Formal Methods in software development a.a.2016/2017 Prof.Anna Labella 4/4/2019

From automata to reactive systems They are supposed to go on forever as Communication protocols Operative systems Command and control devices 4/4/2019

Non determinism vs determinism Synchronous vs asynchronous Their features Communication Observability Non determinism vs determinism Synchronous vs asynchronous 4/4/2019

Example: a recorder off memory tape play dn up ={up, dn} S={off, tape, memory, play} ={(off,dn,tape), (tape,up,off), (tape,dn,memory), (memory,up,off), (memory,dn,play), (play,dn,tape), (play,up,off)} S0={off} 4/4/2019

Parallel transition systems Parallel transition system T=(T1,…,Tn) each Ti is a transition system SiSj= interleaving semantics on its private alphabet, each Ti can make an independent move synchronization is via common events example: power switch and camcorder mode 4/4/2019

Example T=(switch, camera) {pwr_fail, pwr_res} are private to camera but_hi but_lo dn up off on dn, pwr_res up, pwr_fail memory tape play switch camera T=(switch, camera) {pwr_fail, pwr_res} are private to camera synchronization alphabet {up,dn} how big is the state space? 4/4/2019

The global transition system T associated with a parallel transition system (T1,…,Tn) is defined as T=(, S, , S0), where = i S= S1 … Sn S0 = S1,0 … Sn,0, and ((s1,…,sn),a,(s1‘,…,sn‘)) iff for all Ti if ai, then ((s i),a,(s i‘))i, and if ai, then s i=s i‘. If a is the result of a synchronisation of ((s i),ai,(s i‘))i and ((sji),aj,(s j‘))j, then then s k=s k‘ for all k≠i,j 4/4/2019

Labeled transition systems TS=(,S, , S0), where  a non empty finite alphabet S a non empty finite set of states  S    S is a transition relation, S0 S is the set of initial states Similar to a nondeterministic finite state automaton, with possibly more than one initial state, but without terminal states Similar to a labeled Kripke model as we have seen in temporal logic 4/4/2019

A state is identified through the possibilities it offers to go on A transition system generates (finite or infinite) words w0w1w2... iff there are states s0s1s2s3... s.t. s0  S0 and (si,wi,si+1)   A state is identified through the possibilities it offers to go on termination and deadlock 4/4/2019

Process Equivalences Sameness of behaviour = equivalence of states Many process equivalences have been proposed For instance: q1 ~ q2 iff q1 and q2 have the same paths, or q1 and q2 may always refuse the same interactions, or q1 and q2 pass the same tests, or q1 and q2 satisfy the same temporal formulas, or q1 and q2 have identical branching structure CCS: Focus on bisimulation equivalence 4/4/2019

Finite State Automata Coffee machine A1: Coffee machine A2: 1€ Coffee machine A1: Coffee machine A2: Are the two machines ”the same”? 1€ tea coffee 1€ 1€ 1€ tea coffee 4/4/2019

Bisimulation Equivalence Intuition: q1 ~ q2 iff q1 and q2 have same branching structure Idea: Find relation which will relate two states with the same transition structure, and make sure the relation is preserved Example: q1 q2 a a a c b b c b c 4/4/2019

Strong Bisimulation Equivalence Given: Labelled transition system T = (Q,,R) Looking for a relation S  Q  Q on states S is a strong bisimulation relation if whenever q1 S q2 then: q1  q1’ implies q2  q2’ for some q2’ such that q1’ S q2’ q2  q2’ implies q1  q1’ for some q1’ such that q1’ S q2’ q1 and q2 are strongly bisimilar iff q1 S q2 for some strong bisimulation relation S q1  q2: q1 and q2 are strongly bisimilar 4/4/2019

Exercise Does q0 ~ p0 hold? q1 p0 a b a a q0 p1 a b b a q2 p2 a a 4/4/2019

Exercise Does q0 ~ p0 hold? q0 p0 a a a q1 q2 p1 b c b c q3 q4 p2 p3 4/4/2019

Weak Transitions What to do about internal activity? : Transition label for activity which is not externally visible q  q’ iff q = q0  q1  ...  qn = q’, n  0 q  q’ iff q  q’ q  q’ iff q  q1  q2  q’ (  ) Beware that  =  (non-standard notation) Observational equivalence, v.1.0: Bisimulation equivalence with  in place of  Let q1  q2 iff q1 ~ q2 with  in place of  4/4/2019

Observational Equivalence Let S  Q  Q. The relation S is a weak bisimulation relation if whenever q1 S q2 then: q1  q1’ implies q2  q2’ for some q2’ such that q1’ S q2’ q2  q2’ implies q1  q1’ for some q1’ such that q1’ S q2’ q1 and q2 are observationally equivalent, or weakly bisimulation equivalent, if q1 S q2 for some weak bisimulation relation S q1  q2: q1 and q2 are observationally equivalent/weakly bisimilar 4/4/2019

Exercises a  a  a  a  a  c a b a  b a  c  c 4/4/2019

Exercises b b a a  b  All three are inequivalent a  4/4/2019

Bisimulations Strong Weak Branching 4/4/2019

Bisimulations Strong If a process/state can do a move, then the other one can do the same and viceversa. a a a b b c b c b c 4/4/2019

Bisimulations weak A process can go through (non equivalent, non consecutive) states with invisible moves Trying to simulate the other one. a a a c b c b b 4/4/2019

Bisimulations branching A process can go through different (equivalent) states with invisible moves while the other does not move, but has the same possibilities. a a b b a b c b c 4/4/2019

Proving Equivalences The bisimulation proof method: To establish P  Q: Identify a relation S such that P S Q Prove that S is a weak bisimulation relation This is the canonical method There are other methods for process verification: Equational reasoning Temporal logic specification/proof/model checking 4/4/2019

Bisimilarity as a maximal fixed point Let us take Q  Q to start with, then calculate F(Q  Q) ={ (q1,q2) | q1  q1’ implies q2  q2’ and viceversa}. By iterating the procedure, we obtain a decreasing chain …F4(Q  Q)  F3(Q  Q)  F2(Q  Q)  F(Q  Q) We can apply Tarski’s theorem and obtain a maximal fixed point S  Q  Q. The relation S is a strong bisimulation. The same holds for weak bisimulation relation defining F(Q  Q) ={ (q1,q2) | q1  q1’ implies q2  q2’ and viceversa} 4/4/2019

4/4/2019

4/4/2019

4/4/2019