Interface automata with error states by Bujtor, Ferenc & Vogler, Walter (Prof. Dr.)
Universität Augsburg
Interface Automata with Error States
Ferenc Bujtor and Walter Vogler
Report 2012-09 July 2012
Institut für Informatik
D-86135 Augsburg
Copyright © Ferenc Bujtor and Walter Vogler
Institut für Informatik
Universität Augsburg
D–86135 Augsburg, Germany
http://www.Informatik.Uni-Augsburg.DE
— all rights reserved —
Interface-Automata with Error States
Ferenc Bujtor and Walter Vogler
Institut für Informatik, Universität Augsburg, D–86135 Augsburg, Germany
bujtor@informatik.uni-augsburg.de vogler@informatik.uni-augsburg.de
Abstract. De Alfaro and Henzinger advocated interface automata to model and study behavioural types, which describe communication patterns of systems while abstracting e.g. from data. They come with a specific parallel composition: if, in some state, one component tries to make an output, which the other one cannot receive, the state is regarded as an error. Error states are removed along with some states leading to them. As refinement relation an alternating simulation is introduced.
In this report, we study to what degree this refinement relation is justified by the desires to avoid error states and to support modular refinement. For this, we leave the error states in place and mark them as such instead of removing them in the composition. Our Error-I-O-Transition systems are slightly more general than Interface automata, which are restricted to input determinism.
Our basic requirement is: an implementation must be error free, if the specification is. For two different notions of error freeness, we determine the coarsest precongruences contained in the respective basic refinement relations. We characterize these best refinement relations meeting our desirables with trace sets. Thus our precongruences are less discriminating than simulation-based ones. Along the way we point out an error in an early paper by de Alfaro and Henzinger.
1 Introduction
Interface automata as advocated by de Alfaro and Henzinger e.g. in [4] give an
abstract description of the communication behaviour of a system specification
or process in terms of input and output actions. Based on this behavioural type,
one can study whether two systems are compatible if put in parallel, and one
can define a refinement for specifications. Essential for such a setting is that the
refinement relation is a precongruence for parallel composition; in particular, if
we refine two compatible specifications, it must be guaranteed that the refined
specifications are compatible again.
Two processes composed in parallel synchronize on their common actions.
Since interaction is supposed to be binary, such a common action has to be an
output of one process and an input of the other; after synchronization, the action
is internalized, i.e. hidden from the environment. Outputs are under the control
of the respective process, so the process will not wait for the other one when
performing an output. Now the basic idea for compatibility is the following: if,
in a state of a parallel composition, one of the two processes tries to synchronize
by performing an output that the other process should but cannot receive, this
state is regarded as catastrophic; since the second process is not ready to receive
the output, it might malfunction – such an error state has to be avoided. Observe
that interface automata are not input enabled as required for the I/O-automata
of [8]. Instead, a missing input in a state corresponds to the requirement that a
prospective environment must not send this input to this state.
There are two essential design decisions in the approach of [4] that we will
scrutinize in this paper. First, this approach follows an optimistic view: an error
state in a parallel composition is no problem, if it cannot be reached in a helpful
environment. This is reflected in the precise definition of parallel composition:
first a more standard composition is determined; then all states are removed that
can reach an error state just by locally controlled, i.e. output and internal actions
(so-called output pruning). This way, also the last input before reaching an
error state is forbidden since its target state is removed. Although this definition
has some intuitive justification, its details appear somewhat out of the blue;
e.g. the authors of [1] prefer a pessimistic view where every reachable error
state is a problem. The second decision to take some alternating simulation as
refinement relation also seems somewhat arbitrary. Actually, the same authors
used a slightly different relation for a slightly larger class of automata in the
earlier [3]; no real argument is given for the change.
In this paper, we will work out to what degree these design decisions can be
justified from some more basic and, hopefully, more agreeable ideas. We consider
processes modelled by labelled transition systems (LTSs) with disjoint input and
output actions and an internal action τ , more or less like the interface automata
of [4]. Since we try not to exclude any possibilities prematurely, our LTS have
explicit error states; we call them Error-IO Transition Systems or EIO for short.
We consider a standard definition of parallel composition where additionally
error states occur as described above; a composed system also reaches an error
state if one of the components reaches one.
An undisputable requirement for a refinement relation is that an error-free specification should only be refined by an error-free system. This can be understood as a basic refinement relation, which is parametric in the exact meaning of error-free: in the optimistic view, error-free means that no error state can be reached by locally controlled actions only; in the pessimistic view, a system would be error-free only if no error state is reachable at all. In this paper we study the optimistic and a hyper-optimistic meaning of error freeness, while considerations of the pessimistic variant have not been finished yet.
For modular reasoning, which is at the heart of the approach under study, the refinement relation must be a precongruence: if a component of a parallel composition is replaced by a refinement, the composition itself gets refined. Our basic relations fail to be precongruences. Therefore, in each case, we will characterize the precongruence that is fully abstract w.r.t. the respective basic relation and parallel composition, i.e. we will determine the coarsest precongruence for parallel composition that is contained in the basic relation. These precongruences are thus justified by very basic requirements.
It turns out that, in the optimistic case, the precongruence can be characterized as (componentwise) inclusion for a pair of trace sets. Such a pair of sets can best be obtained from a given EIO by performing output pruning on it. Phrased another way, with this precongruence each EIO is equivalent to one without error states – provided that the initial state is not pruned. Essentially, we can work with EIO without error states, i.e. with interface automata and with the parallel composition of [4]. Whenever output pruning removes the initial state of a composition, the components are called incompatible. Thus, as in [4], only compatible systems should be composed, and refining compatible specifications leads indeed to compatible systems.
While this justifies the first design decision in [4], our precongruence shows that alternating simulation is unnecessarily strict. In fact, our precongruence is not really new. A setting with input and outputs where unexpected inputs lead to errors has been studied long before [4] for speed-independent (thus asynchronous) circuits. In this context, essentially the same pair of trace sets has been suggested by Dill in [5]. The difference is that Dill does not start from an operational model as we do, but on a semantic level with pairs of trace sets; he requires these pairs to be input enabled. On this semantic level, he also uses output pruning; a normalized form of his pairs coincides with our pairs (which are in a sense input enabled, although missing inputs in the EIO are so essential). Dill uses transition systems for graphical representation, but (if we are not mistaken) with one exception all of these are deterministic; parallel composition is never performed on transition systems but on pairs of trace sets only.
There is a subtle point about output pruning. Interface automata in [4] are
deterministic w.r.t. input actions. Since we do not require this here, our output
pruning is a bit different from the one in [4]. In fact, the interface automata
in [3] are not input deterministic, but output pruning used there is the same
as the one in [4]. As a consequence, Theorem 1 of [3] claiming associativity for
parallel composition is wrong. In the settings of [3, 4], associativity is tricky; in
our setting with error states, it is dead easy.
It might seem that we have actually prescribed output pruning in our optimistic approach: we consider only locally reachable errors as relevant and output pruning removes exactly those states that can reach an error locally. To consider an alternative, we turn to a ‘hyper-optimistic’ approach next, where only internally reachable errors are relevant. With this more generous notion of error freeness we obtain a slightly stronger precongruence; but it is still based on output pruning, with the difference that some information about the removed outputs must be retained. This is also a feasible precongruence but, compared to our first one, it looks unnecessarily involved technically.
Currently we are working on the pessimistic approach.
2 Definitions and Notation
First we define our scenario. We use labelled transition systems (LTS) with disjoint input and output actions. The systems can also perform internal, unobservable actions, denoted by $\tau$; in interface automata, internal actions have different names, but semantically these never play a rôle. Additionally, the LTS has a separate set of error states; such states can be created in a parallel composition.
Definition 1 (Error-IO-Transition-System). An Error-IO-Transition-System (EIO) is defined as a tuple $S = (Q, I, O, \delta, q_0, E)$, where
– $Q$ – a set of states
– $I, O$ – disjoint sets of input and output actions
– $\delta \subseteq Q \times (I \cup O \cup \{\tau\}) \times Q$ – a transition relation
– $q_0 \in Q$ – an initial state
– $E \subseteq Q$ – a set of error states
We define the actions of $S$ by $\Sigma := I \cup O$, and its signature by $Sig(S) = (I, O)$.
As a shorthand we write $Q_1, I_1, \delta_1$ etc. for components of the EIOs $S_1$ and $Q_2, I_2, \delta_2$ etc. for $S_2$ and so on. We also use this notation for semantics like $ET_1$ for $ET(S_1)$ as defined later on. We also write $q \xrightarrow{a} p$ for $(q, a, p) \in \delta$ and $q \xrightarrow{a}$ for $\exists p : (q, a, p) \in \delta$. We extend this to sequences $w \in (\Sigma \cup \{\tau\})^*$, writing $q \xrightarrow{w} p$ ($q \xrightarrow{w}$) whenever $q \xrightarrow{a_1} \xrightarrow{a_2} \cdots \xrightarrow{a_n} p$ ($q \xrightarrow{a_1} \xrightarrow{a_2} \cdots \xrightarrow{a_n}$) with $w = a_1 \cdots a_n$. Furthermore we define $w|_B$ as the projection of an action sequence to a set of actions $B$. We define $q \xRightarrow{w} p$ for $w \in \Sigma^*$ by $q \xRightarrow{w} p$ if $\exists w' : w'|_\Sigma = w \wedge q \xrightarrow{w'} p$. A sequence $q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n$ is a run underlying $a_1 \ldots a_n|_\Sigma$.
In a parallel composition, all common actions are first synchronized without
hiding, and then they are hidden. Two EIOs can only be composed, if their input
and output actions fit together, i.e. the EIOs have neither common inputs nor
common outputs.
Definition 2 (Parallel Composition). Two EIOs $S_1, S_2$ are composable if $I_1 \cap I_2 = \emptyset = O_1 \cap O_2$. The parallel composition without hiding is defined for two composable EIOs as $S_1 \parallel S_2 = (Q, I, O, \delta, q_0, E)$, where
– $Q = Q_1 \times Q_2$
– $I = (I_1 \setminus O_2) \cup (I_2 \setminus O_1)$
– $O = O_1 \cup O_2$
– $q_0 = (q_{01}, q_{02})$
Furthermore, with $Synch(S_1, S_2) = (I_1 \cap O_2) \cup (I_2 \cap O_1)$ being the set of synchronized actions, we define
– $\delta = \{((q_1, q_2), \alpha, (p_1, q_2)) \mid (q_1, \alpha, p_1) \in \delta_1,\ \alpha \in (\Sigma_1 \cup \{\tau\}) \setminus Synch(S_1, S_2)\}$
  $\cup\ \{((q_1, q_2), \alpha, (q_1, p_2)) \mid (q_2, \alpha, p_2) \in \delta_2,\ \alpha \in (\Sigma_2 \cup \{\tau\}) \setminus Synch(S_1, S_2)\}$
  $\cup\ \{((q_1, q_2), \alpha, (p_1, p_2)) \mid (q_1, \alpha, p_1) \in \delta_1,\ (q_2, \alpha, p_2) \in \delta_2,\ \alpha \in Synch(S_1, S_2)\}$
– $E = (Q_1 \times E_2) \cup (E_1 \times Q_2)$ ‘inherited errors’
  $\cup\ \{(q_1, q_2) \mid \exists a \in O_1 \cap I_2 : q_1 \xrightarrow{a} \wedge\ q_2 \not\xrightarrow{a}\}$
  $\cup\ \{(q_1, q_2) \mid \exists a \in I_1 \cap O_2 : q_1 \not\xrightarrow{a} \wedge\ q_2 \xrightarrow{a}\}$ ‘new errors’
The parallel composition (with hiding) $S_1 \mid S_2$ differs only in the definition of its outputs and its transition function.
– $O = (O_1 \setminus I_2) \cup (O_2 \setminus I_1)$
– $\delta = \{((q_1, q_2), \alpha, (p_1, q_2)) \mid (q_1, \alpha, p_1) \in \delta_1,\ \alpha \in (\Sigma_1 \cup \{\tau\}) \setminus Synch(S_1, S_2)\}$
  $\cup\ \{((q_1, q_2), \alpha, (q_1, p_2)) \mid (q_2, \alpha, p_2) \in \delta_2,\ \alpha \in (\Sigma_2 \cup \{\tau\}) \setminus Synch(S_1, S_2)\}$
  $\cup\ \{((q_1, q_2), \tau, (p_1, p_2)) \mid (q_1, \alpha, p_1) \in \delta_1,\ (q_2, \alpha, p_2) \in \delta_2,\ \alpha \in Synch(S_1, S_2)\}$
Again we introduce a shorthand $S_{12}$ for $S_1 \mid S_2$ and use it accordingly for its components and semantics.
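As an added, runnable illustration of Definition 2 (example code written for this report's definitions, not code by the authors): the EIO is encoded as a plain record, `compose` builds $S_1 \mid S_2$ together with its inherited and new error states, and the constructed client/server pair shows how a message the receiver is not ready for becomes an error state that is reachable by internal steps alone. The names `EIO`, `compose`, `enables`, `client` and `server` are this example's own.

```python
from collections import namedtuple

# Constructed example, not code from the report: an EIO S = (Q, I, O, delta, q0, E)
# as a plain record (Definition 1). delta is a set of (q, a, p) triples; TAU is the
# internal action.
EIO = namedtuple("EIO", "states inputs outputs delta q0 errors")
TAU = "tau"

def enables(s, q, a):
    """q --a--> : some (q, a, p) is in delta (a direct transition, no tau closure)."""
    return any(x == q and b == a for (x, b, _) in s.delta)

def compose(s1, s2):
    """Parallel composition with hiding, S1 | S2, following Definition 2."""
    if (s1.inputs & s2.inputs) or (s1.outputs & s2.outputs):
        raise ValueError("not composable: common inputs or common outputs")
    synch = (s1.inputs & s2.outputs) | (s2.inputs & s1.outputs)
    states = {(q1, q2) for q1 in s1.states for q2 in s2.states}
    inputs = (s1.inputs - s2.outputs) | (s2.inputs - s1.outputs)
    outputs = (s1.outputs - s2.inputs) | (s2.outputs - s1.inputs)  # hiding: synch actions vanish
    delta = set()
    for (q1, a, p1) in s1.delta:
        if a not in synch:                       # S1 moves alone
            delta |= {((q1, q2), a, (p1, q2)) for q2 in s2.states}
    for (q2, a, p2) in s2.delta:
        if a not in synch:                       # S2 moves alone
            delta |= {((q1, q2), a, (q1, p2)) for q1 in s1.states}
    for (q1, a, p1) in s1.delta:
        if a in synch:                           # both move; the action is hidden as tau
            delta |= {((q1, q2), TAU, (p1, p2)) for (q2, b, p2) in s2.delta if b == a}
    errors = set()
    for (q1, q2) in states:
        if q1 in s1.errors or q2 in s2.errors:   # inherited errors
            errors.add((q1, q2))
        elif any(enables(s1, q1, a) and not enables(s2, q2, a) for a in s1.outputs & s2.inputs) \
          or any(enables(s2, q2, a) and not enables(s1, q1, a) for a in s2.outputs & s1.inputs):
            errors.add((q1, q2))                 # new errors: an output the partner cannot receive
    return EIO(frozenset(states), frozenset(inputs), frozenset(outputs),
               frozenset(delta), (s1.q0, s2.q0), frozenset(errors))

# Constructed sample: a client that fires two 'req' outputs back to back, and a server
# that accepts one 'req' at a time and answers it with 'ack'.
def client():
    return EIO(frozenset({"c0", "c1", "c2", "c3"}), frozenset({"ack"}), frozenset({"req"}),
               frozenset({("c0", "req", "c1"), ("c1", "req", "c2"), ("c2", "ack", "c3")}),
               "c0", frozenset())

def server():
    return EIO(frozenset({"s0", "s1"}), frozenset({"req"}), frozenset({"ack"}),
               frozenset({("s0", "req", "s1"), ("s1", "ack", "s0")}),
               "s0", frozenset())

if __name__ == "__main__":
    cs = compose(client(), server())
    print("signature:", sorted(cs.inputs), sorted(cs.outputs))   # both empty: everything synchronized
    print("error states:", sorted(cs.errors))
```

After the first synchronized `req` (now a $\tau$ step) the composition sits in `("c1", "s1")`, where the client offers a second `req` that the server cannot receive; by the ‘new errors’ clause that state is in $E$, and since only $\tau$ leads there, the error is locally reachable in the sense used from Section 3 on.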
For our results and proofs, we also define $\mid$ and $\parallel$ as parallel composition on traces with and without hiding respectively.
Definition 3 (Parallel Composition on Traces). Given two composable EIOs $S_1, S_2$, $w_1 \in \Sigma_1^*$, $w_2 \in \Sigma_2^*$, $W_1 \subseteq \Sigma_1^*$ and $W_2 \subseteq \Sigma_2^*$, we define
– $w_1 \parallel w_2 = \{w \in (\Sigma_1 \cup \Sigma_2)^* \mid w|_{\Sigma_1} = w_1 \wedge w|_{\Sigma_2} = w_2\}$
– $w_1 \mid w_2 = \{w|_{\Sigma_{12}} \mid w \in w_1 \parallel w_2\}$
– $W_1 \parallel W_2 = \bigcup \{w_1 \parallel w_2 \mid w_1 \in W_1 \wedge w_2 \in W_2\}$
– $W_1 \mid W_2 = \bigcup \{w_1 \mid w_2 \mid w_1 \in W_1 \wedge w_2 \in W_2\}$
We will base our semantics on traces that can lead to error states. In this context, we will use a pruning function, which removes all output actions from the end of a trace. We also define a function for arbitrary continuation of traces; for trace sets, this generalizes to describing the continuation or suffix closure.
Definition 4 (Pruning and Continuation Functions). Given an EIO $S$, we define
– $prune : \Sigma^* \to \Sigma^*$, $w \mapsto u$, where $w = uv$, $u = \varepsilon \vee u \in \Sigma^* \cdot I$ and $v \in O^*$
– $cont : \Sigma^* \to \mathcal{P}(\Sigma^*)$, $w \mapsto \{wu \mid u \in \Sigma^*\}$
– $cont : \mathcal{P}(\Sigma^*) \to \mathcal{P}(\Sigma^*)$, $L \mapsto \bigcup \{cont(w) \mid w \in L\}$
For composable EIOs $S_1$ and $S_2$, consider a run of their parallel composition $S_1 \parallel S_2$ that justifies the statement $(q_1, q_2) \xRightarrow{w} (p_1, p_2)$ for $w \in \Sigma^*$. It is well known and not difficult to see that such a run can be projected to runs of $S_1$ and $S_2$, passing through all the first, second resp., components of the states of the composed run. These projected runs justify $q_i \xRightarrow{w_i} p_i$ with $w|_{\Sigma_i} = w_i$, $i = 1, 2$. Vice versa, any two runs of $S_1$ and $S_2$ justifying $q_i \xRightarrow{w_i} p_i$ with $w|_{\Sigma_i} = w_i$, $i = 1, 2$, are projections of a unique run of $S_1 \parallel S_2$ justifying $(q_1, q_2) \xRightarrow{w} (p_1, p_2)$. From this, the first claim of the next Lemma follows.
Each run of $S_1 \parallel S_2$ corresponds to one of $S_1 \mid S_2$ – simply replace some actions by $\tau$. We also call the projected runs of the former the projections of the latter.¹ In such a case, we also say that the $q_i \xRightarrow{w_i} p_i$, $i = 1, 2$, are the projections of $(q_1, q_2) \xRightarrow{w'} (p_1, p_2)$ in $S_1 \mid S_2$, where $w' \in w_1 \mid w_2$. These considerations justify the second claim of the next Lemma.
¹ This is a slight abuse of language, since these projections have additional actions and are not really unique; the possible differences do not matter.
Lemma 5 (Basic Language of Composition) For two composable EIOs $S_1$ and $S_2$, we have
1. $L(S_1 \parallel S_2) = L(S_1) \parallel L(S_2)$
2. $L(S_1 \mid S_2) = L(S_1) \mid L(S_2)$.
3 Local Errors
We are now ready to consider some basic relations for refinement of a specification. We will use variations of the notation ‘$Impl \sqsubseteq_B Spec$’ to denote that $Impl$ in some basic sense is an implementation of, i.e. refines, the specification $Spec$. Throughout, we require $Impl$ and $Spec$ to have the same signature.
3.1 Precongruence for Local Errors
In this section, we will start with a variant based on ‘local actions’, which are all internal and output actions. We consider the following requirement: An implementation can only have an error state reachable by local actions if the specification does so as well. This is an optimistic view: It only considers processes to be dangerous, if they can run into an error on their own, i.e. using only local actions. Formally:
Definition 6 (Local Basic Relation). An error is locally reachable in an EIO $S$, if $\exists w \in O^* : w \in StT(S)$. We have $Impl \sqsubseteq_{Bloc} Spec$, whenever an error is locally reachable in $Impl$ only if an error is locally reachable in $Spec$.
We denote the fully abstract precongruence with respect to $\sqsubseteq_{Bloc}$ and $\mid$ by $\sqsubseteq^c_{loc}$.
In order to find the coarsest precongruence, we will need several trace sets
for characterizing the new precongruences. An EIO can reach an error state with
a strict error trace w; if in a parallel composition the environment provides the
inputs and accepts the outputs in w, the composition will reach an error state
as well. If an EIO can perform a trace w such that input a is not possible in
the state reached, then wa is a missing input trace; again, if an environment
provides the inputs and accepts the outputs in wa, the composition will reach
an error state when the environment produces a.
Definition 7 (Error Traces). We define the following trace sets for an EIO $S$:
– strict error traces: $StT(S) = \{w \in \Sigma^* \mid q_0 \xRightarrow{w} q \in E\}$
– pruned error traces: $PrT(S) = \{prune(w) \mid w \in StT(S)\}$
– missing input traces: $MIT(S) = \{wa \in \Sigma^* \mid q_0 \xRightarrow{w} q \wedge a \in I \wedge q \not\xrightarrow{a}\}$
– basic language: $L(S) = \{w \in \Sigma^* \mid q_0 \xRightarrow{w}\}$
Now the coarsest precongruence can be characterized with the following local error semantics; the intuitions are as follows. Errors arise in a composition because a component performs a strict error trace or because it cannot accept some input after a trace; in the first case, the error is already unavoidable if the error state can be reached by local actions only. These ideas justify our interest in traces that lead to errors and the use of $PrT$ and $MIT$ in the definition of $ET$ below. But as already explained above, the environment must take part in such problematic behaviour, hence we are also interested in the basic language of a system.
If along a trace an error can occur, it does not matter anymore whether the trace itself leads to an error state or whether it can be performed at all. Thus, we want to obliterate this information about the trace itself; for this purpose, we close the set of problematic traces under continuation, and we include this extended set in the language; this technique of flooding is well known e.g. in the context of failures semantics [2].
It will turn out that we can characterize $\sqsubseteq^c_{loc}$ as componentwise set inclusion for pairs $(ET(S), EL(S))$; we introduce a sign for this relation.
Definition 8 (Local Error Semantics). Let $S$ be an EIO.
– The set of error traces of $S$ is $ET(S) = cont(PrT(S)) \cup cont(MIT(S))$;
– the flooded language of $S$ is $EL(S) = L(S) \cup ET(S)$.
For two EIOs $Impl$ and $Spec$ with the same signature, we write $Impl \sqsubseteq_{loc} Spec$ if $ET(Impl) \subseteq ET(Spec)$ and $EL(Impl) \subseteq EL(Spec)$, and we call $Impl$ and $Spec$ local-error equivalent if $Impl \sqsubseteq_{loc} Spec$ and $Spec \sqsubseteq_{loc} Impl$.
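To make Definitions 7 and 8 concrete, here is an added example (not the authors' code) that computes $L$, $StT$, $MIT$, $PrT$, $ET$ and $EL$ for all traces up to a length bound and decides $Impl \sqsubseteq_{loc} Spec$ on that bounded fragment. The function and sample names are this example's own, and the length bound is the example's assumption: the trace sets of a cyclic EIO are infinite, so the check is exact only for traces up to the bound.

```python
from collections import namedtuple
from itertools import product

# Constructed example, not code from the report. The EIO of Definition 1 as a plain
# record; delta holds (q, a, p) triples and TAU is the internal action.
EIO = namedtuple("EIO", "states inputs outputs delta q0 errors")
TAU = "tau"

def enables(s, q, a):
    """q --a--> : a direct transition labelled a leaves q."""
    return any(x == q and b == a for (x, b, _) in s.delta)

def tau_closure(s, qs):
    """All states reachable from qs by tau steps only."""
    seen, todo = set(qs), list(qs)
    while todo:
        q = todo.pop()
        for (x, a, p) in s.delta:
            if x == q and a == TAU and p not in seen:
                seen.add(p)
                todo.append(p)
    return frozenset(seen)

def weak_reach(s, bound):
    """Map every trace w over Sigma with |w| <= bound to {q | q0 ==w==> q}."""
    sigma = s.inputs | s.outputs
    reach = {(): tau_closure(s, {s.q0})}
    frontier = [()]
    for _ in range(bound):
        nxt = []
        for w in frontier:
            for a in sigma:
                targets = {p for q in reach[w] for (x, b, p) in s.delta if x == q and b == a}
                if targets:
                    reach[w + (a,)] = tau_closure(s, targets)
                    nxt.append(w + (a,))
        frontier = nxt
    return reach

def prune(s, w):
    """Definition 4: strip the maximal suffix of output actions."""
    i = len(w)
    while i > 0 and w[i - 1] in s.outputs:
        i -= 1
    return w[:i]

def cont(s, traces, bound):
    """Definition 4 cut at the bound: every continuation wu with |wu| <= bound."""
    sigma = sorted(s.inputs | s.outputs)
    return {w + u for w in traces for k in range(bound - len(w) + 1)
            for u in product(sigma, repeat=k)}

def local_error_semantics(s, bound):
    """(ET(S), EL(S)) of Definition 8, restricted to traces of length <= bound."""
    reach = weak_reach(s, bound)
    L = set(reach)                                              # basic language
    StT = {w for w, qs in reach.items() if qs & s.errors}       # strict error traces
    MIT = {w + (a,) for w, qs in reach.items() if len(w) < bound
           for q in qs for a in s.inputs if not enables(s, q, a)}   # missing input traces
    PrT = {prune(s, w) for w in StT}                            # pruned error traces
    ET = cont(s, PrT | MIT, bound)
    return ET, L | ET

def refines_loc(impl, spec, bound):
    """Impl <=_loc Spec, checked on all traces of length <= bound."""
    et_i, el_i = local_error_semantics(impl, bound)
    et_s, el_s = local_error_semantics(spec, bound)
    return et_i <= et_s and el_i <= el_s

# Constructed sample: a request/cancel service. Spec accepts 'req' and answers 'ack';
# 'cancel' is accepted in every state.
def spec():
    return EIO(frozenset({"p0", "p1"}), frozenset({"req", "cancel"}), frozenset({"ack"}),
               frozenset({("p0", "req", "p1"), ("p1", "ack", "p0"),
                          ("p0", "cancel", "p0"), ("p1", "cancel", "p0")}), "p0", frozenset())

def impl_tolerant():
    """Like spec, but also tolerates a repeated 'req' while busy (more inputs enabled)."""
    s = spec()
    return s._replace(delta=s.delta | {("p1", "req", "p1")})

def impl_forgetful():
    """Like spec, but drops 'cancel' while busy: 'req cancel' becomes a missing input trace."""
    s = spec()
    return s._replace(delta=s.delta - {("p1", "cancel", "p0")})
```

`impl_tolerant` refines `spec`: it has no missing input traces, and every trace it adds starts with `req req`, which is in $MIT(Spec)$ and hence flooded into $EL(Spec)$. `impl_forgetful` does not: `req cancel` is in $MIT$ of the implementation but not in $ET(Spec)$. A failed bounded check is conclusive (the offending trace is exhibited); a passed one certifies only traces up to the bound. Note also that $MIT$ is computed from every state in the $\tau$-closure, so a state that is left by a pending $\tau$ step still counts as refusing the inputs it does not enable directly, exactly as $q \not\xrightarrow{a}$ in Definition 7 is a direct-transition condition.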
For the characterization result, it is crucial that the local error semantics is compositional.
Theorem 9 (Local Error Semantics for Composition) For two composable EIOs $S_1, S_2$ and $S_{12} = S_1 \mid S_2$ we have:
1. $ET_{12} = cont\big(prune\big((ET_1 \mid EL_2) \cup (EL_1 \mid ET_2)\big)\big)$
2. $EL_{12} = (EL_1 \mid EL_2) \cup ET_{12}$
Proof. 1.a) ‘$\subseteq$’:
Since both sides are closed under $cont$, it suffices to consider a prefix-minimal element $w$ of $ET_{12}$. This means $w$ is in $MIT_{12}$ or in $PrT_{12}$.
First we consider the case that $w \in MIT_{12}$:
We know that $w = xa$ with $(q_{01}, q_{02}) \xRightarrow{x} (q_1, q_2) \not\xrightarrow{a}$, $a \in I_{12}$. Since $a \in I_{12}$, it holds that $a \in I_1 \,\dot\cup\, I_2$ and $a \notin O_1 \cup O_2$. Let w.l.o.g. $a \in I_1$. Thus by projection we get $q_{01} \xRightarrow{x_1} q_1 \not\xrightarrow{a}$ and $q_{02} \xRightarrow{x_2}$ (i.e. $x_2 \in L_2$) with $x \in x_1 \mid x_2$. Thus we know that $x_1 a \in ET_1$ and $x_2 \in L_2 \subseteq EL_2$, and it follows that $w \in (x_1 \mid x_2) \cdot \{a\} \subseteq x_1 a \mid x_2 \subseteq ET_1 \mid EL_2$, which is contained in the r.h.s. set.
Now we get to the second case: $w \in PrT_{12}$
In this case we know that there exists $u \in O_{12}^*$ such that $(q_{01}, q_{02}) \xRightarrow{w} (q_1, q_2) \xRightarrow{u} (q'_1, q'_2)$ with $(q'_1, q'_2) \in E_{12}$ and $w = prune(wu)$.
By projection we get $q_{01} \xRightarrow{w_1} q_1 \xRightarrow{u_1} q'_1$ and $q_{02} \xRightarrow{w_2} q_2 \xRightarrow{u_2} q'_2$ with $w \in w_1 \mid w_2$ and $u \in u_1 \mid u_2$. Since $(q'_1, q'_2) \in E_{12}$ it follows that either $(q'_1, q'_2)$ is an inherited error, due to $q'_1 \in E_1$ or $q'_2 \in E_2$, or it is a new error due to some $a \in O_1 \cap I_2$ with $q'_1 \xrightarrow{a} \wedge\ q'_2 \not\xrightarrow{a}$ or some $a \in I_1 \cap O_2$ with $q'_1 \not\xrightarrow{a} \wedge\ q'_2 \xrightarrow{a}$.
If it is an inherited error, then let $q'_1 \in E_1$ w.l.o.g. Thus we know that $w_1 u_1 \in ET_1$. Because of $q_{02} \xRightarrow{w_2 u_2}$, we get $w_2 u_2 \in L_2 \subseteq EL_2$. Hence $wu \in ET_1 \mid EL_2$ and $w = prune(wu)$ is in the r.h.s. set.
If $(q'_1, q'_2)$ is a new error, let w.l.o.g. $a \in I_1 \cap O_2$ with $q'_1 \not\xrightarrow{a} \wedge\ q'_2 \xrightarrow{a}$. Thus we know that $w_1 u_1 a \in MIT_1 \subseteq ET_1$ and $w_2 u_2 a \in L_2 \subseteq EL_2$. By definition of $\mid$ we know that $w_1 u_1 a \mid w_2 u_2 a = w_1 u_1 \mid w_2 u_2$ and thus we are done as above.
1.b) ‘$\supseteq$’:
It should be noted that $S_1 \parallel S_2$ and $S_1 \mid S_2$ have the same states, error states and input actions. Consequently, using the $prune$-function on some trace of $S_1 \parallel S_2$ yields $v = \varepsilon$ or $v$ ending on some $b \in I_{12} = I_{S_1 \mid S_2}$.
Again it suffices to consider a prefix-minimal element $x$. For such an $x$ it holds that:
$x \in prune\big((ET_1 \mid EL_2) \cup (ET_2 \mid EL_1)\big)$
Since $x$ is the result of the $prune$ function, we consider $xy \in (ET_1 \mid EL_2) \cup (ET_2 \mid EL_1)$ with $y \in O_{12}^*$. W.l.o.g. we assume $xy \in ET_1 \mid EL_2$, i.e. there is $w_1 \in ET_1$ and $w_2 \in EL_2$ with $xy \in w_1 \mid w_2$. We also get $w \in w_1 \parallel w_2$ such that $w|_{\Sigma_{12}} = xy$.
Below, we will treat several cases, and in each case we will show that there is some $v \in PrT(S_1 \parallel S_2) \cup MIT(S_1 \parallel S_2)$ which is a prefix of $w$ and either ends on an input action of $S_1 \mid S_2$ or is $\varepsilon$. In both cases $v|_{\Sigma_{12}}$ is a prefix of $x$. In case of $v|_{\Sigma_{12}} = \varepsilon$, the latter is obvious. Otherwise $v|_{\Sigma_{12}}$ ends on some input action $b \in I_{12}$ and it has to be a prefix of $xy$ by construction of $w$. Since $y \in O_{12}^*$, this $v|_{\Sigma_{12}}$ has to be a prefix of $x$. Therefore $x$ has a prefix in $PrT(S_1 \mid S_2) \cup MIT(S_1 \mid S_2)$ and we are done.
Let $v_1$ be the shortest prefix of $w_1$ that is in $PrT_1 \cup MIT_1$. If $w_2 \in L_2$, let $v_2 = w_2$; otherwise, let $v_2$ be the shortest prefix of $w_2$ that is in $PrT_2 \cup MIT_2$. Every action of $v_1$ and $v_2$ has its corresponding action in $w$. We now assume that $v_2 = w_2 \in L_2$ or the last action of $v_1$ is before or the same as the last action of $v_2$. Otherwise, $v_2 \in PrT_2 \cup MIT_2$ ends before $v_1$ and this is analogous to the case where $v_1$ ends before $v_2$. (Note that the case $v_2 = w_2 \in L_2$ is needed to cover the situation where $w_2$ ends before $v_1$, but is not an error trace.)
If $v_1 = \varepsilon$, then choose $v'_2 = v' = \varepsilon$.
If $v_1 \neq \varepsilon$, then $v_1$ by choice ends with some $a \in I_1$, i.e. $v_1 = v'_1 a$. Let $v'$ be the prefix of $w$ that ends with the last action of $v_1$ and let $v'_2 = v'|_{\Sigma_2}$. If $v_2 \in L_2 \cup PrT_2$, then $v'_2$ is a prefix of $v_2$. If $v_2 \in MIT_2$ then it ends with some $b \in I_2$, i.e. $b \neq a$; according to the above assumption, in this case $v_1$ must end before $v_2$ and $v'_2$ is a proper prefix of $v_2$.
In all cases (including the case $v_1 = \varepsilon$), we get (*) $q_{02} \xRightarrow{v'_2}$. Furthermore, $v'_2 = v'|_{\Sigma_2}$ is a prefix of $v_2$, and $v' \in v_1 \parallel v'_2$ is a prefix of $w$. Now we have to consider two cases:
First we consider the case that $v_1 \in MIT_1$ (and $v_1 \neq \varepsilon$ in this case):
In this case we have $q_{01} \xRightarrow{v'_1} q_1 \not\xrightarrow{a}$ and we let $v' = v'' a$. We have to consider two subcases:
(i) If $a$ is not a synchronizing action, i.e. $a \notin \Sigma_2$, then by (*) $q_{02} \xRightarrow{v'_2} q_2$ with $v'' \in v'_1 \parallel v'_2$. Therefore $(q_{01}, q_{02}) \xRightarrow{v''} (q_1, q_2) \not\xrightarrow{a}$ with $a \in I_{12}$. Thus we can choose $v := v'' a = v' \in MIT(S_1 \parallel S_2)$.
(ii) If $a \in \Sigma_2$, then $a \in O_2$ and $v'_2 = v''_2 a$. By (*) $q_{02} \xRightarrow{v''_2} q_2 \xrightarrow{a}$ with $v'' \in v'_1 \parallel v''_2$. Thus, $(q_{01}, q_{02}) \xRightarrow{v''} (q_1, q_2)$ with $q_1 \not\xrightarrow{a}$, $a \in I_1$, $q_2 \xrightarrow{a}$ and $a \in O_2$; hence $(q_1, q_2) \in E_{12}$. In this case we choose $v := prune(v'') \in PrT(S_1 \parallel S_2)$.
The second case is $v_1 \in PrT_1$ (where we might have $v_1 = \varepsilon$).
In this case $\exists u_1 \in O_1^* : q_{01} \xRightarrow{v_1} q_1 \xRightarrow{u_1} q'_1$ with $q'_1 \in E_1$.
Again $q_{02} \xRightarrow{v'_2} q_2$, this time with $(q_{01}, q_{02}) \xRightarrow{v'} (q_1, q_2)$. We have two subcases depending on ‘how long’ $q_2$ can ‘take part’ in $u_1$.
(i) There is some $u_2 \in (O_1 \cap I_2)^*$ and some $c \in (O_1 \cap I_2)$ such that $u_2 c$ is a prefix of $u_1|_{I_2}$ with $q_2 \xRightarrow{u_2} q'_2 \not\xrightarrow{c}$. Consider the prefix $u'_1 c$ of $u_1$ with $u'_1 c|_{I_2} = u_2 c$. We know that $q_1 \xRightarrow{u'_1} q''_1 \xrightarrow{c}$. Then $u'_1 \in u'_1 \parallel u_2$ and $(q_1, q_2) \xRightarrow{u'_1} (q''_1, q'_2) \in E_{12}$, i.e. we get a new error. We can choose $v := prune(v' u'_1) \in PrT(S_1 \parallel S_2)$, which is a prefix of $v'$, since $u'_1 \in O_1^*$.
(ii) Otherwise we have $q_2 \xRightarrow{u_2} q'_2$ with $u_2 = u_1|_{I_2}$. Then $u_1 \in u_1 \parallel u_2$ and $(q_1, q_2) \xRightarrow{u_1} (q'_1, q'_2) \in E_{12}$. This is an error inherited from $S_1$. Therefore we can again choose $v := prune(v' u_1) \in PrT(S_1 \parallel S_2)$, which again is a prefix of $v'$.
2. Observe that $L_i \subseteq EL_i$ and $ET_i \subseteq EL_i$. For better readability, we start from the right hand side of the equation:
$(EL_1 \mid EL_2) \cup ET_{12} = \big((L_1 \cup ET_1) \mid (L_2 \cup ET_2)\big) \cup ET_{12}$
$= \underbrace{(L_1 \mid ET_2)}_{\subseteq ET_{12}\ (1)} \cup \underbrace{(ET_1 \mid L_2)}_{\subseteq ET_{12}\ (1)} \cup (L_1 \mid L_2) \cup \underbrace{(ET_1 \mid ET_2)}_{\subseteq ET_{12}\ (1)} \cup ET_{12}$
$= (L_1 \mid L_2) \cup ET_{12} \overset{5.2}{=} L_{12} \cup ET_{12} = EL_{12}$ □
The above theorem implies that $\sqsubseteq_{loc}$ is a precongruence. The main point is now to show that it is the coarsest one. To show this, we will construct a test environment $U$ for each relevant trace $w$ of $Impl$ that reveals that $w$ is also a suitable trace of $Spec$.
Theorem 10 (Full Abstractness for Local Error Semantics) For two systems $Impl$ and $Spec$ with the same signature it holds that:
$Impl \sqsubseteq^c_{loc} Spec \Leftrightarrow Impl \sqsubseteq_{loc} Spec$
Proof. As just noted, it follows easily from Theorem 9 that $\sqsubseteq_{loc}$ is a precongruence. Furthermore, $\varepsilon \in ET(S)$ signifies that an error is locally reachable in $S$, since this can only result from $\varepsilon \in PrT(S)$. Hence, $Impl \sqsubseteq_{loc} Spec$ implies that $\varepsilon \in ET(Spec)$ whenever $\varepsilon \in ET(Impl)$, and thus also that $Impl \sqsubseteq_{Bloc} Spec$.
It remains to show that $Impl \sqsubseteq^c_{loc} Spec \Rightarrow Impl \sqsubseteq_{loc} Spec$. Since $Impl$ and $Spec$ have the same signature, we will write $I$ for $I_{Impl} = I_{Spec}$ and $O$ for $O_{Impl} = O_{Spec}$ throughout this proof.
We assume $Impl \sqsubseteq^c_{loc} Spec$, hence $Impl \sqsubseteq_{Bloc} Spec$ and $Impl \mid U \sqsubseteq_{Bloc} Spec \mid U$ for all EIOs $U$ composable with $Impl$.
We have to show the following inclusions:
– $ET(Impl) \subseteq ET(Spec)$
– $EL(Impl) \subseteq EL(Spec)$
For the first inclusion we consider a prefix-minimal element $w \in ET(Impl)$. It suffices to show that $w$ or any of its prefixes is in $ET(Spec)$.
If $w = \varepsilon$, then an error state is locally reachable in $Impl$, hence also in $Spec$, because of $Impl \sqsubseteq_{Bloc} Spec$. Therefore $\varepsilon \in PrT(Spec)$.
So we assume that $w = x_1 \cdots x_n x_{n+1} \in \Sigma^+$ with $n \geq 0$ and $x_{n+1} \in I$. We consider the following process $U$ (see Fig. 1):
– $Q_U = \{q_0, q_1, \ldots, q_{n+1}\}$
– $I_U = O$
– $O_U = I$
– $q_{0U} = q_0$
– $E_U = \emptyset$
– $\delta_U = \{(q_i, x_{i+1}, q_{i+1}) \mid 0 \leq i \leq n\} \cup \{(q_i, x, q_{n+1}) \mid x \in I_U \setminus \{x_{i+1}\},\ 0 \leq i \leq n\} \cup \{(q_{n+1}, a, q_{n+1}) \mid a \in I_U\}$
For $w$ we can distinguish two cases. Both will lead to $\varepsilon \in StT(Impl \mid U)$.
If $w \in MIT(Impl)$, then in $Impl \parallel U$ we have $(q_{0Impl}, q_0) \xRightarrow{x_1 \cdots x_n} (q', q_n)$ with $q' \not\xrightarrow{x_{n+1}}$ and $q_n \xrightarrow{x_{n+1}}$. Therefore $(q', q_n) \in E_{Impl \mid U}$ and $\varepsilon \in StT(Impl \mid U)$.
If $w \in PrT(Impl)$, then in $Impl \parallel U$ we have $(q_{0Impl}, q_0) \xRightarrow{w} (q'', q_{n+1}) \xRightarrow{u} (q', q_{n+1})$ with some $u \in O^*$ and $q' \in E_{Impl}$. The latter implies $(q', q_{n+1}) \in E_{Impl \mid U}$, and again $\varepsilon \in StT(Impl \mid U)$.
Since we now know that $\varepsilon \in StT(Impl \mid U)$, we also know from $Impl \mid U \sqsubseteq_{Bloc} Spec \mid U$ that there is a locally reachable error in $Spec \mid U$ as well.
[Fig. 1: the test environment $U$ with states $q_0, q_1, \ldots, q_n, q_{n+1}$ and transitions $q_0 \xrightarrow{x_1} q_1 \xrightarrow{x_2} \cdots \xrightarrow{x_n} q_n \xrightarrow{x_{n+1}!} q_{n+1}$; every $q_i$ with $i \leq n$ moves to $q_{n+1}$ on $x? \neq x_{i+1}$, and $q_{n+1}$ loops on every $x? \in I_U$.]
Fig. 1. $x? \neq x_i$ indicates all $x \in I_U \setminus \{x_i\}$, $x_{n+1}!$ indicates $x_{n+1} \in O_U$
There are two kinds of error states $Spec \mid U$ can have: new or inherited. Since
each state of $U$ enables every $x \in O = I_U$, a locally reachable new error has to be one where $U$ enables an output $a \in O_U$ which is not enabled in $Spec$. By construction $q_{n+1}$ enables no outputs, therefore such a new error state has to be of the form $(q', q_i)$ with $i \leq n$, $q' \not\xrightarrow{x_{i+1}}$ and $x_{i+1} \in O_U = I$. Thus, by projection $q_{0Spec} \xRightarrow{x_1 \cdots x_i} q' \not\xrightarrow{x_{i+1}}$ and therefore $x_1 \cdots x_{i+1} \in MIT(Spec) \subseteq ET(Spec)$ is a prefix of $w$ and we are done.
If the locally reachable error is due to an inherited error state, then by projection $U$ has performed some $x_1 \cdots x_i u$ with $u \in I_U^* = O^*$ (possibly $i = 0$) and hence so has $Spec$. With this, $Spec$ has reached some state in $E_{Spec}$, i.e. $x_1 \cdots x_i u \in StT(Spec)$. Therefore $prune(x_1 \cdots x_i u) = prune(x_1 \cdots x_i) \in PrT(Spec)$. Again this is a prefix of $w$ and in $ET(Spec)$ and we are done.
For the second inclusion it suffices to show $L(Impl) \setminus ET(Impl) \subseteq EL(Spec)$, because of the first inclusion and the definition of $EL$.
For this we consider a $w \in L(Impl) \setminus ET(Impl)$ and show that it is in $EL(Spec)$. If $w = \varepsilon$ we are done, since $\varepsilon$ always is in $EL(Spec)$. Therefore we consider $w = x_1 \cdots x_n$ with $n \geq 1$ and construct an EIO $U$ (illustrated in Fig. 2) with:
– $Q_U = \{q, q_0, q_1, \ldots, q_n\}$
– $I_U = O$
– $O_U = I$
– $q_{0U} = q_0$
– $E_U = \{q_n\}$
– $\delta_U = \{(q_i, x_{i+1}, q_{i+1}) \mid 0 \leq i < n\} \cup \{(q_i, x, q) \mid x \in I_U \setminus \{x_{i+1}\},\ 0 \leq i \leq n\} \cup \{(q, x, q) \mid x \in I_U\}$
Because of $q_{0Impl} \xRightarrow{w} q$ we know that $Impl \mid U$ has a locally reachable error. Thus, because of $Impl \mid U \sqsubseteq^c_{loc} Spec \mid U$, $Spec$ also has to have a locally reachable error state. Firstly this could be a new error because of some $x_i \in O_U$ and $q_{0Spec} \xRightarrow{x_1 \cdots x_{i-1}} q' \not\xrightarrow{x_i}$. In this case $x_1 \cdots x_i \in MIT(Spec)$ and thus $w \in EL(Spec)$. Note that outputs of $U$ are only enabled along this trace. Therefore there are no other outputs of $U$ which could lead to a new error.
[Fig. 2: the EIO $U$ with states $q_0, q_1, \ldots, q_{n-1}, q_n \in E_U$ and $q$; transitions $q_0 \xrightarrow{x_1} q_1 \xrightarrow{x_2} \cdots \xrightarrow{x_{n-1}} q_{n-1} \xrightarrow{x_n} q_n$, every $q_i$ moves to $q$ on $x? \neq x_{i+1}$, and $q$ loops on every $x? \in I_U$; $x?$ indicates some $x \in I_U$.]
Fig. 2. Here and in the following error states are marked with a box.
Secondly it could be a new error due to some $a \in O_{Spec}$, which $U$ could not
match. But the only state of $U$ in which not all inputs are enabled is $q_n$, which already is an error state. If this state is reachable in $Spec \mid U$, then the composed EIO has an inherited error and thus $w \in L(Spec) \subseteq EL(Spec)$.
Thirdly it can be an error inherited from $U$. Since the only state in $E_U$ is $q_n$ and all actions are synchronized, this is only possible if $q_{0Spec} \xRightarrow{x_1 \cdots x_n}$. In this case $w \in L(Spec)$ and we are done.
Finally, the error could have been inherited from $Spec$. In this case $q_{0Spec} \xRightarrow{x_1 \cdots x_i u} q' \in E_{Spec}$, for some $i \geq 0$ and $u \in O^*$. This means that $x_1 \cdots x_i u \in StT(Spec)$ and thus $prune(x_1 \cdots x_i u) = prune(x_1 \cdots x_i) \in PrT(Spec) \subseteq EL(Spec)$. Hence again $w \in EL(Spec)$ and we are done. □
3.2 Comparison to Interface Automata
Up to local-error equivalence, we can essentially work with EIOs without error states. Such EIOs are exactly the interface automata of [4], if they additionally are input-deterministic: if $q \xrightarrow{a} q'$ and $q \xrightarrow{a} q''$ for some $a \in I$, then $q' = q''$. The only difference is that with EIOs without error states we do not have EIOs anymore that, from the local point of view, are an error initially.
Theorem 11 (Removing Error States) Let $S$ be an EIO, and let $prune(S)$ be obtained from $S$ by removing the illegal states in $illegal(S) = \{q \in Q \mid$ an error state is reachable from $q$ by local actions$\}$, the respective transitions and all transitions $q \xrightarrow{a} q'$ where $a \in I$ and there is some $q \xrightarrow{a} q''$ with $q'' \in illegal(S)$. If $q_0 \notin illegal(S)$, $prune(S)$ is an EIO and local-error equivalent to $S$.
Output pruning in [4] only removes the illegal states and the respective transitions. The additional removal of transitions $q \xrightarrow{a} q'$ as described in the theorem is obviously redundant in case of input determinism.
Proof. We assume q0 6∈ illegal(S); then the claim about prune(S) being an EIO
is obvious.
For S ⊑loc prune(S), consider some w ∈ PrT(S) and a suitable underlying run $q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots q_n$. Observe that qn is an illegal state and missing in prune(S). So let qi be the first state on the run such that $q_i \xrightarrow{a_{i+1}} q_{i+1}$ is missing in prune(S). This means that qi is not illegal, ai+1 is an input, and some q with $q_i \xrightarrow{a_{i+1}} q$ is illegal. This implies that some prefix of w is in MIT(prune(S)), and w ∈ ET(prune(S)).
For wa ∈ MIT(S), we argue similarly. Either some suitable run underlying w is still in prune(S) and wa ∈ MIT(prune(S)), or some transition of the run is missing in prune(S) and wa has a prefix in MIT(prune(S)). Thus, ET(S) ⊆ ET(prune(S)).
Analogously for w ∈ L(S), either some run underlying w is still in prune(S) and w ∈ L(prune(S)), or some transition of the run is missing and w has a prefix in MIT(prune(S)). Thus, EL(S) ⊆ EL(prune(S)).
For ET(prune(S)) ⊆ ET(S), we just have to consider wa ∈ MIT(prune(S)), where a ∈ I. Consider a suitable run q0 … q underlying w in prune(S). Either q has no a-transition in S and wa ∈ MIT(S), or $q \xrightarrow{a} q'$ for some illegal q' and wa ∈ PrT(S). Thus, ET(prune(S)) ⊆ ET(S).
For w ∈ L(prune(S)), each run underlying w is still in S and w ∈ L(S). Thus, EL(prune(S)) ⊆ EL(S). □
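The pruning of Theorem 11 on top of the parallel composition with error states, as an added example in Python (not code from the paper); the two component EIOs, their state and action names, and the spelling "tau" for the internal action are this example's own constructions.

```python
# Added example (not the paper's code): parallel composition with error states
# and the pruning of Theorem 11 on two constructed EIOs (names made up; "tau" = internal).
from itertools import product

def eio(states, inputs, outputs, trans, init, errors=()):
    """An EIO as a dict: Q, I, O, delta (set of (q, a, q')), q0, E."""
    return {"Q": set(states), "I": set(inputs), "O": set(outputs),
            "delta": set(trans), "q0": init, "E": set(errors)}

def enabled(s, q):
    return {a for (p, a, _) in s["delta"] if p == q}

def new_error(sa, qa, sb, qb):
    """sa at qa offers an output that sb cannot accept as input at qb."""
    return any(a in sb["I"] and a not in enabled(sb, qb)
               for a in enabled(sa, qa) & sa["O"])

def compose(s1, s2):
    """S1 | S2: common actions synchronize into tau; a product state is an error if
    a component is in one (inherited) or one side's output cannot be received (new)."""
    sync = (s1["I"] & s2["O"]) | (s1["O"] & s2["I"])
    states = set(product(s1["Q"], s2["Q"]))
    delta = set()
    for (q1, q2) in states:
        for (p, a, t) in s1["delta"]:
            if p == q1 and a not in sync:
                delta.add(((q1, q2), a, (t, q2)))
        for (p, a, t) in s2["delta"]:
            if p == q2 and a not in sync:
                delta.add(((q1, q2), a, (q1, t)))
        for (p1, a, t1) in s1["delta"]:
            for (p2, b, t2) in s2["delta"]:
                if (p1, p2) == (q1, q2) and a == b and a in sync:
                    delta.add(((q1, q2), "tau", (t1, t2)))
    errors = {(q1, q2) for (q1, q2) in states
              if q1 in s1["E"] or q2 in s2["E"]
              or new_error(s1, q1, s2, q2) or new_error(s2, q2, s1, q1)}
    return eio(states, (s1["I"] | s2["I"]) - sync, (s1["O"] | s2["O"]) - sync,
               delta, (s1["q0"], s2["q0"]), errors)

def illegal(s):
    """States from which an error state is reachable by local actions only."""
    local = s["O"] | {"tau"}
    bad = set(s["E"])
    changed = True
    while changed:
        changed = False
        for (p, a, t) in s["delta"]:
            if a in local and t in bad and p not in bad:
                bad.add(p)
                changed = True
    return bad

def prune(s):
    """Theorem 11: drop illegal states with their transitions, plus every input
    transition q -a-> q' for which some q -a-> q'' reaches an illegal state."""
    bad = illegal(s)
    if s["q0"] in bad:
        raise ValueError("initial state illegal: components not compatible")
    delta = set()
    for (p, a, t) in s["delta"]:
        leads_to_bad = any(t2 in bad for (p2, a2, t2) in s["delta"]
                           if (p2, a2) == (p, a))
        if p in bad or t in bad or (a in s["I"] and leads_to_bad):
            continue
        delta.add((p, a, t))
    return eio(s["Q"] - bad, s["I"], s["O"], delta, s["q0"])

def compatible(s1, s2):
    """S1 and S2 are compatible iff the initial state of S1 | S2 is legal."""
    s12 = compose(s1, s2)
    return s12["q0"] not in illegal(s12)

# Constructed sample: S1 waits for go?, then sends m!; S2 accepts m? initially
# but may first emit n!, after which it no longer accepts m.
S1 = eio({"s0", "s1", "s2"}, {"go"}, {"m"},
         {("s0", "go", "s1"), ("s1", "m", "s2")}, "s0")
S2 = eio({"r0", "r1", "r2"}, {"m"}, {"n"},
         {("r0", "m", "r1"), ("r0", "n", "r2")}, "r0")
S12 = compose(S1, S2)   # (s1,r1), (s1,r2) are new errors; (s1,r0) is illegal
```

In prune(S12) the input transition go? from the initial state disappears, because the environment may otherwise drive the composition into the illegal state (s1,r0) from which S2's output n! leads to an error.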
Thus, we could work with EIOs without error states; whenever we put such
EIOs in parallel, we have to normalize the result, i.e. we take prune(S1 | S2)
as parallel composition. We only have to make sure that this is well-defined:
we call EIOs S1 and S2 compatible, if the initial state of S1 | S2 is not illegal;
with this, we only apply the new parallel composition to compatible S1 and S2.
Furthermore, we have:
Proposition 12 If Spec and Spec′ are compatible EIOs and Impl ⊑loc Spec, then also Impl and Spec′ are compatible.
Proof. If Impl and Spec′ are not compatible, then ε ∈ ET(Impl | Spec′). Now ET(Impl | Spec′) ⊆ ET(Impl | Spec) by Theorem 9, hence also Impl and Spec are not compatible. □
Thus, also on the level of transition systems, output pruning as introduced
in [4] is justified according to our approach. But the refinement relation based on
alternating simulation is somewhat arbitrarily too strict, as we will show below.
To our best knowledge, alternating simulation as refinement relation has first
been considered for modal transition systems [6]; see [7] for a comparison to the
setting of interface automata.
Since the refinement relation of [4] is a precongruence, one might believe that, due to our coarsest precongruence result, this refinement should directly imply ⊑loc. This is not really so obvious: we have considered parallel components that are not interface automata, and this could have forced us to be too strict w.r.t. alternating simulation. But actually, this is not the case, as we show now.
Definition 13. For EIOs S1 and S2 with the same signature, an alternating simulation relation is some R ⊆ Q1 × Q2 with (q01, q02) ∈ R such that for all (q1, q2) ∈ R we have:
1. If $q_2 \xrightarrow{a} q_2'$ and a ∈ I1, then $q_1 \xrightarrow{a} q_1'$ and (q1′, q2′) ∈ R.
2. If $q_1 \xrightarrow{a} q_1'$ and a ∈ O1, then $q_2 \Rightarrow \xrightarrow{a} q_2'$ and (q1′, q2′) ∈ R.
3. If $q_1 \xrightarrow{\tau} q_1'$, then $q_2 \Rightarrow q_2'$ and (q1′, q2′) ∈ R.
Thus, such an R requires that the implementation S1 can match a prescribed input immediately, while an output or τ is allowed for S1 if the specification can match them by using arbitrarily many internal steps.
Proposition 14 If there exists some alternating simulation relation R for interface automata S1 and S2, then S1 ⊑loc S2.
Proof. Since interface automata do not have error states, we just have to consider wa ∈ MIT(S1) with a ∈ I for ET(S1) ⊆ ET(S2). Take a suitable run in S1 underlying w, and build up a matching run in S2 as follows. To start with, the initial states are related according to R. Each output or internal transition in S1 can be matched according to 13.2 or 13.3, reaching related states again. If the runs have reached (q1, q2) ∈ R so far and the next transition is $q_1 \xrightarrow{a} q_1'$ with a ∈ I1, then either q2 does not have an a-transition and a prefix of w is in MIT(S2), or $q_2 \xrightarrow{a} q_2'$ and (q1′, q2′) ∈ R due to input determinism. If the run in S1 ends and we have reached (q1, q2) ∈ R, then q2 cannot have an a-transition due to 13.1 and wa ∈ MIT(S2).
The treatment of w ∈ L(S1) is analogous, except that we do not have to consider a missing action after w at the end. □
Now we come to the example announced above. Fig. 3 shows two interface automata, which are local-error equivalent – in particular, they have no inputs: there are no error traces and the basic languages are the same. But there exists no alternating refinement relation from the first to the second, since whichever way the second interface automaton matches o, it will forbid one of o1 or o2 afterwards.
Fig. 3. (figure: the first interface automaton with transitions o!, o1!, o2!; the second with transitions o!, o!, o1!, o2!)
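The Fig. 3 argument checked mechanically, as an added example in Python that is not part of the paper: a greatest-fixpoint computation of the alternating simulation of Definition 13. The two automata are reconstructed from the text above (state names p*, q* and the exact shapes are this example's assumption), and "tau" marks internal steps.

```python
# Added example (not the paper's code): the alternating simulation of
# Definition 13 as a greatest-fixpoint check, applied to the two output-only
# interface automata of Fig. 3 as read from the text (state names and exact
# shapes are this example's reconstruction; "tau" marks internal steps).

def succ(s, q, a):
    """Direct a-successors of q in s (q -a-> q')."""
    return {t for (p, b, t) in s["delta"] if p == q and b == a}

def tau_closure(s, q):
    """All q' with q ==> q', i.e. reachable by zero or more tau steps."""
    seen, todo = {q}, [q]
    while todo:
        p = todo.pop()
        for t in succ(s, p, "tau") - seen:
            seen.add(t)
            todo.append(t)
    return seen

def weak_succ(s, q, a):
    """All q' with q ==> -a-> q' (internal steps, then one visible a-step)."""
    return {t for p in tau_closure(s, q) for t in succ(s, p, a)}

def alternating_simulation(impl, spec):
    """Largest R satisfying 13.1-13.3 for implementation impl and specification
    spec over the same signature, computed by deleting violating pairs from
    Q1 x Q2; returns the empty set if the initial states drop out."""
    rel = {(q1, q2) for q1 in impl["Q"] for q2 in spec["Q"]}

    def holds(q1, q2):
        # 13.1: an input offered by the specification must be matched at once
        for a in impl["I"]:
            for t2 in succ(spec, q2, a):
                if not any((t1, t2) in rel for t1 in succ(impl, q1, a)):
                    return False
        # 13.2: an output of the implementation may be matched after tau steps
        for a in impl["O"]:
            for t1 in succ(impl, q1, a):
                if not any((t1, t2) in rel for t2 in weak_succ(spec, q2, a)):
                    return False
        # 13.3: a tau step of the implementation is matched by q2 ==> q2'
        for t1 in succ(impl, q1, "tau"):
            if not any((t1, t2) in rel for t2 in tau_closure(spec, q2)):
                return False
        return True

    while True:
        bad = {pair for pair in rel if not holds(*pair)}
        if not bad:
            break
        rel -= bad
    return rel if (impl["q0"], spec["q0"]) in rel else set()

def refines(impl, spec):
    """True iff some alternating simulation relation exists (Definition 13)."""
    return bool(alternating_simulation(impl, spec))

# Fig. 3, first automaton: o!, then both o1! and o2! are offered.
FIRST = {"Q": {"q0", "q1", "q2", "q3"}, "I": set(), "O": {"o", "o1", "o2"},
         "delta": {("q0", "o", "q1"), ("q1", "o1", "q2"), ("q1", "o2", "q3")},
         "q0": "q0"}
# Fig. 3, second automaton: two o! branches, one continuing with o1!, the other with o2!.
SECOND = {"Q": {"p0", "p1", "p2", "p3", "p4"}, "I": set(), "O": {"o", "o1", "o2"},
          "delta": {("p0", "o", "p1"), ("p0", "o", "p2"),
                    ("p1", "o1", "p3"), ("p2", "o2", "p4")},
          "q0": "p0"}

if __name__ == "__main__":
    print("FIRST refines SECOND:", refines(FIRST, SECOND))   # False
    print("SECOND refines FIRST:", refines(SECOND, FIRST))   # True
```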
Finally, we show associativity for parallel composition. As mentioned in the
introduction, Theorem 1 of [3] claiming this associativity is wrong due to an error
in the definition of pruning; and such a proof is a bit tricky when composition
involves pruning. The problem also demonstrates the danger when one develops
an unorthodox definition justified with informal intuitive arguments only. In the
present paper, pruning is proven correct in Theorem 11, and this proof would
fail with some incorrect definition of pruning.
In our setting with error states, associativity is easy, because the two systems
are easily seen to be isomorphic. Hence, the following result would also hold for
any sensible equivalence on EIOs.
Theorem 15 Let S1, S2 and S3 be EIOs. Then S1 | (S2 | S3) and (S1 | S2) | S3 are local-error equivalent.
Proof. Both EIOs are isomorphic to an EIO with state set Q1 × Q2 × Q3, initial state (q01, q02, q03), signature as that of S1 | (S2 | S3) and the following transitions and error states.
Transitions:
– $(q_1, q_2, q_3) \xrightarrow{\alpha} (q_1', q_2, q_3)$ if $q_1 \xrightarrow{\alpha} q_1'$ and α ∈ (Σ1 ∪ {τ}) \ (Σ2 ∪ Σ3), and similarly for transitions derived from S2 and S3 instead of S1; and
– $(q_1, q_2, q_3) \xrightarrow{\tau} (q_1', q_2', q_3)$ if $q_1 \xrightarrow{a} q_1'$ and $q_2 \xrightarrow{a} q_2'$ for some a ∈ Σ1 ∩ Σ2, and similarly for transitions derived from other pairs instead of S1 and S2.
Error states: (q1, q2, q3) is an error state
– if q1 ∈ E1, and similarly for E2 or E3 instead of E1; or
– if $q_1 \xrightarrow{a}$ and $q_2 \not\xrightarrow{a}$ for some a ∈ O1 ∩ I2, or similarly for one of the other five pairs instead of (S1, S2).
Observe that, in the latter item, (q2, q3) possibly is not an error state and (q1, (q2, q3)) is a new one, while (q1, q2) is an error state and ((q1, q2), q3) is an inherited one. □
4 Internal Errors
Now we consider errors reached by internal actions only. This view is even more optimistic than our first one, since errors reachable by output actions are no longer considered dangerous. Nevertheless our result will show that the resulting semantics is not much different from the local error semantics. We will annotate each error trace with a set of output actions; if a system with this trace synchronizes with another one on these output actions, an error state can be reached with this trace.
Our base relation is now defined as:
Definition 16 (Internal Basic Relation). An error is internally reachable in S, if ε ∈ StT(S). We have Impl ⊑Bint Spec, whenever an error is internally reachable in Impl only if an error is internally reachable in Spec.
Again we denote the fully abstract precongruence with respect to ⊑Bint and | by ⊑cint.
As mentioned above, we add a set of outputs to each error trace thereby
getting an error pair. The intuition is that, once the actions of a pruned trace
have been taken, the system in a composition might be prevented from reaching
an error internally because of an output action that has been pruned, but has
not been synchronized on.
Somehow a repetition – revise
Definition 17 (out function). Given an EIO S, we define out : Σ* → P(O) by out(w) = X, where X consists of all output actions occurring in w.
Definition 18 (Error Pair). An error pair over a signature (I, O) is a pair (w, X) ∈ ((I ∪ O)* × P(O)) with out(w) ⊆ X.
Given two composable EIOs S1, S2, we define for an error pair (w, X) over (I1, O1) and v ∈ Σ2*:
(w, X) ‖ v = {(z, Y) | z ∈ w ‖ v, Y = X ∪ out(v)}
(w, X) | v = {(z|Σ12, Y ∩ Σ12) | (z, Y) ∈ (w, X) ‖ v}
It is easy to see that these sets consist of error pairs over the signatures of S1 ‖ S2 and of S12 = S1 | S2 resp. On error pairs over some (I, O), we define the following prefix relation and the following functions:
(w, X) ⊑ (v, Y) if w ⊑ v and X ⊆ Y
prune(w, X) := (prune(w), X) (an error pair again)
cont(w, X) := {(v, Y) | (w, X) ⊑ (v, Y)} (consisting of error pairs)
Definition 19 (Sets of Error Pairs). We define the following sets of error pairs for an EIO S:
– strict error pairs: StP(S) = {(w, X) | w ∈ StT(S), out(w) = X}
– pruned error pairs: PrP(S) = {prune(w, X) | (w, X) ∈ StP(S)}
– missing input pairs: MIP(S) = {(w, X) | w ∈ MIT(S), out(w) = X}
It is easy to see that these sets indeed consist of error pairs over (I, O), and that they are an enhanced version of similar sets defined in the previous section.
It will turn out that we can characterize ⊑cint as componentwise set inclusion for pairs (EP(S), EPL(S)), where the latter is the basic language of S flooded with a set of traces derived from EP(S); we introduce a sign for this relation.
Definition 20 (Internal Error Semantics). Let S be an EIO.
– The set of error pairs of S is EP(S) = cont(PrP(S)) ∪ cont(MIP(S));
– the set of error pair traces of S is EPT(S) = {w | (w, out(w)) ∈ EP(S)};
– the flooded language of S, called error pair language, is EPL(S) = L(S) ∪ EPT(S).
For two EIOs Impl and Spec with the same signature, we write Impl ⊑int Spec if EP(Impl) ⊆ EP(Spec) and EPL(Impl) ⊆ EPL(Spec), and we call Impl and Spec internal-error equivalent if Impl ⊑int Spec and Spec ⊑int Impl.
The following lemma collects a number of useful observations for the next
proof.
Lemma 21 Given two composable EIOs S1, S2, w1 ∈ Σ1* and w2 ∈ Σ2*, we have
1. w ∈ w1 | w2 ⇒ out(w) = out(w1) \ I2 ∪ out(w2) \ I1
2. w ∈ w1 | w2 ⇒ (w, out(w)) ∈ (w1, out(w1)) | w2
3. w ∈ w1 | w2 ⇒ wa ∈ w1a | w2 if a ∈ Σ1 \ Σ2
Given an EIO S, an error pair (w, X) over (I, O) and a set M of error pairs, we have
4. prune(w, X) ⊑ (w, X)
5. (w, X) ∈ M ⇒ (w, X) ∈ cont(prune(M))
6. StP(S) ⊆ EP(S)
Proof. In particular, Item 6 follows from 5, which in turn follows from 4. □
For the characterization result, it is again crucial that the internal error
semantics is compositional. Since we will give part of the proof on the level of ‖,
we note the following relationship.
Lemma 22 Given two composable EIOs S1, S2, we have for S12 = S1 | S2
1. PrP(S12) = {(w|Σ12, X ∩ Σ12) | (w, X) ∈ PrP(S1 ‖ S2)}
2. MIP(S12) = {(w|Σ12, X ∩ Σ12) | (w, X) ∈ MIP(S1 ‖ S2)}
Theorem 23 (Internal Error Semantics for Composition) For two composable EIOs S1, S2 and S12 = S1 | S2 we have:
1. EP12 = cont(prune((EP1 | EPL2) ∪ (EPL1 | EP2)))
2. EPL12 = (EPL1 | EPL2) ∪ EPT12
Proof. 1.a) ‘⊆’:
Since both sides are closed under cont, it suffices to consider a prefix-minimal element (w, X) of EP12. This means (w, X) is in MIP12 or in PrP12.
First, we consider the case (w, X) ∈ MIP12.
We know that X = out(w), w = xa, a ∈ (I1 ∪̇ I2) \ (O1 ∪̇ O2) with $(q_{01}, q_{02}) \stackrel{x}{\Rightarrow} (q_1, q_2) \not\xrightarrow{a}$ in S1 | S2. Let w.l.o.g. a ∈ I1. Thus by projection we get $q_{01} \stackrel{x_1}{\Rightarrow} q_1 \not\xrightarrow{a}$ and $q_{02} \stackrel{x_2}{\Rightarrow}$ with x ∈ x1 | x2. Thus we know that x1a ∈ MIT1 and thus (x1a, out(x1a)) ∈ MIP1 ⊆ EP1. We also know that x2 ∈ L2 ⊆ EPL2, and it follows that (w, X) ∈ ((x1a, out(x1a)) | x2) ⊆ EP1 | EPL2 by Lemma 22.2. This set is contained in the r.h.s. of 23.1 by 22.5.
Now we consider (w, X) ∈ PrP12.
In this case we know that there exists u ∈ O12* such that $(q_{01}, q_{02}) \stackrel{w}{\Rightarrow} (q_1, q_2) \stackrel{u}{\Rightarrow} (q_1', q_2')$ in S1 | S2 with (q1′, q2′) ∈ E12 and out(wu) = X ∧ w = prune(wu).
By projection we get $q_{01} \stackrel{w_1}{\Rightarrow} q_1 \stackrel{u_1}{\Rightarrow} q_1'$ and $q_{02} \stackrel{w_2}{\Rightarrow} q_2 \stackrel{u_2}{\Rightarrow} q_2'$ with w ∈ w1 | w2 and u ∈ u1 | u2. Since (q1′, q2′) ∈ E12 it follows that either (q1′, q2′) is an inherited error, due to q1′ ∈ E1 or q2′ ∈ E2, or it is a new error due to some a ∈ O1 ∩ I2 with $q_1' \xrightarrow{a} \wedge q_2' \not\xrightarrow{a}$ or some a ∈ I1 ∩ O2 with $q_1' \not\xrightarrow{a} \wedge q_2' \xrightarrow{a}$.
For the case that (q1′, q2′) is an inherited error, let q1′ ∈ E1 w.l.o.g. Thus we know that w1u1 ∈ StT1, (w1u1, out(w1u1)) ∈ StP1 ⊆ EP1 by Lemma 22.6 and w2u2 ∈ EPL2. By Lemma 22.2 we get (wu, X) ∈ (w1u1, out(w1u1)) | w2u2 ⊆ EP1 | EPL2. Therefore prune(wu, X) = (w, X) ∈ prune(EP1 | EPL2), which is in the r.h.s. set.
Alternatively, in case that (q1′, q2′) is a new error, let w.l.o.g. a ∈ I1 ∩ O2 with $q_1' \not\xrightarrow{a} \wedge q_2' \xrightarrow{a}$. Thus we know that w1u1a ∈ MIT1, (w1u1a, out(w1u1a)) ∈ MIP1 ⊆ EP1 and w2u2a ∈ L2 ⊆ EPL2. By definition of |, we get wu ∈ w1u1 | w2u2 = w1u1a | w2u2a and (wu, X) ∈ EP1 | EPL2 by Lemma 22.2. As above prune(wu, X) = (w, X) ∈ prune(EP1 | EPL2) which is in the r.h.s. set.
1.b) ‘⊇’:
Again it suffices to consider a prefix-minimal element (x, X) of the r.h.s., i.e. (x, X) ∈ prune((EP1 | EPL2) ∪ (EPL1 | EP2)) with x ∈ {ε} ∪ Σ12* · I12.
Since x is the result of the prune function, we consider (xy, X) ∈ (EP1 | EPL2) ∪ (EPL1 | EP2) with y ∈ O12*. W.l.o.g. we assume (xy, X) ∈ EP1 | EPL2, i.e. there is (w1, X1) ∈ EP1 and w2 ∈ EPL2 with (xy, X) ∈ (w1, X1) | w2. Furthermore, there is some (w, Y) ∈ (w1, X1) ‖ w2 such that (w|Σ12, Y ∩ Σ12) = (xy, X); note that Y = X1 ∪ out(w2) by definition and thus out(w) = out(w1) ∪ out(w2) ⊆ Y.
We will show that there is a (v, V) ∈ PrP(S1 ‖ S2) ∪ MIP(S1 ‖ S2) with (v, V) ⊑ (w, Y) such that v ends on some b ∈ I12 or is ε. In both cases, we have (v|Σ12, V ∩ Σ12) ⊑ (x, X): We have already argued in the corresponding part of the proof for Theorem 9 that v|Σ12 ⊑ x; furthermore, V ∩ Σ12 ⊆ Y ∩ Σ12 = X. Therefore (x, X) has a prefix in PrP(S1 | S2) ∪ MIP(S1 | S2) and we are done.
Let (v1, V1) be a minimal prefix of (w1, X1) in PrP1 ∪ MIP1. If w2 ∈ L2, let v2 = w2; otherwise, let (v2, V2) be a minimal prefix of (w2, out(w2)) in PrP2 ∪ MIP2. We now assume that v2 = w2 ∈ L2 or v1 ends in w before, or with the same action as, v2; cf. the proof of Theorem 9. Otherwise, v2 ends before v1, and this is analogous to the case where v1 ends before v2: For this case, the proof below needs in particular (v1, V1) ∈ PrP1 ∪ MIP1 and V1 ⊆ Y, and if v2 ≠ w2 ends before v1 then we have symmetrically (v2, V2) ∈ PrP2 ∪ MIP2 and V2 ⊆ Y due to V2 ⊆ out(w2).
If v1 = ε, then choose v2′ = v′ = ε.
If v1 ≠ ε, then by choice v1 ends with some a ∈ I1 by definition of PrP and MIP, i.e. v1 = v1′a. Let v′ be the prefix of w that ends with the last action of v1 and let v2′ = v′|Σ2.
If v2 = w2 ∈ L2 or (v2, V2) ∈ PrP2, then v2′ is a prefix of v2. If (v2, V2) ∈ MIP2, then v2 ends with some b ∈ I2, i.e. b ≠ a; thus, according to the above assumption, in this case v1 must end before v2 and v2′ is a proper prefix of v2.
Either way (also for v1 = ε) the following claims hold:
– $q_{02} \stackrel{v_2'}{\Rightarrow}$ (*)
– v2′ = v′|Σ2 ⊑ v2
– v′ ∈ v1 ‖ v2′ is a prefix of w and thus out(v′) ⊆ out(w) ⊆ Y
Now we have to consider two cases:
In the first case, (v1, V1) ∈ MIP1 – and therefore v1 ≠ ε and V1 = out(v1). In this case we have $q_{01} \stackrel{v_1'}{\Rightarrow} q_1 \not\xrightarrow{a}$ and we let v′ = v′′a. We have to consider two subcases:
(i) If a is not a synchronizing action, i.e. a ∉ Σ2, then by (*) $q_{02} \stackrel{v_2'}{\Rightarrow} q_2$ with v′′ ∈ v1′ ‖ v2′. Therefore $(q_{01}, q_{02}) \stackrel{v''}{\Rightarrow} (q_1, q_2) \not\xrightarrow{a}$ with a ∈ I12. Thus we can choose (v, V) = (v′′a, out(v′)) ∈ MIP(S1 ‖ S2), since v′′a = v′ is a prefix of w and out(v′) ⊆ Y.
(ii) If a ∈ Σ2, then a ∈ O2 and v2′ = v2′′a. By (*) $q_{02} \stackrel{v_2''}{\Rightarrow} q_2 \xrightarrow{a}$ with v′′ ∈ v1′ ‖ v2′′. Thus, $(q_{01}, q_{02}) \stackrel{v''}{\Rightarrow} (q_1, q_2)$ with $q_1 \not\xrightarrow{a}$, a ∈ I1, $q_2 \xrightarrow{a}$ and a ∈ O2; hence (q1, q2) ∈ E12. In this case we choose (v, V) := (prune(v′′), out(v′′)) ∈ PrP(S1 ‖ S2) and hence v ⊑ v′′ ⊑ v′ ⊑ w and out(v′′) ⊆ Y.
The second case is (v1, V1) ∈ PrP1.
In this case ∃u1 ∈ V1* ⊆ O1*: $q_{01} \stackrel{v_1}{\Rightarrow} q_1 \stackrel{u_1}{\Rightarrow} q_1'$ with q1′ ∈ E1; furthermore, out(v1u1) = V1 ⊆ X1 ⊆ Y.
Again we have $q_{02} \stackrel{v_2'}{\Rightarrow} q_2$, and hence $(q_{01}, q_{02}) \stackrel{v'}{\Rightarrow} (q_1, q_2)$.
We have two subcases.
(i) q2 cannot accept the sequence of inputs of S2 contained in u1, i.e. there is some u2 ∈ (O1 ∩ I2)* and some c ∈ (O1 ∩ I2) such that u2c is a prefix of u1|I2 with $q_2 \stackrel{u_2}{\Rightarrow} q_2' \not\xrightarrow{c}$. Consider the prefix u1′c of u1 with u1′c|I2 = u2c. We know that $q_1 \stackrel{u_1'}{\Rightarrow} q_1'' \xrightarrow{c}$. Then u1′ ∈ u1′ ‖ u2 and $(q_1, q_2) \stackrel{u_1'}{\Rightarrow} (q_1'', q_2') \in E_{12}$, i.e. we get a new error. We can choose (v, V) := (prune(v′u1′), out(v′u1′)) ∈ PrP(S1 ‖ S2). Then v ⊑ v′ ⊑ w and out(v′u1′) ⊆ out(w) ∪ V1 ⊆ Y and we are done.
(ii) Otherwise we have $q_2 \stackrel{u_2}{\Rightarrow} q_2'$ with u2 = u1|I2. Then u1 ∈ u1 ‖ u2 and $(q_1, q_2) \stackrel{u_1}{\Rightarrow} (q_1', q_2') \in E_{12}$. This is an error inherited from S1, since q1′ ∈ E1. Similarly, we choose (v, V) := (prune(v′u1), out(v′u1)) ∈ PrP(S1 ‖ S2), which again is a prefix of (w, Y).
2) First we check that (*) EPT1 | EPL2 ⊆ EPT12 (EPT2 | EPL1 ⊆ EPT12 is analogous):
Consider w ∈ EPT1 | EPL2. By projection w ∈ w1 | w2 ∧ w1 ∈ EPT1 ∧ w2 ∈ EPL2. Therefore (w1, out(w1)) ∈ EP1. Because of this and Lemma 23.2 we get that (w, out(w)) ∈ (w1, out(w1)) | w2 ⊆ EP1 | EPL2 ⊆ EP12. Thus w ∈ EPT12 by definition of EPT.
Now we prove the second item from left to right (for better readability). For the indicated inclusions, we need (*) and L1 ⊆ EPL1, L2 ⊆ EPL2 and EPT1 ⊆ EPL1.
$$\begin{aligned}
&(EPL_1 \mid EPL_2) \cup EPT_{12} \\
&= \bigl((L_1 \cup EPT_1) \mid (L_2 \cup EPT_2)\bigr) \cup EPT_{12} \\
&= (L_1 \mid L_2) \cup \underbrace{(L_1 \mid EPT_2)}_{\subseteq EPT_{12}} \cup \underbrace{(EPT_1 \mid L_2)}_{\subseteq EPT_{12}} \cup \underbrace{(EPT_1 \mid EPT_2)}_{\subseteq EPT_{12}} \cup EPT_{12} \\
&= (L_1 \mid L_2) \cup EPT_{12} = L_{12} \cup EPT_{12} = EPL_{12}
\end{aligned}$$
□
The above theorem implies that ⊑int is a precongruence. Again the main point is now to show that it is the coarsest one. To show this, we will construct a test environment U for each relevant trace or error pair of Impl that reveals that it is also a suitable trace or error pair of Spec. We cannot use the same environment we used for Theorem 10, as can be seen in this counterexample: I(Impl) = I(Spec) = O(U) = {a} and O(Impl) = O(Spec) = I(U) = {b}.
Fig. 4. (figure: Impl with states qI0, qI1 and transitions a?, b!; the environment U with states qU0, qU1, …, qUn and transitions a!, b?; Spec with states qS0, qS1, qS2 and transitions a?, b!)
(a?, ∅) ∈ EP(Impl), but even though Impl | U and Spec | U both have an error reachable by internal actions alone, (a?, ∅) ∉ EP(Spec).
Theorem 24 (Full Abstractness for Internal Error Semantics) For two systems Impl and Spec with the same signature it holds that:
Impl ⊑cint Spec ⇔ Impl ⊑int Spec
Proof. As just noted, it follows easily from Theorem 23 that ⊑int is a precongruence. Furthermore, (ε, ∅) ∈ EP(S) signifies that an error is internally reachable in S, since this can only result from (ε, ∅) ∈ PrP(S), which can only be if ε ∈ StT(S). Hence, Impl ⊑int Spec implies that (ε, ∅) ∈ EP(Spec) whenever (ε, ∅) ∈ EP(Impl), and thus also that Impl ⊑Bint Spec.
It remains to show that Impl ⊑cint Spec ⇒ Impl ⊑int Spec. Since Impl and Spec have the same signature, we will write I for IImpl = ISpec and O for OImpl = OSpec throughout this proof.
We assume Impl ⊑cint Spec, hence Impl ⊑Bint Spec and Impl | U ⊑Bint Spec | U for all EIOs U composable with Impl.
We have to show the following inclusions:
– EP (Impl) ⊆ EP (Spec)
– EPL(Impl) ⊆ EPL(Spec)
For the first inclusion we consider a prefix-minimal element (w,X) ∈ EP (Impl).
It suffices to show that (w,X) or any of its prefixes is in EP (Spec).
We first consider the case w ≠ ε. So for w = x1 ··· xn xn+1 ∈ Σ+ with n ≥ 0 and xn+1 ∈ I we define the following process U (see Fig. 5):
– QU = {q0, q1, . . . qn+1}
– IU = X
– OU = I
– q0U = q0
– EU = ∅
– δU = {(qi, xi+1, qi+1) | 0 ≤ i ≤ n} ∪ {(qi, a, qn+1) | a ∈ IU \ {xi+1}, 0 ≤ i ≤ n} ∪ {(qn+1, a, qn+1) | a ∈ IU}
Fig. 5. (figure: the environment U as a chain q0, q1, …, qn with transitions x1, x2, …, xn, the transition xn+1! from qn to qn+1, transitions a? ≠ xi from each qi to qn+1, and a? ∈ X loops at qn+1)
a? ≠ xi indicates all a ∈ X \ {xi}
xn+1! indicates xn+1 ∈ OU
Note that a, xi ∈ (I ∪X)∗ holds for all a and xi and thus, by construction,
they are hidden in the parallel composition.
First we show that (ε, ∅) ∈ EP(Impl | U), i.e. that Impl | U has an internally reachable error. Because of (w, X) ∈ EP(Impl) we can distinguish two cases, both resulting in (ε, ∅) ∈ EP(Impl | U):
If (w, X) ∈ MIP(Impl) then we have $(q_{0Impl}, q_0) \stackrel{x_1 \cdots x_n}{\Rightarrow} (q', q_n)$ in Impl ‖ U and thus $(q_{0Impl}, q_0) \stackrel{\varepsilon}{\Rightarrow} (q', q_n)$ in Impl | U. We also have $q' \not\xrightarrow{x_{n+1}}$ and $q_n \xrightarrow{x_{n+1}}$. Therefore (q′, qn) ∈ EImpl|U and (ε, ∅) ∈ StP(Impl | U).
If (w, X) ∈ PrP(Impl), then we have in Impl: $q_{0Impl} \stackrel{w}{\Rightarrow} q'' \stackrel{u}{\Rightarrow} q' \in E_{Impl}$ with u ∈ X* by definition of EP. Thus in Impl ‖ U we get: $(q_{0Impl}, q_0) \stackrel{w}{\Rightarrow} (q'', q_{n+1}) \stackrel{u}{\Rightarrow} (q', q_{n+1}) \in E_{Impl \parallel U}$. Since all actions of w and u are in I ∪ X ⊆ Synch(Impl, U) we get: $(q_{0Impl}, q_0) \stackrel{\varepsilon}{\Rightarrow} (q'', q_{n+1}) \stackrel{\tau^{|u|}}{\Rightarrow} (q', q_{n+1}) \in E_{Impl \mid U}$ in Impl | U. Thus we get (ε, ∅) ∈ StP(Impl | U).
Thus Impl | U has an internal error and because of Impl | U vBint Spec | U ,
Spec | U must also have one, i.e. (ε, ∅) ∈ EP (Spec | U). This error must be due
to an error state, which is either new or inherited.
Since each state of U enables every x ∈ X = IU and all synchronized outputs of Spec are in X, an internally reachable new error has to be one where U enables an output x ∈ OU which is currently not enabled in Spec. By construction qn+1 enables no outputs, therefore such a new error state has to be of the form (q′, qi) with i ≤ n, $q' \not\xrightarrow{x_{i+1}}$ and xi+1 ∈ OU = I. Thus, by projection $q_{0Spec} \stackrel{x_1 \cdots x_i}{\Rightarrow} q' \not\xrightarrow{x_{i+1}}$ and therefore (x1 ··· xi+1, out(x1 ··· xi+1)) ∈ MIP(Spec). Since (x1 ··· xi+1, out(x1 ··· xi+1)) ⊑ (w, X) we get (w, X) ∈ MIP(Spec) ⊆ EP(Spec) and are done.
If the internally reachable error is due to an inherited error state, then by projection U has performed some x1 ··· xi u with u ∈ IU* = X* and hence so has Spec. With this, Spec has reached some state in ESpec. Therefore prune((x1 ··· xi u, out(x1 ··· xi u))) = (prune(x1 ··· xi u), out(x1 ··· xi u)) = (prune(x1 ··· xi), out(x1 ··· xi u)) ∈ StP(Spec). Again this is a prefix of (w, X) which is therefore in EP(Spec) and we are done.
For w = ε, i.e. (w,X) = (ε,X) we choose U as follows:
– QU = {q0}
– IU = X
– OU = I
– q0U = q0
– EU = ∅
– δU = {(q0, x, q0) | x ∈ IU}
Again we first show that (ε, ∅) ∈ EP(Impl | U). We know that (ε, X) ∉ MIP(Impl), since ε does not end in an input action. Therefore (ε, X) ∈ PrP(Impl). Thus we have $q_{0Impl} \stackrel{u}{\Rightarrow} q' \in E_{Impl}$ with u ∈ X* as above. Analogously we get: $(q_{0Impl}, q_0) \stackrel{\varepsilon}{\Rightarrow} (q', q_0) \in E_{Impl \mid U}$ in Impl | U, and (ε, ∅) ∈ StP(Impl | U).
Since Impl | U has an internal error, Spec | U must also have one. Since the state of U enables every x ∈ X = IU and all synchronized outputs of Spec are in X, and since U has no outputs whatsoever, this error can only be due to an inherited error state.
Thus by projection, U and Spec can perform some u ∈ IU* = X*, with Spec reaching an error state. Therefore prune((u, out(u))) = (prune(u), out(u)) = (ε, out(u)) ∈ StP(Spec). Again this is a prefix of (w, X) which is therefore in EP(Spec) and we are done.
For the second inclusion it suffices to show that L(Impl) \ EPT(Impl) ⊆ EPL(Spec), since EPT(Impl) ⊆ EPT(Spec) follows from the first inclusion.
For this we consider a w ∈ L(Impl) \ EPT(Impl) with w = x1 ··· xn. For n = 0 we are done, since ε ∈ L(Spec) always holds. Note that $q_{0Impl} \stackrel{w}{\Rightarrow} q'$ and there is no w′ ⊑ w with $q_{0Impl} \stackrel{w'}{\Rightarrow} q'' \in E_{Impl}$.
Now consider U with:
– QU = {q, q0, q1, . . . qn}
– IU = out(w)
– OU = IImpl
– q0U = q0
– EU = {qn}
– δU = {(qi, xi+1, qi+1) | 0 ≤ i < n} ∪ {(qi, x, q) | x ∈ IU \ {xi+1}, 0 ≤ i ≤ n} ∪ {(q, x, q) | x ∈ IU}
Fig. 6. (figure: the environment U as a chain q0, q1, …, qn−1, qn ∈ EU with transitions x1, x2, …, xn, transitions x? ≠ xi from each qi to the sink state q, and x? ∈ IU loops at q)
x? indicates some x ∈ IU
Because of $q_{0Impl} \stackrel{w}{\Rightarrow} q$ we know that Impl | U has an internally reachable error. Thus, because of Impl | U ⊑cint Spec | U, Spec also has to have an internally reachable error state. Firstly this could be a new error because of some xi ∈ OU and $q_{0Spec} \stackrel{x_1 \cdots x_{i-1}}{\Rightarrow} q' \not\xrightarrow{x_i}$. In this case x1 ··· xi ∈ MIT(Spec) and therefore (x1 ··· xi, out(x1 ··· xi)) ∈ MIP(Spec). Since (x1 ··· xi, out(x1 ··· xi)) ⊑ (w, out(w)), we get (w, out(w)) ∈ EP(Spec) and thus w ∈ EPT(Spec) ⊆ EPL(Spec). Note that outputs of U are only enabled along this trace. Therefore there are no other outputs of U which could lead to a new error.
Secondly it could be a new error due to some a ∈ IU, which U could not match. But the only state of U in which not all inputs are enabled is qn, which already is an error state. Therefore this would be an inherited error, which is described next.
Thirdly it can be an error inherited from U. Since the only state in EU is qn, this is only possible if $q_{0Spec} \stackrel{x_1 \cdots x_n}{\Rightarrow}$. In this case w ∈ L(Spec) and we are done.
Finally, the error could have been inherited from Spec. In this case we have $q_{0Spec} \stackrel{x_1 \cdots x_i u}{\Rightarrow} q' \in E_{Spec}$, for some i ≥ 0 and u ∈ out(w)* (no other outputs of Spec are synchronized and consequently hidden). This means that (x1 ··· xi u, out(x1 ··· xi u)) ∈ StP(Spec) and therefore prune((x1 ··· xi u, out(x1 ··· xi u))) = (prune(x1 ··· xi), out(x1 ··· xi u)) ∈ PrP(Spec) ⊆ EP(Spec). Because of u ∈ out(w)* we get out(x1 ··· xi u) ⊆ out(w). Together with x1 ··· xi ⊑ w we get (w, out(w)) ∈ EP(Spec) and therefore w ∈ EPT(Spec) ⊆ EPL(Spec).
References
[1] Sebastian S. Bauer, Philip Mayer, Andreas Schroeder, and Rolf Hennicker. On weak modal compatibility, refinement, and the MIO workbench. In Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2010, LNCS 6015, pages 175–189. Springer, 2010.
[2] Stephen D. Brookes, C. A. R. Hoare, and A. W. Roscoe. A theory of communicating sequential processes. J. ACM, 31(3):560–599, 1984.
[3] Luca de Alfaro and Thomas A. Henzinger. Interface automata. In ESEC / SIGSOFT FSE 2001, pages 109–120, 2001.
[4] Luca de Alfaro and Thomas A. Henzinger. Interface-based design. In M. Broy et al., editors, Engineering Theories of Software Intensive Systems, volume 195 of NATO Science Series, pages 1–148. Springer, 2005.
[5] D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, Cambridge, 1989.
[6] Kim Guldstrand Larsen. Modal specifications. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems, LNCS 407, pages 232–246. Springer, 1990.
[7] Kim Guldstrand Larsen, Ulrik Nyman, and Andrzej Wasowski. Modal I/O automata for interface and product line theories. In R. de Nicola, editor, ESOP, LNCS 4421, pages 64–79. Springer, 2007.
[8] N. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, 1996.