
The testing paradigm applied to network structure

Citation for published version (APA):

Verhoeff, T. (1994). The testing paradigm applied to network structure. (Computing science notes; Vol. 9410). Technische Universiteit Eindhoven.

Document status and date: Published 01/01/1994. Document version: Publisher's PDF, also known as Version of Record (includes final page, issue and volume numbers).



Department of Mathematics and Computing Science

The Testing Paradigm Applied to Network Structure

by

T. Verhoeff

Computing Science Note 94/10

Eindhoven, March 1994


COMPUTING SCIENCE NOTES

This is a series of notes of the Computing Science Section of the Department of Mathematics and Computing Science, Eindhoven University of Technology. Since many of these notes are preliminary versions or may be published elsewhere, they have a limited distribution only and are not for review.

Copies of these notes are available from the author.

Copies can be ordered from: Mrs. M. Philips, Eindhoven University of Technology, Department of Mathematics and Computing Science, P.O. Box 513, 5600 MB EINDHOVEN, The Netherlands

ISSN 0926-4515

All rights reserved

editors: prof.dr. M. Rem


Tom Verhoeff

Department of Mathematics and Computing Science, Eindhoven University of Technology

P.O. Box 513, 5600 MB EINDHOVEN, The Netherlands

E-mail: wstomv@win.tue.nl

January 1990, Revised February 1994

Abstract

The testing paradigm provides a simple framework for comparing networks of processes. To apply the testing paradigm, one needs a suite of tests and a test criterion expressing when a network passes a test. Two networks are considered testing equivalent when they pass the same tests. In all applications of the testing paradigm that we have seen, tests "probe" (some of) the behavior of the process network under test. Network structure, however, is mostly handled in an ad hoc way.

In this note, we use the testing paradigm to compare structural aspects of process networks. Central to our approach are the following three ingredients: (i) Tests are drawn from the set of process networks, that is, each test is itself just a process network. (ii) A (global) correctness concern, in the form of a predicate, expresses when a network is correct as an autonomous system. (iii) A network passes a test (by another network) when the composition of the two networks involved is a correct (autonomous) system.

Our approach has several merits. It allows a uniform treatment of structure and behavior. Structural and behavioral correctness concerns can be varied independently within the same framework. Structural correctness concerns can be made explicit at the very beginning, and need not appear implicitly as an unmotivated afterthought. Several phenomena, such as nondeterminism, can be illustrated solely in terms of structure, without getting bogged down by behavioral complications.

For one particular choice of (structural) correctness concerns, we work out a model in


Contents

1 Introduction
2 Pre-Abstract Model
3 Basic Concepts for a Fully Abstract Model
4 Pointwise Analysis of Correctness
5 Construction of Fully Abstract Model
6 Discussion of Fully Abstract Model
7 Alternative Structural Correctness Concerns
8 Conclusion
A Countable Bags
B Partial Orders and Complete Lattices
References


1 Introduction

We study the structure of process networks, ignoring their behavior. Our main goal is to give a uniform treatment of the structural aspects of process networks. We do so by working out one example model in detail.

Why study structure separately? Usually, structural correctness concerns are simply incorporated at the "syntactic" level of a model. In that approach, composition is disallowed when it would yield a composite that is somehow (structurally) undesirable. For instance, for asynchronous circuits it is customary to prohibit the connection of two output ports (see 'output interference' in [5]). A disadvantage of this approach is that composition is a partial operator and, consequently, many propositions about composition need to be decorated with ad hoc syntactic preconditions (so-called boiler plates; see 'connectable' in [7]). In our approach we do not disallow any compositions, but we formulate our judgment of desirability in an explicit structural correctness concern. The correctness concern can be used to define a notion of testing. Using the testing paradigm of [3, 6], it then gives rise to a refinement and an equivalence relation. The result is a mathematically clean formalism.

It may appear as if the formalism that we develop in this note to deal with network structure is far too heavy for its purpose. Admittedly, it is often much easier to deal with structural correctness than behavioral correctness. However, more complex structural correctness concerns require more powerful methods. Furthermore, it turns out that the methods needed to deal with network behavior are very similar (see [10]). We have made the formalism in this note more general than is strictly necessary, so that behavioral aspects can be incorporated with little effort. This note is an opportunity for the reader to become familiar with the general methods in a context where the results are fairly easy to predict by intuition. However, we urge the reader to make as little use as possible of these intuitions.

Overview

In Section 2, we present a pre-abstract model. We start the presentation by defining the set SYS of all systems (process networks). On SYS we then define structural composition par and correctness criterion Correct. This induces relations sat and equ on SYS in a straightforward way (also see [10]). Relation sat captures refinement and equ expresses system equivalence. Thus we obtain a pre-abstract model consisting of the algebra (SYS; par, sat) with congruence equ. The model is called pre-abstract because many networks are distinguished in SYS that we wish to identify since they are equivalent for all relevant purposes.

We are interested in the quotient algebra (SYS; par, sat)/equ consisting of the equ-congruence classes. In Sections 3, 4, and 5 we develop an isomorphic fully abstract model. The objects of this abstract model are functions on the set $\Sigma$ of link identifiers satisfying certain properties. In Section 6 we discuss some of the properties of the fully abstract algebra. We look at alternative structural correctness concerns in Section 7. Finally, Section 8 contains concluding remarks. Appendix A defines our notation for countable bags and Appendix B summarizes some lattice theory.

2 Pre-Abstract Model

The pre-abstract model presented in this section was directly inspired by work of van de Snepscheut [9], Udding [7, 8], and Ebergen [5, 4].


2 2 PRE-ABSTRACT MODEL

Alphabets, processes, and systems

As far as structure is concerned, all we care to know about a process are the names of its communication ports and the direction of each port (either input or output). In our model, the communication links that connect ports convey signals only; there is no data transport. That way, a link may be implemented by a single wire in an electronic circuit. Data may be encoded by employing several links. If data communication is to be incorporated on a higher level into the model then each port could also have a data type.

Let $\Sigma$ be an infinite set of symbols, playing the role of port and link identifiers. Typical (distinct) symbols in $\Sigma$ are $a$, $a_0$, $a_1$, $b$, and $c$. Variables $a$, $b$, and $c$ range over $\Sigma$. An alphabet is a subset of $\Sigma$.

In this note, a process is simply a pair $(I, O)$ of disjoint alphabets, where $I$ is the set of input ports, or inputs for short, and $O$ the set of output ports (outputs). There is no behavior associated with a process. The set of all processes is denoted by PROC. Variables $P$, $Q$, and $R$ range over PROC. The projection functions $i$ and $o$ on processes are defined by

$P = (iP, oP)$.

A system is a countable bag (see Appendix A) of processes. Note 2.3 below motivates our choice for countable bags. The set of all systems is denoted by SYS. Variables $S$, $T$, and $U$ range over SYS.

A system models (the topology of) a process network as follows. All ports with the same name, say $a$, are connected by a single communication link, which will also be named $a$. Ports with different names are not so connected. Thus, links are implicitly given in a system. Notice that a link never connects a process to itself. A "self-link" must be simulated by introducing a separate process that behaves like a link.

2.1 Example Let system $S$ be defined as $[P, Q, R]$ ($[\,\cdot\,]$ being the bag constructor, see Appendix A), where

$P = (\{a_0, a_1, b_1\}, \{b_0, b_2\})$, $Q = (\{b_0, b_3\}, \{b_1, c_0\})$, and $R = (\{a_2, b_2\}, \{b_3, c_1\})$.

System $S$ may be depicted as in Figure 1. Notice that each link in $S$ connects to at most one input port and one output port. We will come back to this when defining correctness. □

Composition and correctness

Structural composition, or composition for short, is a binary operator on SYS, denoted by par and defined as bag summation. It is a total operator, is commutative and associative, and has the empty bag as unit. Composition is easy to carry out in terms of electronic circuits: a circuit for $S \mathrel{\mathrm{par}} T$ is obtained from a circuit for $S$ and a circuit for $T$ by fusing wire nets with the same name.

On SYS we want to define a predicate Correct that captures our (structural) correctness concerns. $\mathrm{Correct}.S$ is intended to express the conditions under which correct autonomous operation of system $S$ is guaranteed. 'Autonomous' here means that $S$ is put to


Figure 1: Topology diagram of system S (processes P, Q and R with links a0, a1, a2, b0, b1, b2, b3, c0 and c1; diagram not reproduced)

The particular requirements that we have chosen for our example model throughout this note derive from an intended implementation of systems by electronic circuitry. Some alternative correctness concerns are discussed in Section 7.

In electronic circuits, there are a number of undesirable situations. Connected outputs may give rise to power shorts when they do not agree in voltage level. Connecting too many inputs together may overload the driving output. Dangling inputs may pick up noise and dangling outputs may emit spurious electromagnetic signals. We formalize these concepts as follows.

Link $a$ is said to be conflicting in system $S$ when

$(\exists P, Q : [P, Q] \subseteq S : a \in oP \cap oQ)$,

that is, when it connects two output ports. Link $a$ is called overloaded in $S$ when

$(\exists P, Q : [P, Q] \subseteq S : a \in iP \cap iQ)$,

that is, when it connects two input ports. System $S$ is called well-formed when it has neither conflicting nor overloaded links; otherwise, it is called malformed. Formally, $S$ is well-formed when

$(\forall P, Q : [P, Q] \subseteq S : iP \cap iQ = \emptyset = oP \cap oQ)$.

System $S$ of Example 2.1 is well-formed. Observe that malformedness may be introduced by composition of well-formed systems and that it persists under composition.

In well-formed system $S$ containing processes $P$ and $Q$ there is a directed communication link labeled $a$ from $P$ to $Q$ whenever port $a$ is an output of $P$, i.e. $a \in oP$, and an input of $Q$, i.e. $a \in iQ$ (hence, $P \neq Q$). Such a link is considered internal to the system, in the sense that further connections to it are undesirable, that is, links are output-to-input connections. System $S$ of Example 2.1 has four such internal links. Merging and forking of signals must be accomplished by incorporating explicit merge and fork processes. Internal links are structurally "visible" by their name, but when incorporating system behavior, communication events along internal links are intended to be hidden, that is, they are unobservable for other processes. In Section 7 we will discuss multi-point connections.

Link $a$ is said to be undriven or a dangling input in system $S$ (viewed as an autonomous system) when


that is, if it connects to an input port but not to any output port. Link $a$ is called unterminated or a dangling output in $S$ (again, viewed as an autonomous system) when

$(\exists P : P \in S : a \in oP) \wedge (\forall Q : Q \in S : a \notin iQ)$,

that is, if it connects to an output port but not to input ports. System $S$ is called closed when it has no undriven and no unterminated links; otherwise, it is called open. Formally, $S$ is closed when

$(\bigcup P : P \in S : iP) = (\bigcup P : P \in S : oP)$.

A dangling link is considered an external port of the system, available for connection to the environment of $S$. System $S$ of Example 2.1 has three external inputs and two external outputs. Observe that composition may introduce internal links, namely when one system has an external input for which the other system has the corresponding external output. Hence, openness may disappear under composition.

Predicate Correct on SYS is now defined by

$\mathrm{Correct}.S \equiv$ "$S$ is well-formed and closed".

$\mathrm{Correct}.S$ expresses that $S$ has output-to-input connections only (is well-formed) and has no dangling inputs or outputs (is closed). That is, each port that occurs in some process of $S$ occurs exactly once as input and once as output in the processes of $S$.

2.2 Example Notice that both $[\,]$ (the empty system) and $[(\emptyset, \emptyset)]$ (the system consisting of one "empty" process, i.e., a process without ports) are correct systems in our sense. Another example of a correct system is $[(\{a\}, \{b\}), (\{b\}, \{a\})]$, having two internal links labeled $a$ and $b$. Examples of incorrect systems are $[(\{a\}, \{b\}), (\emptyset, \{b\})]$ (malformed because of conflicting link $b$) and $[(\{a\}, \{b\}), (\{b\}, \emptyset)]$ (well-formed, but not closed because of dangling input $a$). □

2.3 Note The "empty" process $(\emptyset, \emptyset)$ is the only process that possibly occurs more than once in a well-formed system. It is not a very interesting process and could be omitted without great loss. Therefore, one could also model a system as a set, instead of a bag, of processes. There are several reasons for not doing so.

The main reason is that composition is harder to define satisfactorily for sets. Consider well-formed systems $S = [P, Q]$ and $T = [P, R]$ where $P$, $Q$, and $R$ are distinct non-empty processes. Under our definition, $S \mathrel{\mathrm{par}} T$ equals $[P, P, Q, R]$ and this composite is malformed as intended. Simply taking set union as composition would yield $S \mathrel{\mathrm{par}} T = \{P, Q, R\}$, which could, unintentionally, be well-formed again. One way to overcome this problem is to make composition a partially defined operator, but that is exactly what we intend to avoid. A second reason is that when process behavior is incorporated, it is well possible that structurally equal processes may have different behaviors associated with them. Therefore, if we model a system as a set of processes, then stripping away process behavior naturally yields a bag of (behaviorless) processes. Finally, a third reason for using bags is that under some alternative correctness concerns (cf. Section 7), well-formed systems possibly have multiple occurrences of non-empty processes.

We have not restricted ourselves to finite systems, because we wanted to investigate some of the problems encountered with infinite networks. The restriction to countable bags is


Testing, satisfaction, and equivalence

On the basis of the correctness concern and the composition operator we define (cf. [10]) testing relation pass, satisfaction pre-order sat, and equivalence equ by

$S \mathrel{\mathrm{pass}} T \equiv \mathrm{Correct}.(S \mathrel{\mathrm{par}} T)$,
$S \mathrel{\mathrm{sat}} T \equiv (\forall U :: S \mathrel{\mathrm{pass}} U \Leftarrow T \mathrel{\mathrm{pass}} U)$,
$S \mathrel{\mathrm{equ}} T \equiv (\forall U :: S \mathrel{\mathrm{pass}} U \equiv T \mathrel{\mathrm{pass}} U)$.

Recall that $U$ ranges over SYS. Relation pass expresses the result of testing $S$ by (putting it in environment) $T$. The pass-set of $S$, denoted by $\mathrm{pass}.S$, is defined by

$\mathrm{pass}.S = \{U : S \mathrel{\mathrm{pass}} U : U\}$.

Relation sat expresses when one system is at least as "good" as another in the sense of passing at least the same tests:

$S \mathrel{\mathrm{sat}} T \equiv \mathrm{pass}.S \supseteq \mathrm{pass}.T$.

It acts as a refinement relation. Relation equ expresses that one system is as "good" as another in the sense of passing the same tests:

$S \mathrel{\mathrm{equ}} T \equiv \mathrm{pass}.S = \mathrm{pass}.T$.

It may alternatively be defined by

$S \mathrel{\mathrm{equ}} T \equiv S \mathrel{\mathrm{sat}} T \wedge T \mathrel{\mathrm{sat}} S$

and it is a congruence relation on (SYS; par, sat).

We are interested in the quotient algebra (SYS; par, sat)/equ. In the next sections we construct an isomorphic algebra, whose objects have a mathematically simpler structure than the congruence classes.

3 Basic Concepts for a Fully Abstract Model

In this section we introduce some fundamental concepts for an abstract algebra. A link status is a member of the six-element set $A$ defined by

$A = \{\bot, \bullet, ?, !, 0, \top\}$.

Link statuses will be used to indicate how a system "treats" each link. Their interpretation is as follows:

$\bot$  abused (conflicting or overloaded),
$\bullet$  internal,
$?$  external input,
$!$  external output,
$0$  unused,
$\top$  miraculous (compensation for $\bot$).

The presence of $\top$ will be motivated later in Note 4.3. A link status function (LSF for short) is a mapping from $\Sigma$ to $A$. LSFs will be the objects of the fully abstract model of


Table 1: Composition operator ‖ on A

  ‖ | ⊤  0  ?  !  •  ⊥
 ---+------------------
  ⊤ | ⊤  ⊤  ⊤  ⊤  ⊤  ⊤
  0 | ⊤  0  ?  !  •  ⊥
  ? | ⊤  ?  ⊥  •  ⊥  ⊥
  ! | ⊤  !  •  ⊥  ⊥  ⊥
  • | ⊤  •  ⊥  ⊥  ⊥  ⊥
  ⊥ | ⊤  ⊥  ⊥  ⊥  ⊥  ⊥

Section 5. The set of all LSFs is denoted by $\mathcal{LSF}$. Variables $\alpha$, $\beta$, and $\gamma$ range over $A$ and variables $p$, $q$, and $r$ range over $\mathcal{LSF}$. For each $\alpha \in A$ we define the constant LSF $\alpha_\Sigma$ by

$\alpha_\Sigma.a = \alpha$.

Composition, denoted $\parallel$, is a binary operator on $A$ defined in Table 1. For example, input and output merge into internal under composition: $? \parallel ! = \bullet$. Input composed with input yields abuse ($? \parallel ? = \bot$) because connections should be output-to-input. When modeling multi-point connections one could define composition of inputs to yield an input again (see Example 7.4).

3.1 Note Defining $? \parallel ! = 0$ would model completely hidden internal links. We will briefly look at that possibility in Section 7. In that case, composition would not be associative (see Example 7.3), which explains our preference for the current definition (see Property 3.2). □

3.2 Property Composition operator $\parallel$ on $A$ is commutative, associative, and has $0$ as unit. Furthermore, it has $\top$ as zero and there are no zero divisors under $\parallel$, that is, we have

$\alpha \parallel \beta = \top \equiv \alpha = \top \vee \beta = \top$.

Proof Commutativity, the unit and the zero, and the absence of zero divisors are readily verified in Table 1. Regarding associativity, notice that (i) the cases where $\top$, $0$ (the unit), or $\bot$ occur are trivial and (ii) any composition of three elements from $\{\bullet, ?, !\}$ yields $\bot$. □

In view of Property 3.2, we can extend $\parallel$ to a unary operator on finite bags over $A$ (instead of composing just two elements), for example,

$\parallel[\,] = 0$, $\quad \parallel[\alpha, \beta, \beta] = \alpha \parallel \beta \parallel \beta$.

Composition is not idempotent, but we do have

$\alpha \parallel \alpha \parallel \alpha = \alpha \parallel \alpha$.

On account of this we can reduce multiplicities in a bag to at most two when computing $\parallel$, without affecting the outcome: for finite bag $B$ over $A$ we have

$\parallel B = \parallel C$, where $C.\alpha = \min\{B.\alpha, 2\}$.


We define $\parallel$ for $\omega$-bags over $A$ as well, by first reducing them to a finite bag as above. We also extend $\parallel$ to $\mathcal{LSF}$ by pointwise application, that is, $p \parallel q$ is defined by

$(p \parallel q).a = p.a \parallel q.a$.

Obviously, $\parallel$ on $\mathcal{LSF}$ inherits some properties from $\parallel$ on $A$; for example, it is also commutative and associative, and has $0_\Sigma$ as unit and $\top_\Sigma$ as zero. Note, however, that it does have zero divisors. We also use $\parallel$ as unary operator on countable bags over $\mathcal{LSF}$ by defining

$(\parallel B).a = \parallel[p : B.p : p.a]$.

From processes and systems to LSFs

Before we can express the correctness predicate more simply we need to introduce a mapping from SYS to $\mathcal{LSF}$. First, we define mapping $l : \mathrm{PROC} \to \mathcal{LSF}$ by

$l.P.a = \begin{cases} ? & \text{if } a \in iP \\ ! & \text{if } a \in oP \\ 0 & \text{otherwise} \end{cases}$

Note that this is a proper definition since $iP$ and $oP$ are disjoint. We call $l.P$ the link status function of process $P$. Since $l$ is an injective mapping, one may view it as an embedding of PROC in $\mathcal{LSF}$. Next, we lift $l$ via $\parallel$ to SYS yielding mapping $L : \mathrm{SYS} \to \mathcal{LSF}$ defined by

$L.S = \parallel[P : S.P : l.P]$.

We call $L.S$ the link status function of system $S$. Note that this definition takes the multiplicity of each process in $S$ into account, thus, for example,

$L.[P, Q, Q].a = l.P.a \parallel l.Q.a \parallel l.Q.a$.

3.3 Property For process $P$ and systems $S$ and $T$ we have

$(\forall a :: l.P.a \notin \{\bot, \bullet, \top\})$,
$(\forall a :: L.S.a \neq \top)$,
$L.[\,] = 0_\Sigma$,
$L.[(\emptyset, \emptyset)] = 0_\Sigma$,
$L.[P] = l.P$, and
$L.(S \mathrel{\mathrm{par}} T) = L.S \parallel L.T$.

We can now express correctness of a system concisely in terms of its LSF.

3.4 Theorem For system $S$ we have

$\mathrm{Correct}.S \equiv (\forall a :: L.S.a \notin \{\bot, ?, !\})$.

Proof Observe that (i) $S$ is well-formed if and only if $\bot$ does not occur as $L.S$-image and (ii) if $S$ is well-formed, then $S$ is closed if and only if $?$ and $!$ do not occur as $L.S$-image. □


4 Pointwise Analysis of Correctness

We will carry out a pointwise analysis of system correctness in this section, that is, by concentrating on the links individually. In the next section we will look at the global aspects of correctness again.

Inspired by Theorem 3.4, let us define correctness predicate $\mathrm{Correct}_A$ and testing relation $\mathrm{pass}_A$ on $A$ by

$\mathrm{Correct}_A.\alpha \equiv \alpha \notin \{\bot, ?, !\}$,
$\alpha \mathrel{\mathrm{pass}_A} \beta \equiv \mathrm{Correct}_A.(\alpha \parallel \beta)$.

4.1 Property For systems $S$ and $T$ we now have

$\mathrm{Correct}.S \equiv (\forall a :: \mathrm{Correct}_A.(L.S.a))$,
$S \mathrel{\mathrm{pass}} T \equiv (\forall a :: L.S.a \mathrel{\mathrm{pass}_A} L.T.a)$.

Proof Use Theorem 3.4 and Property 3.3. □

Notice that $\mathrm{pass}_A$ is symmetric since $\parallel$ is commutative. Recall the usual derived concepts:

$\mathrm{pass}_A.\alpha = \{\beta : \alpha \mathrel{\mathrm{pass}_A} \beta : \beta\}$,
$\alpha \mathrel{\mathrm{sat}_A} \beta \equiv \mathrm{pass}_A.\alpha \supseteq \mathrm{pass}_A.\beta$.

The $\mathrm{pass}_A$-sets are tabulated in Table 2. Notice that these $\mathrm{pass}_A$-sets are unique, that is, $\alpha = \beta$ if and only if $\mathrm{pass}_A.\alpha = \mathrm{pass}_A.\beta$. Hence, relation $\mathrm{sat}_A$ induced by $\mathrm{pass}_A$ is a partial order, also denoted by $\sqsupseteq_A$. The Hasse diagram of $\sqsubseteq_A$ is given in Table 2. Obviously, $(A; \sqsubseteq_A)$ is a complete lattice. We will leave out subscript $A$ when it is clear from the context.

Table 2: The pass_A-sets and the Hasse diagram for ⊑_A (converse of sat_A)

  α | pass_A.α                 Hasse diagram of ⊑_A (top to bottom):
 ---+--------------------
  ⊤ | {⊤, 0, ?, !, •, ⊥}                ⊤
  0 | {⊤, 0, •}                       / | \
  ? | {⊤, !}                         0  ?  !
  ! | {⊤, ?}                         |  |  |
  • | {⊤, 0}                         •  |  |
  ⊥ | {⊤}                             \ | /
                                        ⊥

From Table 2 one can readily infer a number of properties. For instance, $\mathrm{Correct}.\alpha$ is equivalent to $\alpha \sqsupseteq \bullet$. Each pass-set has a minimum under $\sqsubseteq$. Furthermore, composition is $\sqsubseteq$-monotonic. It is a little harder to verify the stronger statement that composition distributes over $\sqcap$. Instead of exploiting our detailed knowledge about $A$ and $\parallel$, we will prove these properties more generally. The reason for doing so is that one encounters a similar situation when behavior is incorporated. The general results derived here can be carried over directly.

For the remainder of this section (excepting examples) we allow ourselves to use only (i) Property 3.2 about $\parallel$, (ii) the definitions of pass and $\sqsubseteq$, (iii) that $(A; \sqsubseteq)$ is a complete lattice, and (iv) that each pass-set has a minimum.

It turns out to be useful to introduce the unary operator $\sim$, called reflection, on $A$ defined by


$\sim\alpha = \min(\mathrm{pass}.\alpha)$.

It is properly defined because each pass-set has a minimum. The reflection of $\alpha$ is the "severest" test passed by $\alpha$.

4.2 Property We have $\alpha \mathrel{\mathrm{pass}} \sim\alpha$.

Proof From the definition of $\sim\alpha$ follows $\sim\alpha \in \mathrm{pass}.\alpha$. □

Reflection enables us to give an alternative expression for the pass relation (Property 4.5), to give an explicit isomorphism between $(A; \sqsubseteq)$ and $(A; \sqsupseteq)$ (Corollary 4.11), and to formulate an interesting factorization formula (Property 4.13).

4.3 Note Without $\top$ we could not have defined the reflection of $\bot$, for in that case $\mathrm{pass}.\bot = \emptyset$, whereas now we have $\mathrm{pass}.\bot = \{\top\}$. This motivates the introduction of $\top$ (but not our choice for evaluating compositions involving $\top$). We will come back to the role of $\top$ in Section 6. □

Table 3: Reflection operator ~ on A

   α | ⊤  0  ?  !  •  ⊥
 ----+------------------
  ~α | ⊥  •  !  ?  0  ⊤

The effect of reflection is shown in Table 3. From this table one sees that reflection is an involution, that is, its own inverse. But we can also prove this more generally and we will not make further use of the table (again, excepting examples).

General results for A

We start by observing that pass-sets are $\sqsubseteq$-upward closed.

4.4 Property We have

$\beta \in \mathrm{pass}.\alpha \wedge \beta \sqsubseteq \gamma \Rightarrow \gamma \in \mathrm{pass}.\alpha$.

Proof We derive

    $\beta \in \mathrm{pass}.\alpha \wedge \beta \sqsubseteq \gamma$
  ≡ { symmetry of pass and definition of $\sqsubseteq$ }
    $\alpha \in \mathrm{pass}.\beta \wedge \mathrm{pass}.\beta \subseteq \mathrm{pass}.\gamma$
  ⇒ { set theory }
    $\alpha \in \mathrm{pass}.\gamma$
  ≡ { symmetry of pass }
    $\gamma \in \mathrm{pass}.\alpha$

□

Relation pass is expressible in terms of the order and reflection:

4.5 Property We have

$\alpha \mathrel{\mathrm{pass}} \beta \equiv \alpha \sqsupseteq \sim\beta$.


Proof The implication from left to right follows from the definition of $\sim\beta$ as the $\sqsubseteq$-minimum of $\mathrm{pass}.\beta$. The implication from right to left follows from Property 4.4 and $\sim\beta \in \mathrm{pass}.\beta$. □

We can now give a different expression for correctness:

4.6 Property We have $\mathrm{Correct}.\alpha \equiv \alpha \sqsupseteq \sim 0$.

Proof We derive

    $\mathrm{Correct}.\alpha$
  ≡ { $0$ is unit of $\parallel$ }
    $\mathrm{Correct}.(\alpha \parallel 0)$
  ≡ { definition of pass }
    $\alpha \mathrel{\mathrm{pass}} 0$
  ≡ { Property 4.5 }
    $\alpha \sqsupseteq \sim 0$

□

4.7 Note The appearance of $0$ in Property 4.6 is not a coincidence, as is seen in the proof: $0$ is the unit of $\parallel$ on $A$. □

4.8 Corollary We have

$\alpha \parallel \beta \sqsupseteq \sim 0 \equiv \alpha \sqsupseteq \sim\beta$.

Proof Use Property 4.6, definition of pass, and Property 4.5. □

Reflection reverses the order:

4.9 Property We have $\alpha \sqsubseteq \beta \equiv \sim\alpha \sqsupseteq \sim\beta$.

Proof We derive

    $\alpha \sqsubseteq \beta$
  ≡ { definition of $\sqsubseteq$ }
    $\mathrm{pass}.\alpha \subseteq \mathrm{pass}.\beta$
  ≡ { property of min, $\mathrm{pass}.\alpha$ is $\sqsubseteq$-upward closed (Property 4.4) }
    $\min(\mathrm{pass}.\alpha) \sqsupseteq \min(\mathrm{pass}.\beta)$
  ≡ { definition of $\sim$ }
    $\sim\alpha \sqsupseteq \sim\beta$

□

Reflection is an involution:

4.10 Property We have $\sim\sim\alpha = \alpha$.


Proof We derive

  { Property 4.2 applied to $\alpha$ and $\sim\alpha$ }
  { Property 4.5 }
  { Property 4.9 }
  { antisymmetry of $\sqsubseteq$ }

□

4.11 Corollary Reflection is an isomorphism between $(A; \sqsubseteq)$ and $(A; \sqsupseteq)$. □

4.12 Note So far, we have not used associativity of $\parallel$. □

We now prove a property that enables us to solve inequations of the form $\alpha \parallel \beta \sqsupseteq \gamma$ for $\alpha$. It is called a factorization formula because it shows how $\beta$ may be factored out of $\gamma$. We will come back to this important property in Section 6.

4.13 Property (Factorization Formula) We have

$\alpha \parallel \beta \sqsupseteq \gamma \equiv \alpha \sqsupseteq \sim(\beta \parallel \sim\gamma)$.

Proof We derive

    $\alpha \parallel \beta \sqsupseteq \gamma$
  ≡ { Corollary 4.8, using $\gamma = \sim\sim\gamma$ (Property 4.10) }
    $(\alpha \parallel \beta) \parallel \sim\gamma \sqsupseteq \sim 0$
  ≡ { associativity of $\parallel$ }
    $\alpha \parallel (\beta \parallel \sim\gamma) \sqsupseteq \sim 0$
  ≡ { Corollary 4.8 }
    $\alpha \sqsupseteq \sim(\beta \parallel \sim\gamma)$

□

The Factorization Formula is a Galois connection. It shows that for each $\beta$ the functions $\_ \parallel \beta$ and $\sim(\beta \parallel \sim\_)$ form a Galois pair.

Now we are in a position to prove

4.14 Property Composition operator $\parallel$ is $\sqcap$-continuous (distributes over arbitrary $\sqcap$), that is, for $W \subseteq A$ we have


$\alpha \parallel \sqcap W = \sqcap\{\beta : \beta \in W : \alpha \parallel \beta\}$.

Proof Let $W$ be a subset of $A$. It suffices to prove that for all $\gamma$ we have

$\alpha \parallel \sqcap W \sqsupseteq \gamma \equiv \sqcap\{\beta : \beta \in W : \alpha \parallel \beta\} \sqsupseteq \gamma$.

We derive

    $\alpha \parallel \sqcap W \sqsupseteq \gamma$
  ≡ { Factorization Formula (Property 4.13) }
    $\sqcap W \sqsupseteq \sim(\alpha \parallel \sim\gamma)$
  ≡ { property of $\sqcap$ }
    $(\forall \beta : \beta \in W : \beta \sqsupseteq \sim(\alpha \parallel \sim\gamma))$
  ≡ { Factorization Formula }
    $(\forall \beta : \beta \in W : \alpha \parallel \beta \sqsupseteq \gamma)$
  ≡ { property of $\sqcap$ }
    $\sqcap\{\beta : \beta \in W : \alpha \parallel \beta\} \sqsupseteq \gamma$

□

4.15 Corollary Composition operator $\parallel$ is $\sqsubseteq$-monotonic. □

4.16 Example Composition operator $\parallel$ does not distribute over $\sqcup$, as is seen in

Neither $\sqcap$ nor $\sqcup$ distributes over $\parallel$. Here is a counterexample for $\sqcap$:

The same choice of operands provides a counterexample for $\sqcup$. □

Finally, reflection does not distribute over $\parallel$. For if this were the case then all link statuses of the form $\alpha \parallel \sim\alpha$ would be self-dual, since $\parallel$ is commutative and $\sim$ is an involution. But there are no self-dual link statuses in $A$ at all (see Table 3). □

Pointwise extension to CSF

We extend $\sqsubseteq$ and $\sim$ to $\mathcal{LSF}$ by pointwise application. Hence, $(\mathcal{LSF}; \sqsubseteq)$ is also a complete lattice and it is isomorphic to its converse via $\sim$. Obviously, the Factorization Formula also applies to composition $\parallel$ on $\mathcal{LSF}$ and this composition is also $\sqcap$-continuous. We can now reformulate Property 4.1, giving alternative expressions for the correctness predicate and the testing relation on SYS. Observe that in the expression for pass we profit again from the presence of $\top$ in $A$, which made reflection possible.

4.17 Theorem For systems $S$ and $T$ we have

$\mathrm{Correct}.S \equiv L.S \sqsupseteq \sim 0_\Sigma$,
$S \mathrel{\mathrm{pass}} T \equiv L.S \sqsupseteq \sim L.T$.

Proof The second equivalence follows from Properties 4.1 and 4.5. The first equivalence follows from the second and Property 3.3 by observing $\mathrm{Correct}.S \equiv S \mathrel{\mathrm{pass}} [\,]$. □

In fact, we no longer need to analyze Correct directly since by now we know so much about


$L.S \sqsupseteq L.T \Rightarrow S \mathrel{\mathrm{sat}} T$,
$L.S = L.T \Rightarrow S \mathrel{\mathrm{equ}} T$.

4.19 Note In the proof of the preceding corollary, both transitivity and antisymmetry of $\sqsubseteq$ are of importance. □

On account of Corollary 4.18 and Property 3.3, $L$ may be viewed as an equ-respecting abstraction function, because $\sim_L$ is a congruence relation on (SYS; par, sat) with $\sim_L \subseteq \mathrm{equ}$. But it is not a full abstraction because the converse implications of the corollary do not hold in general.

4.20 Example Consider processes $P$ and $Q$, and systems $S$ and $T$ defined by

$P = (\emptyset, \{a\})$, $Q = (\emptyset, \{b\})$, $S = [P, P]$, $T = [Q, Q]$.

On the one hand we have $S \mathrel{\mathrm{equ}} T$ because the pass-sets of both $S$ and $T$ are empty due to output conflicts. On the other hand we have $L.S \neq L.T$ because, for instance, $L.S.a = \bot$ and $L.T.a = 0$. □
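As an added example (not part of Verhoeff's note), the following Python code implements the six-element link status algebra A and the composition table of Section 3, the mappings l and L, and derives the pass-sets, the order ⊑ and reflection of Section 4 from that table rather than from Tables 2 and 3; it checks Properties 3.2, 4.5, 4.6 and 4.10 by brute force and recomputes Example 2.1 (the closing environment process E is a constructed assumption), Theorem 3.4, Example 4.20 and the mapping [_] of Section 5. The ASCII status names and the use of a Counter as a finite bag are assumptions of this example.

```python
from collections import Counter
from itertools import product

# Link statuses of Section 3 in ASCII: BOT is ⊥ (abused), INT is • (internal),
# IN is ? (external input), OUT is ! (external output), NIL is 0 (unused),
# TOP is ⊤ (miraculous).
BOT, INT, IN, OUT, NIL, TOP = "bot", "int", "in", "out", "nil", "top"
A = (BOT, INT, IN, OUT, NIL, TOP)

def comp(x, y):
    """Composition || on A (Table 1): 0 is the unit, T the zero, ? || ! = •,
    and any other meeting of two used statuses is abuse."""
    if x == TOP or y == TOP:
        return TOP
    if x == NIL:
        return y
    if y == NIL:
        return x
    return INT if {x, y} == {IN, OUT} else BOT

def correct_a(x):
    """Correct_A (Section 4): a link is fine unless abused or dangling."""
    return x not in (BOT, IN, OUT)

def pass_a(x, y):
    """x pass_A y  ≡  Correct_A.(x || y)."""
    return correct_a(comp(x, y))

def pass_set(x):
    return frozenset(y for y in A if pass_a(x, y))

def below(x, y):
    """x ⊑_A y  ≡  pass.x ⊆ pass.y (the converse of sat_A)."""
    return pass_set(x) <= pass_set(y)

def reflect(x):
    """~x, the ⊑-minimum of pass.x (Table 3); ⊤ is there so that pass.⊥ ≠ ∅."""
    mins = [y for y in pass_set(x) if all(below(y, z) for z in pass_set(x))]
    assert len(mins) == 1, "each pass-set has a unique minimum"
    return mins[0]

def check_algebra():
    """Brute-force check of Properties 3.2, 4.5, 4.6 and 4.10 over all of A."""
    pairs, triples = list(product(A, A)), list(product(A, A, A))
    return (all(comp(x, y) == comp(y, x) for x, y in pairs)
            and all(comp(comp(x, y), z) == comp(x, comp(y, z)) for x, y, z in triples)
            and all(comp(x, NIL) == x and comp(x, TOP) == TOP for x in A)
            and all((comp(x, y) == TOP) == (x == TOP or y == TOP) for x, y in pairs)
            and all(comp(comp(x, x), x) == comp(x, x) for x in A)
            and all(pass_a(x, y) == below(reflect(y), x) for x, y in pairs)  # 4.5
            and all(correct_a(x) == below(reflect(NIL), x) for x in A)       # 4.6
            and all(reflect(reflect(x)) == x for x in A))                    # 4.10

# A process is a pair (inputs, outputs) of disjoint alphabets (Section 2);
# a system is a bag of processes, represented here as a Counter.
def process(inputs, outputs):
    i, o = frozenset(inputs), frozenset(outputs)
    assert not (i & o), "input and output ports must be disjoint"
    return (i, o)

def l_process(p, a):
    """l.P.a: ? on an input port, ! on an output port, 0 elsewhere."""
    i, o = p
    return IN if a in i else OUT if a in o else NIL

def L(s):
    """L.S = ||[P : S.P : l.P], multiplicities included, on the links that
    occur in S (every other link has status 0 and is left out)."""
    links = set().union(*(i | o for (i, o) in s))
    statuses = {}
    for a in sorted(links):
        st = NIL
        for p, n in s.items():
            for _ in range(n):
                st = comp(st, l_process(p, a))
        statuses[a] = st
    return statuses

def correct(s):
    """Theorem 3.4: Correct.S  ≡  (∀a :: L.S.a ∉ {⊥, ?, !})."""
    return all(correct_a(st) for st in L(s).values())

def passes(s, t):
    """S pass T  ≡  Correct.(S par T); par is bag summation, i.e. Counter +."""
    return correct(s + t)

def abstract(s):
    """[S] of Section 5: ⊥_Σ if some link is abused, otherwise L.S."""
    return "BOT_SIGMA" if BOT in L(s).values() else L(s)

def example_2_1():
    """S = [P, Q, R] of Example 2.1, plus a constructed environment E (not in
    the note) that drives S's external inputs and terminates its outputs."""
    P = process({"a0", "a1", "b1"}, {"b0", "b2"})
    Q = process({"b0", "b3"}, {"b1", "c0"})
    R = process({"a2", "b2"}, {"b3", "c1"})
    E = process({"c0", "c1"}, {"a0", "a1", "a2"})
    return Counter([P, Q, R]), Counter([E])

def example_4_20():
    """S = [P, P] and T = [Q, Q]: equivalent (both fail every test), yet L.S ≠ L.T."""
    P, Q = process(set(), {"a"}), process(set(), {"b"})
    return Counter([P, P]), Counter([Q, Q])
```

Running `L` on the Example 2.1 system yields four internal, three external-input and two external-output links, `correct` is false for S alone and true for S composed with E, and `abstract` maps both systems of Example 4.20 to the same object although their L-images differ.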

5 Construction of Fully Abstract Model

So far we have looked at pointwise aspects of correctness only. In this section we tie these aspects together and develop them into a fully abstract model (cf. Theorem 5.19).

Under a full abstraction, all equivalent systems should be identified, i.e., mapped into the same object. For these fully abstract objects we intend to use certain members of $\mathcal{LSF}$. At the end of the preceding section we observed that $L$ is an abstraction function but not a full abstraction. All malformed systems fail every test and, hence, are equivalent. Nevertheless, $L$-images of malformed systems may differ. It turns out that failure to identify malformed systems is the only deficiency that keeps $L$ from being a full abstraction.

Therefore, let us consider the mapping $\llbracket\_\rrbracket : \mathit{SYS} \to \mathcal{LSF}$ defined by
$$\llbracket S \rrbracket = \begin{cases} \bot_\Sigma & \text{if } (\exists a :: L.S.a = \bot)\,, \\ L.S & \text{otherwise}\,, \end{cases}$$
as candidate for a full abstraction. It identifies all malformed systems by mapping them into $\bot_\Sigma$. We intend to take $\sqsupseteq$ as fully abstract counterpart of $\mathit{sat}$. This requires us to show
$$S \;\mathit{sat}\; T \;\equiv\; \llbracket S \rrbracket \sqsupseteq \llbracket T \rrbracket\,.$$
Furthermore, we need to define a fully abstract counterpart of $\mathit{par}$ on the image space of $\mathit{SYS}$ under $\llbracket\_\rrbracket$. We postpone composition for a while and concentrate on the first obligation.

Satisfaction

The definition of $\llbracket\_\rrbracket$ can be rewritten in a way that facilitates generalization. We define the subset $\mathcal{LSF}_\bot$ of $\mathcal{LSF}$ by
$$p \in \mathcal{LSF}_\bot \;\equiv\; (\forall a, b : p.a = \bot : p.b = \bot)\,.$$
Notice that the defining predicate on the right-hand side is equivalent to $(\exists a :: p.a = \bot) \Rightarrow p = \bot_\Sigma$.

Let $\lfloor\_\rfloor$ be the downward projection induced by $\mathcal{LSF}_\bot$ in $(\mathcal{LSF}; \sqsubseteq)$ (see Appendix B), that is,
$$\lfloor p \rfloor = \bigsqcup \{ r : r \in \mathcal{LSF}_\bot \wedge r \sqsubseteq p : r \}\,.$$

5.1 Property For $p \in \mathcal{LSF}$ we have
$$\lfloor p \rfloor = \begin{cases} \bot_\Sigma & \text{if } (\exists a :: p.a = \bot)\,, \\ p & \text{otherwise}\,. \end{cases}$$

Proof If $(\exists a :: p.a = \bot)$ then $\{ r : r \in \mathcal{LSF}_\bot \wedge r \sqsubseteq p : r \} = \{\bot_\Sigma\}$ and, hence, $\lfloor p \rfloor = \bot_\Sigma$ in this case; otherwise, $p \in \mathcal{LSF}_\bot$ and, hence, $\lfloor p \rfloor = p$. □

5.2 Corollary For system $S$ we have $\llbracket S \rrbracket = \lfloor L.S \rfloor$.

From now on we refer to Corollary 5.2 as the definition of $\llbracket\_\rrbracket$.

In this section we work backwards, that is, we state important theorems early and in their proofs make forward references to lemmata proved later. This way we can directly motivate our interest in certain properties of $\mathcal{LSF}_\bot$ and $\lfloor\_\rfloor$.

Predicate $\mathit{Correct}$ and relations $\mathit{pass}$, $\mathit{sat}$ and $\mathit{equ}$ may be characterized in terms of $\llbracket\_\rrbracket$.

5.3 Theorem For systems $S$ and $T$ we have
$$\mathit{Correct}.S \;\equiv\; \llbracket S \rrbracket \sqsupseteq {\sim}0_\Sigma\,,$$
$$S \;\mathit{pass}\; T \;\equiv\; \llbracket S \rrbracket \sqsupseteq {\sim}\llbracket T \rrbracket\,,$$
$$S \;\mathit{sat}\; T \;\equiv\; \llbracket S \rrbracket \sqsupseteq \llbracket T \rrbracket\,,$$
$$S \;\mathit{equ}\; T \;\equiv\; \llbracket S \rrbracket = \llbracket T \rrbracket\,.$$

Proof We derive the first equivalence.

$\mathit{Correct}.S$
$\equiv$ { Theorem 4.17 }
$L.S \sqsupseteq {\sim}0_\Sigma$
$\equiv$ { property of $\lfloor\_\rfloor$ (for $r \in \mathcal{LSF}_\bot$: $x \sqsupseteq r \equiv \lfloor x \rfloor \sqsupseteq r$), using ${\sim}0_\Sigma \in \mathcal{LSF}_\bot$ }
$\lfloor L.S \rfloor \sqsupseteq {\sim}0_\Sigma$
$\equiv$ { definition of $\llbracket S \rrbracket$ }
$\llbracket S \rrbracket \sqsupseteq {\sim}0_\Sigma$

We derive the second equivalence.

$S \;\mathit{pass}\; T$
$\equiv$ { Theorem 4.17 }
$L.S \sqsupseteq {\sim}L.T$
$\equiv$ { property of $\lfloor\_\rfloor$, using ${\sim}L.T \in \mathcal{LSF}_\bot$ on account of Lemma 5.4 below }
$\lfloor L.S \rfloor \sqsupseteq {\sim}L.T$
$\equiv$ { reflection reverses the order }
${\sim}\lfloor L.S \rfloor \sqsubseteq L.T$
$\equiv$ { property of $\lfloor\_\rfloor$, using ${\sim}\lfloor L.S \rfloor \in \mathcal{LSF}_\bot$ on account of Lemma 5.5 below }
${\sim}\lfloor L.S \rfloor \sqsubseteq \lfloor L.T \rfloor$
$\equiv$ { reflection reverses the order, and definition of $\llbracket\_\rrbracket$ }
$\llbracket S \rrbracket \sqsupseteq {\sim}\llbracket T \rrbracket$

We derive the third equivalence.

$S \;\mathit{sat}\; T$
$\equiv$ { definition of $\mathit{sat}$ }
$(\forall U : T \;\mathit{pass}\; U : S \;\mathit{pass}\; U)$
$\equiv$ { second equivalence }
$(\forall U : \llbracket T \rrbracket \sqsupseteq {\sim}\llbracket U \rrbracket : \llbracket S \rrbracket \sqsupseteq {\sim}\llbracket U \rrbracket)$
$\equiv$ { Note below for '$\Rightarrow$'; transitivity of $\sqsupseteq$ for '$\Leftarrow$' }
$\llbracket S \rrbracket \sqsupseteq \llbracket T \rrbracket$

Note: If $\llbracket T \rrbracket = \bot_\Sigma$ then we are done, because $\bot_\Sigma$ is the least element in $\mathcal{LSF}$. If $\llbracket T \rrbracket \neq \bot_\Sigma$ then, on account of Lemma 5.6 below, we can instantiate $U$ such that $\llbracket U \rrbracket = {\sim}\llbracket T \rrbracket$. The desired result now is a consequence of ${\sim}{\sim}p = p$ and reflexivity of $\sqsupseteq$.

The fourth equivalence follows from the third and antisymmetry of $\sqsupseteq$. □

On account of this theorem, $\llbracket\_\rrbracket$ may be viewed as a full abstraction. However, we still have three proof obligations to take care of. The first one is to show that for all systems $T$ we have ${\sim}L.T \in \mathcal{LSF}_\bot$. Let us define $\mathcal{LSF}_\top$ as the subset of $\mathcal{LSF}$ satisfying
$$p \in \mathcal{LSF}_\top \;\equiv\; (\forall a, b : p.a = \top : p.b = \top)\,.$$
Note that $\mathcal{LSF}_\bot$ and $\mathcal{LSF}_\top$ are each other's dual in the sense that
$$p \in \mathcal{LSF}_\top \;\equiv\; {\sim}p \in \mathcal{LSF}_\bot\,.$$
We now prove

5.4 Lemma For system $S$ we have $L.S \in \mathcal{LSF}_\top$.

Proof From Property 3.3 follows $L.S.a \neq \top$ for any $a$ and, hence, $L.S \in \mathcal{LSF}_\top$. □

After dualization, the second obligation is to show $\lfloor L.S \rfloor \in \mathcal{LSF}_\top$. We prove

5.5 Lemma For LSF $p$ in $\mathcal{LSF}_\top$ we have $\lfloor p \rfloor \in \mathcal{LSF}_\top$. Hence, for system $S$ we have $\llbracket S \rrbracket \in \mathcal{LSF}_\top$.

Proof For symbol $a$ we derive

$\lfloor p \rfloor.a = \top$
$\Rightarrow$ { $\lfloor p \rfloor \sqsubseteq p$ and $\top = \max A$ }
$p.a = \top$
$\Rightarrow$ { $p \in \mathcal{LSF}_\top$ }
$p = \top_\Sigma$
$\Rightarrow$ { $\top_\Sigma \in \mathcal{LSF}_\bot$, property of $\lfloor\_\rfloor$ }
$\lfloor p \rfloor = \top_\Sigma$

The second part follows from the first and Lemma 5.4. □

Our third obligation is to show that for each system $T$ with $\llbracket T \rrbracket \neq \bot_\Sigma$ there exists a system $U$ such that $\llbracket U \rrbracket = {\sim}\llbracket T \rrbracket$. This may be expressed concisely as
$${\sim}(\llbracket \mathit{SYS} \rrbracket \setminus \{\bot_\Sigma\}) \subseteq \llbracket \mathit{SYS} \rrbracket\,,$$
where ${\sim}$ and $\llbracket\_\rrbracket$ applied to a set of LSFs yield the set of all images of its members. In fact, we can show the following stronger result. Define $\mathcal{LSF}'$ and $\mathcal{LSF}''$ by
$$\mathcal{LSF}' = \mathcal{LSF}_\bot \cap \mathcal{LSF}_\top\,,$$
$$\mathcal{LSF}'' = \mathcal{LSF}' \setminus \{\top_\Sigma\}\,.$$

5.6 Lemma We have $\llbracket \mathit{SYS} \rrbracket = \mathcal{LSF}''$.

Proof We infer
$$\llbracket \mathit{SYS} \rrbracket \subseteq \mathcal{LSF}_\top\,,\qquad \llbracket \mathit{SYS} \rrbracket \subseteq \mathcal{LSF}_\bot\,,\qquad \top_\Sigma \notin \llbracket \mathit{SYS} \rrbracket\,,\qquad \llbracket \mathit{SYS} \rrbracket \supseteq \mathcal{LSF}''$$
from Lemmata 5.5, 5.7, 5.8, and 5.9 respectively (the latter three occur below). □

5.7 Lemma $\mathcal{LSF}_\top$ is $\sqcap$-complete in $(\mathcal{LSF}; \sqsubseteq)$ (cf. Appendix A) and, hence, $\mathcal{LSF}_\bot$ is $\sqcup$-complete. Consequently, $\lfloor\_\rfloor$ maps into $\mathcal{LSF}_\bot$ and, hence, $\llbracket\_\rrbracket$ also.

Proof Let $W$ be a subset of $\mathcal{LSF}_\top$. We derive for symbols $a$ and $b$:

$(\sqcap W).a = \top$
$\equiv$ { $\sqcap$ taken pointwise }
$\sqcap \{ p : p \in W : p.a \} = \top$
$\equiv$ { property of $\sqcap$, using $\top = \max A$ }
$(\forall p : p \in W : p.a = \top)$
$\equiv$ { $W \subseteq \mathcal{LSF}_\top$ }
$(\forall p : p \in W : p.b = \top)$
$\equiv$ { roll back }
$(\sqcap W).b = \top$

Hence, $\sqcap W \in \mathcal{LSF}_\top$. □

5.8 Lemma For LSF $p$ we have
$$\lfloor p \rfloor = \top_\Sigma \;\equiv\; p = \top_\Sigma\,.$$
For system $S$ we have $\llbracket S \rrbracket \neq \top_\Sigma$.

Proof We derive the first part.

$\lfloor p \rfloor = \top_\Sigma$
$\equiv$ { $\top_\Sigma = \max \mathcal{LSF}$ }
$\lfloor p \rfloor \sqsupseteq \top_\Sigma$
$\equiv$ { property of $\lfloor\_\rfloor$, using $\top_\Sigma \in \mathcal{LSF}_\bot$ }
$p \sqsupseteq \top_\Sigma$
$\equiv$ { $\top_\Sigma = \max \mathcal{LSF}$ }
$p = \top_\Sigma$

The second part now follows from the first and Property 3.3, which implies $L.S \neq \top_\Sigma$. □

5.9 Lemma For all LSFs $p$ in $\mathcal{LSF}''$ there exists a system $S$ such that $\llbracket S \rrbracket = p$.

Proof We construct a mapping $\mathit{inv} : \mathcal{LSF}'' \to \mathit{SYS}$ such that $\llbracket \mathit{inv}.p \rrbracket = p$ for $p \in \mathcal{LSF}''$. Let $p \in \mathcal{LSF}''$. Therefore, for all symbols $a$, we have $p.a \neq \top$. Define system $\mathit{inv}.p$ as $[P, Q]$, where processes $P$ and $Q$ are given by
$$P = (\{ a : p.a = {?} : a \},\ \{ a : p.a \in \{ {!}, {+}, \bot \} : a \})\,,$$
$$Q = (\{ a : p.a = {+} : a \},\ \{ a : p.a = \bot : a \})\,.$$
Thus $P$ supplies external inputs and outputs, and outputs for internal and conflicting links, whereas $Q$ supplies inputs for internal links and outputs for conflicting links. On account of $p \in \mathcal{LSF}''$ we have $I.P \parallel I.Q = p$ and, hence, $L.(\mathit{inv}.p) = p$. Since $p \in \mathcal{LSF}_\bot$ as well, we have $\lfloor p \rfloor = p$ and therefore $\llbracket \mathit{inv}.p \rrbracket = p$. □

5.10 Note In the above proof there are many choices for system $S$ such that $\llbracket S \rrbracket = p$. If $p$ has neither conflicting nor internal links, then process $Q$ as defined above equals $(\emptyset, \emptyset)$ and may be omitted; otherwise, at least two processes are required in $S$.

The construction given in the above proof may be applied to arbitrary LSFs, thereby extending $\mathit{inv}$. For $p \in \mathcal{LSF}_\top \setminus \{\top_\Sigma\}$ we then have $L.(\mathit{inv}.p) = p$. This is no longer the case when behavior is included. □
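As an added worked instance of the construction in the proof of Lemma 5.9 and of its extension in Note 5.10 (an example added here, not part of the original paper), take four distinct symbols $a, b, c, d \in \Sigma$ and the LSF $p$ with
$$p.a = {+}\,,\qquad p.b = {?}\,,\qquad p.c = {!}\,,\qquad p.d = 0\,,$$
and $p.x = 0$ for every other symbol $x$. The computation assumes, beyond what this page states, that $I.P$ assigns ${?}$ to the inputs of a process $P$, ${!}$ to its outputs and $0$ to every other symbol, and that on $A$ the unit $0$ satisfies $0 \parallel x = x$, that ${?} \parallel {!} = {+}$ (an output-to-input connection), and that ${!} \parallel {!} = \bot$ (the output conflict of Example 4.20). Since $p$ contains neither $\top$ nor $\bot$, we have $p \in \mathcal{LSF}''$, and the construction gives
$$P = (\{b\}, \{a, c\})\,,\qquad Q = (\{a\}, \emptyset)\,,$$
so that
$$I.P.a = {!}\,,\; I.P.b = {?}\,,\; I.P.c = {!}\,,\; I.P.d = 0\,,\qquad I.Q.a = {?}\,,\; I.Q.b = I.Q.c = I.Q.d = 0\,,$$
and hence, pointwise,
$$(I.P \parallel I.Q).a = {!} \parallel {?} = {+}\,,\quad (I.P \parallel I.Q).b = {?} \parallel 0 = {?}\,,\quad (I.P \parallel I.Q).c = {!} \parallel 0 = {!}\,,\quad (I.P \parallel I.Q).d = 0\,,$$
that is, $L.(\mathit{inv}.p) = p$. As $p$ has no $\bot$-link, Property 5.1 gives $\lfloor p \rfloor = p$, whence $\llbracket \mathit{inv}.p \rrbracket = p$. Here $Q$ has no outputs, because $p$ has no conflicting link.

Now change one link: let $p'$ agree with $p$ except that $p'.d = \bot$. Then $p' \in \mathcal{LSF}_\top \setminus \{\top_\Sigma\}$, but $p' \notin \mathcal{LSF}_\bot$ (it has one $\bot$-link next to non-$\bot$ links), so $p' \notin \mathcal{LSF}''$. The extended construction of Note 5.10 yields
$$P' = (\{b\}, \{a, c, d\})\,,\qquad Q' = (\{a\}, \{d\})\,,$$
and $(I.P' \parallel I.Q').d = {!} \parallel {!} = \bot$ while the other links are as before, so $L.(\mathit{inv}.p') = p'$, as Note 5.10 states. But $\llbracket \mathit{inv}.p' \rrbracket = \lfloor p' \rfloor = \bot_\Sigma \neq p'$ by Property 5.1: the system $\mathit{inv}.p'$ is malformed and is identified with every other malformed system. This is exactly why Lemma 5.9 is restricted to $\mathcal{LSF}''$, and why $L$ alone is not a full abstraction.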

5.11 Corollary For system $S$ we have $S \;\mathit{equ}\; \mathit{inv}.\llbracket S \rrbracket$.

Proof We derive

$\mathit{inv}.\llbracket S \rrbracket \;\mathit{equ}\; S$
$\equiv$ { Theorem 5.3 }
$\llbracket \mathit{inv}.\llbracket S \rrbracket \rrbracket = \llbracket S \rrbracket$
$\equiv$ { Lemma 5.9 }
$\mathit{true}$

□

We have now fulfilled our proof obligations concerning satisfaction. Next we consider

Composition

Given Lemma 5.9, it is straightforward to give a definition for the fully abstract counterpart of $\mathit{par}$ on $\mathcal{LSF}''$: define binary operator $\parallel'$ on $\mathcal{LSF}''$ by
$$p \parallel' q = \llbracket \mathit{inv}.p \;\mathit{par}\; \mathit{inv}.q \rrbracket\,.$$
(The prime distinguishes this operator from the pointwise composition $\parallel$ on $\mathcal{LSF}$.)

5.12 Lemma $(\mathcal{LSF}''; \parallel', \sqsupseteq)$ is an algebra with the same signature as $(\mathit{SYS}; \mathit{par}, \mathit{sat})$. Furthermore, mapping $\llbracket\_\rrbracket$ is compatible with composition ($\mathit{par}$ and $\parallel'$).

Proof All that is left to check for the first proposition is that $\parallel'$ is an operator on $\mathcal{LSF}''$, which it obviously is. Next we derive compatibility of $\llbracket\_\rrbracket$ with composition:

$\llbracket S \;\mathit{par}\; T \rrbracket = \llbracket S \rrbracket \parallel' \llbracket T \rrbracket$
$\equiv$ { definition of $\parallel'$ }
$\llbracket S \;\mathit{par}\; T \rrbracket = \llbracket \mathit{inv}.\llbracket S \rrbracket \;\mathit{par}\; \mathit{inv}.\llbracket T \rrbracket \rrbracket$
$\equiv$ { Theorem 5.3 }
$S \;\mathit{par}\; T \;\mathit{equ}\; \mathit{inv}.\llbracket S \rrbracket \;\mathit{par}\; \mathit{inv}.\llbracket T \rrbracket$
$\equiv$ { Corollary 5.11, $\mathit{equ}$ is a congruence w.r.t. $\mathit{par}$ }
$\mathit{true}$

□

The main result of this section (Theorem 5.19 below) may now be proven, and the reader can skip the remainder of this subsection, which presents an alternative definition of $\parallel'$.

Our current definition of $\parallel'$ is rather cumbersome, since it works via $\mathit{SYS}$. We can rewrite it as follows.

$\llbracket \mathit{inv}.p \;\mathit{par}\; \mathit{inv}.q \rrbracket$
$=$ { definition of $\llbracket\_\rrbracket$ }
$\lfloor L.(\mathit{inv}.p \;\mathit{par}\; \mathit{inv}.q) \rfloor$
$=$ { Property 3.3 }
$\lfloor L.(\mathit{inv}.p) \parallel L.(\mathit{inv}.q) \rfloor$
$=$ { see proof of Lemma 5.9 }
$\lfloor p \parallel q \rfloor$

For arbitrary LSFs $p$ and $q$, we now define $p \parallel' q$ by
$$p \parallel' q = \lfloor p \parallel q \rfloor\,.$$
We need to show that the restriction of $\parallel'$ to $\mathcal{LSF}''$ is an operator on the latter and that $\llbracket\_\rrbracket$ is compatible with it. We show a little more. (The role of $\mathcal{LSF}'$ will be explained in Section 6.)

5.13 Lemma $(\mathcal{LSF}'; \parallel', \sqsupseteq)$ and $(\mathcal{LSF}''; \parallel', \sqsupseteq)$ are algebras with the same signature as $(\mathit{SYS}; \mathit{par}, \mathit{sat})$.

Proof All we need to show is that $\mathcal{LSF}'$ and $\mathcal{LSF}''$ are closed under $\parallel'$.

Let $p$ and $q$ be LSFs in $\mathcal{LSF}'$ and, hence, in $\mathcal{LSF}_\top$. Lemma 5.14 below implies $p \parallel q \in \mathcal{LSF}_\top$. From Lemmata 5.5 and 5.7 we infer $\lfloor \mathcal{LSF}_\top \rfloor \subseteq \mathcal{LSF}'$ and, hence, $p \parallel' q \in \mathcal{LSF}'$.

Let $p$ and $q$ be LSFs in $\mathcal{LSF}''$. In view of the preceding, all that is left to show is

5.14 Lemma For $B$ a countable bag over $\mathcal{LSF}_\top$ we have $\parallel B \in \mathcal{LSF}_\top$ and, furthermore,
$$\parallel B = \top_\Sigma \;\equiv\; \top_\Sigma \in B\,.$$

Proof Let $B$ be a countable bag over $\mathcal{LSF}_\top$. We derive for symbol $a$:

$(\parallel B).a = \top$
$\equiv$ { definition of $\parallel$ for bags over $\mathcal{LSF}$ }
$\parallel [\, p : B.p : p.a \,] = \top$
$\equiv$ { Property 3.2: $\parallel$ on $A$ has no zero divisors }
$(\exists p : p \in B : p.a = \top)$

Both propositions now follow from the fact that $B$ is a bag over $\mathcal{LSF}_\top$. □

5.15 Lemma Mapping $\llbracket\_\rrbracket$ is compatible with composition ($\mathit{par}$ and $\parallel'$), that is,
$$\llbracket S \;\mathit{par}\; T \rrbracket = \llbracket S \rrbracket \parallel' \llbracket T \rrbracket\,.$$

Proof For systems $S$ and $T$ we derive

$\llbracket S \;\mathit{par}\; T \rrbracket$
$=$ { definition of $\llbracket\_\rrbracket$ }
$\lfloor L.(S \;\mathit{par}\; T) \rfloor$
$=$ { Property 3.3 }
$\lfloor L.S \parallel L.T \rfloor$
$=$ { definition of $\parallel'$ }
$L.S \parallel' L.T$
$=$ { Lemma 5.16 below, using Lemmata 5.4 and 5.5 }
$\lfloor L.S \rfloor \parallel' \lfloor L.T \rfloor$
$=$ { definition of $\llbracket\_\rrbracket$ }
$\llbracket S \rrbracket \parallel' \llbracket T \rrbracket$

□

5.16 Lemma For LSFs $p$ and $q$ with $q \in \mathcal{LSF}_\top$ we have
$$p \parallel' q = \lfloor p \rfloor \parallel' q\,.$$

Proof On account of the definition of $\parallel'$ we need to show
$$\lfloor p \parallel q \rfloor = \lfloor \lfloor p \rfloor \parallel q \rfloor\,.$$
For $r \in \mathcal{LSF}_\bot$ we derive

$p \parallel q \sqsupseteq r$
$\equiv$ { Factorization Formula applied pointwise (Property 4.13) }
$p \sqsupseteq {\sim}(q \parallel {\sim}r)$
$\equiv$ { property of $\lfloor\_\rfloor$, using ${\sim}(q \parallel {\sim}r) \in \mathcal{LSF}_\bot$ on account of $q \in \mathcal{LSF}_\top$, $r \in \mathcal{LSF}_\bot$, and Lemma 5.14 }
$\lfloor p \rfloor \sqsupseteq {\sim}(q \parallel {\sim}r)$
$\equiv$ { Factorization Formula applied pointwise }
$\lfloor p \rfloor \parallel q \sqsupseteq r$

Application of the definition of $\lfloor\_\rfloor$ completes the proof. □

5.17 Corollary Composition operator $\parallel'$ is associative on $\mathcal{LSF}_\top$.

Proof We derive

$(p \parallel' q) \parallel' r$
$=$ { definition of $\parallel'$ }
$\lfloor \lfloor p \parallel q \rfloor \parallel r \rfloor$
$=$ { Lemma 5.16, using $r \in \mathcal{LSF}_\top$ }
$\lfloor (p \parallel q) \parallel r \rfloor$

Associativity of $\parallel'$ now follows from associativity of $\parallel$. □

5.18 Example The condition $q \in \mathcal{LSF}_\top$ in Lemma 5.16 and Corollary 5.17 is crucial. Let $a$ be a symbol in $\Sigma$ (and let $\Sigma$ contain at least one other symbol), and consider LSFs $p$ and $q$ defined by
$$p.c = \begin{cases} \bot & \text{if } c = a\,, \\ 0 & \text{otherwise}\,, \end{cases}\qquad q.c = \begin{cases} \top & \text{if } c = a\,, \\ 0 & \text{otherwise}\,. \end{cases}$$
Then we have $p \in \mathcal{LSF}_\top$, $q \notin \mathcal{LSF}_\top$, and
$$p \parallel' q = \lfloor p \parallel q \rfloor = \lfloor q \rfloor = q \;\neq\; \bot_\Sigma = \lfloor \bot_\Sigma \parallel q \rfloor = \bot_\Sigma \parallel' q = \lfloor p \rfloor \parallel' q\,.$$
□

Fully abstract model and summary of construction

We now have all the ingredients for a fully abstract model.

5.19 Theorem Algebras $(\mathit{SYS}; \mathit{sat}, \mathit{par})/\mathit{equ}$ and $(\mathcal{LSF}''; \sqsupseteq, \parallel')$ are isomorphic.

Proof $(\mathcal{LSF}''; \parallel', \sqsupseteq)$ is an algebra according to Lemma 5.12 (or 5.13). On account of Theorem 5.3 and Lemma 5.12 (or 5.15), mapping $\llbracket\_\rrbracket$ is a homomorphism from $(\mathit{SYS}; \mathit{par}, \mathit{sat})$ to $(\mathcal{LSF}''; \parallel', \sqsupseteq)$. On account of Lemma 5.9 it is a surjection. From Theorem 5.3 also follows
$$\mathit{equ} = {\equiv}_{\llbracket\_\rrbracket}\,.$$
Now we can apply the Homomorphism Theorem to complete the proof. □

Let us summarize the key ingredients of the construction.

First we introduce the "mini" algebra $(A; \parallel, \sqsubseteq)$ and derive a number of general properties. Next we consider the function space $\mathcal{LSF} = \Sigma \to A$ and turn it into the algebra $(\mathcal{LSF}; \parallel, \sqsubseteq)$ by pointwise extension. It inherits many properties from the mini algebra. $\mathit{PROC}$ and $\mathit{SYS}$ are mapped into $\mathcal{LSF}$ via $I$ and $L$ respectively, translating the abstraction problem to $\mathcal{LSF}$.

The set $\mathcal{LSF}$ has to be reduced. We consider the predicate
$$p.a = \top \;\Rightarrow\; p.b = \top\,,$$
whose universal closure over $a$ and $b$ defines the subset $\mathcal{LSF}_\top$. $\mathcal{LSF}'$ is the intersection of $\mathcal{LSF}_\top$ and its reflection $\mathcal{LSF}_\bot$. Downward projection $\lfloor\_\rfloor$ onto $\mathcal{LSF}_\bot$ and full abstraction $\llbracket\_\rrbracket$ are defined. The following properties of $\mathcal{LSF}_\top$ are proved. For process $P$, countable bag $B$ over $\mathcal{LSF}_\top$, subset $W$ of $\mathcal{LSF}_\top$, LSF $p$ in $\mathcal{LSF}_\top$, and LSF $q$ in $\mathcal{LSF}' \setminus \{\top_\Sigma\}$ we have

(0) $\top_\Sigma \in \mathcal{LSF}'$ { used in Lemmata 5.5 and 5.8 }
(1) $0_\Sigma \in \mathcal{LSF}'$ { used in Theorem 5.3 }
(2) $I.P \in \mathcal{LSF}_\top$ { Property 3.3 }
(3) $I.P \neq \top_\Sigma$ { Property 3.3 }
(4) $\parallel B \in \mathcal{LSF}_\top$ { Lemma 5.14 }
(5) $\parallel B = \top_\Sigma \;\equiv\; \top_\Sigma \in B$ { Lemma 5.14 }
(6) $\sqcap W \in \mathcal{LSF}_\top$ { Lemma 5.7 }
(7) $\lfloor p \rfloor \in \mathcal{LSF}_\top$ { Lemma 5.5 }
(8) $(\exists S : S \in \mathit{SYS} : \llbracket S \rrbracket = q)$ { Lemma 5.9 }

The proofs rely on the specific form of the defining predicate for $\mathcal{LSF}_\top$. They need to be redone for each particular application, for example, when using other structural correctness concerns or when incorporating behavior. The following are general consequences of the definitions and the above properties; they need not be redone for other applications. For LSF $p$ in $\mathcal{LSF}_\top$ and system $S$ we have

(9) $L.S \in \mathcal{LSF}_\top$ { (2) and (4) above, def. $L.S$ }
(10) $L.S \neq \top_\Sigma$ { (3) and (5) above, def. $L.S$ }
(11) $\lfloor p \rfloor \in \mathcal{LSF}'$ { (6) and (7) above, def. $\lfloor p \rfloor$ }
(12) $\lfloor p \rfloor = \top_\Sigma \;\equiv\; p = \top_\Sigma$ { Lemma 5.8, uses (0) above }
(13) $\llbracket S \rrbracket \in \mathcal{LSF}'$ { (9) and (11), and def. $\llbracket S \rrbracket$ }
(14) $\llbracket S \rrbracket \neq \top_\Sigma$ { (10) and (12), and def. $\llbracket S \rrbracket$ }
(15) $\llbracket \mathit{SYS} \rrbracket = \mathcal{LSF}' \setminus \{\top_\Sigma\}$ { (8) above, (13), and (14) }

The fully abstract version of composition in $\mathcal{LSF}'$, i.e. $\parallel'$, is defined by
$$p \parallel' q = \lfloor p \parallel q \rfloor\,.$$
Property (1) above is also needed to show that $0_\Sigma$ is the unit of $\parallel'$ in $\mathcal{LSF}'$.

6 Discussion of Fully Abstract Model

In this section we investigate the fully abstract model. We list a couple of important properties enjoyed by this model, and we discuss the Factorization Formula and interpretations of greatest lower bounds.

Important properties

We have attempted to restrict ourselves to properties that do not mention the internal mathematical structure of the objects in the fully abstract model ($\mathcal{LSF}''$), that is, their being mappings from $\Sigma$ to $A$. These properties may be used as the beginning of an axiomatic characterization. We have not looked for a complete axiomatic characterization.

LSF $\top_\Sigma$ is included again, because the resulting algebra is much richer than $(\mathcal{LSF}''; \parallel', \sqsupseteq)$; that is, we investigate the algebra $(\mathcal{LSF}'; \parallel', \sqsupseteq, {\sim})$. Keep in mind, however, that $\top_\Sigma$ has no concrete counterpart in $\mathit{SYS}$. In this section, members of $\mathcal{LSF}'$ will be called abstract processes, or processes for short.

6.1 Property $(\mathcal{LSF}'; \sqsubseteq)$ is a complete lattice. There exist unique abstract processes $e$ and $z$ such that for all processes $p$, $q$, and $r$, and all sets $W$ of processes we have:

(0) $p \parallel' q = q \parallel' p$ ($\parallel'$ is commutative)
(1) $(p \parallel' q) \parallel' r = p \parallel' (q \parallel' r)$ ($\parallel'$ is associative)
(2) $p \parallel' e = p$ ($e$ is unit of $\parallel'$)
(3) $p \parallel' q = z \;\equiv\; p = z \vee q = z$ ($z$ is zero of $\parallel'$, no zero divisors)
(4) $p \neq z \;\Rightarrow\; p \parallel' {\sim}z = {\sim}z$ (${\sim}z$ is pseudo zero of $\parallel'$)
(5) $p \sqsupseteq q \;\equiv\; p \parallel' {\sim}q \sqsupseteq {\sim}e$ (relationship between $\parallel'$, ${\sim}$, $\sqsupseteq$)
(6) $p \parallel' \sqcap' W = \sqcap' \{ q : q \in W : p \parallel' q \}$ ($\parallel'$ is $\sqcap'$-continuous)
(7) ${\sim}{\sim}p = p$ (${\sim}$ is self-inverse)
(8) $p \sqsubseteq q \;\equiv\; {\sim}p \sqsupseteq {\sim}q$ (${\sim}$ reverses $\sqsubseteq$)
(9) $z = \sqcap' \emptyset$ ($z$ is maximum)
(10) $p \parallel' q \sqsupseteq r \;\equiv\; p \sqsupseteq {\sim}(q \parallel' {\sim}r)$ (Factorization Formula)

Proof $\mathcal{LSF}_\bot$ is $\sqcup$-complete and $\mathcal{LSF}_\top$ is $\sqcap$-complete in $(\mathcal{LSF}; \sqsubseteq)$ (Lemma 5.7). Furthermore, we have
$$(\forall p : p \in \mathcal{LSF}_\top : \lfloor p \rfloor \in \mathcal{LSF}_\top)$$
on account of Lemma 5.5. Hence (cf. the theorem on complete lattices in Appendix A), $(\mathcal{LSF}'; \sqsubseteq)$ is a complete lattice in which greatest lower bounds ($\sqcap'$) are computed as follows:
$$\sqcap' W = \lfloor \sqcap W \rfloor\,.$$
We take $e = 0_\Sigma$ and $z = \top_\Sigma$. Unicity follows from (2) and (3). We derive $\sqcap'$-continuity of $\parallel'$:

$p \parallel' \sqcap' W$
$=$ { definition of $\parallel'$, property of $\sqcap'$ }
$\lfloor p \parallel \lfloor \sqcap W \rfloor \rfloor$
$=$ { Lemma 5.16 (operands exchanged by commutativity of $\parallel$), using $p \in \mathcal{LSF}_\top$ }
$\lfloor p \parallel \sqcap W \rfloor$
$=$ { $\parallel$ is $\sqcap$-continuous (cf. Property 4.14) }
$\lfloor \sqcap \{ q : q \in W : p \parallel q \} \rfloor$
$=$ { Lemma 6.2 below }
$\lfloor \sqcap \{ q : q \in W : \lfloor p \parallel q \rfloor \} \rfloor$
$=$ { property of $\sqcap'$, definition of $\parallel'$ }
$\sqcap' \{ q : q \in W : p \parallel' q \}$

□

6.2 Lemma For subset $W$ of $\mathcal{LSF}$ we have
$$\lfloor \sqcap W \rfloor = \lfloor \sqcap \{ p : p \in W : \lfloor p \rfloor \} \rfloor\,.$$

Proof For $r \in \mathcal{LSF}_\bot$ we derive:

$\sqcap W \sqsupseteq r$
$\equiv$ { property of $\sqcap$ }
$(\forall p : p \in W : p \sqsupseteq r)$
$\equiv$ { property of $\lfloor\_\rfloor$, using $r \in \mathcal{LSF}_\bot$ }
$(\forall p : p \in W : \lfloor p \rfloor \sqsupseteq r)$
$\equiv$ { property of $\sqcap$ }
$\sqcap \{ p : p \in W : \lfloor p \rfloor \} \sqsupseteq r$

Application of the definition of $\lfloor\_\rfloor$ completes the proof. □

The properties listed above do not characterize the algebra completely (i.e. up to isomorphism), nor are they independent.

Factorization Formula

We now briefly discuss some aspects of the Factorization Formula. One application is as follows. Given to be implemented is some specification $r$. The implementor decides to attempt an implementation composing a known process $q$ (an educated guess) with some unknown process $p$ that still needs to be found. What would be an appropriate specification for $p$, given $q$ and $r$? The Factorization Formula yields ${\sim}(q \parallel' {\sim}r)$ as specification for $p$. In fact, this is the weakest specification for such a $p$: any acceptable solution $p$ will satisfy it. Thus, by using the Factorization Formula one does not exclude any solutions.

One may wonder what happens if the choice of $q$ was inappropriate for the given $r$. An inappropriate choice of $q$ leaves less room for choosing $p$. In the worst case $q \parallel' {\sim}r$ equals $\bot_\Sigma$. According to the Factorization Formula the specification for $p$ then is $\top_\Sigma$. The equation $p : p \sqsupseteq \top_\Sigma$ has $\top_\Sigma$ as its only solution. So what happens is that this choice of $q$ requires $p$ to be a "miracle". Thus, the presence of $\top_\Sigma$ in the abstract algebra is useful in that it enables us to express unsolvability of certain equations within the model.

Finally, it is worth noting that choosing $p$ equal to ${\sim}(q \parallel' {\sim}r)$ does not necessarily imply that $p \parallel' q$ then equals $r$. Reflection is not an inverse of composition in the usual sense. The best we can say is that $({\sim}(q \parallel' {\sim}r)) \parallel' q$ is at least as good as $r$, but it may be strictly better. It is quite possible that we have chosen a process $q$ which is "too good" for the purpose, and that no $p$ is able to "cancel" this abundance of goodness (e.g., consider the choice of $\top_\Sigma$ for $q$). In the case of system structure (not paying attention to behavior) this is actually the only way in which $q$ may be "irreversibly" good. When behavior is incorporated there are more subtle examples (see [10]).

Interpreting greatest lower bounds

Taking the greatest lower bound ($\sqcap$) may be interpreted as "demonic non-deterministic choice" when occurring in an implementation, or as expressing implementation freedom when occurring in a specification. The idea behind the first interpretation is that when confronted with $p \sqcap q$ all one knows is that it is either $p$ or $q$, but there is no way of knowing which one it is in advance. It has as formal basis:

(1)

which may be paraphrased as: in order for $p \sqcap q$ to implement $r$, it is necessary that both $p$ and $q$ individually implement $r$. That is, when using $p \sqcap q$ as implementation (for $r$), one had better be prepared for the worst (as chosen by the demon). By the way, we have an equivalence in (1), that is, in order for $p \sqcap q$ to implement $r$, it is also sufficient that both $p$ and $q$ individually implement $r$.

6.3 Note The above kind of non-determinism does not have anything to do with choice present in process behavior: we are dealing with structure only here. □

The formal basis for the second interpretation may be found in:

(2)

which may be paraphrased as: in order for $p$ to satisfy specification $q \sqcap r$, it suffices that $p$ satisfies either $q$ or $r$. In this case, however, we do not have an equivalence. One may at times get away with an implementation $p$ of $q \sqcap r$ that implements neither $q$ nor $r$, as is shown in the following example.

6.4 Example Let $a$ and $b$ be distinct symbols in $\Sigma$. Consider processes $q$ and $r$ given by
$$q.c = \begin{cases} 0 & \text{if } c = a\,, \\ {+} & \text{otherwise}\,, \end{cases}\qquad r.c = \begin{cases} 0 & \text{if } c = b\,, \\ {+} & \text{otherwise}\,, \end{cases}$$
and take $p = {+}_\Sigma$. Then we have $p = q \sqcap r$, hence $p \sqsupseteq q \sqcap r$, that is, $p$ satisfies specification $q \sqcap r$. But we have neither $p \sqsupseteq q$ nor $p \sqsupseteq r$; in fact $p \sqsubset q$ and $p \sqsubset r$. □

Likewise, one can interpret $\sqcup$ as "angelic non-deterministic choice" when occurring in an implementation:

or as expressing implementation restriction when occurring in a specification:

(4)

(Of the latter the converse also holds.)

7 Alternative Structural Correctness Concerns

In this section we briefly look at some alternative structural correctness concerns for systems.

7.1 Example First we weaken the correctness concern that we have used so far, in that there should be output-to-input connections only, but there may be dangling inputs or outputs (the system need not be closed) for autonomous operation. This corresponds to defining $\mathit{Correct}_0$ on $A$ by
$$\mathit{Correct}_0.a \;\equiv\; a \neq \bot\,.$$
The resulting $\mathit{pass}_0$-sets are tabulated in Table 4. Notice that reflection is not affected by this change in correctness concern. Also notice that $\mathit{Correct}_0.a$ is equivalent to $a \sqsupseteq_0 {\sim}0$. Finally, notice that $(A; \sqsubseteq_0)$ is a complete lattice. The remainder of the analysis of this correctness concern is not carried out. □

Table 4: The $\mathit{pass}_0$-sets and duals for $A$, and the Hasse diagram for $\sqsubseteq_0$ (the table body and the diagram did not survive extraction).

7.2 Example Now we weaken the correctness concern a little less, in that there should be output-to-input connections only and no dangling inputs, but there may be dangling outputs for autonomous operation. This corresponds to defining $\mathit{Correct}_1$ on $A$ by
$$\mathit{Correct}_1.a \;\equiv\; a \notin \{\bot, {?}\}\,.$$
The resulting $\mathit{pass}_1$-sets are tabulated in Table 5. Notice that reflection is again not affected by this change in correctness concern. Also notice that again $\mathit{Correct}_1.a$ is equivalent to $a \sqsupseteq_1 {\sim}0$. Finally, notice that $(A; \sqsubseteq_1)$ is again a complete lattice. □

Table 5: The $\mathit{pass}_1$-sets and duals for $A$, and the Hasse diagram for $\sqsubseteq_1$ (the table body and the diagram did not survive extraction).

7.3 Example If one wants to model complete hiding of internal links, also structurally, then $\parallel$ needs to be redefined and ${+}$ becomes superfluous in the model. Let $A_2$ be the five-element set defined by
