Formal Methods in software development a.a.2017/2018 Prof.Anna Labella 12/3/2018

From automata to reactive systems They are supposed to go on forever as Communication protocols Operative systems Command and control devices 12/3/2018

Non determinism vs determinism Synchronous vs asynchronous Their features Communication Observability Non determinism vs determinism Synchronous vs asynchronous 12/3/2018

Labeled transition systems TS=(,S, , S0), where  a non empty finite alphabet S a non empty finite set of states  S    S is a transition relation, S0 S is the set of initial states Similar to a nondeterministic finite state automaton, with possibly more than one initial state, but without terminal states Similar to a labeled Kripke model as we have seen in temporal logic 12/3/2018

A state is identified through the possibilities it offers to go on A transition system generates (finite or infinite) words w0w1w2... iff there are states s0s1s2s3... s.t. s0  S0 and (si,wi,si+1)   A state is identified through the possibilities it offers to go on termination and deadlock 12/3/2018

Example: a recorder off memory tape play dn up T = <S, , , s0> without terminal states ={up, dn} S={off, tape, memory, play} ={(off,dn,tape), (tape,up,off), (tape,dn,memory), (memory,up,off), (memory,dn,play), (play,dn,tape), (play,up,off)} s0={off} 12/3/2018

Parallel transition systems Parallel transition system T=(T1,…,Tn) each Ti is a transition system SiSj= interleaving semantics on its private alphabet, each Ti can make an independent move synchronization is via common events example: power switch and camcorder mode 12/3/2018

Example T=(switch, camera) {pwr_fail, pwr_res} are private to camera but_hi but_lo dn up off on dn, pwr_res up, pwr_fail memory tape play switch camera T=(switch, camera) {pwr_fail, pwr_res} are private to camera synchronization alphabet {up,dn} how big is the state space? 12/3/2018

The global transition system T associated with a parallel transition system (T1,…,Tn) is defined as T=(, S, , S0), where = i S= S1 … Sn S0 = S1,0 … Sn,0, and ((s1,…,sn),a,(s1‘,…,sn‘)) iff - when a is an asynchronous move ai, ((s i),a,(s i‘))i, and then sk= sk‘ for all k≠i - when a is the result of a synchronisation of Ti and Tj ((s i),ai,(s i‘))i and ((sji),aj,(s j‘))j, and sk= sk‘ for all k≠i,j 12/3/2018

Process Equivalences Sameness of behaviour = equivalence of states Many process equivalences have been proposed For instance: q1 ~ q2 iff q1 and q2 have the same paths, or q1 and q2 may always refuse the same interactions, or q1 and q2 pass the same tests, or q1 and q2 satisfy the same temporal formulas, or q1 and q2 have identical branching structure CCS: Focus on bisimulation equivalence 12/3/2018

Finite State Automata Coffee machine A1: Coffee machine A2: 1€ Coffee machine A1: Coffee machine A2: Are the two machines ”the same”? 1€ tea coffee 1€ 1€ 1€ tea coffee 12/3/2018

Bisimulation Equivalence Intuition: q1 ~ q2 iff q1 and q2 have same branching structure Idea: Find relation which will relate two states with the same transition structure, and make sure the relation is preserved Example: q1 q2 a a a c b b c b c 12/3/2018

Strong Bisimulation Equivalence Given: Labelled transition system T = (Q,,R) Looking for a relation S  Q  Q on states S is a strong bisimulation relation if whenever q1 S q2 then: q1  q1’ implies q2  q2’ for some q2’ such that q1’ S q2’ q2  q2’ implies q1  q1’ for some q1’ such that q1’ S q2’ q1 and q2 are strongly bisimilar iff q1 S q2 for some strong bisimulation relation S q1  q2: q1 and q2 are strongly bisimilar 12/3/2018

Exercise Does q0 ~ p0 hold? q1 p0 a b a a q0 p1 a b b a q2 p2 a a 12/3/2018

Exercise Does q0 ~ p0 hold? q0 p0 a a a q1 q2 p1 b c b c q3 q4 p2 p3 12/3/2018

Weak Transitions What to do about internal activity? : Transition label for activity which is not externally visible q  q’ iff q = q0  q1  ...  qn = q’, n  0 q  q’ iff q  q’ q  q’ iff q  q1  q2  q’ (  ) Beware that  =  (non-standard notation) Observational equivalence, v.1.0: Bisimulation equivalence with  in place of  Let q1  q2 iff q1 ~ q2 with  in place of  12/3/2018

Observational Equivalence Let S  Q  Q. The relation S is a weak bisimulation relation if whenever q1 S q2 then: q1  q1’ implies q2  q2’ for some q2’ such that q1’ S q2’ q2  q2’ implies q1  q1’ for some q1’ such that q1’ S q2’ q1 and q2 are observationally equivalent, or weakly bisimulation equivalent, if q1 S q2 for some weak bisimulation relation S q1  q2: q1 and q2 are observationally equivalent/weakly bisimilar 12/3/2018

Exercises a  a  a  a  a  c a b a  b a  c  c 12/3/2018

Exercises b b a a  b  All three are inequivalent a  12/3/2018

Bisimulations Strong Weak Branching 12/3/2018

Bisimulations Strong If a process/state can do a move, then the other one can do the same and viceversa. a a a b b c b c b c 12/3/2018

Bisimulations weak A process can go through (non equivalent, non consecutive) states with invisible moves Trying to simulate the other one. a a a c b c b b 12/3/2018

Bisimulations branching A process can go through different (equivalent) states with invisible moves while the other does not move, but has the same possibilities. a a b b a b c b c 12/3/2018