Liveness, Fairness and Impossible Futures
Rob van Glabbeek (Sydney)
Marc Voorhoeve (TUE)
department of mathematics and computer science
1 of 21
Contents
1. Motivation
2. IF equivalence
3. Results
Context
Why yet another equivalence relation?
[Diagram: lattice of equivalences: strong bisim, weak bisim, weak+div, contrasim, IF, fair testing, failure, ready simulation, trace]
Motivation
System development: model-based vs. requirement-based. Combination often preferable.
Equivalence implementation – model: branching/weak bisimilarity?
Advantages: compositional, preservation of any requirement.
Disadvantage: restrictive.
Non-bisim equivalence: compositional when congruence; increases implementer's freedom.
Compositional verification
[Diagram: LTS over t, ok, c, nok, f, i.e. t (nok.f.t)* ok.c; abstraction τ_{ok,nok}(t (nok.f.t)* ok.c); reduction (contrasim) to (t.f)* t c]
Too much freedom!
Processes v, w: failures/ready simulation equivalent!
Legend: t: try, c: connect, f: fail, s: stop.
[Diagram: LTSs of v and w; w has a hidden transition into the corrupted state u]
Corrupted state u: action c impossible. u reachable from w, not v.
Motivation (conclusion)
Non-bisim equivalences: more freedom for implementer.
Needed: knowledge about preservation of properties.
IF (impossible future) equivalence preserves AGEF properties.
Contents
1. Motivation
2. IF Equivalence
   • Preliminary notions
   • Definition
   • Properties preserved
   • Connection with liveness and fairness
3. Results
Transition systems
Process: state in a labeled transition system (LTS).
Legend: t: try, c: connect, f: fail, s: stop.
[Diagram: LTSs gsmspec (initial state v) and gsmimpl (initial state w)]
Transition relations
Set A of visible actions; special hidden action τ.
LTS: pair (S, →), S a set (of states), → ⊆ S × (A ∪ {τ}) × S a ternary transition relation.
Trace relation ⇒ ⊆ S × A* × S.
Example, v = gsmspec: v →t c, c →τ f, f →f v, v →s b, hence v ⇒ε v, v ⇒t c, v ⇒t f, v ⇒tfs b.
Impossible futures equivalence
IF: decorated trace.
IF(p) := {(σ, B) | ∃p' : p ⇒σ p' ∧ ∀ρ ∈ B : p' ⇏ρ}
Example (v = gsmspec):
(t, {fs, c}) ∈ IF(v): v ⇒t d ∧ d ⇏ c
(t, {fs, ft}) ∉ IF(v): v ⇒t c ∧ c ⇒c, v ⇒t f ∧ f ⇒fs
IF equivalence: same IFs: p ≡IF q ⟺ IF(p) = IF(q)
Congruence with root condition:
ax  ay  IF
x  y
a(x  y )
 IF x   ( x  y)
Properties preserved by IF
IF(p) := {(σ, B) | ∃p' : p ⇒σ p' ∧ ∀ρ ∈ B : p' ⇏ρ}
(σ, B) ∉ IF(p) ⟺ ∀p' : p ⇒σ p' ⟹ ∃ρ ∈ B : p' ⇒ρ
Having observed σ, it is possible to continue with a trace ρ from B.
μ-calculus: [σ]⟨B⟩T
CTL: AG σ ⟹ EF(ρ ∈ B)
(AGEF property)
Not IF preserved (not AGEF): (  T   T)
Some AGEF properties
No deadlock/livelock: [T*]⟨T⟩T
Soundness: [T*]⟨T* √⟩T
Delivery (d) possible after order (o): [T* o T*]⟨T* d⟩T
Order that is not confirmed (c) can be aborted (a): [T* o (T∖c)*]⟨T* a⟩T
An order that can be confirmed can be aborted (at the same time): [T* o T*](⟨c⟩T ⟹ ⟨a⟩T)
Not AGEF: ob + o(c + a) ≡IF ob + o(b + c) + o(c + a)
GSM example
Legend: t: try, c: connect, f: fail, s: stop.
[Diagram: LTSs of v (spec) and w (impl); w reaches the corrupted state u]
Corrupted state u: no connection possible. Corrupted state reachable from w, not v.
μ-calculus predicates (AGEF properties):
[T* f]⟨T* c⟩T: paths terminating with f can eventually do c (testable)
[T* f]⟨tc⟩T: paths terminating with f can continue with tc (non-testable)
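To make the IF definition and the GSM predicates concrete, here is an added Python sketch (not code from the slides or their authors) that computes the weak trace relation ⇒, decides (σ, B) ∈ IF(p), searches for an impossible future separating two processes, and checks the non-testable predicate [T* f]⟨tc⟩T. The two LTSs SPEC and IMPL are constructed for this example and only mimic the gsmspec/gsmimpl diagrams; the functions tau_closure, after, in_if, if_distinguish and fail_then_tc are my names.

```python
from itertools import product
TAU = "tau"  # the hidden action

# Constructed GSM-style LTSs (an illustration, not the slides' exact diagrams); actions:
# t try, c connect, f fail, s stop.  Spec v may fail and retry forever but can always still
# connect; impl w can silently enter a corrupted state u from which connecting is impossible.
SPEC = {"v": {("t", "v1"), ("t", "v2"), ("s", "b")},
        "v1": {("f", "v"), ("c", "e")}, "v2": {("f", "v")}}
IMPL = {"w": {("t", "w1"), ("s", "b"), (TAU, "u")}, "w1": {("f", "w"), ("c", "e")},
        "u": {("t", "u1"), ("s", "b")}, "u1": {("f", "u")}}

def tau_closure(lts, states):
    """States reachable from `states` by zero or more hidden steps."""
    seen, todo = set(states), list(states)
    while todo:
        for a, q in lts.get(todo.pop(), ()):
            if a == TAU and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def after(lts, p, sigma):
    """All p' with p ==sigma==> p' (weak trace relation: hidden steps are skipped)."""
    cur = tau_closure(lts, {p})
    for a in sigma:
        cur = tau_closure(lts, {q for s in cur for b, q in lts.get(s, ()) if b == a})
    return cur

def in_if(lts, p, sigma, B):
    """(sigma, B) in IF(p): some p' reached via sigma can perform no trace rho in B."""
    return any(all(not after(lts, q, rho) for rho in B) for q in after(lts, p, sigma))

def if_distinguish(lts1, p, lts2, q, n, m, acts="tcfs"):
    """Bounded search for (sigma, B) in IF(p) \\ IF(q) or IF(q) \\ IF(p), with |sigma| <= n
    and B the set of traces of length <= m that some sigma-successor cannot do; else None."""
    sigmas = [s for k in range(n + 1) for s in product(acts, repeat=k)]
    rhos = [r for k in range(1, m + 1) for r in product(acts, repeat=k)]
    for sigma in sigmas:
        for lts_a, a, lts_b, b in ((lts1, p, lts2, q), (lts2, q, lts1, p)):
            for a1 in after(lts_a, a, sigma):
                B = {r for r in rhos if not after(lts_a, a1, r)}
                if B and not in_if(lts_b, b, sigma, B):
                    return sigma, B
    return None

def fail_then_tc(lts, p, n, acts="tcfs"):
    """AGEF predicate [T* f]<tc>T of the GSM slide, for traces of length <= n."""
    return all(not in_if(lts, p, sigma, {("t", "c")}) for k in range(1, n + 1)
               for sigma in product(acts, repeat=k) if sigma[-1] == "f")
```

On these inputs the search returns the empty trace with a B containing tc: w can silently reach u, which can never connect, so w has an impossible future that v lacks, and the predicate holds for v but fails for w.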
Liveness
Infinite tf-sequence impossible: μX.[tf]X
CTL: AG AF( {t, f}* (c ∨ s))
Implies liveness combined with AGEF property (fairness assumption).
Verify AGEF instead of liveness!
[Diagram: LTSs of v and w as on the GSM example slide]
Contents
1. Motivation
2. IF Equivalence
3. Results
   • Preservation
   • Fair testing
   • Proof method
Preservation results
1. IF congruence preserves all AGEF properties.
2. Any congruence preserving any non-testable AGEF property is at least as fine as IF.
3. Any congruence at least as coarse as weak bisim, satisfying RSP and preserving any nontrivial AGEF property, is at least as fine as IF.
Fair testing (FT)
FT preserves all testable AGEF properties and (assuming fairness) all AGAF properties.
abx + aby ≡FT a(bx + by), but different IFs.
FT does not satisfy RSP: two processes satisfy X ≡FT aX + ab:
[Diagram: two LTSs over a and b, each a solution of X ≡FT aX + ab]
Proof method
Suppose ~ is a congruence w.r.t. CCS composition and there exist σ, B, p, q with p ~ q such that (σ, B) ∈ IF(p) \ IF(q).
Let σ = a1 … an, A = act(p) ∪ act(q), c ∉ A and set C(X) = (X | U0) \ A with
U_{i−1} = ā_i U_i + c(c̄ + τ) (1 ≤ i ≤ n)
U_n = c B̄ (c̄ + τ)
Context C
(σ, B) ∈ IF(p) \ IF(q), i.e. ∃p' : p ⇒σ p' ∧ ∀ρ ∈ B : p' ⇏ρ
[Diagram: the context C(X) = (X | U0) \ A, where U0 offers ā1, then ā2, …, ān down to Un]
C(p) ⇒ (p' | Un) \ A ⇏ c c̄
C(q) ⇒ (q' | Un) \ A ⇒ c c̄
( , {c c̄}) ∈ IF(C(p)) \ IF(C(q))
Conclusions
1. Many system safety and liveness properties are of AGEF kind. AGAF liveness: AGEF + fairness.
2. IF and FT: compositional verification of AGEF properties.
3. FT: only testable AGEF properties; RSP cannot be used.
Thank you for your attention
Composition
Systems built from components.
[Diagram: components C1, C2, C3 with ports a, b, c, d, e composed as (C1 | C2 | C3) \ {d, e}, where C1 = (D1 | D2) \ {f}]
Verification
Verify property, e.g.: b may eventually occur after a: [T* a]⟨T* b⟩T
[Diagram: LTS over a, b, c]
Possible: prove e.g. τ_{c}(S) ≡w a* ab
Advantage: compositionality. Simplify components.
Disadvantage: cumbersome, restrictive.
Alternative: non-bisim equivalence that is a congruence w.r.t. composition and preserves requirements!