Frits W. Vaandrager

Forward and backward simulations I.: untimed systems

A unified, comprehensive presentation of simulation techniques for verification of concurrent systems is given, in terms of a simple untimed automaton model. In particular, (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations are defined. History and prophecy relations are abstract versions of the history and prophecy variables of Abadi and Lamport, as well as the auxiliary variables of Owicki and Gries. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. Finally, it is shown how invariants can be incorporated into all the simulations. Even though many results are presented here for the first time, this paper can also be read as a survey ( in a simple setting ) of the research literature on simulation techniques. The development for untimed automata is designed to support a similar development for timed automata. Part II of this paper will show how the results of this paper can be carried over to the setting of timed automata.

Structured operational semantics and bisimulation as a congruence

In this paper the question is considered in which cases a transition system specification in Plotkin style has ‘good’ properties and deserves the predicate ‘structured’. The discussion takes place in a setting of labelled transition systems. The states of the transition systems are terms generated by a single sorted signature and the transitions between states are defined by conditional rules. We argue that in this setting it is natural to require that strong bisimulation equivalence is a congruence on the states of the transition systems. A general format, called the tyft/tyxt format, is presented for the conditional rules in a transition system specification, such that bisimulation is always a congruence when all the rules fit into this format. With a series of examples it is demonstrated that the tyft/tyxt format cannot be generalized in any obvious way. Briefly we touch upon the issue of modularity of transition system specifications. We show that certain pathological tyft/tyxt rules (the ones which are not pure) can be disqualified because they behave badly with respect to modularisation. Next we address the issue of full abstraction. We characterize the completed trace congruence induced by the operators in pure tyft/tyxt format as 2-nested simulation equivalence. The pure tyft/tyxt format includes the format given by De Simone [16, 17] but is incomparable to the GSOS format of Bloom, Istrail & Meyer [7]. However, it turns out that 2-nested simulation equivalence strictly refines the completed trace congruence induced by the GSOS format.

Action versus State based Logics for Transition Systems

A temporal logic based on actions rather than on states is presented and interpreted over labelled transition systems. It is proved that it has essentially the same power as CTL*, a temporal logic interpreted over Kripke structures. The relationship between the two logics is established by introducing two mappings from Kripke structures to labelled transition systems and viceversa and two transformation functions between the two logics which preserve truth. A branching time version of the action based logic is also introduced. This new logic for transition systems can play an important role as an intermediate between Hennessy-Milner Logic and the modal μ-calculus. It is sufficiently expressive to describe safety and liveness properties but permits model checking in linear time.

Petri net models for algebraic theories of concurrency

In this paper we discuss the issue of interleaving semantics versus True concurrency in an algebraic setting. We present various equivalence notions on Petri nets which can be used in the construction of algebraic models: (a) the occurrence net equivalence of Nielsen, Plotkin & Winskel; (b) bisimulation equivalence, which leads to a model which is isomorphic to the graph model of Baeten, Bergstra & Klop; (c) the concurrent bisimulation equivalence, which is also described by Nielsen & Thiagarajan, and Goltz; (d) partial order equivalences which are inspired by work of Pratt, and Boudol & Castellani.

Testing timed automata

We present a generalization of the classical theory of testing for Mealy machines to a setting of dense real-time systems. A model of timed I/O automata is introduced, inspired by the timed automaton model of Alur and Dill, together with a notion of test sequence for this model. Our main contribution is a test generation algorithm for black-box conformance testing of timed I/O automata. Although it is highly exponential and cannot be claimed to be of practical value, it is the �rst algorithm that yields a �nite and complete set of tests for dense real-time systems.

FORWARD AND BACKWARD SIMULATIONS PART II: TIMING-BASED SYSTEMS

A general automaton model for timing-based systems is presented and is used as the context for developing a variety of simulation proof techniques for such systems. As a first step, a comprehensive overview of simulation techniques for simple untimed automata is given. In particular, soundness and completeness results for (1) refinements, (2) forward and backward simulations, (3) forward-backward and backward-forward simulations, and (4) history and prophecy relations are given. History and prophecy relations are new and are abstractions of the history variables of Owicki and Gries and the prophecy variables of Abadi and Lamport, respectively. As a subsequent step, it is shown how most of the results for untimed automata can be carried over to the setting of timed automata. In fact many of the results for the timed case are obtained as consequences of the analogous results for the untimed case.

An efficient algorithm for branching bisimulation and stuttering equivalence

This paper presents an efficient algorithm for the Relational Coarsest Partition with Stuttering problem (RCPS). The RCPS problem is closely related to the problem of deciding stuttering equivalence on finite state Kripke structures (see Browne, Clarke & Grumberg [3]), and to the problem of deciding branching bisimulation equivalence on finite state labelled transition systems (see Van Glabbeek & Weijland [12]). If n is the number of states and m the number of transitions, then our algorithm has time complexity O(n·(n+m)) and space complexity O(n+m). The algorithm induces algorithms for branching bisimulation and stuttering equivalence which have the same complexity. Since for Kripke structures m⩽n2, this confirms a conjecture of Browne, Clarke & Grumberg [3], that their O(n5)-time algorithm for stuttering equivalence is not optimal.

The Theory of Timed I/O Automata

This monograph presents the timed input/output automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed (computing) systems. Timed systems are systems in which desirable correctness or performance properties of the system depend on the timing of events, not just on the order of their occurrence. Timed systems are employed in a wide range of domains including communications, embedded systems, real-time operating systems, and automated control. Many applications involving timed systems have strong safety, reliability, and predictability requirements, which makes it important to have methods for systematic design of systems and rigorous analysis of timing-dependent behavior. An important feature of the TIOA framework is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a TIOA, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time.

Forward and Backward Simulations

A general automaton model for timing-based systems is presented and is used as the context for developing a variety of simulation proof techniques for such systems. These techniques include (1) refinements, (2) forward and backward simulations, (3) hybrid forward?backward and backward?forward simulations, and (4) history and prophecy relations. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. These results are (with one exception) analogous to the results for untimed systems in Part I of this paper. In fact, many of the results for the timed case are obtained as consequences of the analogous results for the untimed case.

Minimum-Cost Reachability for Priced Time Automata

This paper introduces the model of linearly priced timed automata as an extension of timed automata, with prices on both transitions and locations. For this model we consider the minimum-cost reachability problem: i.e. given a linearly priced timed automaton and a target state, determine the minimum cost of executions from the initial state to the target state. This problem generalizes the minimum-time reachability problem for ordinary timed automata. We prove decidability of this problem by offering an algorithmic solution, which is based on a combination of branch-and-bound techniques and a new notion of priced regions. The latter allows symbolic representation and manipulation of reachable states together with the cost of reaching them.