Modelling and Verification, Lecture 4: Properties of strong bisimilarity (PowerPoint PPT presentation)


SLIDE 1

Modelling and Verification

Lecture 4

Outline: Strong Bisimilarity (Reprise); Weak Bisimilarity; Case Study: Communication Protocol; Congruence Problems

• Properties of strong bisimilarity (reprise)
• Bisimulation games
• Weak bisimilarity and weak bisimulation games
• Properties of weak bisimilarity
• Example: a communication protocol and its modelling in CCS
• Concurrency workbench (CWB)

Lecture 4 Modelling and Verification

SLIDE 2

Strong Bisimilarity

Let $(\mathrm{Proc}, \mathrm{Act}, \{\xrightarrow{a} \mid a \in \mathrm{Act}\})$ be an LTS.

Strong Bisimulation
A binary relation $R \subseteq \mathrm{Proc} \times \mathrm{Proc}$ is a strong bisimulation iff whenever $(s, t) \in R$ then for each $a \in \mathrm{Act}$:
• if $s \xrightarrow{a} s'$ then $t \xrightarrow{a} t'$ for some $t'$ such that $(s', t') \in R$
• if $t \xrightarrow{a} t'$ then $s \xrightarrow{a} s'$ for some $s'$ such that $(s', t') \in R$.

Strong Bisimilarity
Two processes $p_1, p_2 \in \mathrm{Proc}$ are strongly bisimilar ($p_1 \sim p_2$) if and only if there exists a strong bisimulation $R$ such that $(p_1, p_2) \in R$.

$\sim \; = \; \bigcup \{ R \mid R \text{ is a strong bisimulation} \}$

SLIDE 3

Basic Properties of Strong Bisimilarity

Theorem: $\sim$ is an equivalence relation (reflexive, symmetric and transitive).

Theorem: $\sim$ is the largest strong bisimulation.

Theorem: $s \sim t$ if and only if for each $a \in \mathrm{Act}$:
• if $s \xrightarrow{a} s'$ then $t \xrightarrow{a} t'$ for some $t'$ such that $s' \sim t'$
• if $t \xrightarrow{a} t'$ then $s \xrightarrow{a} s'$ for some $s'$ such that $s' \sim t'$.

SLIDE 4

How to Show Nonbisimilarity?

[Figure: two LTSs, one with states s, s1, s2, s3 and transitions labelled a, b, c, the other with states t, t1, t2, t3, t4 and transitions labelled a, a, b, c.]

To prove that $s \not\sim t$:
• Enumerate all binary relations and show that none of them at the same time contains $(s, t)$ and is a strong bisimulation. (Expensive: $2^{|\mathrm{Proc}|^2}$ relations.)
• Make certain observations which enable us to disqualify many bisimulation candidates in one step.
• Use the game characterization of strong bisimilarity.


SLIDE 8

Strong Bisimulation Game

Let $(\mathrm{Proc}, \mathrm{Act}, \{\xrightarrow{a} \mid a \in \mathrm{Act}\})$ be an LTS and $s, t \in \mathrm{Proc}$.

We define a two-player game of an 'attacker' and a 'defender' starting from $s$ and $t$. The game is played in rounds, and configurations of the game are pairs of states from $\mathrm{Proc} \times \mathrm{Proc}$. In every round exactly one configuration is called current. Initially the configuration $(s, t)$ is the current one.

Intuition: The defender wants to show that $s$ and $t$ are strongly bisimilar while the attacker aims at proving the opposite.


SLIDE 10

Rules of the Bisimulation Games

Game Rules: In each round the players change the current configuration as follows:
1. the attacker chooses one of the processes in the current configuration and makes an $\xrightarrow{a}$-move for some $a \in \mathrm{Act}$, and
2. the defender must respond by making an $\xrightarrow{a}$-move in the other process under the same action $a$.
The newly reached pair of processes becomes the current configuration. The game then continues by another round.

Result of the Game: If one player cannot move, the other player wins. If the game is infinite, the defender wins.


SLIDE 12

And Now Let's Play!

Board 1
[Figure: LTS with states s, s1, s2 and transitions labelled a, a, b, b, beside LTS with states t, t1 and transitions labelled a, b.]

Does $s \sim t$ hold?

SLIDE 13

Let's Play Some More!

Board 2
[Figure: LTS with states s, s1, s2, s3 beside LTS with states t, t1, t2; all transitions are labelled a or b.]

Does $s \sim t$ hold?

SLIDE 14

Game Characterization of Strong Bisimilarity

Theorem
• States $s$ and $t$ are strongly bisimilar if and only if the defender has a universal winning strategy starting from the configuration $(s, t)$.
• States $s$ and $t$ are not strongly bisimilar if and only if the attacker has a universal winning strategy starting from the configuration $(s, t)$.

Remark: The bisimulation game can be used to prove both bisimilarity and nonbisimilarity of two processes. It very often provides elegant arguments for the negative case.
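A worked round-by-round attack, added here as an illustration of the theorem and not one of the lecture's boards (the two processes are constructed for it): take $s = a.(b.\mathrm{Nil} + c.\mathrm{Nil})$ and $t = a.b.\mathrm{Nil} + a.c.\mathrm{Nil}$.

Round 1. The attacker plays $s \xrightarrow{a} b.\mathrm{Nil} + c.\mathrm{Nil}$. The defender must answer with an $a$-move of $t$; the only options are $t \xrightarrow{a} b.\mathrm{Nil}$ and $t \xrightarrow{a} c.\mathrm{Nil}$.

Round 2. If the defender chose $b.\mathrm{Nil}$, the current configuration is $(b.\mathrm{Nil} + c.\mathrm{Nil},\; b.\mathrm{Nil})$ and the attacker plays $b.\mathrm{Nil} + c.\mathrm{Nil} \xrightarrow{c} \mathrm{Nil}$; $b.\mathrm{Nil}$ has no $c$-move, so the defender cannot move and loses. If the defender chose $c.\mathrm{Nil}$, the attacker plays the $b$-move instead, with the same outcome.

Every defender response loses within two rounds, so the attacker has a universal winning strategy from $(s, t)$ and, by the theorem, $s \not\sim t$. For comparison, the two LTSs together have six states ($s$, $b.\mathrm{Nil} + c.\mathrm{Nil}$, $t$, $b.\mathrm{Nil}$, $c.\mathrm{Nil}$, $\mathrm{Nil}$), so the brute-force route of the earlier slide would have to rule out $2^{36}$ candidate relations.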


SLIDE 16

Strong Bisimilarity is a Congruence for CCS Operations

Theorem: Let $P$ and $Q$ be CCS processes such that $P \sim Q$. Then
• $\alpha.P \sim \alpha.Q$ for each action $\alpha \in \mathrm{Act}$
• $P + R \sim Q + R$ and $R + P \sim R + Q$ for each CCS process $R$
• $P \mid R \sim Q \mid R$ and $R \mid P \sim R \mid Q$ for each CCS process $R$
• $P[f] \sim Q[f]$ for each relabelling function $f$
• $P \setminus L \sim Q \setminus L$ for each set of labels $L$.

SLIDE 17

Other Properties of Strong Bisimilarity

The following properties hold for all CCS processes $P, Q, R$:
• $P + Q \sim Q + P$
• $P \mid Q \sim Q \mid P$
• $P + \mathrm{Nil} \sim P$
• $P \mid \mathrm{Nil} \sim P$
• $(P + Q) + R \sim P + (Q + R)$
• $(P \mid Q) \mid R \sim P \mid (Q \mid R)$

SLIDE 18

Example – Buffer

Buffer of Capacity 1
$B^1_0 \stackrel{\mathrm{def}}{=} in.B^1_1$
$B^1_1 \stackrel{\mathrm{def}}{=} out.B^1_0$

Buffer of Capacity $n$
$B^n_0 \stackrel{\mathrm{def}}{=} in.B^n_1$
$B^n_i \stackrel{\mathrm{def}}{=} in.B^n_{i+1} + out.B^n_{i-1}$ for $0 < i < n$
$B^n_n \stackrel{\mathrm{def}}{=} out.B^n_{n-1}$

Example: $B^2_0 \sim B^1_0 \mid B^1_0$

[Figure: the LTS of $B^2_0$ (states $B^2_0$, $B^2_1$, $B^2_2$) beside the LTS of $B^1_0 \mid B^1_0$ (states $B^1_0 \mid B^1_0$, $B^1_1 \mid B^1_0$, $B^1_0 \mid B^1_1$, $B^1_1 \mid B^1_1$), all transitions labelled in or out.]


SLIDE 21

Example – Buffer

Theorem: For all natural numbers $n$:
$B^n_0 \sim \underbrace{B^1_0 \mid B^1_0 \mid \cdots \mid B^1_0}_{n \text{ times}}$

Proof. Construct the following binary relation, where $i_1, i_2, \ldots, i_n \in \{0, 1\}$:
$R = \{ (B^n_i,\; B^1_{i_1} \mid B^1_{i_2} \mid \cdots \mid B^1_{i_n}) \;\mid\; \sum_{j=1}^{n} i_j = i \}$
• $(B^n_0,\; B^1_0 \mid B^1_0 \mid \cdots \mid B^1_0) \in R$
• $R$ is a strong bisimulation.


SLIDE 23

Strong Bisimilarity – Summary

Properties of $\sim$:
• an equivalence relation
• the largest strong bisimulation
• a congruence
• enough to prove some natural rules like $P \mid Q \sim Q \mid P$, $P \mid \mathrm{Nil} \sim P$, $(P \mid Q) \mid R \sim Q \mid (P \mid R)$, ...

Question: Should we look any further???


SLIDE 25

Problems with Internal Actions

Question: Does $a.\tau.\mathrm{Nil} \sim a.\mathrm{Nil}$ hold? NO!

Problem: Strong bisimilarity does not abstract away from $\tau$ actions.

Example: $\mathrm{SmUni} \not\sim \mathrm{Spec}$

[Figure: $\mathrm{SmUni} \xrightarrow{pub} (CM \mid CS1) \setminus \{coin, coffee\} \xrightarrow{\tau} (CM1 \mid CS2) \setminus \{coin, coffee\} \xrightarrow{\tau} (CM \mid CS) \setminus \{coin, coffee\}$, which again offers $pub$; beside it $\mathrm{Spec} \xrightarrow{pub} \mathrm{Spec}$. The $\tau$ steps on the left have no counterpart on the right.]


Modelling and Verification

slide-29
SLIDE 29

Strong Bisimilarity (Reprise) Weak Bisimilarity Case Study: Communication Protocol Congruence Problems Definitions Weak Bisimulation Game Properties of Weak Bisimilarity

Weak Transition Relation

Let (Proc, Act, {

a

− →| a ∈ Act}) be an LTS such that τ ∈ Act. Definition of Weak Transition Relation

a

= ⇒ =

  • (

τ

− →)∗◦

a

− → ◦(

τ

− →)∗ if a = τ (

τ

− →)∗ if a = τ What does s

a

= ⇒ t informally mean? If a = τ then s

a

= ⇒ t means that from s we can get to t by doing zero or more τ actions, followed by the action a, followed by zero or more τ actions. If a = τ then s

τ

= ⇒ t means that from s we can get to t by doing zero or more τ actions.

Lecture 4 Modelling and Verification


SLIDE 31

Weak Bisimilarity

Let $(\mathrm{Proc}, \mathrm{Act}, \{\xrightarrow{a} \mid a \in \mathrm{Act}\})$ be an LTS such that $\tau \in \mathrm{Act}$.

Weak Bisimulation
A binary relation $R \subseteq \mathrm{Proc} \times \mathrm{Proc}$ is a weak bisimulation iff whenever $(s, t) \in R$ then for each $a \in \mathrm{Act}$ (including $\tau$):
• if $s \xrightarrow{a} s'$ then $t \stackrel{a}{\Rightarrow} t'$ for some $t'$ such that $(s', t') \in R$
• if $t \xrightarrow{a} t'$ then $s \stackrel{a}{\Rightarrow} s'$ for some $s'$ such that $(s', t') \in R$.

Weak Bisimilarity
Two processes $p_1, p_2 \in \mathrm{Proc}$ are weakly bisimilar ($p_1 \approx p_2$) if and only if there exists a weak bisimulation $R$ such that $(p_1, p_2) \in R$.

$\approx \; = \; \bigcup \{ R \mid R \text{ is a weak bisimulation} \}$


SLIDE 33

Weak Bisimulation Game

Definition: All the same except that the defender can now answer using $\stackrel{a}{\Rightarrow}$ moves. The attacker is still using only $\xrightarrow{a}$ moves.

Theorem
• States $s$ and $t$ are weakly bisimilar if and only if the defender has a universal winning strategy starting from the configuration $(s, t)$.
• States $s$ and $t$ are not weakly bisimilar if and only if the attacker has a universal winning strategy starting from the configuration $(s, t)$.


SLIDE 35

Weak Bisimilarity – Properties

Properties of $\approx$:
• an equivalence relation
• the largest weak bisimulation
• validates lots of natural laws, e.g.
  $a.\tau.P \approx a.P$
  $P + \tau.P \approx \tau.P$
  $a.(P + \tau.Q) \approx a.(P + \tau.Q) + a.Q$
  $P + Q \approx Q + P$, $P \mid Q \approx Q \mid P$, $P + \mathrm{Nil} \approx P$, ...
• strong bisimilarity is included in weak bisimilarity ($\sim \subseteq \approx$)
• abstracts from $\tau$ loops

[Figure: a process with an $a$-transition and a $\tau$-loop beside a process with only the $a$-transition.]

SLIDE 36

Case Study: Communication Protocol

[Figure: block diagram of the three components Send, Med and Rec, connected over the channels acc, ack, error, send, trans and del.]

$\mathrm{Send} \stackrel{\mathrm{def}}{=} acc.\mathrm{Sending}$
$\mathrm{Sending} \stackrel{\mathrm{def}}{=} \overline{send}.\mathrm{Wait}$
$\mathrm{Wait} \stackrel{\mathrm{def}}{=} ack.\mathrm{Send} + error.\mathrm{Sending}$

$\mathrm{Med} \stackrel{\mathrm{def}}{=} send.\mathrm{Med}'$
$\mathrm{Med}' \stackrel{\mathrm{def}}{=} \tau.\mathrm{Err} + \overline{trans}.\mathrm{Med}$
$\mathrm{Err} \stackrel{\mathrm{def}}{=} \overline{error}.\mathrm{Med}$

$\mathrm{Rec} \stackrel{\mathrm{def}}{=} trans.\mathrm{Del}$
$\mathrm{Del} \stackrel{\mathrm{def}}{=} \overline{del}.\mathrm{Ack}$
$\mathrm{Ack} \stackrel{\mathrm{def}}{=} \overline{ack}.\mathrm{Rec}$


SLIDE 38

Verification Question

$\mathrm{Impl} \stackrel{\mathrm{def}}{=} (\mathrm{Send} \mid \mathrm{Med} \mid \mathrm{Rec}) \setminus \{send, trans, ack, error\}$
$\mathrm{Spec} \stackrel{\mathrm{def}}{=} acc.\overline{del}.\mathrm{Spec}$

Question: $\mathrm{Impl} \stackrel{?}{\approx} \mathrm{Spec}$
1. Draw the LTS of Impl and Spec and prove (by hand) the equivalence.
2. Use the Concurrency WorkBench (CWB).


SLIDE 43

CCS Expressions in CWB

CCS Definitions
$\mathrm{Med} \stackrel{\mathrm{def}}{=} send.\mathrm{Med}'$
$\mathrm{Med}' \stackrel{\mathrm{def}}{=} \tau.\mathrm{Err} + \overline{trans}.\mathrm{Med}$
$\mathrm{Err} \stackrel{\mathrm{def}}{=} \overline{error}.\mathrm{Med}$
. . .
$\mathrm{Impl} \stackrel{\mathrm{def}}{=} (\mathrm{Send} \mid \mathrm{Med} \mid \mathrm{Rec}) \setminus \{send, trans, ack, error\}$
$\mathrm{Spec} \stackrel{\mathrm{def}}{=} acc.\overline{del}.\mathrm{Spec}$

CWB Program (protocol.cwb); in CWB syntax 'x is the co-name of x, tau the internal action and \ L restriction:
    agent Med = send.Med';
    agent Med' = (tau.Err + 'trans.Med);
    agent Err = 'error.Med;
    . . .
    set L = {send, trans, ack, error};
    agent Impl = (Send | Med | Rec) \ L;
    agent Spec = acc.'del.Spec;

SLIDE 44

CWB Session

    [luca@vel5638 CWB]$ ./xccscwb.x86-linux
    > help;
    > input "protocol.cwb";
    > vs(5,Impl);
    > sim(Spec);
    > eq(Spec,Impl);          ** weak bisimilarity **
    > strongeq(Spec,Impl);    ** strong bisimilarity **

SLIDE 45

Is Weak Bisimilarity a Congruence for CCS?

Theorem: Let $P$ and $Q$ be CCS processes such that $P \approx Q$. Then
• $\alpha.P \approx \alpha.Q$ for each action $\alpha \in \mathrm{Act}$
• $P \mid R \approx Q \mid R$ and $R \mid P \approx R \mid Q$ for each CCS process $R$
• $P[f] \approx Q[f]$ for each relabelling function $f$
• $P \setminus L \approx Q \setminus L$ for each set of labels $L$.

What about choice?
$\tau.a.\mathrm{Nil} \approx a.\mathrm{Nil}$ but $\tau.a.\mathrm{Nil} + b.\mathrm{Nil} \not\approx a.\mathrm{Nil} + b.\mathrm{Nil}$

Conclusion: Weak bisimilarity is not a congruence for CCS.
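The following is an added example, not code from the lecture or from the Concurrency Workbench: a small Python interpreter for the CCS fragment used on these slides (prefix, choice, parallel composition with handshake, restriction, agent constants) together with a checker that computes strong and weak bisimilarity as a greatest fixpoint over the reachable states, which is the "disqualify many candidates in one step" idea made mechanical. It answers the page's questions: the buffer example $B^2_0 \sim B^1_0 \mid B^1_0$, the case study's $\mathrm{Impl} \not\sim \mathrm{Spec}$ but $\mathrm{Impl} \approx \mathrm{Spec}$ (what `strongeq` and `eq` decide in the CWB session), and this slide's $\tau.a.\mathrm{Nil} \approx a.\mathrm{Nil}$ versus $\tau.a.\mathrm{Nil} + b.\mathrm{Nil} \not\approx a.\mathrm{Nil} + b.\mathrm{Nil}$. The term constructors, the `DEFS` dictionary and `check_all` are names chosen for this example; the CWB convention that `'x` is the co-name of `x` is followed. The agents Send, Sending, Wait, Rec, Del and Ack that the `protocol.cwb` listing elides are transcribed from the CCS definitions on the case-study slide.

```python
# Added example (not code from the lecture or from the Concurrency Workbench):
# a tiny CCS interpreter plus a bisimulation checker. As in CWB, 'x is the
# co-name (output) of x and tau is the internal action. Terms are nested tuples.
from itertools import product
TAU = "tau"

def co(a):  # complementary name: x <-> 'x (drives handshakes and restriction)
    return a[1:] if a.startswith("'") else "'" + a

def nil(): return ("nil",)                       # Nil
def pre(a, p): return ("pre", a, p)              # a.P
def sum_(p, q): return ("sum", p, q)             # P + Q
def par(p, q): return ("par", p, q)              # P | Q
def res(L, p): return ("res", frozenset(L), p)   # P \ L
def name(n): return ("name", n)                  # agent constant, looked up in defs

def steps(p, defs):
    """Structural operational semantics: the set of (action, successor) pairs of p."""
    if p[0] == "nil": return set()
    if p[0] == "pre": return {(p[1], p[2])}
    if p[0] == "name": return steps(defs[p[1]], defs)
    if p[0] == "sum": return steps(p[1], defs) | steps(p[2], defs)
    if p[0] == "res":  # keep tau; drop every action whose name or co-name is in L
        return {(a, ("res", p[1], q2)) for a, q2 in steps(p[2], defs)
                if a == TAU or (a not in p[1] and co(a) not in p[1])}
    sp, sq = steps(p[1], defs), steps(p[2], defs)  # "par": interleave both sides ...
    out = {(a, ("par", p2, p[2])) for a, p2 in sp} | {(b, ("par", p[1], q2)) for b, q2 in sq}
    out |= {(TAU, ("par", p2, q2)) for (a, p2), (b, q2) in product(sp, sq)
            if a != TAU and b == co(a)}            # ... and turn a handshake x / 'x into tau
    return out

def lts(roots, defs):
    """Explore the finite state space reachable from the given terms."""
    trans, todo = {}, list(roots)
    while todo:
        s = todo.pop()
        if s not in trans:
            trans[s] = steps(s, defs)
            todo.extend(t for _, t in trans[s])
    return trans

def weak(trans):
    """Weak moves s =a=> t: tau* a tau* for a != tau, and tau* for a == tau."""
    def tau_closure(s):
        seen, todo = {s}, [s]
        while todo:
            for a, y in trans[todo.pop()]:
                if a == TAU and y not in seen:
                    seen.add(y); todo.append(y)
        return seen
    w = {}
    for s in trans:
        w[s] = {(TAU, t) for t in tau_closure(s)}
        for x in tau_closure(s):
            w[s] |= {(a, z) for a, y in trans[x] if a != TAU for z in tau_closure(y)}
    return w

def bisimilar(s, t, defs, weak_=False):
    """Decide s ~ t (or s ~~ t if weak_) as a greatest fixpoint: start from all pairs
    of reachable states and delete every pair in which one side has a move the other
    cannot answer, strongly or weakly, into a pair that is still in R."""
    trans = lts([s, t], defs)
    answer = weak(trans) if weak_ else trans
    R = {(p, q) for p in trans for q in trans}
    while True:
        bad = {(p, q) for p, q in R
               if not all(any(b == a and (p2, q2) in R for b, q2 in answer[q]) for a, p2 in trans[p])
               or not all(any(b == a and (p2, q2) in R for b, p2 in answer[p]) for a, q2 in trans[q])}
        if not bad:
            return (s, t) in R
        R -= bad

# Agents transcribed from the slides; the Send/Rec side that protocol.cwb elides
# with '...' is taken from the CCS definitions on the case-study slide.
L = {"send", "trans", "ack", "error"}
DEFS = {
    "Send": pre("acc", name("Sending")), "Sending": pre("'send", name("Wait")),
    "Wait": sum_(pre("ack", name("Send")), pre("error", name("Sending"))),
    "Med": pre("send", name("Med'")), "Err": pre("'error", name("Med")),
    "Med'": sum_(pre(TAU, name("Err")), pre("'trans", name("Med"))),
    "Rec": pre("trans", name("Del")), "Del": pre("'del", name("Ack")), "Ack": pre("'ack", name("Rec")),
    "Impl": res(L, par(name("Send"), par(name("Med"), name("Rec")))),
    "Spec": pre("acc", pre("'del", name("Spec"))),
    "B1_0": pre("in", name("B1_1")), "B1_1": pre("out", name("B1_0")),
    "B2_0": pre("in", name("B2_1")), "B2_2": pre("out", name("B2_1")),
    "B2_1": sum_(pre("in", name("B2_2")), pre("out", name("B2_0"))),
}

def check_all():
    """The page's equivalence questions, answered mechanically (~ strong, ~~ weak)."""
    a, b = pre("a", nil()), pre("b", nil())
    return {
        "Impl ~ Spec": bisimilar(name("Impl"), name("Spec"), DEFS),
        "Impl ~~ Spec": bisimilar(name("Impl"), name("Spec"), DEFS, weak_=True),
        "B2_0 ~ B1_0|B1_0": bisimilar(name("B2_0"), par(name("B1_0"), name("B1_0")), DEFS),
        "tau.a ~~ a": bisimilar(pre(TAU, a), a, DEFS, weak_=True),
        "tau.a+b ~~ a+b": bisimilar(sum_(pre(TAU, a), b), sum_(a, b), DEFS, weak_=True),
        "reachable Impl states": len(lts([DEFS["Impl"]], DEFS)),
    }

if __name__ == "__main__":
    for claim, verdict in check_all().items(): print(f"{claim}: {verdict}")
```

Running the script prints False, True, True, True, False and a state count of 6 for Impl. The weak verdict deserves the caveat the slides only hint at under "abstracts from τ loops": Impl contains the internal cycle Sending, then Wait with Med', then Wait with Err, then Sending again, in which the medium keeps losing the message, and weak bisimilarity still equates Impl with a Spec that always delivers. If the medium is under an attacker's control, Impl ≈ Spec therefore says nothing about liveness; a divergence-sensitive equivalence or an explicit fairness assumption on Med is needed for that.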
