Confluence for Process Verification

Conuence for Process Verication J.F. Groote M.P.A. Sellink

Department of Philosophy, Utrecht University P.O. Box 80.126, 3508 TC Utrecht, The Netherlands email: f jfg , alex [email protected]

Abstract

We provide several notions of conuence in processes and we show how these relate to -inertness, i.e. if s ;;; s , then s and s are equivalent. Using deterministic linear processes we show how these notions can conveniently be used to reduce the size of state spaces and simplify the structure of processes while preserving equivalence. 0

0

1 Introduction In his seminal book 12] Milner devotes a chapter to the notions strong and observation conuence in process theory. Many other authors have conrmed the importance of conuence. E.g. in 13, 9, 5] the notion is used for on the y reduction of nite state spaces and in 12, 15] it has been used for the verication of protocols. We feel that a more general treatment of the notion of conuence is in order. The rst reason for this is that the treatment of conuence has always been somewhat ad hoc in the setting of process theory. This strongly contrasts with for instance term rewriting 10], where conuence is one of the major topics. In particular, we want to clarify the relation with -inertness, which says that if s ;;; s , then s and s are equivalent in some sense. The second reason is that we want to develop systematic ways to prove distributed systems correct in a precise and formal fashion. In this way we want to provide techniques to construct fault free distributed systems. For this purpose the language CRL is designed, being process algebra extended with data 7]. In 6] a proof theory has been developed and in 14] it has been shown how correctness proofs can be checked using proof checkers, giving us the means to deliver descriptions of distributed systems with the highest thinkable level of correctness. In order to show the applicability of the techniques several protocols have been veried 11, 8, 3], both from theoretical and practical perspectives. Experience with these protocols gave rise to the development of new and the adaption of existing techniques to make systematic verication possible 4, 3]. Employing conuence also belongs to these techniques. It appears to enable easier verication of distributed systems, which in essence boils down to the application of -inertness. In the rst part of the paper we address the relationship between conuence and -inertness. The notions proposed in 12] all imply -inertness. We come up with a more general notion, namely weakly -conuence where  is some equivalence. For several notions of equivalence 0

0

1

we show that weakly -conuence and -inertness with respect to  coincide (especially for weak and branching bisimulation), provided the process is -well founded (there are no innite -paths). However, there are many protocols, where there are innite -paths, for instance communication protocols over unreliable channels. Therefore, we introduce the distinction between progressing and non progressing 's and show that weakly progressing conuence is enough to guarantee -inertness. Contrary to what one would expect, weakly -progressing conuence does not imply -inertness. In the second part of this paper we direct our attention to establishing conuence. It does hardly make sense to establish conuence directly on transition systems, because these are generally far too large to be represented. Therefore, we try to establish conuence on Linear Processes 4] which represent large transition systems symbolically in a compact way. In the third part we show how we can use -inertness to reduce state spaces and carry out verications on linear processes. We provide two examples illustrating that the application of conuence often reduces the size of state spaces considerably and simplies the structure of distributed systems, while preserving branching bisimulation. This is in general a very protable preprocessing step before analysis, testing or simulation of a distributed system.

Acknowledgements. We thank Marc Bezem for discussion in an early phase of the project

and Frits Vaandrager for demonstrating the importance of conuence in the verication of a leader election protocol. Furthermore we thank Jaco van de Pol and Wan Fokkink for comments on a draft version of this paper.

2 Preliminary denitions Let S and S be sets. A binary relation R on S and S is a subset of S  S . We write xRy for (x y) 2 R. If S  S we say that R is a binary relation on S . We write xRyRz for xRy ^ yRz and R for the reexive, transitive closure of R. The symmetric closure of R is denoted by R . We write R~ for (R ) . This relation is an equivalence relation, since symmetry is preserved1 by (;) . Finally, we write R for the diagonal-relation on R, i.e. R = f(x x) j x 2 Rg. Denition 2.1. A binary relation R on S is called well-founded i there is no innite sequence fsigi=0 such that si+1Rsi for all i 2 . 0

0

0

0











1

IN

Let Act be an arbitrary set of actions, containing a distinguished element . Throughout this paper we x this set of actions, except that from Section 5 we distinguish progressing -steps (denoted by > ) and non-progressing -steps (denoted by < ). Denition 2.2. A transition system is a pair (S ;;; ) with S a set and ;;;  S  Act  S . a We write s ;;; t instead of ;;; (s a t). Note that this denition implies that we exclude transition systems that have more than one a-step from s to s . 0

1 The converse does not hold, (R ) is not necessarily transitive.  

2

Convention 2.3. We introduce the following notations (a 2 Act  2 Act?): a a a  s ;;; t means s  u1 ;;; ;;; un  t for some u1  : : :  un with n 1, a  a  s ;;; t means s ;;; u ;;; t for some u, a  s ==a= t means s ;;; u1 ;;; u2 ;;; t for some u1  u2 . a a  s  t means s === t _ (a  ^ s ;;; t). Denition 2.4. A relation R  S  S is called a weak bisimulation on (S ;;; ) and (S  ;;;I) i ( a a I t ^ tRt s ;;; t =) 9t : s  sRs =) a a s ;;;I t =) 9t : s  t ^ tRt for all s 2 S and for all s 2 S . We say that R is a weak bisimulation on (S ;;; ) i R is a weak bisimulation on (S ;;; ) and (S ;;; ). Let fRi g be a collection of weak bisimulations on (S ;;; ) and (S  ;;;I), then Si I Ri is also a weak bisimulation on (S ;;; ) and (S  ;;;I). Consequently there exists a maximal weak bisimulation on (S ;;; ) and (S  ;;;I), namely the union of all weak bisimulations on (S ;;; ) and (S  ;;;I). This maximal weak bisimulation is denoted as $w . If s $w t then we say that s and t are weakly bisimular. $w is an equivalence relation. Denitiona 2.5. A transition system (S ;;; ) is called a-well-founded i f(s t) j t ;;; sg is a well-founded relation on S , i.e. there is no innite sequence of the form a a a s1 ;;; s2 ;;; s3 ;;; Let O be the class of ordinals. Denition 2.6. Let R  S  S be a well-founded relation on S . We dene a mapping dR : S ;! O as follows: dR (t) = supf1 + dR (s) j sRtg: a If R = f(x y) j y ;;; xg then we write da instead of dR . da (t) is the length of the longest 







0

0

0

0

0

0

0

0

0

0

0

0

0

i2I

2

0

0

0

chain of a-steps starting from t.

3 Conuence and -inertness In this section we introduce three dierent notions of conuence, namely strong conuence, weak conuence and weak $w -conuence. These three notions have in common that they express that

3

a two `diverging' steps s ;;; t and s ;;; we can picture this as follows:

s0

can be brought together in some sense. In a diagram s0

s a

O t

t0

We investigate whether or not the dierent notions of conuence are strong enough to serve as a condition for s ;;; t =) s $w t (1) to hold. It is obvious that (1) is not valid in general. A simple counterexample is s

s0

(2)

a

O t

where a is not a -step. Transition systems that satisfy (1) are called -inert with respect to $w . 3.1

Strong conuence

Denition 3.1. A transition system (S ;;; ) is called strongly conuent for a i for each a pair s ;;; t and s ;;; s of dierent steps there exists a state t such that t ;;; t and a s ;;; t . In a diagram: 0

0

0

0

0

s0

s

a

a

O

O

t0

t

A transition system (S ;;; ) is called strongly conuent i it is strongly conuent for a, for all a 2 Act. Omitting the word `dierent' in Denition 3.1 would give a stronger notion: t

s

is strongly conuent, but would not be strongly conuent if the word `dierent' was omitted. Theorem 3.2. Strongly conuent transition systems are -inert with respect to $w . 4

Proof. Let (S ;;; ) be a strongly conuent transition system. Consider R = f(x y ) j x ;;; y g  S : It suces to prove that R is a weak bisimulation on (S ;;; ), as in that case, by denition, R  $w . So s ;;; t =) sRt =) s $w t. Assume sRs . We have to prove: a a (i) s ;;; t =) 9t : s  t ^ tRt a a (ii) s ;;; t =) 9t : s  t ^ tRt If s  s then we are trivially done. So assume s ;;; s . a Proof of (i): Assume s ;;; t. The situation is now as follows: 0

0

0

0

0

0

0

0

0

0

s

s0

a

O t

a If these two transitions are dierent, then there exists a state t such that s ;;; t and t ;;; t , by the denition of strong conuence. If t ;;; t then tRt so (i) is satised. If these two transitions are identical, we have t  s and a  , so tRs by S  R. Again, (i) is satised. 0

0

0

0

0

a Proof of (ii): Assume s ;;; 0

t0

0

0

0

. The situation is then as follows: s

s0 a

O t0 a Now take t  t . This does the job, since s ;;; 0

t0

and t Rt since S  R. 0

0

2

The converse of Theorem 3.2 is obviously not valid. A transition system that is -inert with respect to $w , is not necessarily strongly conuent. As a counter example one can take (2) with a  . This counter example means that strong conuence is actually a stronger notion than we need since we are primarily interested in -inertness (wrt. $w ). Hence we introduce a weaker notion of conuence, which diers from strong conuence in that we allow -steps in the paths from t to t and from s to t . 0

0

0

5

3.2

Weak conuence

Denition 3.3. A transition system (S ;;; ) is called weakly conuent for a i for each pair a a s ;;; t and s ;;; s of dierent steps there exists a state t such that s  t and t ;;; t . 0

0

0



0

0

In a diagram:

s

s0 a

a

O

O



t

t0

A transition system (S ;;; ) is called weakly conuent i it is weakly conuent for a, for all a 2 Act. The following example (due to Roland Bol) shows that weak conuence is too weak to serve as a condition for (1) to hold, i.e. weak conuent transition systems are not necessarily -inert with respect to $w . s



s0

(3)

a

O

O t

t0

This transition system is weakly conuent but s ;;; t does not connect bisimilar states if a 6 . Note that (3) is not -well-founded. In Theorem 3.6 we prove that -well-founded, weakly conuent transition systems are -inert with respect to $w . This means that we can not replace (3) by a -well-founded counter example. The following lemma is very useful and frequently used in the remaining of the paper. Lemma 3.4. Let (S ;;; ) be -well-founded and weakly conuent for . Let s ;;; s and s ;;; t, then there exists a t such that s ;;; t and t ;;; t . In a diagram: 0

0





0

0



0



0

0



s

s0





O



t

O

t0

Proof. We use induction on d (s). Note that the lemma is trivial if s  s or s  t. (In particular, the lemma is trivial for d (s) = 0.) Suppose that s 6 s and s 6 t, say s ;;; u ;;; t and s ;;; u ;;; s . Assume that the lemma holds for all x satisfying d (x) < d (s). We 0

0

0



0

distinguish two cases:

6



 s ;;;

u

and s ;;;

u0

are identical. We can draw the following picture: u

s

u



s0

0





O



t0

t

;;;  s ;;; 

t



and s ;;; u and s ;;;

t0



0



t0 u0

O

exist because the lemma holds (by induction) in u. are dierent. Now we can draw the following picture: 

u0

s

s0



O



O





u

u





O



O



t

O

s00

00



t00

O

s0

The upper-left part of the diagram is given by weak conuence for . The other parts are given by induction hypotheses for u, u and u . 0

00

2

We can not omit ` -well-foundedness' as a condition in Lemma 3.4. As a counter example take (3) with a  . The following relations form the core of all our `conuence implies -inertness' proofs. , f(x y) j x ;;; yg Bw , f(x y ) j x ;;; y _ x $w y g: Lemma 3.5. Let (S ;;; ) be -well-founded and weakly conuent, then is a weak bisimulation on (S ;;; ): (4) 

Proof. Let s s , i.e. s ;;; s , then we have to show: a a (i) s ;;; t =) 9t : s  t ^ t t a a t ^ t t (ii) s ;;; t =) 9t : s  a a (ii) is easy, take t  t then s  t since s ;;; s ;;; 



0

0

0

0

0

0

 0

 0

0



0

reexivity of



.

7

0

t0

. Furthermore t

t

 0

holds by

By induction to d (s) we show that (i) holds. If s  s (and in particular, if d (s) = 0) the lemma is trivial: take t  t. Assume that (i) holds for all states x with d (x) < d (s). Let s ;;; s ;;; s . We are in the following situation: 0

0



00

0



s

s00

s0

a

O t

In case a  then we apply Lemma 3.4. If a 6 then we can draw the following diagram: 

s

s00

s0 



O

O



u

a

v

a

a

O

O



u0

v0



O



O



O



t

t

t0

00

The left part of the diagram is given by weak conuence. The upper-right part is given by Lemma 3.4. The middle-right part is given by applying the induction hypothesis on u v and a u ;;; u , using that d (u) < d (s). Finally the lower-right part of the diagram is given by a applying Lemma 3.4 again. We are done because t t and s  t. 2 

0

 0

0

0

Theorem 3.6. Weakly conuent transition systems are -inert with respect to $w . Proof.  $w by Lemma 3.5. Now s ;;; t =) s t =) s $w t. 



2

On page 5 we mentioned that -inertness with respect to $w does not imply strong conuence. The same ( -well-founded) counter example2 illustrates that -inertness with respect to $w does not even imply weak conuence. So weak conuence and -inertness with respect to $w are independent notions. If we restrict ourselves to the -well-founded transition systems we have strict inclusion of the weakly conuent transition systems into the transition systems that are -inert with respect to $w . 2 Diagram (2) with a  , on page 4

8

3.3 Weak bisimulation conuence

In the denition below we introduce yet another notion of conuence. This thirth notion is optimal in the sense that it is equivalent with -inertness with respect to $w for -well-founded systems.

Denition 3.7. A transition system (S ;;; ) is called weakly $w -conuent for a i for each a 

pair s ;;; t and s ;;; s of dierent steps there exists states u and u such that u $w u ,  a s  u and t ;;; u. In a diagram: 0

0

0

0

0

s

s

a O t

a O $ u wu

0



0

A transition system (S ;;; ) is called weakly $w -conuent i it is weakly $w -conuent for a, for all a 2 Act.

We want to prove that in -well-founded transition systems `weak $w -conuence' implies ` inertness with respect to $w '. In order to prove this we can not simply `copy' the proof of Lemma 3.5, since is not necessarily a weak bisimulation on weakly $w -conuent transition systems, as the following example shows: 

s

t

(5) a a O O s t Here = f(s s) (s  s ) (s t) (t t) (t  t )g is not a weak bisimulation although the transition  s $w t . The diagram above is also an example of system is weakly $w -conuent since s ;;; 0



0

0

0

0

0

a transition system that is weakly $w -conuent but not weakly conuent. 0

0

0

The following lemma is used in the proof of 3.9.  Lemma 3.8. Let (S ;;; ) be -well-founded and weakly $w -conuent. Let s ;;; s and ~ a a s  t. There exists a state t such that tBw t and s  t . In a diagram: 0

0

0

s

0



0

s

0

a O t

Bw~ 9

a O t 0

Proof. We use induction on d (s). If s  s (and in particular if d (s) = 0) then the lemma is 0

trivial. Suppose that s ;;; s ;;; s and assume that the lemma holds for all states x such that d (x) < d (s). If a  then t  s satises the required properties, namely tBw~ t since     t ;;; s ;;; s and s  t by reexivity of  .  a  Assume that a 6 . Say s ;;; v ;;; u ;;; t. We distinguish two cases:  v  s. We can draw the following picture: 00

0

0

0

0

0

0

0

s

s

a O u

a O $ u wu

 00



Bw~

0

00

s

0

a O t 0



O t The left-part of the diagram is given by weak conuence and the right-part of the diagram follows from applying the induction hypothesis on s , which is allowed since d (s ) < d (s). Now tBw~ t and s ==a= t so t satises the required properties. v 6 s. We are in the following situation: 00

0



0

0

00

0

s

s

0



O v

O v



0

a O t

a O t

Bw~

0

The upper-part of the diagram follows directly from Lemma 3.4 and the lower-part of the diagram is given by application of the induction hypothesis on v, which is allowed since a d (v) < d (s). We are done because tBw~ t and s  t. 0

0

0

2

Lemma 3.9. Let (S ;;; ) be -well-founded and weakly $w -conuent, then the equivalence ~ relation Bw , dened on page 7, is a weak bisimulation on (S ;;; ). 10

Proof. As sBw~ s , we may assume that there exists an n  0 such that 0

s  x0 Bw x1 Bw  Bw xn 1Bw xn  s : 







0

;

We have to show: a a (i) s ;;; t =) 9t : s  t ^ tB~w~ t a a (ii) s ;;; t =) 9t : s  t ^ tBw t Since Bw~ is symmetric we have (i)()(ii). We prove (i). 0

0

0

0

0

0

0

Proof of (i): We prove the following slightly stronger result by induction to n: a s  t =) 9t : s 0

0

 a

t

0

^ tB~ t : w

(i )

0

0

For n = 0 the validity of (i ) is trivial. Let n > 0 and assume that the lemma holds for n ; 1. Consider the following diagram: 0

x0 a O t

Bw~

xn

Bw~

a O u

;

Bw

1

xn



u is given by the induction hypothesis. We distinguish three cases for xn 1Bw xn: ;

Bw~

x0

xn

;



xn

1

a O u

a O t

Bw~ Applying Lemma 3.8 gives a state t satisfying the right properties. If xn 1 $w xn then use the  denition of weak bisimulation and if xn 1 ;;; xn then simply take t  u. 2 0

;

0

;

Theorem 3.10. Let (S ;;; ) be -well-founded. Then (S ;;; ) is weakly $w -conuent i (S ;;; ) is -inert with respect to $w .

Proof. Let (S ;;; ) be -well-founded.

(=)) By Lemma 3.9, the equivalence relation Bw~ , dened on page 7, is a weak bisimulation.  Since $w is the union of all weak bisimulations, we have Bw~ $w . Now s ;;; t =) sBw~ t =) s $w t. a  ((=) Let s ;;; t and s ;;; s . Then s $w s since (S ;;; ) satises (1). Now, by denition, a there exists a state t such that s  t and t $w t , so we are done. 2 0

0

0

0

0

0

11

Note that we need the -well-foundedness of (S ;;; ) only in the proof from left to right (it allows us to apply Lemma 3.9). We conclude this section with an overview of the results, which have been depicted in Figure 1. Below the horizontal line we have the -well-founded transition systems. We see that strong conuence always implies -inertness with respect to $w . The other two notions of conuence do not imply -inertness with respect to $w . However, the counter examples are all -non-wellfounded (above the horizontal line). Finally, we see that weak $w -conuence and -inertness with respect to $w coincide for -well-founded transition systems (below the horizontal line).

$ ' $ ' '' $$ & % & % & % weakly $w -conuent weakly conuent

 -inert with respect to $w

strongly conuent

?

 -well-founded

?

?

Figure 1: The transition sytems in a diagram

4

Other graph equivalences

In this section we study the consequences of replacing $w in Section 3 by other process equivalences. From the large variety of equivalences, that have been proposed to capture the behavioural aspects of processes (see e.g. 16]), we chose strong bisimulation, branching bisimulation and nite trace equivalence. This choice is motivated by the fact that these three equivalences are frequently used in the eld of process theory.

4.1 Two denitions generalised

We generalise those notions of Section 3 that assume an equivalence relation on S . Denition 4.1. Let  S  S be an equivalence relation. A transition system (S ;;; ) is called a-inert with respect to  i a s ;;; t =) s  t for all s t 2 S

12

Denition 4.2. A transition system (S ;;; ) is called weakly -conuent for a i for each a 

pair s ;;; t and s ;;; s of dierent steps there exists states u and u such that u  u ,  a s  u and t ;;; u. In a diagram: 0

0

0

0

0

s

s

a O t

a O uu

0



0

A transition system (S ;;; ) is called weakly -conuent i it is weakly -conuent for a, for all a 2 Act.

4.2 Strong bisimulation

Denition 4.3. A relation R S S is called a strong bisimulation on (S ;;; ) and (S  ;;;I) 0

i

0

(

a a t =) 9t : s ;;; I t ^ tRt sRs =) ss ;;; a a ;;;I t =) 9t : s ;;; t ^ tRt for all s 2 S and for all s 2 S . 0

0

0

0

0

0

0

0

0

0

We say that R is a strong bisimulation on (S ;;; ) i R is a strong bisimulation on (S ;;; ) and (S ;;; ). Similar to weak bisimulation we have that the union of any collection fRi gi2I of strong bisimulations on (S ;;; ) and (S  ;;;I) is again a strong bisimulation on (S ;;; ) and (S  ;;;I). The maximal strong bisimulation on (S ;;; ) and (S  ;;;I) is denoted by $. If s $s t then we say that s and t are strongly bisimilar. The relation $ is an equivalence relation. 0

0

0

About the state of aairs, in case we replace $w in Section 3 by $, we can be short. Non of the notions of conuence, presented in this section, is strong enough to imply -inertness with respect to $. This follows immediately from the (trivial) fact that even a strongly conuent transition system is not necessarily -inert with respect to $, e.g.

s

t

a

with a 6 , is strongly conuent but not -inert with respect to $.

4.3 Branching bisimulation

u

In the previous subsection we explained that non of the notions of conuence implies -inertness with respect to $. Even stronger graph equivalences than $ of course give the same result and are therefore not interesting for us to analyse here.

13

Branching bisimulation, which we study in this subsection, however, is weaker than strong bisimulation (and stronger than weak bisimulation). We briey explain the dierence between weak- and branching bisimulation:

R

s

s

s

0

R

s

0



a



O u

s

a O u

a O t

0

R

O u

R

a O u

0





O O O R t R t t t For weak bisimulation (see the left diagram above) it is not required that the states that are passed before the a-step are related to s and that the states, that are passed after the a-step, a a are related to t. This means that in the simulation s  t of s ;;; t there may be states in which other steps were enabled. In other words: the branching structure is not preserved in the simulation. The basic idea behind branching bisimulation is that this branching structure is preserved in a simulation, by relating the intermediate states as depicted in the right diagram above. Denition 4.4. A relation R S  S is called a branching bisimulation on (S ;;; ) and (S  ;;; ) i 8 a > s ;;; t =) a  ^ tRs ] _ >  a <  9 u u : s ;;; I u ;;; I u ^ sRu ^ tRu ] sRs =) > s ;;; a I t =) a  ^ sRt ] _ >  a : 9u u : s ;;; u ;;; u ^ s Ru ^ t Ru ] 0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

for all s 2 S and for all s 2 S . We say that R is a branching bisimulation on (S ;;; ) i R is a weak bisimulation on (S ;;; ) and (S ;;; ). The union of all branching bisimulations is denoted as $b . Observe that Denition 4.4 is not the relation we informally described above, since we do not enforce the extra relation-requirements for all the intermediate states. Only the states immediately before and after the a-step are subject to this extra requirements. Allthough the informal description above Denition 4.4 is a strictly stronger notion, the union of all such relations (and the union is what actually interests us) equals $b 17]. 0

0

14

Note that the existence of t , as depicted in the diagram above, is always trivially satised since we can take t  u . Therefore, this requirement is omitted in Denition 4.4. We provide the same theorems as for the weak bisimulation case. The proofs are analogous to the corresponding weak bisimulation versions of those theorems. Only a number of extra conditions must be checked. We omit those proofs. 0

0

0

Theorem 4.5. Strongly conuent transition systems are -inert with respect to $b. Theorem 4.6. Weakly conuent, -well-founded transition systems are -inert with respect to

$. b

Theorem 4.7. Let (S ;;; ) be -well-founded, then (S ;;; ) is weakly $b -conuent i (S ;;; ) is -inert with respect to $b .

4.4 Finite trace equivalence

In this subsection we study the consequences of replacing $w in Section 3 by nite trace equivalence, which is denoted as  in this paper. In order to dene  we introduce some notations rst.

Notations. Let A? denote the set of words over A. The empty word is denoted by ". Concatenation of words is denoted by juxta-position. `(w) denotes the length of word w.

`(") = 0 `(a w) = 1 + `(w) for all a 2 A w 2 A?

For the rest of this subsection we x the transition system (S ;;; ). Denition 4.8. Let s 2 S . The set Traces(s) of traces starting from s, is the smallest set of words over Act, satisfying  a Traces (s) = fext (a)  j s ;;; t ^  2 Traces (t)g  f"g at

where ext : Act ;! Act? is dened by ext (a) =

Furthermore, we dene Traces (S ) =

S

s2S

(

" if a  a if a 6

Traces (s).

Denition 4.9. Let s s 2 S then s  s i Traces (s) = Traces(s ). 0

It is a well-known fact that

0

$  w

0

so statements like

Weakly/strongly -conuent systems are -inert with respect to 15



are trivial consequences of 3.2 and 3.6. However, a  -version of Theorem 3.10 (from left to right) is not trivially implied by 3.10, since the equivalence  also appears in the notion of conuence. So not only the proof obligation but also the premise is weakened. Let Tracesn (s) = fx j x 2 Traces (s) ^ `(x)  ng. Tracesn (s) is the set of traces, starting from s, with length less or equal to n. Now  Traces (s) = Tracesn(s) n2IN

and s  s i Tracesn (s) = Tracesn (s ) for all n 2 . We write s n t i Tracesn (s) = Tracesn(t). A trace  2 Tracesn(s) n Tracesn(s ) is called an n-distinguishing trace for (s s ). Denition 4.10. Let s 2 S . The set Execs(s) of executions starting from s, is the smallest set, satisfying  a a Execs(s) = fs ;;;  j s ;;; t ^  2 Execs(t)g  fsg 0

0

IN

0

0

at

Furthermore we dene Execs(S ) = Ss S Execs(s). We also write `() for the length3 of  for all  2 Execs(s). Theorem 4.11. -well-founded, weakly  -conuent transition systems are -inert with respect to . Proof. We have to prove that  x ;;; y =) x  y for all x y 2 S: (6) Assume that (6) does not hold in general, i.e. there exist triples (x y z ) 2 S  S  such that  x ;;; y and x 6z y. Let (s s  n) be such a triple, and assume that n is minimal, i.e.  (7) (x ;;; y ^ x 6z y) =) z  n for all triples (x y z ): 2

IN

0

 Since Traces (s ) Traces (s), which follows immediately from s ;;; s , and since Tracesn(s) 6= Tracesn(s ), there is an n-distinguishing trace fora (s s ). Note that n > 0 because Traces0 (u) = " for all u 2 S . Let   ext (a)  with s ;;; t and  2 Traces (t) be such a trace. 0

0

0

0

0

Assume that a 6 . Now `() = 1 + `( ) so  a  on s ;;; t and s ;;; s gives 0

0

0

3

0

2 Traces

n;1

(t). Applying weak -conuence

s

s

a O t

a O uu

0



0

the number of steps of , not the number of states

16

Since 2 Tracesn 1 (u ) implies 2 Tracesn (s ), we conclude that 62 Tracesn 1 (u ). Moreover, 62 Tracesn 1 (u) because u  u . Let t  x0 ;;; : : : ;;; xm  u. Combining xi ;;; xi+1 with (7) gives that xi n 1 xi+1 for all i 2 f0 : : :  m ; 1g. Now, transitivity of n 1 leads to t n 1 u , contradicting that 2 Tracesn 1 (t) n Tracesn 1 (u ). 0

;

0

0

0

0

;

0

0

;

;

;

0

;

;

;

0

0

We conclude that a   . In other words: the rst step, corresponding to an n-distinguishing trace, must be a  -step. Now = ext ( ) = " = so `( ) = `( ) = n and 2 Tracesn (t). Moreover, we have that 62 Tracesn (u) because 62 Tracesn (s ). From the transitivity of n it now follows that xi 6n xi+1 for some i 2 f0 : : :  m ; 1g. Thus, we have constructed another minimal triple (xi  xi+1  n) on which we can apply the same argument. However, since s ;;; t  x0 ;;; : : : ;;; xi we know that d (xi ) < d (s), which means that we nd an in nite decreasing sequence of `counter-examples' for (6). This contradicts the  -well-foundedness of (S ;;; ), so the assumption that (6) is not generally valid is violated. 2 0

0

0

0

0

0

0

5 Transition systems that are not -well-founded Most of the results in Sections 3 and 4 rely on  -well-foundedness of the transition system in question. However, many realistic examples of protocol speci cations correspond to transition systems that are not  -well-founded. As soon as a protocol internally consists in some kind of correction mechanism (e.g. retransmissions in a data link protocol) the speci cation of that protocol will contain a  -loop. In Section 8.2 we see an example of this phenomenon. Since we feel applicability to realistic examples is important, we considered the requirement that the transition system has to be  -well-founded a serious drawback. Therefore, we distinguish what we will call progressing  -steps and non-progressing  -steps. This enables us to formulate a slightly more subtle notion of conuence, which is suciently strong for our purposes and only relies on well-foundedness of the progressing  -steps.

5.1 Progressing and non-progressing -steps Convention 5.1. We use the following notations:

s ;;>; t for a progressing  -step from s to t, s ;;; t or s ;; t for s ;;>; s ;;a; t ;;>; t. s a> t for s ==a=> t _ (a   ^ s ;;>; t). Transition systems where the  -steps are labeled with > or with < are called  -labeled transition systems. Instead of  -inertness with respect to , we try to prove > -inertness with respect to . In a formula: s ;;>; t =) s t (8)     

0

0

17

De nition 2.4 of `weak bisimulation' remains unchanged for  -labeled transition systems. Combined with Convention 5.1(iii) this means that the  -steps mentioned in 2.4 may either be progressing or not.

5.2 Progressing conuence

For each notion of conuence, introduced in Section 3 as well as each notion introduced in Section 4, we can de ne a progressing version. Those progressing versions are given below in de nitions 5.2, 5.3 and 5.4. As we will see, only the rst two notions (de nitions 5.2 and 5.3) are useful to us. The notion of conuence, de ned in De nition 5.4, does not imply > -inertness and is therefore not interesting. A counter example is given in Proposition 5.9. Denition 5.2. A  -labeled transition system (S ;;; ) is called strongly >-conuent (proa > nounce: strongly progressing conuent) i for each pair s ;;; s and s ;;; t of di erent steps there exists a state t such that t ;;>; t and s ;;a; t . In a diagram: > s s 0

0

0

0

0

0

a

a

O > t t Denition 5.3. A  -labeled transition system (S ;;; ) is called weakly >-conuent (proa > nounce: weakly progressing conuent) i for each pair s ;;; s and s ;;; t of di erent steps there exists a state t such that t ;;>; t and s a t . In a diagram: > s s O

0

0

0

0

0

0

0

a

a

O_

>

O



t t Denition 5.4. A  -labeled transition system (S ;;; ) is called weakly >- -conuent (pronounce: weakly progressing -conuent) i for each pair s ;;>; s and s ;;a; t of di erent steps there exist states u and u such that t ;;>; u, s a u and u u . In a diagram: > s s 0

0

0

0

0

0

0

a O

a > 

O_

t u u Theorem 3.2 and Theorem 3.6 have a progressing counterpart, stating that the progressing version of the conuence notion in question implies >-inertness with respect to . 18

0

Theorem 5.5. Strongly >-conuent transition systems are >-inert with respect to , for 2 f$w  $b  g.

Proof. Analogous to the corresponding proofs in sections 3 and 4.

2

Lemma 5.6. Let (S ;;; ) be >-well-founded and weakly >-conuent for > . Let s ;;>; s  

0

and s ;;>; t, then there exists a t such that s ;;>; t and t ;;>; t . In a diagram: > s s 0

0

0

0



0

>

>





O

t Proof. Analogously to the proof of Lemma 3.4.

O

> 

t

0

2

Lemma 5.7. Let (S ;;; ) be >-well-founded and weakly >-conuent, then x ;;>; yg

> = f(x y) j

is a weak bisimulation. Proof. Let s >s , i.e. s ;;>; s , then we have to show: (i) s ;;a; t =) 9t : s a t ^ t > t (ii) s ;;a; t =) 9t : s a t ^ t > t  ; s ;;a; t . Furthermore t t holds by (ii) is easy, take t  t then s a t since s ;; > reexivity of > . By induction to d> (s) we show that (i) holds. If s  s (and in particular, if d> (s) = 0) the lemma is trivial: take t  t. Assume that (i) holds for all states x with d> (x) < d> (s). Let s ;;>; s ;;>; s . We are in the following situation: > > s s s 

0

0

0

0

0

0

0



0



0

0

0



0

0



0

0

00

0



00

0

a O

t In case a  > then we apply Lemma 5.6. If a  < then there exists (by weak >-conuence) a  t . If s ;;>; t then we can draw the following diagram: state t such that t ;;>; t and s  > > s s s 0

0

0

0

0

0



00

0

>






O

t



O

> 

t

00

19

> 

O

t

0

The right-part of the diagram is given by Lemma 5.6. The case s ;;>; u ;;; t is treated like the general case a 6  . If a 6  then we can draw the following diagram: > > s s s 0

0

0



00

>

> 



>

O

O



u

a

0

v

a

a O

O

> 

u

0

v

>

0

>





O

O  t t t The left part of the diagram is given by weak >-conuence. The upper-right part is given by Lemma 5.6. The middle-right part is given by applying the induction hypothesis on u > v and u ;;a; u , using that d> (u) < d> (s). Finally the lower-right part of the diagram is given by applying Lemma 5.6 again. We are done because t > t and s a t . 2

>

O





00

0



0



0

0

0

Theorem 5.8. Weakly >-conuent, >-well-founded transition systems are >-inert with re-

spect to , for 2 f$w  $b  g. Proof. > $w by Lemma 5.7. Now s ;;>; t =) s >t =) s $w t, which proves the theorem for  $w (and hence also for  ). In order to prove the theorem for  $b some extra conditions have to be checked. 2

Proposition 5.9. Let (S ;;; ) be weakly -well-founded then (S ;;; ) is not necessarily > -inert with respect to , for 2 f$w  $b  g. Proof. Let a 6  . The following transition system is not >-inert with respect to since s4 ;;>; s6 and s4 6 s6. However, weak <  s1  s2  s3  s4 


O

O

s5

s6 20

Suppose R S  S is de ned by s1 Rs5Rs6 and s2 Rs3Rs4 , then one easily veri es that R~ is a branching bisimulation on S . Now (S ;;; ) is weakly >-$b -conuent because > > s4 s3 s4 s6



> 

and




> O O O s3 s2 $b s4 s6 $b s6 Since $b $w  we know that the transition system is also weakly >-$w -conuent and weakly >--conuent so we are done. 2 O



s2



So far, we showed that weak >-conuence is useful to us and weak >- -conuence is not. One might wonder whether there are other ways to relax the notion of weak >-conuence. The obvious way to do this is to allow non-progressing  -steps in either the path t ;;; t or the path s a t . We show that the notions of conuence, thus obtained (weak >-conuence1 and weak >-conuence2 ), do both not imply > -inertness and are therefore not useful to us. 0

0

0

5.10. A system (S ;;; ) is called weakly >-conuent1 i for each pair s ;;a; t Denition  a

and s ;;>; s of di erent steps there exists a state t such that t ;;; t and s > t . In a diagram: > s s 0

0

0

0

0

0

a

a

O



a

s



O_

t t Now the following transition system is weakly >-conuent1 but not > -inert with respect to , for 2 f$w  $b  g. s >

0

0

b

s

00

(9)


-conuent since the  -step satisfying t ==b=> t and s ;; from s to t is non-progressing. O

0

0

0

0

0

00

00

00

00

0

21

Denition 5.11. A system (S ;;; ) is called weakly >-conuent2 i for each pair s ;;a; t  a and s ;;>; s of di erent steps there exists a state t such that t ;;>; t and s  t . In a diagram: > s s 0

0

0

0

0

0

a

a O

>

O



t t The following transition system is weakly >-conuent2 but not > -inert with respect to , for 2 f$w  $b  g. > s s < (10) a > 0

0

O

O

t t The progressing  -step from s to t does not connect weakly bisimilar states. (10) is weakly >-conuent2 because the following properties hold: > > s t s s 0

0

0

0

a

a

O

t

> 

0

0


and < if progressing and non-progressing  's are distinguished) has no data parameter. In 4] summands without a recursive call are also allowed in the de nition of a linear process. We omit these summands here. It is straightforward to see how a linear process equation determines a transition system. The process p(d) can perform an action a(fa (d ea )) for every a 2 Act and every data element ea of sort Ea , provided the condition ba (d ea ) holds. The process then continues as p(ga (d ea )). Hence, the notions de ned in the previous sections carry over directly. It is well-known that modulo strong bisimulation a deterministic linear process equation has a unique solution p which is called a deterministic linear process (D-LP). A linear process is called convergent i the corresponding transition system is  -well-founded. If we distinguish progressing and non-progressing  's, we use the notion convergence with respect to the progressing  's (i.e. > ). Denition 6.2. A linear process as de ned in de nition 6.1 is called >-convergent i there is a well-founded ordering < on D such that for all d : D and e> : D> if b> (d e> ), then g> (d e> ) < d. The > symbol in `>-convergent' refers to `progressing' and not to the ordering on D. However, the ordering on D and the labeling on  -steps are closely related. Typically, the  -steps that are labeled with > are precisely those  -steps p(d) ;;; p(d ) satisfying d < d. So after each performence of a progressing  -step one is moved towards a state with a value that is strictly smaller with respect to some well-founded ordering. Thus, the progressing  -steps express progression in that sense that progression is made in the execution of internal activity. 0

0

6.2 A condition for strong conuence

We provide sucient criteria for p to be strongly conuent. Let p be a deterministic linear process as de ned in De nition 6.1. The criteria can best be understood via the following diagram.  p(d) p(g (d e ))

a(fa (d ea )) O

a(fa (g (d e ) ea )) 0

O



p(g (ga (d ea ) e )) = p(ga (d ea )) p(ga (g (d e ) ea )) Note that in this diagram p(ga (d ea )) and p(g (d e )) are supposed to be dierent if a =  . We summarise the conditions in the following theorem. 0

0

23

Theorem 6.3. The process p as de ned in De nition 6.1 is strongly conuent if for all a 2 Act , e1 : Ea  e2 : E such that (i) a =  ) ga (d e1 ) 6= g (d e2 ) (ii) ba (d e1 ) ^ b (d e2 ) the following property holds:

8 >> fa(d e1 ) = fa(g (d e2 ) e3 ) ^ < e2 ) e3 ) ^ 9e3 : Ea  e4 : E > bba ((gg ((d >: g (ga (dd ee1 )) ee4 )) =^g (g (d e ) e ): a 

2

3

 a

1

4

6.3 A condition for weak progressing conuence

In this section we derive a condition to establish that a D-LP is weakly conuent. This is more involved, because we must now speak about sequences of transitions. In order to keep notation compact, we introduce some convenient abbreviations. Let   : : : range over lists of pairs h a ea i with a 2 Act and ea : Ea . We de ne Gd ( ) with d 2 D by induction over the length of : Gd ( ) = d Gd ( h a ea i) = ga (Gd ( ) ea ) Each determines an execution fragment: (fa ( d () ea )) p| (d) ;;;;;;;;;;;{z;; p(Gd ( ))} ;;a; ;;;;;;;;;; p(Gd ( h a ea i)) determined by is the execution fragment determined by h a ea i. This execution fragment is allowed for p(d) i the conjunction Bd ( ) of all conditions associated to the actions in evaluates to true . The boolean Bd ( ) is also de ned by induction to the length of : Bd ( ) = true Bd ( h a ea i) = Bd ( ) ^ ba (Gd ( ) ea ) We write 1 ( ) for the sequence of actions that is obtained from by applying the rst projection to all its elements. 1 ( ) =

1 ( h a ea i) = 1 ( )a The diagram for weak >-conuence can be redrawn instantiated for D-LPs as shown below. The actions in the (possibly empty) sequences 1  2 and 3 must all be progressing  -steps, that is: 1 ( i ) = > for all i = 1 2 3. > p(d) p(g> (d e> )) 0

G



a(fa (d ea )) O

p(ga (d ea ))

a(fa (Gg> (de> ) ( 1 ) ea ))O _ > p(Gga(dea ) ( 3 ) = p(Gg> (de> ) ( 1 h a ea i 2 )) 0



0

24

We summarise this diagram in the following theorem. Due to its generality the theorem looks rather complex. However, in those applications that we considered, the lists that are existentially quanti ed were mainly empty, which trivialises major parts of the theorem. Theorem 6.4. The process p as de ned in De nition 6.1 is weakly >-conuent if p is >convergent and for all e1 : Ea  e2 : E> such that (i) a = > ) ga (d e1 ) 6= g> (d e2 ) (ii) ba (d e1 ) ^ b> (d e2 ) the following property holds: 8 > 1( i) = > for all i = 1 2 3 ^ >>< fa(d e1 ) = fa(Gg (de2) ( 1 ) e3 ) ^ > 9 1 e3  2  3 > Bga(de1 ) ( 3 ) ^ >> Bg> (de2 )( ) ^ : Gga(de1 )( 3 ) = Gg> (de2) ( ) 

where = 1 h a e3 i 2 , or a =  and =

1 2

.

7 State space reduction Here we employ the results about conuence and  -inertness that we have obtained thus far to achieve state space reductions and to simplify the behaviour of processes. In this section we work in the setting of branching bisimulation, but the results apply to weak bisimulation as well. First we present the results on transition systems in general, and then on linear processes. This is done as for transition systems the results are easy to understand. However, as argued in the previous section, the results can be applied more conveniently in the setting of linear processes.

Denition 7.1. Let T1 = (S ;;; ) and T2 = (S ;;;I) be  -labeled transition systems. We

call T2 a  -Prioretised-reduction (TP-reduction) of T1 i (i) ;;;I ;;; , (ii) for all s s 2 S if s ;;a; s then s ;;a;I s or s ;;>;I s for some s . Clearly, T2 can be obtained from T1 by iteratively removing transitions from states as long as these keep at least one outgoing progressing  -step. It does not need any comment that this may considerably reduce the state space of T1 , especially because large parts may become unreachable. The following theorem states that if T1 is > -inert with respect to $w , then a TP-reduction maintains weak bisimulation. As conuence implies  -inertness, this theorem explains how conuence can be used to reduce the size of transition systems. Theorem 7.2. Let T1 = (S ;;; ) and T2 = (S ;;;I) be  -labeled transition systems. Let $b be the maximal branching bisimulation on T1 and T2 . If T1 is >-inert with respect to $b and T2 is a  -well founded TP-reduction of T1 then s $b s for each state s 2 S . 0

0

0

25

00

00

Proof. Let R denote the union of all branching bisimulations on T1. Since T1 is >-inert with respect to $b we have (by de nition) that s ;;>; s =) sRs

(11) holds. We prove that R is a branching bisimulation on T1 and T2 . Then, by de nition, R $b and the theorem follows immediately since sRs for all s 2 S . Let sRs . We have to prove: (i) s ;;a; t =) a   ^ tRs ] _ 9u u : s ;;;I u ;;a;I u ^ sRu ^ tRu ]  ; u ;;a; u ^ s Ru ^ t Ru ] (ii) s ;;a;I t =) a   ^ sRt ] _ 9u u : s ;; We rst prove (i). Suppose s ;;a; t. We are in one of the following situations: 0

0

0

0

0

0

0

0

0

0

0

s R

s

0

R

0

R

s

0



0

or

t

0

s

 O

0

0

u

O

R

s

u

a

0



a O

O

R u The existence of u and u as depicted above is given by the de nition of R. If all transitions of s ;;; u occur in T2 (and in particular if s  u ) then we are done. To settle (i) in the other case | i.e. the case that not all transitions of s ;;; u occur in T2 (and in particular s 6 u ) | we prove that the following property holds: R s s s R s t

0

0

0

0

0

0

0

0

0

0

0

0

 s





O

R

u

a

=)

s

O

O

H

R

y

a

a



a H

O

t R y t R u We use induction on d (s ). Here, d is de ned with respect to T2 , i.e. d (x) equals the number of ;;;I-steps that can be executed from x.  ; u ;;a; u of T , such that Let v and v be those states occurring in the path s ;; 1   ; u ;;a; u that does not s ;;;I v ;;6;I v . Id est, v ;;; v is the rst transition of s ;; 0

0

0

0

0

0

0

0

0

0

26

0

occur in T2 . We can draw the following diagram: R s s

0

 s

>

H

R

v

 s



Iz



O

R

u

a

a O

O

R u t  ; u ;;a; u , if v  u then v ;;; v is If s  v then v ;;; v is the rst transition of s ;;  a the last transition of s ;;; u ;;; u and otherwise v ;;; v is an intermediate transition  ; u ;;a; u . of s ;; The transition v ;;>;I z exists because T2 is a TP-reduction of T1 . Since ;;;I ;;; we can conclude vRz , using (11). Furthermore sRz (by transitivity of R) and d (z ) < d (s ). Since R is a branching bisimulation on T1 there exist states x and x as depicted below: > s R v Iz  0

0

0

0

0

0

0

0

0

0

0

0

0



O

u .. .

s

R

a





O

x

a

O

R

t

27

O

x

0

Now, by the induction hypothesis, there exist states y and y such that > s R v  0

Iz



O

u .. .

s





H

R

y

a

a H

O

R t and we are done because y and y satisfy the required properties.

y

0

0

The validity of (ii) is easy. Suppose s ;;a;I t . We are in the following situation: 0

0

s

R

s

0

a H

t Since ;;;I ;;; we have that s ;;; t . Now there exist states u and u as depicted below since R is a branching bisimulation on T1 . s R s 0

0

0

0

0





O

u

R

a

s

0

a

O

u

R

0

so we are done. 28

H

t

0

2

As has been shown in the previous section, weak >-conuence can relatively easy be determined on Linear Processes. We provide a way to reduce the complexity of a Linear Process. Below we reformulate the notion of a TP-reduction on linear processes. We assume that p is a linear process according to de nition 6.1 and that the data sort E is ordered by some total ordering , which assigns priority among  -actions in the TP-reduction. Denition 7.3. The TP-reduction of p is the linear process X X a(fa (d ea )) pr (ga (d ea ))  ba (d ea ) ^ ca (d ea ) pr (d) = a Act ea :Ea 2

(

where

e> : E> b(d e> ) if a 6= > ca (d ea )  :9 :9e> : E> ea  e> ^ b(d e> ) if a = > Note that for the sake of conciseness, we use 9 in the condition ca (d ea ), which does not adhere to the formal de nition of CRL. Theorem 7.4. If the linear process p is >-convergent and weakly >-conuent, and if pr is convergent, then for all d : D p(d) $b pr (d)

8 Two examples We illustrate how we apply the theory by means of two examples, where the structure of the processes is considerably simpli ed by a conuence argument.

8.1 Concatenation of two queues

Consider the following linear process Q(q) describing a queue q: X Q(q) = r(er )  Q(in (er  q)) + s(toe (q))  Q(untoe (q))  ne (q) er :Er

The boolean expression ne (q) evaluates to true i q is not empty. The function in is used to insert an element to a queue and the function untoe is used to remove that element of a queue which has been inserted rst. The function toe returns this rst element. Now the following linear process Q(h q1  q2 i) describes the concatenation of two queues q1 and q2 : Q(h q1  q2 i) = Per :Er r(er )  Q(h in (er  q1) q2 i)  true +   Q(h untoe (q1 ) in (toe (q1 ) q2 ) i)  ne (q1 ) + s(toe (q2 ))  Q(h q1  untoe (q2 ) i)  ne (q2 ) As we can see, the process Q(h q1  q2 i) can always read a datum and insert it in q1 . If q2 is not empty then the `toe' of q2 can be sent. The internal action  removes the rst element of q1 and inserts it in q2 . 29

r(::)

-

q1



-

q2

s(::)

-

Using Theorem 6.3 we can straightforwardly prove that Q(h q1  q2 i) is strongly conuent. For the read action r we nd the condition that for all queues q1  q2 and er : Er ne (q1 ) ) 9er : Er er = er ^ ne (in (d q1 )) ^ h in (er  untoe (q1 )) in (toe (q1 ) q2 ) i = h untoe (in (er  q1 )) in (toe (in (er  q1 )) q2 ) i: Similarly, we can formulate the following conditions for the action s. For all queues q1  q2 (ne (q2 ) ^ ne (q1 )) ) toe (q2 ) = toe (in (toe (q1 ) q2 )) ^ ne (in (toe (q1 ) q2 )) ^ ne (q1 ) ^ h untoe (q1 ) untoe (in (toe (q1 ) q2 )) i = h untoe (q1 ) in (toe (q1 ) untoe (q2 )) i: With the appropriate axioms for queues, the validity of these facts is easily veri ed. For the a =  we nd that the precondition a =  ) ga (d e1 ) 6= g (d e2 ) is instantiated to  =  ) h untoe(q1 ) in(toe(q1 ) q2 ) i 6= h untoe(q1 ) in(toe(q1 ) q2 ) i, which is a trivial contradiction. Now, by Theorem 7.4, the following TP-reduced version (see De nition 7.3) of Q(h q1  q2 i) is branching bisimilar to Q(h q1  q2 i). Qr (h q1  q2 i) = P  true ^ empty (q1) + er :Er r(er )  Qr (h in (er  q1 ) q2 i)   Qr (h untoe (q1) in (toe (q1 ) q2 ) i)  ne (q1 ) + s(toe (q2 ))  Qr (h q1  untoe (q2 ) i)  ne (q2 ) ^ empty (q1 ) Note that after the TP-reduction q1 never contains more than one element! 0

0

0

8.2 The alternating bit protocol

The alternating bit protocol (ABP) consists of a sender S , a receiver R and two unreliable channels K and L. (See 2], page 108) All these components can straightforwardly be described by a linear process.

*      2

1

- S

HH Y HH 6 HHH

K

L 30

H HH 3 HHH HHj    5  

R

4

-

The sender

The variables ds , bs and ns are the data parameter, the bit and the state of the sender. If ns = 0 then S can read a fresh datum r1 (x). If ns = 1, it wants to send data to channel K and if ns = 2 then S is waiting for an acknowledgement. S (ds:D bs:IB ns:IN) = Px:D r1 (x) S (x bs  1) ns = 0   + s2(ds  bs) S (ds bs  2) ns = 1   + r6( bs) S (ds bs  1) ns = 2   + r6 (ce ) S (ds bs  1) ns = 2   + r6(bs) S (ds  bs 0) ns = 2   :

:

Note that this linear process is not deterministic because the last three summands of this linear process equation all perform the same action r6 (::).

The channels

We provide linear process equations for the channels K and L. Again, the processes are not deterministic. Analogously to the sender, dk , bk and nk are the data parameter, the bit and the state of channel K . If nk = 0 then K can read a datum. If nk = 1 then K can choose to deliver the datum correctly (nk := 2) or to loose the datum and report a checksum error ce (nk := 3). After delivary of either message, K can read again. K (dk :D bk :IB nk :IN) = Px:D Py:IB r2(x y) K (x y 1) nk = 0   + i K (dk  bk  2) nk = 1   + i K (dk  bk  3) nk = 1   + s3(dk  bk ) K (dk  bk  0) nk = 2   + s3(ce ) K (dk  bk  0) nk = 3   The linear process equation for channel L is almost identical to the linear process equation for channel K we just gave. The only di erence lies in the fact that channel L does not transport any data but only an acknowledging bit. L(b`:IB n`:IN) = Py:IB r5(y) L(y 1) n` = 0   + i L(b`  2) n` = 1   + i L(b`  3) n` = 1   + s6(b`) L(b`  0) n` = 2   + s6(ce ) L(b`  0) n` = 3   The meaning of the parameters of L is exactly the same as the meaning of the corresponding parameters of K .

The receiver

The parameters dr , br and nr are the data, bit and state of the receiver respectively. If nr = 0 then R is waiting for data to arrive via channel K . If nr = 1 then R wants to send an 31

acknowledgement via channel L and if nr = 2 then R is ready to execute action s4 (dr ), i.e. deliver a datum. R(dr :D br :IB nr :IN) = Px:D r3(x br ) R(x br  1) nr = 0   + 1) nr = 0   + P r (xr3 (bce)) RR((xdr  bbr  2) nr = 0   + r r x:D 3 s5(br ) R(dr  br  0) nr = 1   + s4(dr ) R(dr  br  1) nr = 2   :

:

The parallel composition

The parallel composition @fri si j i=2356g (S K L R) can then be described by the following linear process, that is easily calculated from the four components S , K , L and R. In order to improve the readability we write X a=b ] for the process that is obtained from X (::) by replacing b by a. E.g. in the linear process equation for the sender we could have written S 2=ns ] instead of S (ds  bs  2) and so on. k

k

k

X (ds  bs ns dk  bk  nk  b`  n` dr  br  nr ) = P r (x) X x= ]1= ] ns = 0   + n d x:D 1 2 d b 1 c2 (ds bs) X  =n ] =d ] =b ] =n ] ns = 1 nk = 0   + c6 (b`) X 0=n ]0=n ]:b =b ] b` = bs ns = 2 n` = 2   + 1 0 c6 (b`) X  =n ] =n ] b` = bs ns = 2 n` = 2   + 1 0 c6 (ce ) X  =n ] =n ] ns = 2 n` = 3   + d 1 0 c3 (dk  bk ) X  =d ] =n ] =n ] bk = br nr = 0 nk = 2   + d 2 0 : b c3 (dk  bk ) X  =d ] =n ] =n ] =b ] bk = br nr = 0 nk = 2   + 1 0   + c3 (ce ) X  =n ] =n ] nk = 3 nr = 0 0 b 1 c5 (br ) X  =n ] =b ] =n ] nr = 1 n` = 0   + s4(dr ) X 1=n ] nr = 2   + 2 i X  =n ] nk = 1   + 3 i X  =n ] nk = 1   + 2 i X  =n ] n` = 1   + 3 i X  =n ] n` = 1   We assume that initially the alternating bits of S and K are equal and unequal to the alternating bits of L and R. Furthermore we assume that initially all data parameters are equal and that all state parameters are 0. So all initial states are of the form (d b 0 d b 0 b 0 d b 0). In the sequel we abbreviate this state by init (d b). s

s

s

s

k

s

`

s

`

s

`

k

r

s

k

k

r

6

r

^

^

^

`

^

^

^

^

^

k

r

^

^

r

r

^

k

6

r

r

k

s

r

k

s

^

`

r

k

k `

`

:

32

:

Let I = c2  c3  c5  c6  i then I (X (init (d b))) is not  -well-founded. For instance r1 (x) X (init (d b))  X (x b 1 d b 0 b 0 d b 0) f

g

:

:

c2(x b) O c2 (x b)  X (x b 2 x b 1 b 0 d b 0) X (x b 1 x b 0 b 0 d b 0) 4

:

:

:

c6 (ce )

i O X (x b 2 x b 3 b 0 d b 0)

X (x b 2 x b 0 b 3 d b 0) 4

:

:

:

:

i

:

c3 (ce ) O X (x b 2 x b 0 b 0 d b 1)

c5 ( b) X (x b 2 x b 0 b 1 d b 0) will, after hiding, result in a  -loop. This means that we can not use Theorem 3.6 or Lemma 3.9 in order to derive property (1). Theorem 3.2 is also useless since I (X (init (d b))) is obviously not strongly conuent. However, if we divide the  -steps of I (X ) in progressing and nonprogressing ones, such that the result is > -well-founded, then we can apply Theorem 6.4. Let Y be the process obtained from I (X ) by labeling those  -steps that set nk or n` to 3, with < and all the other  -steps with >. Y (d  b  n  d  b  n  b  n  d  b  n ) = P s r s(x)s Ykx=k ]1=k ]` ` r r r ns = 0   + n d x:D 1 > Y 2=n ]d =d ]b =b ]1=n ] ns = 1 nk = 0   + 0 0 : b > Y  =n ] =n ] =b ] b` = bs ns = 2 n` = 2   + 1 0 > Y  =n ] =n ] b` = bs ns = 2 n` = 2   + 1 0 > Y  =n ] =n ] ns = 2 n` = 3   + d 1 0 bk = br nr = 0 nk = 2   + > Y  =d ] =n ] =n ] d 2 0 : b > Y  =d ] =n ] =n ] =b ] bk = br nr = 0 nk = 2   + 1 0 > Y  =n ] =n ] nk = 3 nr = 0   + 0 b 1 > Y  =n ] =b ] =n ] nr = 1 n` = 0   + s4(dr ) Y 1=n ] nr = 2   + 2 > Y  =n ] nk = 1   + 3 < Y  =n ] nk = 1   + 2 > Y  =n ] n` = 1   + 3 < Y  =n ] n` = 1   :

:

s

s

s

s

k

s

`

s

`

s

`

k

r

r

k

^

k

s

6

k

k

r

6

r

^

^

^

`

^

^

^

^

^

k

r

^

^

r

r

s

s

r

r

k

:

:

^

`

r

k

k `

`

In order to proceed we need the following lemma: 33

:

Lemma 8.1. (i) (ii) (iii) (iv) (v)

nk = 0 n` = 0 nr = 0 nr = 0 bs = br 6

6

6

The following invariant properties hold in every state of

> (ns = 2 > (ns = 2 > (nk = 0 > br = b` > (ds = dr

; ; ;

^

; ; ;

^

; ; ;

^

Y (init (d b))

.

ds = dk bs = bk ) nr = 0 nk = 0 br = b`) ns = 2) ^

^

^

; ; ;

; ; ;

^

ns = 0) 6

Proof. Straightforward induction.

2

Next we show that Y (init (d b)) is weakly >-conuent. Since we formulated the conditions for weak >-conuence for deterministic linear processes (Theorem 6.4) we rst formulate a deterministic version Y 0 of Y . Y 0(ds bs  ns dk  bk  nk  b`  n` dr  br  nr ) = P r (x) Y 0 x= ]1= ]  + ns = 0 ns ds x:D 1 0 1 s4(dr ) Y (  =nr ] nr = 2  + " # P  Y 0 3=nk ] if n = 1 (nk = 1 n = 1)  + n:IN < 3= ] if n = 2  ( n n = 2) n` ` = 1 8 2= ]ds= ]bs= ]1= ] if n=1 2 (n =1 n =0 n=1) 3 > ns nk s dk bk k > > 0=ns ]0=n` ]:bs=bs ] if n=2 66 (b` =bs ns=2 n` =2 n=2) 77 > 1 0 >  =ns ] =n` ] if n=3 666 (b` =bs ns=2 n` =2 n=3) 777 > > 77 1=ns ]0=n` ] if n=4 66 (ns=2 n` =3 n=4) > < d 1 0 k 6 P  Y 0  =dr ] =nr ] =nk ] if n=5 6 (bk =br nr =0 nk =2 n=5) 77   n:IN > dk 2 0 : b >  =dr ] =nr ] =nk ] r=br ] if n=6 66 (bk =br nr =0 nk =2 n=6) 77 > 77 > 1=nr ]0=nk ] if n=7 666 (nk =3 nr =0 n=7) > 77 > 0=nr ]br=b` ]1=n` ] (nr =1 n` =0 n=8) if n=8 66 > 75 2= ] > 4 ( n n =9)  if n =9 nk k =1 > : 2= ] (n =1 n=10) if n=10 ^

_

^

^

^

6

^

^

^

_

^

^

^

_

^

6

^

_

^

^

^

_

^

^

^

_

^

^

_

^

^

_

^

n`

_

_

^

`

Lemma 8.2. Y 0(init (d b)) > Proof. Conuence must be checked for all a Act and e1 : E , with respect to all e2 : E . is weakly

-conuent.

2

a

>

We do this by a straightforward application of Theorem 6.4. We have distinguished 140 cases that have been listed in the table below. For 68 cases, marked with a in the table the condition ba (d e1 ) b> (d e2 ) does not hold. In 10 cases, marked with a , the condition a = > ga (d e1 ) = g> (d e2 ) is violated. In 60 of the remaining 62 conuence is immediately clear from the fact that the substitutions do not a ect each other (i.e. they are commutative). These cases are marked with a in the table below. 

^

)

6

34

r1

s4

< 1

< 2

> 1 > 2 > 3 > 4 > 5 > 6 > 7 > 8 > 9 > 10

> 1



> 2

> 3



> 4





> 5



> 6

> 7





> 8



> 9

> 10



 So, there are 2 cases left. Each case corresponds to the choice of a channel to corrupt the datum or not. We only treat the case < 1 and > 9. We take 2 empty and = 1 using that a =   5 and 3 = >  7 . We must now check the three requirements

h

Bg (de ) a 1

( 3 )

> (de2 )

Bg

i

h

( ) and

Gg

i

a (de1 )

( 3 ) =

Gg > (de2 )

( )

These boil down to the following three proof obligations, where the trivial ones have been omitted. All obligations follow from the invariant in Lemma 8.1 in a straightforward fashion as we know that nk = 1.

nr = 0 bk = br

^

nr = 0 and dk = dr :

In the case that br = bs , we take 1 empty and 3 = >  7 >  8 >  10 >  3 >  1 >  9 . The three requirements now become 6

h

h

i h

i h

i h

i h

i

i

nr = 0 n` = 0 br = bs ns = 2 true and ns = 2 br = b` n` = 0 nr = 0 ds = dk bs = bk : These also follow from the invariant and the fact that nk = 1. ^

^

^

6

^

^

^

^

^

2

The TP-reduction now prescribes that in all states where there is a progressing  -step all other actions can be removed. In the cases where nk = 1 or n` = 1 this is applicable we can remove the non-progressing  -steps. By removing all transitions that have become unreachable in this way, we obtain the following simple process of which each state has only one outgoing transition. In particular, the channels have become reliable. One easily veries that this process is convergent. E.g. the natural number 3 (( ns ) mod 3) + 3 ((nr 2) mod 3) nk n` + 4 decreases after each  -step. By Theorem 7.4 this reduced process is branching bisimilar to the alternating bit ;

;

35

;

;

protocol.

Z (ds bs  ns dk  bk  nk  b` n` dr  br  nr ) P r (x) Z x= ]1= ] n d x:D 1 s4(dr ) Z8 1=n ] 2=n ]d =d ]b =b ]1=n ] > > > 0=n ]0=n ]:b =b ] > < P  Z d =d ]2=n ]0=n ]:b =b ] n:IN > > 0=n ]b =b ]1=n ] > 2 > > : 2==n ]] n s

s

r

s

s

s

k

k

`

r

r

k

`

=

r

r

`

s

k

s

s

k

`

k

r

r

if n=1 if n=2 if n=6 if n=8 if n=9 if n=10

 + 3  +

ns = 0 n 2 (n =1 n =0r = n2=1) s k 66 (b`=bs ns=2 n`=2 n=2) 66 (bk =br nr =0 nk =2 n=6) 66 (n =1 n =0 n=8) r ` 64 (nk =1 n=9) (n`=1 n=10) ^

6

^

^

^

^

^

^

_

^

^

^

^

_ _

_

_

77 77 77   75

^

References 1] D.J. Andrews, J.F. Groote, and C.A. Middelburg, editors. Proceedings of the International Workshop on Semantics of Specication Languages, Utrecht, The Netherlands. Workshops in Computing, Springer-Verlag, 1993. 2] J.C.M. Baeten and J.W. Klop, editors. Proceedings of the 1st Conference on Theories of Concurrency, CONCUR '90, Amsterdam, the Netherlands, August 1990, volume 458 of Lecture Notes in Computer Science. Springer-Verlag, 1990. 3] M.A. Bezem and J.F. Groote. A correctness proof of a one-bit sliding window protocol in CRL. The Computer Journal, 37(4):289{307, 1994. 4] M.A. Bezem and J.F. Groote. Invariants in process algebra with data. In B. Jonsson and J. Parrow, editors, Proceedings of the 5th Conference on Theories of Concurrency, CONCUR '94, Uppsala, Sweden, August 1994, volume 836 of Lecture Notes in Computer Science, pages 401{416. Springer-Verlag, 1994. 5] R. Gerth, R. Kuiper, D. Peled, and W. Penczek. A partial order approach to branching time logic model checking. Computer Science Report 94/53, Department of Mathematics and Computer Science, Eindhoven University of Technology, December 1994. 6] J.F. Groote and A. Ponse. Proof theory for CRL: a language for processes with data. In Andrews et al. 1], pages 231{250. 7] J.F. Groote and A. Ponse. The syntax and semantics of CRL. In A. Ponse, C. Verhoef, and S.F.M. van Vlijmen, editors, Proceedings of the 1st Workshop in the Algebra of Communicating Processes, ACP '94, Utrecht, the Netherlands, July 1994, pages 26{62. Springer-Verlag, July 1994. 8] J.F. Groote and J.C. van de Pol. A bounded retransmission protocol for large data packets. A case study in computer checked verication. Technical Report 100, Logic Group Preprint Series, Utrecht University, October 1993. 36

9] G.J. Holzmann and D. Peled. An improvement in formal verication. In Proceedings FORTE 1994 Conference, Bern, Switzerland, 1994. 10] J.W. Klop. Term rewriting systems. In S. Abramsky, D.M. Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer Science, volume 2, pages 1{116. Oxford Science Publications, 1992. 11] H. Korver and J. Springintveld. A computer-checked verication of Milner's scheduler. In M. Hagiya and J.C. Mitchel, editors, Proceedings of the 2nd International Symposium on Theoretical Aspects of Computer Software, TACS '94, Sendai, Japan, volume 789 of Lecture Notes in Computer Science, pages 161{178. Springer-Verlag, 1994. 12] R. Milner. A Calculus of Communicating Systems, volume 92 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 1980. 13] H. Qin. Ecient verication of determinate processes. In J.C.M. Baeten and J.F. Groote, editors, Proceedings of the 2nd Conference on Theories of Concurrency, CONCUR '91, Amsterdam, the Netherlands, August 1991, volume 527 of Lecture Notes in Computer Science, pages 471{494. Springer-Verlag, 1991. 14] M.P.A. Sellink. Verifying process algebra proofs in type theory. In Andrews et al. 1], pages 315{339. 15] F.W. Vaandrager, 1994. Uitwerking Tentamen Protocolvericatie. Unpublished manuscript. 16] R.J. van Glabbeek. The linear time - branching time spectrum. In Baeten and Klop 2], pages 278{297. 17] R.J. van Glabbeek and W.P. Weijland. Branching time and abstraction in bisimulation semantics (extended abstract). Technical Report CS-R8911, CWI, Amsterdam, April 1989.

37