
Rob van Glabbeek (Sydney) Marc Voorhoeve (TUE)

  1. Rob van Glabbeek (Sydney) Marc Voorhoeve (TUE) Liveness, Fairness and Impossible Futures

  2. Contents • Motivation • IF equivalence • Results

  3. Context: Why yet another equivalence relation? (Diagram of the equivalence spectrum: IF, contrasim, weak bisim, fair testing, weak+div, trace, strong bisim, failure, ready simulation.)

  4. Motivation. System development: model-based vs. requirement-based; a combination is often preferable. Equivalence implementation – model: branching/weak bisimilarity? Advantages: compositional, preservation of any requirement. Disadvantage: restrictive. Non-bisim equivalence: compositional when a congruence; increases the implementer’s freedom.

  5. Compositional verification abstraction reduction (contrasim)

  6. Too much freedom! Processes v, w: failures/ready simulation equivalent! (Diagram: v, w, corrupted states; hidden and visible actions.) Legend: t: try, c: connect, f: fail, s: stop. Corrupted state u: action c impossible; u reachable from w, not from v.

  7. Motivation (conclusion). Non-bisim equivalences: more freedom for the implementer. Needed: knowledge about preservation of properties. IF (impossible future) equivalence preserves AGEF properties.

  8. Contents • Motivation • IF Equivalence • Results • Preliminary notions • Definition • Properties preserved • Connection with liveness and fairness

  9. Transition systems. Process: state in a labeled transition system (LTS). (Diagram: gsmspec and gsmimpl, processes v and w.) Legend: t: try, c: connect, f: fail, s: stop.

  10. Set A of visible actions; special hidden action. Transition relations; v = gsmspec. LTS: pair , S a set (of states), a ternary transition relation; trace relation.

  11. Impossible futures equivalence. IF: decorated trace. IF equivalence: same IFs. Congruence with root condition:

  12. Properties preserved by IF. Having observed a, it is possible to continue with a trace b from B. μ-calculus: CTL: (AGEF property). Not IF preserved (not AGEF):
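To make slides 6, 11 and 12 concrete, here is an added Python example (not from the talk) that computes failures and impossible-futures signatures for two small constructed processes, p = a.b.c + a.b.d and q = a.(b.c + b.d): they have the same failures but different impossible futures, and the AGEF-style property "after observing a, the trace bd is still possible" holds for q only, so failures equivalence does not preserve it while IF equivalence does. It assumes finite acyclic LTSs with the hidden action written "tau".

```python
TAU = "tau"  # the hidden action
# Constructed example (not the slides' GSM processes), as transition tables:
#   p = a.b.c + a.b.d          q = a.(b.c + b.d)
P = {"p0": [("a", "p1"), ("a", "p2")], "p1": [("b", "p3")], "p2": [("b", "p4")],
     "p3": [("c", "p5")], "p4": [("d", "p5")], "p5": []}
Q = {"q0": [("a", "q1")], "q1": [("b", "q2"), ("b", "q3")],
     "q2": [("c", "q4")], "q3": [("d", "q4")], "q4": []}

def tau_closure(lts, states):
    """States reachable by zero or more hidden steps."""
    todo, seen = list(states), set(states)
    while todo:
        for act, t in lts[todo.pop()]:
            if act == TAU and t not in seen:
                seen.add(t); todo.append(t)
    return seen

def after(lts, start, sigma):
    """Weak derivatives: states reachable from start via the visible trace sigma."""
    cur = tau_closure(lts, {start})
    for a in sigma:
        cur = tau_closure(lts, {t for s in cur for act, t in lts[s] if act == a})
    return cur

def traces(lts, s):
    """Weak traces of s as tuples of visible actions (assumes an acyclic LTS)."""
    out = {()}
    for act, t in lts[s]:
        sub = traces(lts, t)
        out |= sub if act == TAU else {(act,) + tr for tr in sub}
    return frozenset(out)

def minimal(sets):  # inclusion-minimal members; enough to compare "X misses some member" tests
    return frozenset(x for x in sets if not any(y < x for y in sets))

def failures_signature(lts, start):
    """Per sigma, minimal ready sets of stable derivatives: (sigma, X) is a failure iff action set X misses one."""
    return {sigma: minimal({frozenset(a for a, _ in lts[s]) for s in after(lts, start, sigma)
                            if all(a != TAU for a, _ in lts[s])})
            for sigma in traces(lts, start)}

def if_signature(lts, start):
    """Per sigma, minimal trace sets of derivatives: (sigma, X) is an impossible future iff trace set X misses one."""
    return {sigma: minimal({traces(lts, s) for s in after(lts, start, sigma)})
            for sigma in traces(lts, start)}

def agef_holds(lts, start, sigma, futures):
    """Slide 12's AGEF property: whenever sigma has been observed, some trace in futures is still possible."""
    return all(traces(lts, s) & set(futures) for s in after(lts, start, sigma))
```

Equal signatures mean equal failures (resp. impossible futures) because each decorated pair is determined by whether its set X misses one of the minimal members.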

  13. Some AGEF properties. √ No deadlock/livelock: Soundness: Delivery (d) possible after order (o): Order that is not confirmed (c) can be aborted (a): An order that can be confirmed can be aborted (at the same time): Not AGEF:

  14. GSM example. Legend: t: try, c: connect, f: fail, s: stop. (Diagram: v, w, u.) Corrupted state u: no connection possible. Corrupted state reachable from w, not from v. μ-calculus predicates (AGEF properties): paths terminating with f can eventually do c (testable); paths terminating with f can continue with tc (non-testable).

  15. Liveness. Infinite tf-sequence impossible: CTL: Implies liveness combined with an AGEF property (fairness assumption). Verify AGEF instead of liveness! (Diagram: v, w.)

  16. Contents • Motivation • IF Equivalence • Results • Preservation • Fair testing • Proof method

  17. Preservation results • IF congruence preserves all AGEF properties. • Any congruence preserving any non-testable AGEF property is at least as fine as IF. • Any congruence at least as coarse as weak bisim, satisfying RSP and preserving any nontrivial AGEF property, is at least as fine as IF.

  18. Fair testing (FT). FT preserves all testable AGEF properties and (assuming fairness) all AGAF properties, but different IFs. FT does not satisfy RSP: two processes satisfy

  19. Proof method. Suppose ~ is a congruence w.r.t. CCS composition and there exist a, B, p, q with p ~ q such that Let and set with

  20. Context C _ b i

  21. Conclusions • Many system safety and liveness properties are of AGEF kind. AGAF liveness: AGEF + fairness. • IF and FT: compositional verification of AGEF properties. • FT: only testable AGEF properties, RSP cannot be used. Thank you for your attention

  22. Composition Systems built from components C1

  23. Verification. (Diagram: b, a, c.) Verify a property, e.g.: b may eventually occur after a. Advantage: compositionality. Possible: prove e.g. Simplify components. Disadvantage: cumbersome, restrictive. Alternative: a non-bisim equivalence that is a congruence w.r.t. composition and preserves requirements!
