Semantics of Well-Terminating Nets - Observing True" Concurrency

3.1 Testing Equivalence

This chapter develops some semantics for WT Nets that are compositional for all the WT Net operators presented in Chapter 2 and are respectively adequate for may-equivalence, must -equivalence, and Testing Equivalence [19]. Some fully abstract versions of these semantics are then presented.

Denition 3.1.1

A semantics, [[]], assigning to any process,

P

, a meaning, [[

P

]], is composi-tional for an operator on processes if semantic equality is a congruence for the operator, i.e., the operator preserves semantic equality. We say that a semantics is adequate for an equiv-alence on processes if semantic equality implies process equivequiv-alence. Finally, we say that a semantics is fully abstract for a process equivalence with respect to a set of operators if the semantics is adequate for the equivalence and semantic equality is the coarsest congruence for those operators.

We presume that the reader is familiar with the experiment-based theory ofmay-equivalence, must-equivalence, and Testing equivalence on labeled transition systems developed in [19]. In order to keep this thesis relatively self-contained, we repeat the basic denitions here.

The idea behind experiment-based testing is that experimenters are given the ability to interact with processes in a way that aects both the process and the experimenter. In order to model success of an experiment, a special action

!

is chosen to represent success. In this setting, both processes and experimenters are labeled transition systems over a common alphabet, except that in addition, the experimenter is allowed to independently perform the special actions

1

and

!

. Processes do not have the ability to perform either

1 !

. Both the experimenter and the process must \move together" on visible actions in the common alphabet, but can move independently on the

action. In general, the behavior of an experimenter on a process is non-deterministic.

An experiment is a sequence of possible interactions between an experimenter and a process.

Such a sequence is a computation i it is an interaction which cannot be extended, i.e., it is a maximal sequence of interactions. A computation is successful i the experimenter passes through a state in which the

!

action is enabled. We say that a process,

p

, may satisfy an experimenter,

e

, i some interactive computation between

e

and

p

is successful. We say that a

process,

p

, must satisfy an experimenter,

e

, i every interactive computation between

e

and

p

is successful.

Denition 3.1.2

Let

TS

1 and

TS

2 be labeled transition systems respectively over alphabets Act1

;

Act2, where Act1and Act2 may contain the

action but do not contain the

1 !

action.

Let

E

be the set of labeled transition systems over Act1^[Act2^[^f

1 ;!

^g. Then

TS

1 and

TS

aremay-equivalent i Act1= Act2and

TS

1and

TS

2may satisfythe same set of experimenters in

E

. Similarly,

TS

1 and

TS

2 are must-equivalent i Act1 = Act2 and

TS

1 and

TS

2 must satisfy the same set of experimenters in

E

TS

1 and

TS

2 are Testing-equivalent i they are both may-equivalent and must-equivalent.

The denitions of these equivalences carry over directly to WT Nets: two WT Nets will be said to be may-equivalent, must-equivalent, or Testing equivalent i their labeled transi-tion systems are respectivelymay-equivalent, must-equivalent, or Testing equivalent under the above denition. We assume without loss of generality that for any WT Net, ^h

N;

Actⁱ, the special actions

1

and

!

are not in Act.

For technical simplicity, we will work with an alternate formulation of these equivalences, namely, partial trace equivalence [19, 30] and failures equivalence [7, 8, 9, 21]. In order to keep this thesis relatively self-contained, we repeat the denitions here:

Denition 3.1.3

Let

TS

be a labeled transition system,^h

S;

Act^[^f

;

^,^!

;s

^initⁱ, where Act is a set of visible actions. A state

s

is divergent i

s

can perform an innite sequence of

-actions.

A failure set of a state

s

is any set of visible actions,

a

, that are not enabled at

s

, even after further performing any nite sequence of

-labeled actions; that is,

s

⁶=^a⁾. Then:

traces(

TS

)^def= ^f

v

²Act:

s

^init=^v^{) g}

TS

)^def= ^fh

v;F

ⁱ:

v

²Act

; F

Act

;

and there is some state

s

such that

s

^init=⁾^v

s

and

F

is a failure set of

s

[fh

v;F

ⁱ:

v

²^D(

TS

) and

F

Act^g

TS

)^def= ^f

v

⁰:

v;v

⁰²Act and

s

^init =^v⁾

s

for some divergent state

s

For any WT Net^h

N;

Actⁱ, we dene traces(^h

N;

Actⁱ)^def= traces(lts(^h

N;

Actⁱ)),^F(^h

N;

Actⁱ)^def=

F(lts(^h

N;

Actⁱ)), and^D(^h

N;

Actⁱ)^def= ^D(lts(^h

N;

Actⁱ)).

Proposition 3.1.4

Let

TS

1 and

TS

2 be labeled transition systems respectively over nite alphabets Act1

;

Act2, where Act1 and Act2 may contain the

action but do not contain the

1 !

action. Then

TS

1 and

TS

2 aremay-equivalent i Act1= Act2 and traces(

TS

1) = traces(

TS

2).

TS

1 and

TS

2 are must-equivalent i Act1 = Act2, ^F(

TS

1) = ^F(

TS

2) and ^D(

TS

1) =

TS

2).

TS

1and

TS

2are Testing-equivalent i Act1= Act2, traces(

TS

1) = traces(

TS

2),^F(

TS

1) =

TS

2) and ^D(

TS

1) =^D(

TS

2).

The proof is a straightforward generalization of that in [19] and is left to the reader.

As shown in [19],may-equivalence, must-equivalence, and Testing-equivalence are compo-sitional for all the standard CCS/CSP operators on labeled transition systems. Furthermore, they are compositional for (the natural denition of) choice renements on labeled transition systems. Similar properties hold for WT Nets:

Proposition 3.1.5

^may-equivalence, must-equivalence, and Testing-equivalence on WT Nets are compositional for all our CCS/CSP-style operators, choice renements, and alphabet ex-pansion and shrinking.

The proof is analogous to that of [19] and is omitted.

Since labeled transition systems are inherently sequential, these equivalences are also com-positional for (the natural denition of) split renements on labeled transition systems. A similar result holds for purely sequential WT Nets:

Proposition 3.1.6

may-equivalence,must-equivalence, and Testing-equivalence are composi-tional for split renements on sequential WT Nets, in which no transitions can re concurrently in any reachable marking.

Proof.

Let ^h

N;

Actⁱbe a sequential WT Net, and let

a;a

;a

^,be distinct symbols in Act.

For any sequence

v

²Act, we dene split(a;a⁺;a^,)(

v

) to be the sequence

:::

^jv^j, where each

i =

a

:a

^, if

v

[

i

] =

a

, and

v

[

i

] otherwise.

Firing any newly-created

a

+-labeled transition in split(a;a⁺;a^,)(^h

N;

Actⁱ) has the eect of

\half-ring" the corresponding

a

-labeled transition of

N

, i.e., removing all the tokens from the preset of the

a

-labeled transition but not placing any tokens in its post-set. Since ^h

N;

Actⁱ is a sequential net,

a

^, is thus the one and only action enabled in split(a;a⁺;a^,)(^h

N;

Actⁱ) after performing any sequence of transitions that ends with an occurrence of a newly-created

a

+ -labeled transition.

It is then straightforward to show that traces(split(a;a⁺;a^,)(^h

N;

Actⁱ)) =

fsplit(a;a⁺;a^,)(

v

) :

v

²traces(^h

N;

Actⁱ)^g^[^fsplit(a;a⁺;a^,)(

v

)

a

+ :

v

a

²traces(^h

N;

Actⁱ)^g

F(split₍_a;a⁺_;a^,₎(^h

N;

Actⁱ)) =

fhsplit₍_a;a⁺_;a^,₎(

v

)

;F

⁰ⁱ : there is some

F

with ^h

v;F

ⁱ²^F(^h

N;

Actⁱ) such that

F

⁰

F

^[^f

a

;

and if

a

+ ²

F

⁰ then

a

F

[fhsplit₍_a;a⁺_;a^,₎(

v

)

a

; F

⁰ⁱ : ^h

v

a;

^;i²^F(^h

N;

Actⁱ) and

F

⁰Act^,f

a

^,^gg

[fh

v;F

ⁱ :

v

²^D(split(a;a⁺;a^,)(^h

N;

Actⁱ)) and

F

Act^g

D(split(a;a⁺;a^,)(^h

N;

Actⁱ)) =^fsplit₍_a;a⁺_;a^,₎(

v

)

v

⁰ :

v

²^D(^h

N;

Actⁱ) and

v

⁰²Act^g The proposition is then a simple consequence of Proposition 3.1.4.

However, as is well-known, neithermay-equivalence, must-equivalence, nor Testing equiv-alence on arbitrary WT Nets is compositional for split renements:

Proposition 3.1.7 ([10])

may-equivalence, must-equivalence, and Testing equivalence are not compositional for split renements on arbitrary WT Nets.

Proof.

It follows easily from Denition 3.1.3 and Proposition 3.1.4 that if any two divergence-free WT Nets are trace inequivalentthen they aremay-inequivalent,must-inequivalent, and Testing-inequivalent. To prove the proposition, we repeat the example given in [10], and il-lustrated in Figure 3-1. It is easy to show that^h

N

;

Actⁱand^h

N

;

Actⁱof Figure 3-1 are Testing-equivalent. However, split(a;a⁺;a^,)(^h

N

;

Actⁱ) and split(a;a⁺;a^,)(^h

N

;

Actⁱ) are trace-inequivalent, since

a

ba

^, is a trace of split(a;a⁺;a^,)(^h

N

;

Actⁱ) but not of split(a;a⁺;a^,)(^h

N

;

Actⁱ). We note that ^h

N

;

Actⁱ is not a sequential net, since the

a

-labeled and

b

-labeled transitions can re concurrently.

It is well-known that trace-inequivalent lts's cannot be strongly bisimilar (cf. [30]). Since the labeled transitions systems of^h

N

;

Actⁱand ^h

N

;

Actⁱ of Figure 3-1 are strongly bisimilar, the same example shows that no interleaving semantics (that lies in between trace equivalence and strong bisimulation) can be compositional for split renements on arbitrary WT Nets. As is discussed in [39, 49], it is necessary keep track of \pomsets", which generalize linear sequences of actions to multi-sets of actions partially ordered to reect causality and concurrency.

3.2 Some Compositional Semantics for WT Nets and Operators

We begin with the standard notions of pomsets.

Denition 3.2.1

A pomset is a labeled partial order. Formally, a pomset,

p

, consists of a set Eventsp whose elements are called events, a set Labelsp whose elements are called labels, a function labelp:Eventsp^!Labelsp, and a partial order relationp on Eventsp. We say that

p

is a pomset over an alphabet Act i Act contains all the labels of

p

is a pomset with an empty carrier, we often simply write^;to denote

p

. If

p

is a pomset with a single event, labeled

a

, we often simply write

a

to denote

p

We say that event

e

causes event

e

⁰ in a pomset

p

e <

e

⁰. The downward-closure, downp(

e

), of event

e

in a pomset

p

is^f

e

⁰²Eventsp:

e

⁰

<

e

^g. The downward-closure, downp(

E

), of a subset

E

of Eventsp is

E

^[^S^fdown_p(

e

E

^g;

E

is downward-closed i downp(

E

) =

E

. We write min(

p

) to denote the set of events in

p

that are minimal with respect to

<

p, i.e., events that do not have any causes in

p

. We write max(

p

) to denote the set of events in

p

that are maximal with respect to

<

p, i.e., events that do not cause any event in

p

. We say that event

e

is a maximal cause of an event

e

⁰ in pomset

p

e <

e

⁰ and there is no event

e

⁰⁰ ²Eventsp

Dans le document Observing True" Concurrency (Page 35-39)