abnormal transitions.

Conditional may-bisimilarity <?nis monotone decreasing with respect to n.

This is not the case for <! n, as shown by P <!

2R and P 6<!

1R in Figure 4. For

n = 1, <! 1 and

<?

1 coincide with their unconditional versions; for n = 0,

they coincide with. We have the following diagram of inclusions:

<? = <? 1

<?n +1

<?n <? 0=

\ \ \ k

<! = <! 1

<! n +1

<! n <! 0=

4 Logic of Processes

The Hennessy-Milner logic [HM85] is a simple modal logic for specifying prop-erties of processes. It provides a language M of formulas M which extends

propositional logic by the modal operatorshiM.Mis dened by the grammar:

M ::= truejM^M j:M jhiM (14)

The semantics of M (the set of all processes which satisfy M) is dened by relation j= P M where if (P;M) 2j= then we write P j= M. Following

[HM85],j= is dened as the least set such that:

P j= true

P j= M^N i P j= M ^ P j= N

P j=:M i not P j= M

P j=hiM i 9P 0;s P

)

s _P0

^ bs = ^ P 0

j= M

(15)

We abbreviate:true as false,:hi:M as []M and for m > 1 denehimM

as hihim

1M and hi

1M as

hiM ([]mM is dened alike).

Algebraically, we can identify a process with its equivalence class. However, given a logic where properties of processes can be stated and veried, we can identify a process with its properties. When both algebraic and logical views agree, that is when two processes are equivalent i they have the same properties, then we say that the equivalence is characterised by the logic. Following [HM85], if P Q then P and Q satisfy the same formulas M 2 Mand the other way

round but only for weak-image-nite ):

P Q i 8M 2M P

j= M ,Qj= M (16)

The aim of this section is to provide similar statements for fault-tolerant and conditional fault-tolerant extensions of. Consider the new relationjj=PM

which is dened like j= except that the transitions ) are now used to dene

the semantics of formulashiM:

Qjj=hiM i 9Q 0;s Q

)

s _Q0

^ bs = ^ Q 0

jj= M (17)

Applyingj= for the high-level process andjj= for the low-level one, we can show

that for weak-image-nite relations ), must-bisimilarity <! is characterised

by the Hennessy-Milner logic:

Proposition1.

For weak-image-nite relation ) we have:

P <! Q i 8M 2M P

j= M , Qjj= M

Proof. ()) By induction on the structure of M. (() We show that the relation

B =def f(P;Q)j 8M 2M P

j= M , Q jj= Mg is a must-bisimulation. For

Because P <?Q implies P <! Q, we also have P j= M i Q jj= M for any

P <?Q and M 2M. The inverse however does not hold, as demonstrated by P

and S in Figure 2 which have the same properties (P with respect toj= and S

according tojj=) but still P6<?S.

Example3. Consider processes in Figure 2 and two formulas for m0:

{

M = [b]2m

haitrue which asserts that the rst action a is always possible

after an even number of b's;

{

N = [a]hbi 2m+1

haitrue where the second occurrence of a may be possible

after an odd number of b's.

We have P j= M ^N and thus Q j= M ^N and S j= M ^N because of

P Q S. We also have P <! R what gives R jj= M ^N and P <! S what

results in Sjj= M ^N. Finally Qjj=:M ^N and Rj= M^:N. 2

Consider n2N[f1gwhich species the maximal number of times

transi-tions

) can occur successively. The logical characterisation of <! n involves

conditional satisfaction relationjj=n which is dened in terms of the family of

relationsjj=in, indexed by [0;n]. Consider i2[0;n]. For all formulas excepthiM, jj=inis dened likej=. ForhiM we have:

Qjj=inhiM i 9Q 0;s;j Q

)

s ijQ0

^ bs = ^ Q 0

jj=jnM (18)

Thus Q jj=inM if Q satises M, performing transitions ) and

) but

the last no more than n times in a row and no more than n i of them initially. Finally, we dene P jj=nM i P jj=

0

nM. Given suchjj=nand provided that )

is weak-image-nite, we can prove the following characterisation theorem:

Proposition2.

For weak-image-nite relation ) we have:

P <! nQ i 8M 2M P

j= M , Qjj=nM

Proof. ()) By induction on the structure of M. (() We show that the family fBigni

=0 of relations Bi =def

f(P;Q)j 8M 2M P

j= M , Q jj=in Mg is a

conditional must-bisimulation. For details see Appendix A. 2

As a result, because P <?nQ implies P <! nQ, we have P j= M i Qjj=nM

for all P <?nQ and M 2M.

Example4. Consider processes in Figure 4, m0 and the following formulas:

{

M =haitrue^[a][a]false

where action a is possible but then it cannot be followed by another a;

{

N =hbitrue^[b][a]false

where action b is possible but not followed by a either. We have P j= [a][b]

2m+1(M

^N) and thus Q j= [a][b]

2m+1(M

^N) because

of P Q. For Q we have Qjj= [a][b]

2m+1N and Q

jj=:[a][b]

2m+1M, however

Qjj= 1[a][b]

2m+1(M

^N) because then transition Q 000

)

a _{Q, which enables two}

subsequent actions a, cannot be chosen. For R we have Rjj=:[a][b]

2m+1M and

Rjj=:[a][b]

2m+1N, however R jj=

2 [a][b]

2m+1(M

^N) because then transition

R000

)

_R00 cannot be chosen.

5 Language of Processes

The structure of a process P has been ignored so far, it was dened as an element of the abstract set P. The more complex is the behaviour of P however, the

greater is the need to treat P structurally. In this section, following [Mil89], we dene P as the language of processes which is given the structured operational

semantics [Plo81] in terms of the labelled transition system (P;A; )).

The syntax ofPis based on two sets of symbols,Aof actions andX of process

identiers, and involves two syntactic categories, E of process expressions and D of declarations. Let X;Y 2X, LLand f be a function over A such that

f() = , f(a)6= and f(a) = f(a).E is dened by the grammar:

E ::= X j

0

j :E j E + E j EjE j EnL j E[f] (19)

Informally,

0

is unable to take any action and :E performs and then behaves like E. The operator + represents summation,j parallel composition, nrestriction and [ ] renaming. One derived operator is E

aF where E and F

proceed in parallel with actions out of E and in of F `joined' and restricted, EaF =

def (E[mid=out]jF[mid=in])nfmidgwhere mid is not used by E or F.

We use X(E) for the set of all identiers in E and EfF=Xgfor the process

expression E where all identiers X are replaced by F. In order to interpret X 2 X(E), we use declarations of the form X = F. If also Xb 2 X(F) then

such X is dened by recursion. Given X = F and Yb = G where Xb 2X(G) and

Y 2 X(F), such X and Y are dened by the mutual recursion. In the sequel

we will often need to manipulate declarations for mutually recursive identiers. Then, it will be helpful to use a simple language Dfor specifying collections of

such declarations. D, ranged over by andr, is dened by the grammar:

::= [ ] j [X= E]b j j r (20)

Informally, [ ] is an empty declaration and [X = E] declares X as E andb

other identiers as in . Moreover, and rperform respective

op-erations (-prex and summation) on the right sides of all the corresponding declarations in and r. Formally, 2 D is assigned a partial function [[]]

fromX toE which is dened in Figure 5 by induction on the structure of . We

use dom() as the domain of [[]] (dom([]) =def ;) and ran() as its range.

[[]](X) =

def:[[]](X) if X

2dom() [[[Y =b E]]](X) =

def

E if X=Y

[[]](X) if X6=Y; X2dom() [[r]](X) =

def (

[[]](X) if X2dom() dom(r) [[]](X)+[[r]](X) if X2dom()\dom(r) [[r]](X) if X2dom(r) dom()

We abbreviate [][X = E][Yb = F] as [Xb = E;Yb = F] and write [Xb = Eb jp]

for all declarations X = E such that the predicate p holds. is said to be closedb

if all identiers in the right side expressions of are declared in :

[

F2ran()

X(F)dom() (21)

A process P 2P is nally the pairhE;iof the process expression E and

the closed declaration for all identiers of E, X(E) dom(). We write hE;ihF;riifhE;iandhF;riare identical.

The semantics of hE;i 2 P is dened in terms of the labelled transition

system (P;A; )) by induction on the structure of E. If E = X then transitions

of hX;i involve the semantics of , they are inferred from the transitions of h[[]](X);i. Following [Mil89], transition relation ) is the least set dened

by inference rules in Figure 6.

h:E;i )

hE;i

hE;i )

hE 0;

i

hE+F;i )

hE 0

;i

hF;i )

hF 0;

i

hE+F;i )

hF 0

;i hE;i )

hE

0 ;i hEjF;i )

hE

0 jF;i

hF;i )

hF 0

;i hEjF;i )

hEjF

0; i

hE;i ) a

hE 0;

i hF;i ) a

hF 0;

i

hEjF;i )

hE 0

jF 0

;i hE;i )

hE

0; i

hEnL;i )

hE 0

nL;i

; ;62L

hE;i )

hE 0;

i

hE[f];i ) f()

hE 0

[f];i h[[]](X);i )

hE;i

hX;i )

hE;i

; X2dom()

Fig.6.Operational semantics of processesP

Example5. Consider n2N[f1gand the process Rnwhich performs actions a

and b; the rst at any time; the second no more than n times in a row. We have Rn =def hY

0;n

rniwhere:

n=def[Yi= a:Yb 0

j0in] rn=def[Yi= b:Yb i

+1

j0i < n]

2

We compose processes by composing their expressions, using the process combinators (19). For binary operators + andjwe assume that the component

processes have disjoint sets of identiers. If dom()\dom(r) =;then:

:hE;i =def h:E;i hE;inL =def hEnL;i hE;i[f] =def hE[f];i hE;i+hF;ri=def hE + F;ri hE;i j hF;ri=def hE jF;ri

In the language dened so far, processes interact by synchronising on com-plementary actions a and a. There is no directionality or value which passes between them. For pragmatic reasons, we also need a value-passing language for the set V of values (we assume, for simplicity, that V is nite). To this end we introduce value constants (like "), value variables (like x and s), value and boolean expressions (like e and p respectively), built using constants, variables and any function symbols we need. The last include ]s as the length of the se-quence s, s0its rst element, s

0all but the rst element and s : x as the sequence

s with value x appended. We also introduce parameters into process identiers: X(e1;::;en) for X of arity n. Then we extend the basic language by input and output prexes a(x):E, a(e):E and conditionals

if

p

then

E

else

F. For their translation into the basic language see [Mil89].

Example 6. Consider a buer Bufm of capacity m > 0, which receives (by action

in) and subsequently transmits (by action out) all values unchanged, in the same order and with at most m of them received but not sent. We have:

Bufm =def hX(");ri

where =def[X(s)= in(x):X(s : x)b j0]s < m] r=def[X(s)= out(sb

0):X(s 0)

j0 < ]sm]

2

6 Language of Faults

Although a fault is modelled by a set of transitions, using this set directly is not the most convenient way of specifying faults in practice, especially when the abnormal behaviour we want to describe is complex. The purpose of this section is to dene the language where faults can be specied and combined.

The idea is to use process identiers as `states' which can be aected by faults. Consider a process hX;i. Transitions ofhX;ican be only inferred from the

transitions of h[[]](X);iwhere [[]](X) is the process expression assigned to

X by . In order to specify faults, we will use an alternative, `faulty' declaration

2D. Suppose that X 2dom( ). Then X is assigned yet another expression

[[ ]](X) which determines abnormal transitions of hX;i, following transitions

of h[[ ]](X);iand denoted by ):

h[[ ]](X);i )

hE;i

hX;i )

hE;i

(23) Transition relation ) is dened as the least set which satises inference rules

in Figure 7 and used to denote -aected semantics ofP. We also dene:

Q )

_Q0 i Q )

_Q0and Q 6 )

_Q0 (24)

and relations )ijPA

P (10), given i;j 2[0;n] and faulty transitions

h:E;i )

hE;i

hE;i )

hE 0;

i

hE+F;i )

hE 0

;i

hF;i )

hF 0;

i

hE+F;i )

hF 0

;i hE;i )

hE

0; i

hEjF;i )

hE 0

jF;i

hF;i )

hF 0;

i

hEjF;i )

hEjF 0;

i

hE;i ) a

hE 0;

i hF;i ) a

hF 0;

i

hEjF;i )

hE 0

jF 0

;i hE;i )

hE

0; i

hEnL;i )

hE 0

nL;i

; ;62L

hE;i )

hE 0;

i

hE[f];i ) f()

hE 0

[f];i h[[]](X);i )

hE;i

hX;i )

hE;i

; X2dom()

h[[ ]](X);i )

hE;i

hX;i )

hE;i

; X2dom( )

Fig.7.Operational semantics of processesPaected by the fault .

is not assumed to be closed. However, in order to ensure that ) does

not lead from the well-dened process (where all identiers are declared) to the ill-dened one, we assume that all process identiers in the right-side expressions of are declared by :

[

F2ran( )

X(F)dom() (25)

We useP P for the set of suchhE;iand assume that ) P AP

and )ijP A

P .

Example7. Consider the following declarations which specify various commu-nication faults of the bounded buer Bufm, creation ( e), corruption ( c),

omission ( o), replication ( r) and permutation ( p) of messages: e =def [X(s)= :out(b

p

):X(s) j0]sm]

c =def [X(s)= :out(b p

):X(s0)

j0 < ]sm]

o =def [X(s)= :X(sb 0)

j0 < ]sm]

r =def [X(s)= :out(sb 0):X(s)

j0 < ]sm]

p =def [X(s)= :out((sb 0)

0):X(s0 : s 00)

j1 < ]sm]

We usep

to denote messages which has been corrupted or created. This is a way to abstract from their particular value which is immaterial. Also, we assume that when permuted, only one message is delayed. In order to specify more complex faults, e.g. simultaneous creation, omission and permutation of messages, we can use the summation e o p of declarations:

[X(s)= :out(b p

):X(s)j]s = 0]

[X(s)= :out(b p

):X(s) + :X(s0)

j]s = 1]

[X(s)= :out(b p

):X(s) + :X(s0) + :out((s0)

0):X(s0: s 00)

7 Fault Transformation of Processes

The primary eect of faults is that a process no longer behaves according to the normal transition relation ). In addition to ), it can also perform

transitions

), specied by 2D. This is a direct, semantic method to

repre-sent eects of faults on the behaviour of the process. In this section we prerepre-sent an alternative, syntactic method. The idea is to capture the eect of faults, specied by , by the process transformation T(; ) where for any Q2P ,

its behaviour in the -aected environment is `the same' as the behaviour of

T(Q; ) in the environment which is free of faults [Liu91, LJ91]. We show that T(Q; ) yields the binary relation onPP which coincides with <! and the

satisfaction relation which agrees withjj=. In the conditional case we provide a

transformation e

T(; ;n) which is shown to coincide with <! n andjj=n.

7.1 Fault-Tolerance

Consider 2 D which species transitions

) and a process hE;i 2 P

with the well-dened, -aected semantics ). If hE;ihas no identiers in

common with then hE;i is not aected by the transitions

). Suppose

that X2dom()\dom( ) and that transitions ofhE;ican be inferred from hX;i )

hE 0;

i. We have either h[[]](X);i )

hE 0;

i

hX;i )

hE 0;

i

or h[[ ]](X);i )

hE 0;

i

hX;i )

hE 0;

i

(26) where the rst transition is normal (it uses to interpret X) and the second is faulty (it uses ). The ability ofhE;ito perform the second transition (with

respect to )) can be syntactically represented by summation, by redening

its process identier X as [[]](X) + [[ ]](X). To represent the capacity for all transitions in

), such a summation must be performed for all identiers X2

dom()\dom( ). This leads to the following transformation:

T(hE;i; ) =def hE; i (27)

We would like to show thatT(hE;i; ) captures the eect of faults, specied

by on hE;i. Observe rst that declarations (and thus transformation T)

`persist' through the transitions ) and ):

IfhE;i )

_Q0then Q0 hE

0;

ifor some E 0.

IfT(hE;i; ) )

_R0then R0

T(hE 0;

i; ) for some E

0. (28)

Both statements can be shown by transitional induction. Transitional induction is also employed to prove the following lemma (for details see Appendix B):

Lemma3.

If Q2P

then Q )

_Q0i

T(Q; ) )

TransformationT(; ) induces the satisfaction relation onP Mwhich

holds between a process Q 2 P and a formula M 2 M i T(Q; ) j= M.

Applying Lemma 3, we can show that this relation coincides withjj=:

Proposition4.

If M 2M, Q2P and

transitions

) are specied by

then Qjj= M i T(Q; )j= M

Proof. By induction on the structure of formulas M, applying Lemma 3. For

details see Appendix B. 2

TransformationT(; ) also induces the binary relation on P P which

holds between P 2P and Q 2P i P T(Q; ). The following proposition

asserts that this relation coincides with must-bisimilarity <! :

Proposition5.

If P 2P, Q2P and

transitions

) are specied by

then P <! Q i P T(Q; )

Proof. It is easy to see that for weak-image-nite ), this statement follows

from the characterisation theorem (16) and Propositions 1 and 4. For any ),

it follows from the fact that:

BPP is a must-bisimulation iT(B; ) is a bisimulation (29)

whereT(B; ) =deff(P;T(Q; ))j(P;Q)2Bg. For details see Appendix B.2

Thus for must-bisimilarity <! , we have the equivalence diagram (1) of all

three approaches to verify fault-tolerance, given

) such that ) is

weak-image-nite. For ) which is not weak-image-nite, we cannot guarantee that

P j= M i Qjj= M for all M2Mimplies P <! Q.

Moreover, for may-bisimilarity <?, we cannot guarantee that P T(Q; )

im-plies P <?Q. However, applying equivalences (7) and (29) it is easy to see that

BPP is a may-bisimulation i it is a bisimulation together withT(B; ).

As a result, given transitions

), we have the following statements:

P Q i (P;Q)2B for B which is a bisimulation

P <! Q i (P;Q)2B for B such thatT(B; ) is a bisimulation.

Example 8. Consider m;w > 0 and the task to ensure a reliable communication, specied by the bounded buer Bufw, over a medium of capacity m which

omits and replicates messages. To this end, we will use a version of the sliding window protocol with the window size w. The protocol consists of two processes, the sender So and the receiver Ro. The rst transmits all messages with their sequence numbers i modulo w+1, such that at most w messages are sent without being acknowledged. Suppose, for simplicity, that acknowledgements take place by synchronising So and Ro on the action ack. We use s for the sequence of messages sent but not acknowledged (]sw) and repeatedly retransmit s

0. For

all arithmetic operations taken modulo w + 1 we have:

So =def hZs(0;"); [Zs(i;s) = in(x):Zs(i;s;x)b j0]s < w]

[Zs(i;s) = ack:Zs(i;sb 0)

j0 < ]sw]

[Zs(i;s) = out(i ]s;sb

0):Zs(i;s)

j0 < ]sw]

[Zs(i;s;x)= out(i;x):Zs(i + 1;s : x)b j0]s < w]

[Zs(i;s;x)= ack:Zs(i;sb 0;x)

j0 < ]s < w]

[Zs(i;s;x)= out(i 1;sb

0):Zs(i;s;x)

j0 < ]s < w]i

Ro =def hZr(0); [Zr(i) = in(j;x):b

if

i = j

then

out(x):ack:Zr(i + 1)

else

Zr(i)]i

Given such So and Ro, we can prove that: Bufw(So

a

T(Bufm; o r) aRo)

nfackg

and consequently Bufw <! (So aBuf

maRo)

nfackg, following Proposition 5

and the fact that processes So and Ro are not aected by o r (they have

disjoint sets of identiers). However, the above statement does not depend on the transitions specied by o r and we can nd a bisimulation B such that

(Bufw;(SoaBuf

m aRo)

nfackg)2 B and T(B; o r) is a bisimulation.

Thus we have Bufw <?(So aBuf

maRo)

nfackg. 2

7.2 Conditional Fault-Tolerance

Consider declaration and a process hE;i2 P . Suppose that we want to

verifyhE;iin the presence of transitions

) and under assumption n about

their quantity. To this end, like before, we will use process transformations. The idea is to use a familyfXigni

=0 of identiers for each identier X of or .

Consider i2[0;n] and the following transformations b

Ti(;n) and e

Ti(; ;n): b

Ti(hE;i;n) =def hEi;ni and e

Ti(hE;i; ;n) =def T( b

Ti(hE;i;n); n)

where Ei =defEfXi=X jX 2X(E)g

n=def[Xi= Fb fY 0=Y

jY 2X(F)gj[[]](X) = F ^0in]

n =def[Xi= Fb fYi +1=Y

Thus e

Ti is dened in terms of transformationsT and b

Ti. Also, nis obtained

from by replacing each declaration X = F with the family of declarationsb

Xi= Fb fY 0=Y

jY 2X(F)g, for all i2[0;n], and similarly for nbut only given

i2[0;n). Finally, we dene b

T(;n) and e

T(; ;n) taking i = 0: b

T(hE;i;n) =def b T

0(

hE;i;n) e

T(hE;i; ;n) =def e T

0(

hE;i; ;n)

(30) Recall the familyf )ijgni;j

=0of relations which denotes the eect of transitions

) on the semantics ofP , under assumption n about their quantity. There

are two problems to obtain the same eect using transformations: 1. Consider X 2 dom()\dom( ) and hX;i )

hE;i which can be

in-ferred fromh[[]](X);i )

hE;iorh[[ ]](X);i )

hE;i. The problem

appears whenhX;i )

hE;ican be inferred from both of them. Then it

is always regarded as `normal' by )ij but not always by e

T(; ;n). If no

such E and exists then we say that has the proper eect on . 2. The second problem is that in case of e

T(; ;n) (but not )ij), some

tran-sitions do not `update' the index i. Suppose that =def [X= :a:X] andb

=def [X= b:X]. Then we have:b hX;i

)

ha:X;i )

a

hX;iand thus hX;i )

a 0 0

hX;i, however e T

0(

hX;i; ;n) )

a e T

1(

hX;i; ;n). We can

solve this problem assuming that all expressions involved arelineari.e. they are of the formPk

i=1i:Xi ( is linear if all F

2ran() are linear).

Under assumption about the linear form of and , we can easily show that: ifhX;i )

_Q0then Q0

hY;iand

if e

Ti(hX;i; ;n) )

_R0then R0

e

Tj(hY;i; ;n)

(31) where Y 2X and j2[0;n]. Then we have the following lemma:

Lemma6.

If hX;i2P where

has the proper eect on and and are linear thenhX;i )

s _ij

hY;i i e

Ti(hX;i; ;n) )

s e

Tj(hY;i; ;n)

Proof. By induction on the length of s. For details see Appendix C. 2

Like before, transformation e

T(; ;n) induces two relations: the satisfaction

re-lation which holds between Q2P and M 2Mi e

T(Q; ;n)j= M and the

bi-nary relation which holds between P 2P and Q2P i P e

T(Q; ;n). Under

assumptions of Lemma 6, we can show that the rst relation coincides with con-ditional satisfaction relation and the second with concon-ditional must-bisimilarity:

Proposition7.

If M 2MandhX;i2P where

has the proper eect on and and are linear thenhX;ijj=nM i

e

Proof. We show that for all i2[0;n],hX;ijj=inM i e

Ti(hX;i; ;n)j= M.

The proof proceeds by induction on the structure of M, applying Lemma 6. For

details see Appendix C. 2

Proposition8.

If P 2P andhX;i2P where

has the proper eect on and and are linear then P <! nhX;i i P

e

T(hX;i; ;n)

Proof. For weak-image-nite ), this statement follows from (16) and

Propo-sitions 2 and 7. For any ) and familyfBigni

=0 such that if (P;Q)

2Bi then

QhX;i, it follows from the fact that:

fBigni

=0is a conditional must-bisimulation i e

T(fBigni

=0; ;n) is a bisimulation

(32) where e

T(fBigni

=0; ;n) =def Sn

i=0 f(P;

e

Ti(Q; ;n))j(P;Q)2Big.

For details of the proof see Appendix C. 2

Assuming additionally that all right-side expressions in are of the form

Pk

i=1:Xi, the same result can be obtained applying auxiliary actions,

concur-rent composition and processes Rn(Example 5):

e T 0(

hX;i; ;n) =def (hX;(a)(b )ijRn)nfa;bg

where [[a]](X) = [[]](X)fa:Y=Y jY 2X([[]](X))g.

Thus for <! nand under assumptions of Lemma 6, we have the equivalence

diagram similar to (1), given

) such that ) is weak-image-nite.

Con-sider b T(fBigni

=0;n) =def Sn

i=0 f(P;

b

Ti(Q;n))j(P;Q) 2 Big. For <?n we can

show that fBigni

=0 is a conditional may-bisimulation i e T(fBigni

=0; ;n) and b

T(fBigni

=0;n) are bisimulations.

Although the linear form of and is necessary to establish these results, the meaning of e

T and b

T for non-linear and is also well-understood. While

in the rst case all transitions are signicant, they all `update' the index i, in the second case only chosen ones are signicant. The main reason for `mismatch' between e

T(; ;n) and )ijfor non-linear expressions lies in the restrictive form

of the latter. In the following example we will illustrate using transformations

e

T to verify conditional fault-tolerance forhE;iand which is not linear. Example 9. Consider n;m > 0 and the task to ensure a reliable communication (specied by Bufm+n+2) over a mediumof capacity m which permutes messages.

To this end we will use two processes: the sender Spn and the receiver Rpn. In

order to determine the proper transmission order, messages will be send by Spn

with their sequence numbers modulo n. The value of n determines the number of parallel components Sti of Rpn(i = 0;:::;n 1), each one used to store a

message with the sequence value i, received out-of-order. The value of?means

Spn =def hZs(0);[Zs(i)= in(x):out(x;i):Zs(i + 1)b j0i < n]i

Rpn =def (CtrjSt 0

j jStn 1)

nfst

0;:::;stn 1 g

Ctr =def hZr(0); [Zr(i) = in(x;j):b

if

i = j

then

out(x):Zm(i + 1)

else

stj(x):Zr(i) j0i < n]

[Zm(i)= stb i(x):

if

x =?

then

Zr(i)

else

out(x):Zm(i + 1)j0i < n]i

Sti =def hZmi; [Zmi = stb i(x):sti(x):Zmi+ sti(?):Zmi]i, 0i < n

We can shown that the process SpnaBuf

maRp

ntolerates p, provided the

number of successive permutations is not greater than n: Bufm+n+2

e T(Spn

aBuf

maRp

n; p;n) 2

8 Conclusions

Currently, there is a number of methods for specifying and proving correctness of systems which are tolerant of faults in the operating environment [Cri85, JH87, LJ91, Nor92, Pel91, PJ93, Pra87]. Based on dierent formalisms and various semantic models, of systems and faults, using dierent ways to represent eects of faults on the behaviour of systems, they are dicult to compare and relate. In particular, it is not certain whether a system which is fault-tolerant with respect to one of these methods is also fault-tolerant according to the others.

Acknowledgements

I am grateful to my supervisor, Mathai Joseph, for many valuable comments on draft versions of this paper, to Zhiming Liu for stimulating discussions on fault-tolerance, and to David Walker for his reading, helpful comments and for putting some literature to my attention.

References

[AH92] L. Aceto and M. Hennessy. Termination, deadlock and divergence. Journal of ACM, 39(1):147{187, 1992.

[Cri85] F. Cristian. A rigorous approach to fault-tolerant programming. IEEE Trans-actions on Software Engineering, 11(1):23{31, 1985.

[HM85] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concur-rency. Journal of the ACM, 32(1):137{161, 1985.

[JH87] He Jifeng and C.A.R. Hoare. Algebraic specication and proof of a distributed recovery algorithm. Distributed Computing, 2:1{12, 1987.

[Kel76] R. Keller. Formal verication of parallel programs. Communications of ACM, 19(7):561{572, 1976.

[Lar87] K.G. Larsen. A context dependent equivalence between processes. Theoretical Computer Science, 49:185{215, 1987.

[Liu91] Z. Liu. Fault-Tolerant Programming by Transformations. PhD thesis, Univer-sity of Warwick, 1991.

[LJ91] Z. Liu and M. Joseph. Transformations of programs for fault-tolerance. For-mal Aspects of Computing, 4:442{469, 1991.

[LT87] N. Lynch and M. Tuttle. Hierarchical correctness proofs for distributed algo-rithms. Technical report, MIT Laboratory for Computer Science, 87.

[LT88] K.G. Larsen and B. Thomsen. A modal process logic. InProc. 3rd Annual Symposium on Logic in Computer Science, pages 203{210, 88.

[Mil89] R. Milner. Communication and Concurrency. Prentice-Hall International, 1989.

[MP91] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems, volume 1. Springer-Verlag, 1991.

[Nor92] J. Nordahl. Specication and Design of Dependable Communicating Systems. PhD thesis, Technical University of Denmark, 1992.

[Par81] D. Park. Concurrency and automata on innite sequences. LNCS, 104, 81. [Pel91] J. Peleska. Design and verication of fault tolerant systems with CSP.

Dis-tributed Computing, 5:95{106, 1991.

[PJ93] D. Peled and M. Joseph. A compositional approach for fault-tolerance using specication transformation. LNCS, 694, 1993.

[Plo81] G. Plotkin. A structural approach to operational semantics. Technical report, Computer Science Department, Aarhus University, 81.

[Pra86] V. Pratt. Modeling concurrency with partial orders. International Journal of Parallel Programming, 15(1):33{71, 1986.

[Pra87] K.V.S. Prasad. Combinators and Bisimulation Proofs for Restartable Systems. PhD thesis, Department of Computer Science, University of Edinburgh, 1987. [Wal90] D.J. Walker. Bisimulation and divergence. Information and Computation,

85:202{241, 90.

A Proofs from Section 4

Lemma9.

B is a must-bisimulation i for all (P;Q)2B and s2A :

whenever P )

s _P0then 9Q

0;t Q )

t _Q0 ^bs =

b

t^(P 0;Q0)

2B

whenever Q )

s _Q0then 9P

0;t P )

t _P0 ^bs =

b

t^(P 0;Q0)

2B Proof. ()) Consider (P;Q) 2 B and let P P

0 )

1

)

n _Pn

P

0 where

n0 and s =

1:::n. If n = 0 then P 0

P and it is enough to take t = "

and Q0

Q. If n > 0 then for all k 2[1;n] there exists Qk and tk such that

Qk 1 )

tk _Qk,tbk = c

k and (Pk;Qk)2B. Let t =deft 1:

: tn. Then Q )

t _Q0,

b

t =bs and (P 0;Q0)

2B. For Q )

s _Q0the proof is the same.

(() It is enough to take s such that ]s = 1. 2

Proof of Proposition 1.

()) Let P <! Q and M2M. We will show that P j= M i Qjj= M, by induction

on M. Let P j=hiM

1(for true, M1 ^M

2and :M

1the proof is obvious). Then

P )

s _P0 where b

s = and P0 j= M

1 for some s and P

0. Applying Lemma 9,

there exists t and Q0such that Q )

t _Q0, b

t =bs and P 0

<! Q

0. Then, by induction

we have Q0 jj= M

1 and nally Q

jj=hiM

1. For Q

jj=hiM

1the proof is similar.

(() Consider B =def f(P;Q)j 8M 2M P

j= M , Q jj= Mg and suppose

that ) is weak-image-nite. We will show that B is a must-bisimulation. Let

(P;Q) 2 B and P )

_P0. Then P

j= hbitrue and Q jj= hbitrue what gives

Q )

s _Q0 for some s ( b

s =) and Qb 0. Let

Q be the set of all such Q

0. Because ) is weak-image-nite, we have Q = fQigni

=1 for some n > 0. Then, it is

enough to nd i2[1;n] such that (P 0;Q

i)2B. Suppose on the contrary, that

for all i 2 [1;n] there exists Mi 2 M such that P 0

j= Mi and Qi 6jj= Mi. Let

M =def M1

^^Mn. Then we have P 0

j= M and so P j= hbiM, however

Q6jj=hbiM in spite of (P;Q)2B. For Q )

_Q0 the proof is the same ( ) is

also weak-image-nite). 2

Lemma10.

If Q s ij) Q 0

)

t j_kQ00 then Q )

s:

t ikQ00.

Proof. By induction on the length of s. If Q " ij)Q 0

)

t j_kQ00then we have Q0

Q

and i = j what implies Q )

":t ik

Q00. If Q )

:s ij

Q0 )

t j_{k then either i < n and}

Q )

_Q000 )

s i+1

j Q0 )

t j_kQ00 or Q )

_Q000 )

s 0

jQ0 )

t j_kQ00 for some Q000. In the

rst case by induction Q000 )

s:t i +1

k Q00so we get Q )

:s:

tikQ00. In the second case by

induction Q000 )

s:t 0

kQ00 so we nally get Q )

:s:

tikQ00.

2

Lemma11.

Consider fBigni

=0 where Bi

P P for i 2 [0;n]. fBigni

=0 is a conditional

must-bisimulation i for all i;j2[0;n], (P;Q)2Bi and s2A :

whenever P )

s _P0 then 9Q

0;j;tQ )

t ijQ0 ^

b

t =sb^(P 0;Q0)

2Bj

whenever Q s ij)Q 0then

9P 0;t P

)

t _P0 ^

b

t =sb^(P 0;Q0)

Proof. ()) Consider i 2 [0;n], (P;Q) 2 Bi and s =

1:::n. Suppose that

P P 0

)

1

)

n _Pn

P 0for n

0. If n = 0 then it is enough to take t = ",

j = i and Q0

Q. It n > 0 then for all k2[1;n] there exists Qk, tk and ik such

that Qk 1 )

tk ik 1

ik Qk,tbk = c

k and (Pk;Qk)2Bik where Q 0

Q and i

0= i. Let

t = t1 :

: tn. Then b

t = bs, (P 0;Q

n)2 Bin and from Lemma 10, Q t ii)

nQn. For Q s ij)Q

0 the proof is similar.

(() It is enough to take s such that ]s = 1. 2

Proof of Proposition 2.

()) Let i2[0;n], P <! inQ and M 2M. We will show that P j= M i Qjj=inM

by induction on M. Let P j=hiM

1 (for true, M1 ^M

2 and :M

1 the proof is

obvious). Then P )

s _P0 and b

s = for some P0such that P0 j= M

1. Applying

Lemma 11, there exists t (bt = ) and j such that Q )

t ijQ0 and P0 <! jnQ

0 for

some Q0. Then by induction we have Q0 jj=jn M

1 and thus Q

jj=in hiM 1. For

Qjj=inhiM

1 the proof is similar.

(() Let Bi =def f(P;Q)j 8M 2M P

j= M , Q jj=in Mg and suppose that ) is weak-image-nite. We will show that fBigni

=0 is a conditional

must-bisimulation. Suppose that i 2[0;n], (P;Q) 2Bi and P )

_P0. Then we have

P j=hbitrue and Qjj=inhbitrue so Q s ij) Q

0for some j and s such that b

s =.b

Let Qj be the set of all such Q

0. Because

) is weak-image-nite, we have Qj = fQ

j kg

kj

k=1 where kj

0 and there exists j such that kj > 0. Then it is

enough to show that for some j there exists k2[1;kj] such that (P 0;Qj

k)2Bj.

Suppose on the contrary: for all j 2 [0;n] and for all k 2 [1;kj] there exists

M_kj2Msuch that P 0

j= M

j

kand Qjk 6jj= M

j

k. Let M =def Vn

j=0 Vk

j

k=1 M

j k. Then

we have P0

j= M so P j=hbiM, however Q6jj=in hbiM in spite of (P;Q)2Bi.

For Q s ij)Q

0 the proof is the same, because

) is also weak-image-nite. 2

B Proofs from Section 7.1

Proof of Lemma 3.

We proceed by transitional induction. Let =def .

()) If Q hE;i )

_Q0 then Q0 hE

0;

i (28) and we will show that hE; i )

hE 0;

iby induction on the inference of transitionhE;i )

hE 0;

i.

There are six cases: 1. EE

0. Then h:E 0; i ) hE 0; i.

2. E E

1+ E2. Then either hE 1; i ) hE 0;

ior hE 2;

i )

hE 0;

i. For

the rst (the second is symmetrical), by induction hE 1; i ) hE 0; iand

so we havehE 1+ E2;

i )

hE 0;

i.

3. EE 1

jE

2. Then there are three cases:

(a) hE 1; i ) hE 0 1;

i where E 0

E

0 1

jE

2. Then by induction we have hE 1; i ) hE 0 1;

iand so hE 1 jE 2; i ) hE 0 1 jE 2; i.

(b) hE 2; i ) hE 0 2;

iwhere E 0

E

1 jE

0

2is similar.

(c) hE 1; i ) a hE 0 1;

iandhE 2; i ) a hE 0 2;

ifor = and E 0 E 0 1 jE 0 2.

By inductionhE 1; i ) a hE 0 1;

iandhE 2; i ) a hE 0 2;

4. E E 1

nL. ThenhE 1; i ) hE 0 1;

ifor ;62 L and E 0

E

0 1

nL. Thus

by inductionhE 1; i ) hE 0 1;

iand so hE 1

nL; i )

hE 0 1

nL; i.

5. EE

1[f] is similar.

6. E X. Then either h[[]](X);i )

hE 0;

i or h[[ ]](X);i )

hE 0;

i.

Consider the rst (the second is symmetrical), then X 2 dom() and by

inductionh[[]](X); i )

hE 0;

i. There are two cases:

(a) X62dom( ). ThenhX; i )

hE 0;

ibecause [[ ]](X) = [[]](X).

(b) X2dom( ). Then [[ ]](X) = [[]](X)+[[ ]](X) from (25) and so because h[[]](X) + [[ ]](X); i )

hE 0;

i, we havehX; i )

hE 0;

i.

(() LetT(Q; ) )

_R0where Q

hE;i. Then R 0

T(hE 0;

i; ) applying

(28) and we will show that hE;i )

hE 0;

i, using the similar induction on

the inference of the transitionhE; i )

hE 0;

i. Consider E X only. Then h[[ ]](X); i )

hE 0;

iand by induction we haveh[[ ]](X);i )

hE 0;

i. Thus

there are two cases:

1. X 62dom( ). Then [[ ]](X)=[[]](X) sohX;i )

hE 0;

i.

2. X 2dom( ). Then [[ ]](X) = [[]](X) + [[ ]](X) applying (25) so we either

haveh[[]](X);i )

hE 0;

ior h[[ ]](X);i )

hE 0;

i. In both cases we

nally gethX;i )

hE 0;

i. 2

Proof of Proposition 4.

We will show that Qjj= M i T(Q; )j= M by induction on the structure of

M. LetT(Q; )j=hiM

1 (for true, M1 ^M

2 and :M

1 the proof is obvious).

ThenT(Q; ) )

s _R0where b

s = , R0 j= M

1 and R 0

T(Q

0; ) applying (28).

Thus Q )

s _Q0from Lemma 3 and by induction we have Q0 jj= M

1. As a result

Qjj=hiM

1. For Q

jj=hiM

1 the proof is similar.

2

Proof of Proposition 5.

()) Let P <! Q. Then (P;Q) 2 B which a must-bisimulation for

). We

will show that T(B; ) =def f(P;T(Q; ))j(P;Q) 2 Bg is a bisimulation. If

P )

_P0 then Q )

s _Q0 where b

s = and (Pb 0;Q0)

2B for some Q

0. But then

(P0; T(Q

0; ))

2T(B; ) and T(Q; ) )

s

T(Q

0; ) what follows from Lemma

3. IfT(Q; ) )

_R0then we get R0 T(Q

0; ) (28) and applying Lemma 3 we

have Q )

_Q0. Thus there exists P0such that P )

s _P0, b

s = and (Pb 0;Q0)

2B.

Because then (P0; T(Q

0; ))

2T(B; ), T(B; ) is a bisimulation.

(() If P T(Q; ) then (P;T(Q; ))2B which is the least bisimulation with

this property. Applying (28), it is easy to see that there exists C P P

such that B =T(C; ) and it is enough to prove that C is a must-bisimulation.

Let (P;Q)2C and P )

_P0. Then (P;

T(Q; ))2B and applying (28) there

exists Q0 and s such that

T(Q; ) )

s

T(Q 0; ),

b

s = and (Pb 0;

T(Q 0; ))

2

B. Then we have (P0;Q0)

2 C and Q )

s _Q0 from Lemma 3. Let Q )

_Q0.

ThenT(Q; ) )

T(Q

0; ) from Lemma 3 and there exists P0and s such that

P )

s _P0, b

s = and (Pb 0;

T(Q 0; ))

2B. Thus (P 0;Q0)

2C what completes the

C Proofs from Section 7.2

Proof of Lemma 6:

We proceed by induction on the length of s. Let n=def n n.

()) For s = " it is immediate. Let hX;i )

:s

ijhY;i. Because the right-side

expressions of and are linear, applying (31) there exists Z and k such that

hX;i )

hZ;i )

s _kj

hY;i. There are two cases:

{

hX;i )

hZ;i where k = 0. Because has the proper eect on , this

transition can be only inferred fromh[[]](X);i )

hZ;i. Thus we have h[[ n]](Xi); ni )

hZ 0; n

iand by induction: e

Ti(hX;i; ;n) )

e T

0(

hZ;i; ;n) )

s e

Tj(hY;i; ;n)

{

hX;i

)

hZ;iwhere i6= n and k = i + 1. It can be only inferred from h[[ ]](X);i )

hZ;iand soh[[ ]](X);i )

hZ;i( is linear). Thus we

haveh[[ n]](Xi); ni )

hZi +1; n

ibecause i6= n and by induction e

Ti(hX;i; ;n) )

e Ti

+1(

hZ;i; ;n) )

s e

Tj(hY;i; ;n)

(() For s = " it is immediate. Let e

Ti(hX;i; ;n) )

:s e

Tj(hY;i; ;n).

Apply-ing (31), e

Ti(hX;i; ;n) )

e

Tk(hZ;i; ;n) )

s e

Tj(hY;i; ;n) for some Z

and k. The rst transition can be only inferred fromh[[ n]](Xi); ni )

hZk; ni

and there are two possible cases:

{

h[[n]](Xi); ni )

hZk; niwhere k = 0. Thenh[[]](X);i )

hZ;iand

by induction we havehX;i )

hZ;i )

s 0

jhY;iandhX;i )

:s

ijhY;i.

{

h[[ n]](Xi); ni )

hZk; ni where i 6= n and k = i + 1. Then we have h[[ ]](X);i )

hZ;isohX;i

)

hZ;i( has the proper eect on ).

Thus by induction,hX;i

)

hZ;i )

s i+1

j hY;iso hX;i )

:s

ijhY;i. 2

Proof of Proposition 7:

It is enough to show that for all i2[0;n] and M 2M:

hX;ijj=iM i e

Ti(hX;i; ;n)j= M

The proof proceeds by induction on the structure of M. ()) LethX;ijj=ihiM

1. Then

hX;i )

s _ijQ0where b

s = , Q0 jj=jM

1 and by

(31), Q0

hY;i for some Y 2 X. Thus e

Ti(hX;i; ;n) )

s e

Tj(hY;i; ;n)

applying Lemma 6 and by induction, e

Tj(hY;i; ;n) j= M

1. Then because b

s = , we nally have e

Ti(hX;i; ;n)j=hiM

1. In the remaining cases (true, :M

1 and M1 ^M

2) the proof is obvious.

(() Let e

Ti(hX;i; ;n)j=hiM

1. Then e

Ti(hX;i; ;n) )

s _R0 where b

s = , R0

j= M

1and by (31), R 0

e

Tj(hY;i; ;n) for some Y 2X and j2[0;n]. Thus

we have hX;i )

s _ij

hY;iapplying Lemma 6, and by inductionhY;ijj=jM 1.

Finally we gethX;ijj=ihiM 1 (

b