Quiescence, Fairness, Testing, and the Notion of Implementation*
Roberto Segala
Dipartimento di Scienze dell'Informazione, Università di Bologna, Bologna 40127, Italy
Information and Computation 138, 194–210 (1997)
Two formalisms for concurrency, the Input/Output automaton model and the theory of testing, are compared and are shown to have common foundations. The relationship between the fair and quiescent preorders of I/O automata is investigated and the two preorders are shown to coincide subject to some restrictions. I/O automata are encoded into the theory of testing and the reversed must preorder is shown to be equivalent to the quiescent preorder for strongly convergent, finitely branching I/O automata up to encoding. Conversely, a theory of testing is defined directly on I/O automata, and the new reversed must preorder is shown to coincide with the quiescent preorder on strongly convergent, finitely branching I/O automata. © 1997 Academic Press
1. INTRODUCTION
The algorithms used in modern computers and networks are becoming more and more complex. Since chances of erroneous design or implementation increase with the complexity of a system, the problem of specifying and verifying concurrent systems is receiving increasing attention. The main idea is to specify a system, build an implementation, and then verify that the implementation meets the specification. Implicitly, it is assumed that there is a formalism for the representation of the specification and the implementation, and that there is a notion of implementation within the formalism.

In this paper we compare the notions of implementation that appear in two of the main formalisms for concurrent and distributed systems. Specifically, we compare general labeled transition systems equipped with testing and failure preorders [DH84, DeN85, Hen88] and I/O automata equipped with fair and quiescent preorders [LT87, Vaa91, Seg92]. The former formalism was developed within process algebras with the aim of defining an observational equivalence on labeled transition systems with less discriminating power than bisimulation [Par81] and with a strong intuition of when two processes should be considered equivalent; the latter formalism was developed for the scope of specifying and verifying distributed systems. Our main result is that, although the two formalisms originate from different backgrounds and apparently address different classes of problems, in many cases the two formalisms capture the same idea.

Article no. IC972652. Copyright © 1997 by Academic Press. All rights of reproduction in any form reserved.
* This is a full and revised version of [Seg93].
The main intuition for the testing preorders is that processes should be compared based on their interaction with an external environment, and thus they should be compared based on the success or failure of experiments the external environment performs on them. An experiment $E$ may succeed on an object $O$ if there is a sequence of possible interactions between $E$ and $O$ for which $E$ is successful; an experiment $E$ must succeed on an object $O$ if all possible interactions between $E$ and $O$ lead to a success of $E$. Two preorders can be defined over objects: the may preorder, consisting of inclusion of experiments that may succeed, and the must preorder, consisting of inclusion of experiments that must succeed.
In [DeN85] it is shown that the must preorder coincides with the reversed
failure preorder of CSP [Hoa85] on objects that never diverge, i.e., objects that
never perform infinite computation not visible from the external environment. The
failure preorder is proposed as an implementation relation within CSP [BHR84,
BR85] and the intuitive idea for its use is that an implementation has to be more
deterministic than its specification. Therefore the result of [DeN85] also suggests
a possible use of the must preorder as an implementation relation.
Within the theory of I/O automata each object is associated with an interface with the external environment. An interface specifies the set of communication actions an I/O automaton can engage in, and partitions the communication actions into input, output, and internal. Input actions are always enabled, i.e., they can occur from everywhere, and output actions cannot be blocked by the external environment, i.e., the external environment of an I/O automaton $A$ should always be ready to engage in any output action of $A$. In other words, the output and internal actions of an I/O automaton $A$, also said to be locally controlled, are under the sole control of $A$. An I/O automaton has also subcomponents that are identified through a partition of its locally controlled actions.
The notion of implementation for I/O automata is expressed through fair trace inclusion, where a fair trace of an I/O automaton $A$ is a sequence of actions (possibly infinite) that originate from a computation where every subcomponent of $A$ has infinitely many chances to communicate. Trivial implementations are avoided by input enabling, since each implementation must accept its external stimuli, and by fairness, since whenever a specification must perform some output action the implementation must do the same.
The main criticism against the I/O automaton model is that it is too restrictive: conditions such as input enabling and actions under the control of at most one component do not allow the specification of several devices at a sufficiently high level of abstraction. A classical example is that of a buffer blocking its inputs whenever it is full. Moreover, since fair traces are not closed under limit, fixpoint reasoning is not possible in general within I/O automata, while fixpoint reasoning is one of the key features of the algebraic theory of processes based on testing preorders. On the other hand, fairness allows us to capture some liveness properties [AS85] that are not captured in general by using testing preorders and that have revealed to be important for the verification of many distributed systems [LT87, WLL88, SLL93].
A first step toward the study of the relationship between the process algebraic approach and the I/O automaton approach is in [Vaa91], where the impact of input enabling on the operators of a generic process algebra is analyzed. The analysis of [Vaa91] includes the definition of several preorder relations that gradually approximate the fair preorder. Among these is the quiescent preorder, which is a reduction of the fair preorder to the finitary behavior of a system. A quiescent trace is a sequence of actions leading a system to a state from which only input actions can occur. In [Seg92] the quiescent preorder is studied within a process algebraic theory of I/O automata and a fixpoint theorem is put forward. In [Seg92] there is also an attempt at using the quiescent preorder as an implementation relation; however, it is shown that the quiescent preorder does not provide an intuitively reasonable notion of implementation in general; some restrictions are necessary.
In this paper we study the relationship between the fair preorder and the theory of testing by using the quiescent preorder as an intermediate relation. We first show that the fair and quiescent preorders coincide whenever some continuity properties hold for fair traces. Then we encode I/O automata into the testing framework by making explicit the internal and external choices that are embedded within the Input/Output structure, and we show that for strongly convergent and finitely branching systems the quiescent preorder of I/O automata coincides with the reversed must preorder of the testing theory up to encoding of the former model into the latter. Finally, we define a theory of testing similar to that of [Hen88] directly on I/O automata. The new testing scenario is simple and natural since an experimenter is just an I/O automaton. Once again, the main result is that for strongly convergent and finitely branching I/O automata the quiescent preorder coincides with the reversed must preorder.
A problem that we leave open is the issue of divergences. Our equivalence results show that our understanding of convergent processes is sufficiently strong; however, since the theories studied in this paper are different when divergent processes are considered, we do not understand yet how to deal with divergences. The theory that seems to better deal with divergences is that of I/O automata, since it allows one component of a system to diverge while the rest of it is working properly; however, a deadlocked process is equivalent to a divergent process when fair traces are considered, while a key point of the theory of testing is that a divergent process is distinct from a deadlocked process. One of the reasons the approach to divergences of I/O automata is not used within process algebraic theories is that there is no nice mathematical theory for fairness. In particular, there is no fixpoint theorem.
The rest of the paper is organized as follows. Section 2 gives a standard definition of transition systems; Sections 3 and 4 give an overview of I/O automata and the theory of testing; Section 5 studies the relationship between the quiescent and the fair preorders; Section 6 encodes I/O automata into general labeled transition systems and studies the relationship between the quiescent and the must preorders; Section 7 defines a theory of testing directly on I/O automata and shows the equivalence of the quiescent and the reversed must preorders; Section 8 gives some concluding remarks.
2. PRELIMINARIES
In this section we give a definition of transition systems in the style of [LT87].
This section is intended mainly as a reference for the terminology and the notation
that we use.
Definition 2.1 (Transition Systems). A transition system $T$ consists of four components:
• a set $states(T)$ of states;
• a nonempty set $start(T) \subseteq states(T)$ of start states;
• an action signature $sig(T) = (ext(T), int(T))$, where $ext(T)$ and $int(T)$ are disjoint sets of external and internal actions, respectively. We denote by $acts(T)$ the set $ext(T) \cup int(T)$ of actions;
• a transition relation $steps(T) \subseteq states(T) \times acts(T) \times states(T)$.
A transition $(q, a, q') \in steps(T)$ is also denoted by $q \xrightarrow{a} q'$. We extend the notion of transition to finite sequences of symbols by saying that $q \xrightarrow{a_1 \cdots a_n} q'$ iff there is a collection $q_0, \ldots, q_n$ of states with $q_0 = q$ and $q_n = q'$ such that $q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n$. A derived transition relation, abstracting from internal computation, is defined as $q \stackrel{a_1 \cdots a_n}{\Longrightarrow} q'$ iff there is a collection $s_0, s_1, \ldots, s_n$ of finite sequences of internal actions such that $q \xrightarrow{s_0 a_1 s_1 \cdots a_n s_n} q'$.
An execution fragment of a transition system $T$ is a (finite or infinite) sequence of alternate states and actions $\alpha = q_0 a_1 q_1 a_2 q_2 \cdots$ starting with a state and, if the execution fragment is finite, ending in a state, where each $(q_i, a_{i+1}, q_{i+1})$ is an element of $steps(T)$. An execution is an execution fragment whose first state is a start state.
The external trace of an execution fragment $\alpha$ of a transition system $T$, written $etrace_T(\alpha)$, or just $etrace(\alpha)$ when $T$ is clear, is the list obtained by restricting $\alpha$ to the set of external actions of $T$, i.e., $etrace(\alpha) = \alpha \restriction ext(T)$. We say that $s$ is an external trace of a transition system $T$ if there exists an execution $\alpha$ of $T$ with $etrace(\alpha) = s$. We denote by $etraces^*(T)$ and $etraces(T)$ the sets of finite and of all external traces of $T$, respectively.
A state $q$ of a transition system $T$ is said to enable a transition if there is an action $a$ and a state $q'$ such that $(q, a, q') \in steps(T)$. A transition system $T$ is finitely branching iff each state of $T$ enables finitely many transitions. Finite branching is an important property for transition systems since it guarantees that the finite external traces of a transition system are sufficient to characterize the infinite external traces as well.
Proposition 2.2 [LV91]. Let $T$ be a finitely branching transition system, and let $s$ be an infinite sequence of external actions of $T$. Suppose that each prefix of $s$ is an external trace of $T$. Then $s$ is an external trace of $T$. ∎
Transition systems can be composed in parallel. We use the CSP synchronization style [Hoa85], where two transition systems synchronize on their common actions and evolve independently on the others. Two transition systems $T_1$, $T_2$ are compatible iff $int(T_1) \cap acts(T_2) = acts(T_1) \cap int(T_2) = \emptyset$. The parallel composition $T$ of two compatible transition systems $T_1$ and $T_2$ is a transition system such that
3. $sig(T) = (ext(T_1) \cup ext(T_2),\ int(T_1) \cup int(T_2))$, and
4. $((q_1, q_2), a, (q'_1, q'_2)) \in steps(T)$ iff either
(a) $(q_1, a, q'_1) \in steps(T_1)$ and $(q_2, a, q'_2) \in steps(T_2)$,
(b) $(q_1, a, q'_1) \in steps(T_1)$, $a \notin acts(T_2)$, and $q_2 = q'_2$, or
(c) $(q_2, a, q'_2) \in steps(T_2)$, $a \notin acts(T_1)$, and $q_1 = q'_1$.
3. IO AUTOMATA
In this section we give a definition of IO automata. The reader interested in
more information on IO automata is referred to [LT87].
Given a transition system T, an action a # acts(T ) is enabled from a state
q # states(T ) iff there exists a state q$ # states(T ) such that (q, a, q$ ) # steps(T ). The
set of enabled actions from a state q # states(T ) is denoted by enabled(q).
Definition 3.1 (I/O Automata). An I/O automaton $A$ is a transition system with the following extra structure:
• A partition of $ext(A)$, called external action signature, $esig(A) = (in(A), out(A))$ consisting of input and output actions, respectively. We denote by $local(A)$ the set $int(A) \cup out(A)$ of locally controlled actions of $A$.
• A partition $part(A)$ of $local(A)$.
Furthermore, every state of $A$ enables all input actions. We say that $A$ is input enabled.
Informally, the input actions of an I/O automaton model the events that are under the control of the external environment (and thus are always enabled), while output actions model external events that are under the control of the system. The partition of the locally controlled actions models the subcomponents of an I/O automaton. Specifically, an I/O automaton $A$ can be thought of as a collection of subcomponents, each one controlling a part of the locally controlled actions of $A$.
Parallel composition can be extended easily to I/O automata: the compatibility condition needs to be strengthened by requiring two I/O automata not to have any common output actions. The output actions of the composition are the output actions of the components; the partition of the locally controlled actions of the composition is the union of the partitions of the components. This last condition ensures that the subcomponents of the new I/O automaton are those of the two components.
Definition 3.2 (Quiescent Preorder [Vaa91]). The set of quiescent traces of an I/O automaton $A$ is the set of finite external traces of $A$ that lead to a state from which only input actions are enabled, i.e.,
$$qtraces(A) = \{ s \in ext(A)^* \mid \exists q_0 \in start(A)\ \exists q \in states(A):\ q_0 \stackrel{s}{\Longrightarrow} q \text{ and } enabled(q) = in(A) \}.$$
A state $q$ such that $enabled(q) = in(A)$ is also called a quiescent state.
Given two I/O automata $A_1$ and $A_2$ with the same external action signature, the quiescent preorder is defined as
$$A_1 \sqsubseteq_Q A_2 \text{ iff } etraces^*(A_1) \subseteq etraces^*(A_2) \text{ and } qtraces(A_1) \subseteq qtraces(A_2).$$
Definition 3.3 (Fair Preorder [LT87]). An execution $\alpha$ of an I/O automaton $A$ is fair iff either $\alpha$ is quiescent, or $\alpha$ is infinite and for each class $p \in part(A)$, either actions from $p$ appear infinitely often in $\alpha$ or states from which no action from $p$ is enabled appear infinitely often in $\alpha$. A fair trace of $A$ is the external trace of a fair execution of $A$. The set of fair traces of an I/O automaton $A$ is denoted by $ftraces(A)$.
Given two I/O automata $A_1$ and $A_2$ with the same external action signature, the fair preorder is defined as
$$A_1 \sqsubseteq_F A_2 \text{ iff } ftraces(A_1) \subseteq ftraces(A_2).$$
Based on the fair preorder, [LT87] introduces a notion of implementation on I/O automata: $A_1$ implements $A_2$ iff $A_1 \sqsubseteq_F A_2$. Input enabling guarantees that each implementation accepts all external stimuli, while fairness guarantees that each implementation provides some output whenever the specification must provide some output. Mark Tuttle [LT87] writes: "The requirement that input be constantly enabled ensures that our solutions are able to respond to all patterns of input. The use of fairness ensures that the correctness of a solution will be judged only by those behaviors in which the system is actually given the chance to make progress." The above justification is rather intuitive; in this paper we enforce it by relating the fair and quiescent preorders to the theory of testing.
4. THE THEORY OF TESTING
Another method for comparing transition systems is based on the observation of the interactions between a transition system and an external experimenter [DH84, DeN85, Hen88]. An experimenter for a transition system $T$ is a transition system $E$, compatible with $T$, whose external actions are those of $T$ plus an action $\omega$, called the success action. The experimenter $E$ synchronizes with $T$ on all external actions except for $\omega$. In other words, $E$ runs in parallel with $T$. An experiment $x$ is an execution of $T \parallel E$ which is infinite or ends in a deadlocked state (complete execution of $T \parallel E$). An experiment $x$ is successful if $\omega$ is enabled in at least one state of $x$. We say that $T$ may $E$ if there is a successful experiment of $T \parallel E$. We say that $T$ must $E$ if each experiment of $T \parallel E$ is successful.
Definition 4.1 (Testing Preorders). Given two transition systems $T_1$, $T_2$, define the following preorders:
1. $T_1 \sqsubseteq_{\mathit{may}} T_2$ iff for all $E$, $T_1$ may $E$ implies that $T_2$ may $E$;
2. $T_1 \sqsubseteq_{\mathit{must}} T_2$ iff for all $E$, $T_1$ must $E$ implies that $T_2$ must $E$.
The may and must preorders can be characterized differently without referring to
a notion of external experimenter [DeN85]. In particular the may preorder
coincides with external trace inclusion; for the must preorder we need some more
structure.
Definition 4.2 (Convergence). Given a transition system $T$ and a state $q \in states(T)$, an infinite internal computation from $q$ is an infinite sequence $q \xrightarrow{\tau_1} q_1 \xrightarrow{\tau_2} q_2 \xrightarrow{\tau_3} \cdots$, where each $\tau_i$ is an internal action. We write $q\downarrow$ if $q$ has no infinite internal computation. If $q\downarrow$ we say that $q$ is convergent and if $q\uparrow$ we say that $q$ is divergent. The same notion can be relativized to sequences of actions by defining
• $q \downarrow \varepsilon$ iff $q \downarrow$;
• $q \downarrow as$ iff $q \downarrow$ and $q \stackrel{a}{\Longrightarrow} q'$ implies $q' \downarrow s$.
We write $q \Downarrow$ if $q \downarrow s$ for each $s \in ext(T)^*$ and we write $T \Downarrow$ if $q \Downarrow$ for each $q \in start(T)$. If $T \Downarrow$ we say that $T$ is strongly convergent. In other words, $T \Downarrow$ means that no divergent state is reached for any sequence of actions $s$.
Definition 4.3 (Auxiliary Functions). Given a transition system $T$, a state $q \in states(T)$, a set of states $Q \subseteq states(T)$, a sequence of external actions $s \in ext(T)^*$, and a set of external actions $A$, we give the following definitions:
1. $wenabled(q) = \{ a \in ext(T) \mid q \stackrel{a}{\Longrightarrow} q' \text{ for some } q' \in states(T) \}$
2. $q \text{ after } s = \{ q' \in states(T) \mid q \stackrel{s}{\Longrightarrow} q' \}$
3. $Q \text{ after } s = \bigcup_{q \in Q} (q \text{ after } s)$
4. $T \text{ after } s = start(T) \text{ after } s$
5. $Q$ must $A$ iff $wenabled(q) \cap A \neq \emptyset$ for each $q \in Q$.
Proposition 4.4 [DeN85]. Given two finitely branching and strongly convergent transition systems $T_1$ and $T_2$ with the same external actions, $T_1 \sqsubseteq_{\mathit{must}} T_2$ iff, for each $s \in ext(T_1)^*$ and each $A \subseteq ext(T_1)$, $T_1$ after $s$ must $A$ implies $T_2$ after $s$ must $A$. ∎
The must preorder can be characterized also for non strongly convergent transition systems. We are not interested in such characterization in this paper, and we refer the interested reader to [DeN85, Hen88]. Another characterization of the must preorder for strongly convergent transition systems is given by the failure preorder [Hoa85]. The failure preorder was first introduced to give a semantics to CSP which is able to detect deadlocks and distinguish between internal and external choice. The observations are based on failures, i.e., finite external traces augmented with sets of actions that a process may refuse to perform afterward. In [BHR84] the failure preorder is claimed to provide some notion of implementation with the informal justification that an implementation is more deterministic than its specification. In [DeN87] the failure preorder is shown to be equivalent to the reversed must preorder on strongly convergent transition systems. Thus, the reversed must preorder expresses the same idea of implementation as the failure preorder on strongly convergent transition systems.
5. QUIESCENT AND FAIR PREORDERS
The fair preorder is the only preorder relation among those we consider that observes the infinite behavior of an I/O automaton. It is the basic notion of implementation for I/O automata. The intuitive idea behind its use is that, due to input enabling, an implementation must accept all external stimuli; moreover, due to fairness, an implementation must provide output whenever the specification must do so. However, the infinite fair traces of an I/O automaton cannot be derived from its finite fair traces. This is the main reason for the difference between the fair and quiescent preorders.
Example 5.1. Consider the I/O automata
where $a$ is an input action, $b$ is an output action, $\tau$ is an internal action, and the partitions of the locally controlled actions contain a single class. It is easy to observe that each finite sequence $a^n$ is a quiescent (and thus fair) trace of $A_2$ since it is enough to loop $n$ times on $q_0$ to then move to $q_1$. The sequence $a^\omega$, however, is not a fair trace of $A_2$ since in any execution action $b$ is enabled in all states but at most one. Therefore, $A_1 \sqsubseteq_Q A_2$ while $A_1 \not\sqsubseteq_F A_2$.
Example 5.2. Consider the I/O automata
where $a$ is an input action, $b$ is an output action, $\tau$ is an internal action, and the partitions of the locally controlled actions contain a single class. The I/O automata $A_1$ and $A_2$ are equivalent according to the quiescent preorder since they have the same external traces and their quiescent traces are all finite external traces containing at least a $b$ action. The external trace $a^\omega$, however, is a fair trace of $A_1$ but not a fair trace of $A_2$.
The problem outlined in Example 5.1 is that the limit of a chain of fair traces of an I/O automaton $A$ is not necessarily a fair trace of $A$; the problem outlined in Example 5.2 is that an infinite fair trace of an I/O automaton $A$ is not necessarily the limit of a chain of finite fair traces of $A$, i.e., it is not necessarily approximable with finite fair traces.
Definition 5.3 (Fair Continuity). An I/O automaton $A$ is fair continuous if the limit of any chain of fair traces of $A$ is a fair trace of $A$.
Definition 5.4 (Fair Approximability). An I/O automaton $A$ is fair approximable if each infinite fair trace of $A$ is the limit of a chain of finite fair traces of $A$.
Another problem derives from the fact that a finite fair trace is not necessarily a quiescent trace.
Example 5.5. Consider the I/O automata
where $a$ and $b$ are output actions and the partitions of the locally controlled actions contain a single class. The I/O automata $A_1$ and $A_2$ are equivalent according to the quiescent preorder, but not equivalent according to the fair preorder: the trace $a$ is a fair trace of $A_1$ but not a fair trace of $A_2$. ∎
Definition 5.6 (Quiescent Detectability). An I/O automaton $A$ is quiescent detectable if each finite fair trace of $A$ is also a quiescent trace of $A$.
Quiescent detectability is implied trivially by strong convergence. In our analysis we study strongly convergent systems only, and thus quiescent detectability is not an important issue.
Theorem 5.7 (Fair versus Quiescent Preorder). Consider two strongly convergent I/O automata $A_1$ and $A_2$. Then
1. $A_1 \sqsubseteq_F A_2$ implies $A_1 \sqsubseteq_Q A_2$;
2. if $A_1$ is fair approximable, and $A_2$ is fair continuous, then $A_1 \sqsubseteq_Q A_2$ implies $A_1 \sqsubseteq_F A_2$.
Proof. Let $A_1 \sqsubseteq_F A_2$ and let $s$ be a quiescent trace of $A_1$. By definition, $s$ is finite and is a fair trace of $A_1$, and hence a fair trace of $A_2$. Since $A_2$ is strongly convergent, and thus quiescent detectable, $s$ is a quiescent trace of $A_2$. External trace inclusion follows directly from the facts that each prefix of a fair trace of an I/O automaton $A$ is an external trace of $A$ and each external trace of $A$ can be extended to a fair trace of $A$ [LT87].
Let $A_1 \sqsubseteq_Q A_2$ and let $s$ be a fair trace of $A_1$. If $s$ is a quiescent trace of $A_1$, then, from the hypothesis, $s$ is a quiescent trace of $A_2$, and therefore $s$ is trivially a fair trace of $A_2$. If $s$ is not quiescent, then, since $A_1$ is strongly convergent, and thus quiescent detectable, $s$ is an infinite trace. From fair approximability of $A_1$, $s$ is the limit of a chain $s_1, s_2, \ldots$ of finite fair traces of $A_1$, and from quiescent detectability of $A_1$, each $s_i$ is a quiescent trace of $A_1$. Since $A_1 \sqsubseteq_Q A_2$, each $s_i$ is a quiescent, and thus fair, trace of $A_2$. From fair continuity of $A_2$, $s$ is a fair trace of $A_2$. ∎
6. QUIESCENT AND MUST PREORDERS
In this section we compare the quiescent and must preorders. We do not consider explicitly the partitions of the locally controlled actions of an I/O automaton, since the partitions do not affect the quiescent traces of an I/O automaton nor the must preorder defined on labeled transition systems.
We start by encoding I/O automata into the testing framework. The main intuition behind I/O automata is that input actions are under the control of the external environment while output actions are under the control of the system. In other words, a nondeterministic choice between input actions is intended to be an external choice, while a nondeterministic choice between output actions is intended to be an internal choice. The following definition formalizes the intuition above by providing an encoding of I/O automata onto general labeled transition systems. The encoded object is still an I/O automaton; however, the I/O structure is exploited. We assume the existence of at least one internal action, denoted by $\tau$.
Definition 6.1 (I/O Explicit Automata). Let $A$ be an I/O automaton. The I/O explicit automaton associated with $A$ is defined as $F(A) = (Q, start(A), ((in(A), out(A)), int(A)), steps)$ where
1. $Q = states(A) \cup \{ (qq')_a \mid q \xrightarrow{a} q' \in steps(A),\ a \in local(A) \}$, where for each pair $q, q' \in states(A)$ and each $a \in local(A)$ the expression $(qq')_a$ denotes a new state not occurring in $states(A)$,
2. $steps = \{ q \xrightarrow{\tau} (qq')_a \mid q \in states(A),\ (qq')_a \in Q \} \cup \{ (qq')_a \xrightarrow{a} q' \mid (qq')_a \in Q \} \cup \{ (qq')_a \xrightarrow{b} q'' \mid q \xrightarrow{b} q'' \in steps(A),\ (qq')_a \in Q,\ b \in in(A) \} \cup \{ q \xrightarrow{b} q' \in steps(A) \mid b \in in(A) \}$.
At each state $q$ an automaton decides which locally controlled action to perform by moving internally to a new state from which only the selected locally controlled action is enabled. The new state also enables all input actions since only the external environment can decide which input to provide.
FIG. 1. An example of encoding. $in(A) = \{b\}$, $out(A) = \{a, c\}$.
Example 6.2. Figure 1 shows an example of encoding. The left I/O automaton $A$ is converted into the I/O automaton $F(A)$. Actions $a$ and $c$ are output actions, while $b$ is an input action. From state $q_0$ of $A$ there are two outgoing transitions labeled with an output action ($q_0 \xrightarrow{a} q_1$ and $q_0 \xrightarrow{c} q_3$), thus two new states ($(q_0 q_1)_a$ and $(q_0 q_3)_c$) are introduced, and from state $q_0$ of $F(A)$ there are two internal transitions to the new states plus all the original transitions labeled with input actions. Thus, the transition system $F(A)$ decides internally which output action to perform. From the new states there is the preselected outgoing output transition together with all the outgoing input transitions of $q_0$.
Proposition 6.3. Let $A$ be an I/O automaton. Then
1. $etraces(A) = etraces(F(A))$;
2. $qtraces(A) = qtraces(F(A))$.
Proof. The left to right inclusions are trivial since, if $q \xrightarrow{a} q'$ in $A$, then $q \stackrel{a}{\Longrightarrow} q'$ in $F(A)$. For the converse inclusions it is enough to observe that none of the states of the form $(qq')_a$ is quiescent and that, if $q \xrightarrow{\tau} (qq')_a \xrightarrow{b} q'$ in $F(A)$, then $q \xrightarrow{b} q'$ in $A$. ∎
It is already known from [Hen88] that the may preorder coincides with external trace inclusion. Here we concentrate on our main theorem, which states that, for strongly convergent and finitely branching I/O automata, the quiescent preorder of I/O automata is equivalent to the reversed must preorder up to encoding.
Theorem 6.4 (Quiescent versus Must Preorder). Let $A_1$ and $A_2$ be strongly convergent, finitely branching I/O automata. Then
$$A_1 \sqsubseteq_Q A_2 \text{ iff } F(A_2) \sqsubseteq_{\mathit{must}} F(A_1).$$
Proof. Let $A_1$, $A_2$ be strongly convergent and finitely branching. Let $A_1 \sqsubseteq_Q A_2$ and suppose by contradiction that $F(A_2) \not\sqsubseteq_{\mathit{must}} F(A_1)$. From Proposition 4.4 there is a sequence of actions $s$ and a set of actions $A$ such that $F(A_2)$ after $s$ must $A$ and not $F(A_1)$ after $s$ must $A$. Since $A_1$ and $A_2$ are input enabled, the set $A$ contains no input actions. We distinguish two cases:
1. $A = \emptyset$.
Then $s$ is not a trace of $A_2$ ($A_2$ after $s$ must $\emptyset$) while $s$ is a trace of $A_1$ (not $A_1$ after $s$ must $\emptyset$), a contradiction.
2. $A$ contains at least one output action.
Since by construction of $F$ each stable state of $F(A_2)$ (a state is stable if it does not enable any internal action) enables at most one output action, $A$ has to be a superset of $A' = \{ a \in out(A_2) \mid sa \in etraces(A_2) \}$. Observe that $s$ is not a quiescent trace of $A_2$ since in each state reachable with $s$ it is still possible to perform at least one output action ($A_2$ after $s$ must $A$ and $A \subseteq out(A_2)$). On the other hand, since each external trace of $A_1$ is an external trace of $A_2$, no state of $A_1$ after $s$ can enable an output action which is not in $A'$, and therefore, since there is a state of $F(A_1)$ after $s$ from which no action of $A$ can be performed, and since $A_1$ is strongly convergent, there is a quiescent state in $F(A_1)$ after $s$. Thus, $s$ is a quiescent trace of $A_1$, which contradicts $A_1 \sqsubseteq_Q A_2$.
Conversely, let $F(A_2) \sqsubseteq_{\mathit{must}} F(A_1)$ and suppose by contradiction that $A_1 \not\sqsubseteq_Q A_2$. Since from [Hen88] the must preorder implies the reverse external trace inclusion on strongly convergent transition systems, there exists a quiescent trace $s$ of $A_1$ which is an external trace of $A_2$ but not a quiescent trace of $A_2$. Thus, from each state of $F(A_2)$ reachable via $s$ it is possible to perform at least one output action, which means that $F(A_2)$ after $s$ must $out(A_2)$. On the other hand, since $s$ is a quiescent trace of $A_1$, there is a state of $F(A_1)$ reachable via $s$ from which no output action is possible; therefore, not $F(A_1)$ after $s$ must $out(A_2)$. This contradicts $F(A_2) \sqsubseteq_{\mathit{must}} F(A_1)$. ∎
7. TESTING FOR IO AUTOMATA
In Section 6 we have related the quiescent preorder of IO automata to the
theory of testing by encoding IO automata into general labeled transition systems.
However, we can also reduce the power of an experimenter according to the inter-
action schemas of IO automata and define a theory of testing directly on IO
automata. In this section we show that also this approach leads to the quiescent
preorder when dealing with strongly convergent and finitely branching IO
automata. Thus, by reducing the power of an experimenter we can eliminate the
encoding.
An experimenter $E$ for an IO automaton $A$ is an IO automaton compatible
with $A$ whose input actions are the output actions of $A$ ($in(E) = out(A)$) and
whose output actions are the input actions of $A$ plus an action $w$, called the success
action ($out(E) = in(A) \cup \{w\}$). The experimenters for IO automata are less powerful
than those of Section 6: an experimenter $E$ can only control the input actions
of an automaton $A$. We denote the new testing preorders by $\sqsubseteq'_{\mathit{may}}$, $\sqsubseteq'_{\mathit{must}}$,
and $\sqsubseteq'_{\mathit{test}}$.
The alternative characterization of the must preorder given in Proposition 4.4 is
still valid; however, the definition of $Q\ \mathit{must}\ A$ has to take into account that an
automaton is in full control of its output actions and does not have any control on
its input actions.
Definition 7.1. Given an IO automaton $A$, a set of states $Q \subseteq states(A)$, and
a set of external actions $A$, we say that $Q\ \mathit{must}'\ A$ iff either
1. $A \cap in(A) \neq \emptyset$, or
2. for each $q \in Q$,
(a) $wenabled(q) \cap out(A) \subseteq A$, and
(b) $wenabled(q) \cap A \neq \emptyset$.
Item 1 says that any IO automaton must perform its input actions; Item 2 says
that any IO automaton internally decides which one of its possible output actions
to perform.
Proposition 7.2. Given two finitely branching and strongly convergent IO
automata $A_1$ and $A_2$ with the same external signature, $A_1 \sqsubseteq'_{\mathit{must}} A_2$ iff $A_1 \sqsubseteq'_m A_2$,
where $A_1 \sqsubseteq'_m A_2$ iff for each $s \in ext(A_1)^*$ and each $A \subseteq ext(A_1)$, $A_1\ \mathit{after}\ s\ \mathit{must}'\ A$
implies $A_2\ \mathit{after}\ s\ \mathit{must}'\ A$.
Proof. Let $out$ denote $out(A_1)$. Suppose that $A_1 \sqsubseteq'_{\mathit{must}} A_2$. Let $s = a_1 \cdots a_n$ be a
sequence of external actions, let $A$ be a set of external actions, and suppose that
$A_1\ \mathit{after}\ s\ \mathit{must}'\ A$. If $A \cap in(A_1) \neq \emptyset$, then $A_2\ \mathit{after}\ s\ \mathit{must}'\ A$ trivially. Thus, suppose
that $A \cap in(A_1) = \emptyset$. Consider the experimenter $E$,
Claim. For each finitely branching and strongly convergent IO automaton $A$
with the same external signature as $A_1$, $A\ \mathit{after}\ s\ \mathit{must}'\ A$ iff $A\ \mathit{must}'\ E$.
Proof. Suppose that $A\ \mathit{after}\ s\ \mathit{must}'\ A$, and suppose by contradiction that there
exists an unsuccessful execution $\alpha$ of $A \| E$. Since both $A$ and $E$ are strongly convergent,
$\alpha$ does not diverge. If $\alpha$ is of infinite length, then the trace of $\alpha$ is an extension
of $s$ followed by an action from $out - A$. This means that there is a state of $A\ \mathit{after}\ s$
that enables some action from $out - A$, contradicting the fact that $A\ \mathit{after}\ s\ \mathit{must}'\ A$.
Thus, $\alpha$ is finite and leads to a state not enabling any action. This means
that $E$ ends either in the state reached after $a_n$, or in the state reached after the
occurrence of $w$, or in the state reached after performing $s$ followed by an action
from $out - A$. In the first case there is a state of $A\ \mathit{after}\ s$ that does not enable any
output action, and thus not $A\ \mathit{after}\ s\ \mathit{must}'\ A$; in the second case $\alpha$ would be
successful; in the third case it would not be the case that $A\ \mathit{after}\ s\ \mathit{must}'\ A$ once
again since an output action not in $A$ is enabled after $s$. In all cases we have a
contradiction.
Conversely, suppose that not $A\ \mathit{after}\ s\ \mathit{must}'\ A$. We build an unsuccessful execution
of $A \| E$. First of all, observe that $s$ is a trace of $A$. If there is a state $q$ of $A\ \mathit{after}\ s$
that does not enable any action from $out$, then the unsuccessful computation
spans $s$ and then moves $A$ to $q$; otherwise, there is at least one state $q$ of $A\ \mathit{after}\ s$
that enables some action of $out - A$. In this case the unsuccessful computation is
any complete extension of the execution that spans $s$, moves $A$ to $q$, and then performs
an action from $out - A$.
Since $A_1\ \mathit{after}\ s\ \mathit{must}'\ A$, then $A_1\ \mathit{must}'\ E$. Since $A_1 \sqsubseteq'_{\mathit{must}} A_2$, then $A_2\ \mathit{must}'\ E$.
Thus, $A_2\ \mathit{after}\ s\ \mathit{must}'\ A$. ∎
Conversely, suppose that $A_1 \sqsubseteq'_m A_2$. We show that for each experimenter $E$, if
not $A_2\ \mathit{must}'\ E$, then not $A_1\ \mathit{must}'\ E$ as well. Specifically, we show that if there
exists an unsuccessful execution $\alpha$ of $A_2 \| E$, then there exists an unsuccessful execution
$\alpha'$ of $A_1 \| E$. An unsuccessful execution $\alpha$ can exist for two reasons.
1. $\alpha = (q_0, e_0)\, a_1\, (q_1, e_1) \cdots a_n\, (q_n, e_n)$, $(q_n, e_n)$ does not enable any action, and
none of the $e_i$'s enable $w$.
2. $\alpha = (q_0, e_0)\, a_1\, (q_1, e_1) \cdots a_n\, (q_n, e_n)\, a_{n+1}\, (q_{n+1}, e_{n+1}) \cdots$ where none of the
$e_i$'s enable $w$.
In each one of the cases above we build a nonsuccessful execution of $A_1 \| E$.
1. In this case there exists a finite trace $s = etrace(\alpha)$ such that
$(q_0, e_0) \stackrel{s}{\Longrightarrow} (q_n, e_n)$. Since $e_n$ enables all the output actions of $A$, then $q_n$ does not
enable any action from $out$, which means that not $q_0\ \mathit{after}\ s\ \mathit{must}'\ out$. Thus, since
$A_1 \sqsubseteq'_m A_2$, there is a start state $q'_0$ of $A_1$ such that not $q'_0\ \mathit{after}\ s\ \mathit{must}'\ out$. This
means that there is a finite execution from $q'_0$ whose trace is $s$ and whose final state
does not enable any output action of $A_1$. Thus, by keeping the same execution of
$E$ from $e_0$, we obtain an unsuccessful execution from $(q'_0, e_0)$.
2. In this case there is a trace $s = etrace(\alpha)$ spanned by $\alpha$. Let $s'$ be any prefix
of $s$. Then, $s'$ is a trace of $q_0$, which means that not $q_0\ \mathit{after}\ s'\ \mathit{must}'\ \emptyset$. Since
$A_1 \sqsubseteq'_m A_2$, then not $A_1\ \mathit{after}\ s'\ \mathit{must}'\ \emptyset$, which means that $s'$ is a trace of $A_1$. From
Proposition 2.2, $s$ is a trace of $A_1$; i.e., there is a start state $q'_0$ of $A_1$ such that $s$ is
a trace of $q'_0$. Thus, we can build an unsuccessful execution of $A_1 \| E$ from $(q'_0, e_0)$
by keeping the same execution of $E$ from $e_0$. ∎
The equivalence theorem is then straightforward.
Theorem 7.3. (Quiescent versus must preorder). Let $A_1$ and $A_2$ be finitely
branching and strongly convergent IO automata. Then
$A_1 \sqsubseteq_Q A_2$ iff $A_2 \sqsubseteq'_{\mathit{must}} A_1$.
Proof. We use the alternative characterization of the must preorder. Suppose
that $A_1 \sqsubseteq_Q A_2$, and suppose by contradiction that there exist $s$ and $A$ such that
$A_2\ \mathit{after}\ s\ \mathit{must}'\ A$ and not $A_1\ \mathit{after}\ s\ \mathit{must}'\ A$. If $A = \emptyset$, then $s$ is a trace of $A_1$ and
not a trace of $A_2$. This leads to a contradiction since each finite trace of $A_1$ is also
a trace of $A_2$. Thus $A \neq \emptyset$. Furthermore, since not $A_1\ \mathit{after}\ s\ \mathit{must}'\ A$, $s$ is a trace
of $A_1$ and there is a state $q \in A_1\ \mathit{after}\ s$ such that not $q\ \mathit{must}'\ A$. We distinguish two
cases.
1. $q$ is a quiescent state.
In this case $s$ is a quiescent trace of $A_1$, which means that $s$ is a quiescent trace
of $A_2$ ($A_1 \sqsubseteq_Q A_2$). Thus, there is a quiescent state in $A_2\ \mathit{after}\ s$, which means that
not $A_2\ \mathit{after}\ s\ \mathit{must}'\ A$, a contradiction.
2. $q$ enables an output action $b \notin A$.
In this case $sb$ is a trace of $A_1$, which means that $sb$ is a trace of $A_2$ ($A_1 \sqsubseteq_Q A_2$).
Thus, there is a state $q'$ of $A_2\ \mathit{after}\ s$ that enables action $b$, which means that not
$A_2\ \mathit{after}\ s\ \mathit{must}'\ A$, again a contradiction.
Conversely, suppose that $A_2 \sqsubseteq'_{\mathit{must}} A_1$, and suppose by contradiction that
$A_1 \not\sqsubseteq_Q A_2$. If there exists $s$ which is a trace of $A_1$ but not a trace of $A_2$, then
$A_2\ \mathit{after}\ s\ \mathit{must}'\ \emptyset$ and not $A_1\ \mathit{after}\ s\ \mathit{must}'\ \emptyset$, a contradiction. Thus, trace inclusion
holds and there exists an $s$ such that $s$ is a quiescent trace of $A_1$ but not a
quiescent trace of $A_2$. Then $A_2\ \mathit{after}\ s\ \mathit{must}'\ out$, while not $A_1\ \mathit{after}\ s\ \mathit{must}'\ out$,
again a contradiction. ∎
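An added example, not part of the paper, in Python: finite, input enabled IO automata encoded as dictionaries, with the operator "A after s", the predicate must' of Definition 7.1, the quiescent preorder, and the characterization of Proposition 7.2, so that both sides of Theorem 7.3 can be checked on a constructed specification/implementation pair. The automata, their action names and all function names are constructed here, and the bound n on trace length stands in for the infinite trace sets of the paper.

```python
from itertools import chain, combinations, product

# Added example (not from the paper): finite IO automata as dicts, "A after s",
# "Q must' A" from Definition 7.1, and both preorders of Theorem 7.3 over bounded traces.
def automaton(ins, outs, ints, starts, trans):
    return {"in": frozenset(ins), "out": frozenset(outs), "int": frozenset(ints),
            "start": frozenset(starts), "trans": frozenset(trans)}
def closure(aut, states):
    # Internal-action closure; terminates because the automaton is strongly convergent.
    seen = set(states)
    while True:
        new = {q2 for q1, b, q2 in aut["trans"] if q1 in seen and b in aut["int"]} - seen
        if not new:
            return seen
        seen |= new
def after(aut, s):
    # A after s: states reachable via the external trace s, internal steps allowed.
    cur = closure(aut, aut["start"])
    for a in s:
        cur = closure(aut, {q2 for q1, b, q2 in aut["trans"] if b == a and q1 in cur})
    return cur
def wenabled(aut, q):
    # Weakly enabled external actions: enabled from q after some internal steps.
    reach = closure(aut, {q})
    return {b for q1, b, _ in aut["trans"] if q1 in reach} - aut["int"]
def must_p(aut, Q, A):
    # Definition 7.1: Q must' A (vacuously true when Q is empty, i.e. s is not a trace).
    A = set(A)
    return bool(A & aut["in"]) or all(
        wenabled(aut, q) & aut["out"] <= A and bool(wenabled(aut, q) & A) for q in Q)
def quiescent(aut, q):
    # A state is quiescent if it enables no output and no internal action.
    return not any(q1 == q and b in aut["out"] | aut["int"] for q1, b, _ in aut["trans"])
def seqs(aut, n):  # all sequences of external actions of length at most n
    return [s for k in range(n + 1) for s in product(sorted(aut["in"] | aut["out"]), repeat=k)]
def leq_Q(a1, a2, n):
    # Quiescent preorder a1 <=_Q a2: inclusion of finite traces and of quiescent traces.
    qt = lambda a, s: any(quiescent(a, q) for q in after(a, s))
    return all(after(a2, s) and (qt(a2, s) or not qt(a1, s))
               for s in seqs(a1, n) if after(a1, s))
def leq_m(a1, a2, n):
    # Proposition 7.2: a1 <=_m a2 iff (a1 after s must' A) implies (a2 after s must' A).
    ext = sorted(a1["in"] | a1["out"])
    subsets = list(chain.from_iterable(combinations(ext, k) for k in range(len(ext) + 1)))
    return all(not must_p(a1, after(a1, s), A) or must_p(a2, after(a2, s), A)
               for s in seqs(a1, n) for A in subsets)
# Constructed toy pair: SPEC answers a request with ack, or with nack after an
# internal choice; IMPL always answers ack. Both are input enabled for "req".
SPEC = automaton({"req"}, {"ack", "nack"}, {"tau"}, {"idle"},
                 {("idle", "req", "ready"), ("ready", "req", "ready"), ("ready", "ack", "idle"),
                  ("ready", "tau", "alt"), ("alt", "req", "alt"), ("alt", "nack", "idle")})
IMPL = automaton({"req"}, {"ack", "nack"}, set(), {"idle"},
                 {("idle", "req", "ready"), ("ready", "req", "ready"), ("ready", "ack", "idle")})
if __name__ == "__main__":  # Theorem 7.3: IMPL <=_Q SPEC iff SPEC <=_must' IMPL
    print(leq_Q(IMPL, SPEC, 3), leq_m(SPEC, IMPL, 3), leq_Q(SPEC, IMPL, 3), leq_m(IMPL, SPEC, 3))
```

On this pair, IMPL $\sqsubseteq_Q$ SPEC and SPEC $\sqsubseteq'_m$ IMPL both hold, while both reverse relations fail (the trace req nack belongs to SPEC only), as Theorem 7.3 predicts.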
8. CONCLUDING REMARKS
We have analyzed the fair and quiescent preorders of IO automata and the
theory of testing in the common framework of transition systems. The two theories,
although apparently different, are based on similar intuitions. We have given a class
of IO automata for which the quiescent preorder is equivalent to the fair preorder.
Secondly, we have shown the relationship between the theory of IO automata and
the theory of testing both by encoding the information contained in the interfaces
of IO automata into general labeled transition systems and by defining testing
preorders directly on IO automata. Our main result is that for strongly convergent
and input enabled transition systems the quiescent preorder of IO automata coin-
cides with the reversed must preorder.
The problem is still open for divergent systems since the theories we have studied
are quite different in this respect. The must preorder considers a divergent state as
chaotic, and therefore nothing is guaranteed to happen after a divergence has
occurred. A purely divergent process is the minimal element of the must preorder;
hence, any other transition system is considered to be an implementation of it. The
fair preorder of IO automata has some distinguishing power even in the presence
of divergences. For example, within the IO automata theory it is possible to verify
the correctness of a component which runs in parallel with a purely divergent com-
ponent. As a consequence of the fair preorder, a purely divergent process is equiv-
alent to a deadlocked process. In fact, any hypothetical external process which is
waiting for some output does not distinguish between a pure divergence and a
deadlock. The quiescent preorder does not represent any intuition when dealing
with divergent processes. It is just a finite approximation of the fair preorder which
does not seem to work properly in the presence of divergences. Its usefulness is due
to the fact that it allows fixpoint reasoning and that it represents a well known
intuition when the involved transition systems satisfy the conditions of Section 5.
It is difficult at this stage to say what the best approach to divergent transition
systems is. The approach of testing leads to a neat theory, while the approach of IO
automata leads to a notion that is closer to our intuition. Further research should
focus on clarifying the issue of divergence. Is there a unifying theory that deals with
divergences in the way of IO automata and that at the same time enjoys most of
the nice algebraic properties of the theory of testing? What is the correct interpreta-
tion of a divergence?
In summary, IO automata and testing express the same notion of implementa-
tion whenever fairness is not essential and the IO structure is either encoded or
enforced on transition systems. Whenever a system is verified through testing, live-
ness has to be considered aside unless results like Theorem 5.7 hold; whenever a
system is verified through IO automata, liveness is implicit, but some IO structure
must be imposed. The choice of the formalism to use depends on the system to
analyze: if some IO structure can be imposed, then IO automata appear to be
more suitable; if no IO structure can be imposed, then only testing can be used.
However, if conditions like those stated in Section 5 hold, then testing appears to
be preferable to IO automata due to the availability of powerful algebraic tools.
Two such cases are the delay insensitive circuits verified by Dill [Dil88] and
Josephs [Jos92]. For the circuits analyzed by Josephs a comparison between pro-
cess algebras and IO automata is carried out in [LS95].
ACKNOWLEDGMENTS
The author thanks the anonymous referees for insightful comments.
Received August 3, 1995; final manuscript received June 3, 1997
REFERENCES
[AS85] Alpern, B., and Schneider, F. B. (1985), Defining liveness, Inform. Process. Lett. 21(4),
181–185.
[BHR84] Brookes, S. D., Hoare, C. A. R., and Roscoe, A. W. (1984), A theory of communicating
sequential processes, J. Assoc. Comput. Mach. 31(3), 560–599.
[BR84] Brookes, S. D., and Roscoe, A. W., An improved failures model for communicating processes,
in ‘‘Seminar on Concurrency’’ (S. D. Brookes, A. W. Roscoe, and G. Winskel, Eds.), Lecture
Notes in Computer Science, Vol. 197, pp. 281–305, Springer-Verlag, Berlin/New York.
[DeN85] De Nicola, R. (1985), ‘‘Testing Equivalence and Fully Abstract Models for Communicating
Processes,’’ Ph.D. Thesis, Department of Computer Science, University of Edinburgh.
[DeN87] De Nicola, R. (1987), Extensional equivalence for transition systems, Acta Informat. 24,
211–237.
[DH84] De Nicola, R., and Hennessy, M. (1984), Testing equivalence for processes, Theoret. Comput.
Sci. 34, 83–133.
[Dil88] Dill, D. (1988), ‘‘Trace Theory for Automatic Hierarchical Verification of Speed-Independent
Circuits,’’ ACM Distinguished Dissertations, MIT Press, Cambridge, MA.
[Hen88] Hennessy, M. (1988), ‘‘Algebraic Theory of Processes,’’ MIT Press, Cambridge, MA.
[Hoa85] Hoare, C. A. R. (1985), ‘‘Communicating Sequential Processes,’’ Prentice-Hall International,
Englewood Cliffs, NJ.
[Jos92] Josephs, M. B. (1992), Receptive process theory, Acta Informat. 29(1), 17–31.
[LS95] Lynch, N. A., and Segala, R. (1995), A comparison of simulation techniques and algebraic
techniques for verifying concurrent systems, J. Formal Aspects Comput. Sci. 7(3), 231–265.
[LT87] Lynch, N. A., and Tuttle, M. R. (1987), Hierarchical correctness proofs for distributed algorithms,
in ‘‘Proceedings of the 6th Annual ACM Symposium on Principles of Distributed
Computing, Vancouver, 1987,’’ pp. 137–151. A full version is available as MIT Technical
Report MIT/LCS/TR-387.
[LV91] Lynch, N. A., and Vaandrager, F. W. (1991), Forward and backward simulations for timing-
based systems, in ‘‘Proceedings of the REX Workshop Real-Time: Theory in Practice’’
(J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, Eds.), Lecture Notes in
Computer Science, Vol. 600, pp. 397–446, Springer-Verlag, Berlin/New York.
[Par81] Park, D. M. R. (1981), Concurrency and automata on infinite sequences, in ‘‘5th GI
Conference’’ (P. Deussen, Ed.), Lecture Notes in Computer Science, Vol. 104, pp. 167–183,
Springer-Verlag, Berlin/New York.
[Seg92] Segala, R. (1992), ‘‘A Process Algebraic View of I/O Automata,’’ Technical Report
MIT/LCS/TR-557, MIT Laboratory for Computer Science, Cambridge, MA.
[Seg93] Segala, R. (1993), Quiescence, fairness, testing and the notion of implementation, in
‘‘Proceedings of CONCUR 93, Hildesheim’’ (E. Best, Ed.), Lecture Notes in Computer
Science, Vol. 175, Springer-Verlag, Berlin/New York.
[SLL93] Søgaard-Andersen, J. F., Lampson, B., and Lynch, N. A. (1993), Correctness of at-most-once
message delivery protocols, in ‘‘FORTE'93, Sixth International Conference on Formal
Description Techniques.’’
[Vaa91] Vaandrager, F. W. (1991), On the relationship between process algebra and Input/Output
automata, in ‘‘Proceedings of the Sixth Annual Symposium on Logic in Computer Science.’’
[WLL88] Welch, J. L., Lamport, L., and Lynch, N. A. (1988), ‘‘A Lattice-Structured Proof Technique
Applied to a Minimum Spanning Tree Algorithm,’’ Technical Report MIT/LCS/TM-361,
MIT Laboratory for Computer Science.
