Tackling the Dagstuhl '94 specification problem with I/O automata by Romijn, J.M.T. (Judi)
Centrum voor Wiskunde en Informatica
REPORTRAPPORT
Tackling the Dagstuhl’94 specification problem with I/O automata
J.M.T. Romijn
Computer Science/Department of Software Technology
CS-R9617 1996
Report CS-R9617
ISSN 0169-118X
CWI
P.O. Box 94079
1090 GB  Amsterdam
The Netherlands
CWI is the National Research Institute for Mathematics
and Computer Science. CWI is part of the Stichting
Mathematisch Centrum (SMC), the Dutch foundation
for promotion of mathematics and computer science
and their applications.
SMC is sponsored by the Netherlands Organization for
Scientific Research (NWO). CWI is a member of
ERCIM, the European Research Consortium for
Informatics and Mathematics.
Copyright © Stichting Mathematisch Centrum
P.O. Box 94079, 1090 GB  Amsterdam (NL)
Kruislaan 413, 1098 SJ  Amsterdam (NL)
Telephone +31 20 592 9333
Telefax +31 20 592 4199
Tackling
the
Dagstuhl Specication Problem
with
IO Automata
Judi Romijn
CWI
PO Box   GB Amsterdam The Netherlands
judicwinl
Abstract
An IO automata solution to the problem posed by Broy  Lamport at the Dagstuhl Workshop on Reactive
Systems is presented The problem which concerns components that communicate by means of a procedure
interface consists of an untimed and a timed part In this paper both parts are solved completely
AMS Subject Classi	cation 
 Q	 Q

 Q
	 Q
CR Subject Classi	cation 
 C

 D
 F F
Keywords  Phrases Concurrency protocol verication IO automata fairness liveness real time
Note The results reported in this paper have been obtained as part of the research project Specication
Testing and Verication of Software for Technical Applications which is being carried out by the Stichting
Mathematisch Centrum for Philips Research Laboratories under Contract RWCPS	ps
  Introduction
An example of an distributed system specication problem was stated at the Workshop on
Reactive Systems held in Dagstuhl Germany in September  The problem concerned
the specication of a memory component and a procedure interface component and the
implementation of both The specication problem is stated in full in 	
 In the remainder
of this paper we assume that the reader is familiar with that document
The workshops main intention was to compare dierent formalisms by applying them to
this example in order to understand the similarities and dierences of the various approaches
as well as their strengths and weaknesses The problem has been solved completely in  
    
 Other papers on this topic are      
 which only solve the
untimed part and 
 which simplies the problem to a situation with only one sender and
one receiver
This paper is the result of a successful attempt to model and verify the Dagstuhl problem
with the IO automata model   	 
 The next two sections dwell on the obstacles
that were encountered during the birth of this paper and on the merits of IO automata
    Notes on the problem specication
Ambiguities The informal descriptions of the Memory component in Problem  and the RPC
component in Problem  are slightly ambiguous It is not clear whether these components
may issue a failure when a bad call is received In both cases we have chosen to allow this
because it yields a more general specication For the Memory component this decision
conforms with the implementation proposed in Problem 
Observable versus internal behaviour Problem  requires to prove that a composition of
components implements the Memory component The Memory component can perform at
most one internal read action between call and return The proposed implementation how
ever can do this an arbitrary but nite number of times The proof for the implementation
relation is simplied substantially if one assumes that the Memory component can perform
an arbitrary number of internal read actions instead of at most one The solution of Abadi
Lamport  Merz 
 uses such a more convenient Memory component and apparently adopts
the assumption that the two Memory components are observationally equivalent We prove
formally that this assumption is correct which requires a backward simulation proof of about
four pages
In the solution of Hooman 
 the correctness of this assumption is also proved with
seemingly much less eort This is due to a dierence in view on executions Hooman
introduces safety restrictions on the set of all possible executions In this manner unwanted
behaviour is avoided His approach also allows executions with an innite number of internal
actions between two external actions Our executions are built in an operational manner
by concatenating states and transitions Hence safety restrictions are posed only on single
actions and not on executions Besides since each execution contains at most a countable
number of actions there is at most a nite number of actions between any two actions We
feel that the operational view is more natural and closer to any true implementation of this
problem specication
Fairness and real time In Problem  a timed implementation is compared with an untimed
specication The untimed behaviour is restricted by fairness whereas the timed behaviour
is completely determined by timing constraints To be able to compare these behaviours we
dened the fair timed IO automaton This ad hoc notion is explained in Section 	
  Notes on the IO automata model
Benets IO automata provide a natural way to describe processes with an inputoutput
behaviour Most distributed systems can be specied in this way The specications are
highly readable and can be explained without too much trouble to most nonexperts
The Dagstuhl problem includes a lot of rather exotic data types The IO automata model
can handle such extensive use of data
In the untimed part of our solution simulation relations provide the major part of proofs
for implementation relations the rest is taken care of by inclusion of fairness properties All
these are standard ingredients of verications with IO automata
Real time aspects of specications are also captured in IO automata quite easily When
comparing timed specications simulation relations prove implementation relations in a
straightforward way
Imperfections When reasoning about an IO automaton with over ve state variables and
over ve locally controlled actions proofs for safety properties involve an enormous amount
of tedious detail and are prone to typos and more serious errors The amount of paper
needed to get these proofs done in a semireadable way is terrifying whereas in general the
properties being proved seem so trivial and intuitively correct However we are not aware of
the existence of a similar formalism without this problem
An inconvenient gap in current IO automata theory is that it is not possible to impose
restrictions on the behaviour of the environment Especially when using timed IO automata
one sometimes needs to assume that certain events will happen within certain time bounds
There is no formal framework yet for assumptions of this kind
What we added to the classic model The Dagstuhl problem requires strong fairness re
strictions on the behaviour of the proposed implementation of the Memory component in
Problem  but the IO automata model proposed by Lynch  Tuttle 
 only deals with
weak fairness Secondly the problem holds a parameter whose cardinality is unknown namely
the number of calling processes for a Memory or RPC component Wellknown results for
liveness with respect to fairness conditions deal with at most a countable number of fairness
sets or actions and cannot be applied to this problem
We overcome both diculties by using the fair IO automaton 
 This is a slight variant
of the IO automaton in 
 and a special case of the live IO automaton in 
 provided
that two conditions hold These conditions require that each reachable state enables at most
a countable number of fairness sets and that input actions do not disturb the enabledness of
these sets In this paper each specication is proved to be a live IO automaton by checking
these two conditions
In the solution of Abadi Lamport  Merz 
 fairness properties are used quite frequently
In a preliminary version of that paper liveness was proved for each specication with fairness
properties However the ne point on cardinality which we mentioned above was overlooked
In the last version of 
 the liveness proofs have been omitted
  Further remarks
The outline of this paper is as follows Section  lists some preliminaries which are necessary
for a good understanding of the specications as well as the proofs Sections  to 	 solve
parts  to  of the problem consecutively Appendix A lists the basics of the IO automata
model
Since endless listings of highly detailed proofs guarantee a boring paper instead of a higher
degree of understanding we have omitted unnecessary detailed proofs and replaced some by
sketches The full formal proofs can be obtained by email request to the author
Acknowledgements Frits Vaandrager put me on the Dagstuhl problem to get to know the
eld of protocol verication We both thought that it would take much less time and energy
than it did Yet I have learned so much about protocol verication in general and more
specically about IO automata that I have almost developed a taste for obstacles While
I was working on this paper enlightening email correspondence has taken place with Jozef
Hooman Leslie Lamport and Stephan Merz
 Preliminaries
  Fair IO automata
The setup of specication and verications is as follows All untimed specications use the
fair IO automata model from 
 The basics of this model are listed in Appendix A The
model is a generalization from the classic model by Lynch  Tuttle 
 and under two
restrictions a special case of the live IO automaton model by Gawlick et al 

The timed specications use the timed IO automata model in 	

We prove an implementation relation between two fair IO automata A and B by proving
that fairtracesA   fairtracesB To ease this proof we mostly start out by proving
inclusion on the ordinary and quiescent traces of A and B using renements and simulations
Since the only dierence between the fair and classic IO automata model lies in the
fairness properties all results in the latter that do not concern fairness carry over to the fair
IO automata model This is used when proving ordinary and quiescent trace inclusion
 Design and presentation of the fair IO automata
All fair IO automata are designed as follows
Each action is indexed with the process for which this action is performed Some of the
state variables are also indexed with a process The state space is roughly partitioned by the
value of the program counters the state variables pc
P
 These variables keep track of what
the automaton should be doing for process P  All automata initially wait for some action by
the environment and each pc
P
has a value that expresses this waiting condition As soon
as input is received for process P  pc
P
changes accordingly and each next input for P is
discarded the state is not changed if pc
P
does not satisfy the waiting condition For each
internal action the precondition requires pc
P
to have a specic value in order to ensure that
the right actions are taken at the right moment After the input for some process P has been
handled pc
P
is set to the waiting condition again
To give the values of each program counter the right meaning we assume that the inter
pretation of the domain of each program counter is free in the sense that dierent constants
symbols are mapped to dierent elements in its domain no confusion and each element
in the domain is denoted by some constant symbol no junk
In the presentation of fair IO automata we use the following conventions
 We omit the precondition of an input action since this equals true by denition
 In the eect part of transition types we omit assignments of the form x  x
 We write if c then z
 
 f
 
     z
k
 f
k

 as an abbreviation for
z
 
 if c then f
 
else z
 



z
k
 if c then f
k
else z
k
 We write x  fABCg for xA  xB  xC etc
 To improve readability we often use Lamports list notation for conjunction or disjunc
tion Thus we write
 b
 
 b




 b
n
for b
 
 b

    b
n

 Specifications and verifications for Problem  
  Problem  a	 Specication of two Memory Components
In this section we present the formal specication of the given components First we give
the fair IO automaton for the Memory component Memory  then for the Reliable Memory
component RelMemory 
   Data types We start the specication with a description of the various data types
that play a role We assume a typed signature 
 
and a 
 
algebra A
 
which consist of the
following components
 a type Bool of booleans with constant symbols true and false and a standard repertoire
of function symbols    all with the standard interpretation over the booleans
Also we require for all types S in  an equality inequality and ifthenelse function
symbol with the usual interpretation
  S	S Bool

  S	S Bool
if  then  else   Bool	S	S S
Note the harmless overloading of the constants and function symbols of type Bool
with the propositional connectives used in formulas We will frequently view boolean
valued expressions as formulas ie we use b as an abbreviation of btrue
 a type Process of process identiers We frequently use the variable P ranging over
Procs as a subscript
 a type MemLocs of legal memory locations
 a type MemVals of legal memory values with constant symbol InitVal None of the
memory values is equal to BadArg
 a type Locs of memory locations such that MemLocs   Locs and a function
memloc  Locs  Bool telling us whether an element of Locs is also an element
of MemLocs
 a type Vals of memory values such that MemVals   Vals and a function memval 
Vals Bool telling us whether an element of Vals is also an element of MemVals
 a type Ack of acknowledgement values such that Ack MemValsWriteOk
 a type Memory of functions fromMemLocs to MemValsWe need two functions to
actually access the memory nd  MemLocs	Memory MemVals and change 
MemLocs	MemVals	MemoryMemory These operations are fully character
ized by the axioms
ndlm  ml
changel vm  m
 
where m
 
lv  l
 
 l
 

 l m
 
lml
where l l
 
are variables of type MemLocs v is a variable of type MemVals and
mm
 
are variables of type Memory
 a type Mpc of program counter values of the Memory component with constant sym
bols WC R and W The intended meaning of these constants will be explained further
on in this section
  The Memory component We will now present the fair IO automatonMemory  which
models a Memory component The state variable pc
P
of Memory  gives the current value of
the program counter of the Memory component for calling process P  Note that there are
as many program counters as calling processes Each of them may have one of the following
values
 WC Wait for a READ
P
or WRITE
P
call
 R Reading memory
 W Writing to memory
Initially the program counter value is WC for every process P
Every possible action of Memory is indexed with the process that issued the call leading to
this action Since the state variables are also indexed in this manner except for memory
we can determine in any situation what is going on for each process P
READ
P
and WRITE
P
model an incoming read or write call from a process P They do
not change the state when Memory is still handling a previous call from the same process
In this case we call the input action discarded If Memory is ready for handling an incoming
call its state will be updated according to the parameters of the call
GET
P
actions model an atomic read operation PUT
P
actions model an atomic write
operation Reading is allowed only once between call and return writing is allowed for an
arbitrary number of times
A MEM FAILURE
P
action can occur in any busy state
BAD ARG
P
is the only action enabled if the parameters of the call from process P were
not legal RETURN
P
delivers the requested memory value or a general WriteOk acknowl
edgement after performed
P
has been set to true by a GET
P
or PUT
P
action The fact that
PUT
P
actions are in another weak fairness set than RETURN
P
and MEM FAILURE
P

ensures that writing will stop at some point
The code for Memory is listed in gure 
Input READ
P
 WRITE
P
Output RETURN
P
 BAD ARG
P
 MEM FAILURE
P
Internal GET
P
 PUT
P
WFair
S
P
ffGET
P
 PUT
P
g  fBAD ARG
P
 MEM FAILURE
P
 RETURN
P
gg
SFair 
State Variables  pc
P
  Mpc
loc
P
  Locs
val
P
  Vals
memory  Memory
performed
P
  Bool
legal args
P
  Bool
Initialization 
V
P
pc
P
WC
V
l
ndl memoryInitVal
READ
P
l   Locs
Eect 
if pc
P
WC then loc
P
  l
performed
P
  false
legal args
P
  memlocl
pc
P
  R
WRITE
P
l   Locs  v   Vals
Eect 
if pc
P
WC then loc
P
  l
val
P
  v
performed
P
  false
legal args
P
  memlocl memvalv
pc
P
  W
GET
P
Precondition 
pc
P
R  legal args
P
 performed
P
Eect 
val
P
  ndloc
P
 memory
performed
P
  true
PUT
P
Precondition 
pc
P
W  legal args
P
Eect 
memory   changeloc
P
  val
P
 memory
performed
P
  true
RETURN
P
a   Ack
Precondition 
pc
P
 fR Wg  performed
P
 aif pc
P
R then val
P
else WriteOk
Eect 
pc
P
  WC
BAD ARG
P
Precondition 
pc
P
 fR Wg  legal args
P
Eect 
pc
P
  WC
MEM FAILURE
P
Precondition 
pc
P
 fR Wg
Eect 
pc
P
  WC
Figure  Fair IO automaton Memory
Memory is live We will now show that fair IO automatonMemory is a live IO automaton
in the sense of 
 To do this we have to check that Memory satises two conditions After
this Theorem  from 
 applies immediately
The next lemma checks a restriction of one of the two conditions
Lemma  Each reachable state in Memory enables at most nitely many locally controlled
actions
Proof The initial states enable only input actions
Suppose state s enables n locally controlled actions It is trivial to see that for each
transition s
a
 s
 
 s
 
enables at most n   locally controlled actions  
Proposition  liveMemory is a live IO automaton
Proof We can apply Theorem  in 
 if we can show that  each reachable state of
Memory enables at most countably many weak and strong fairness sets and  each set in
sfairMemory is input resistant
Condition  is satised by Lemma  since each locally controlled action is in exactly
one weak fairness set Condition  is trivially satised since there are no strong fairness
sets  
  The Reliable Memory component We will now present the fair IO automaton
RelMemory  which models a Reliable Memory component This component behaves exactly
like the Memory component except for MEM FAILURE
P
actions which cannot occur
Since the code for RelMemory can be obtained from the code for Memory by omitting the
MEM FAILURE
P
action wfairRelMemory becomes
S
P
ffGET
P
PUT
P
g fBAD ARG
P
RETURN
P
gg
RelMemory is live Knowing that Memory is a live IO automaton it is easy to prove that
RelMemory is also a live IO automaton
Proposition  liveRelMemory is a live IO automaton
Proof The proof is almost identical to the proof of Theorem  since the only dierence
between Memory and RelMemory is the absence of MEM FAILURE
P
actions  
 Problem  b	 RelMemory implements Memory
We will show that fairtracesRelMemory   fairtracesMemory using the properties safety
and deadlock freeness
  Safety Since RelMemory and Memory are so very much alike a weak renement
appears the most natural construction for proving safety
Theorem  The function REF
 which is the identity function on state variables with the
same name
 is a weak renement from RelMemory to Memory
 with respect to the reachable
states in both RelMemory and Memory
	Proof The requirements in 
 are trivially fullled since REF is the identity function and
the actions in RelMemory form a subset of those in Memory   
Corollary  RelMemory is safe with respect to Memory
Proof Directly from Theorem  and 
s Theorem   
 Deadlock freeness
Theorem  For each reachable and quiescent state s of RelMemory
 REFs is a quiescent
state of Memory
Proof Suppose s is a quiescent state of RelMemory Observing the preconditions of
RelMemory  we see that s j
V
P
RelMemory pc
P
WC
Clearly REFs j
V
P
Memory pc
P
WC hence REFs is quiescent  
Corollary 	 RelMemory is deadlock free with respect to Memory
Proof By Theorems  and  we can for each quiescent execution of RelMemory construct
a corresponding quiescent execution of Memory with the same trace  
 Implementation
Theorem 
 RelMemory implements Memory
Proof
Assume that   fairtracesRelMemory We must prove   fairtracesMemory
Let   s

a
 
s
 
a

s

   be a fair execution of RelMemory with trace 
If  is nite then  is quiescent and it follows by Corollary 	 that Memory has a
quiescent execution with trace  Since each quiescent execution is also fair this implies
  fairtracesMemory So we may assume without loss of generality that  is innite
Using the fact that REF is a weak renement Theorem  we can easily construct an
execution 
 
 t

a
 
t
 
a

t

   of Memory with trace  if we let each t
i
 REFs
i
 It remains
to prove that 
 
is fair
The only diculty is caused by an innite sux of 
 
 in which MEM FAILURE
P
is
enabled continuously and no action from fRETURN
P
BAD ARG
P
MEM FAILURE
P
g is
performed In this case  must contain an innite sux in which PUT
P
occurs innitely
many times and is enabled continuously continuously Since  is weakly fair this is impossible
The interpretation of all the other actions are equal in both automata even with respect
to to the weak fairness sets so the weak fairness requirements for 
 
are satised by the weak
fairness requirements for 
Since Memory has no strong fairness sets the above shows that 
 
is fair  
 Problem  c	 Nothing but MEM FAILURE
P
actions
We can construct a very trivial automaton that implements Memory  and does nothing but
raise MEM FAILURE
P
actions It can have the same state variables as Memory  but only
actions READ
P
WRITE
P
andMEM FAILURE
P
 A weak renement like REF will provide
us safety and deadlock freeness results Such a renement is even enough to show that this


automaton implementsMemory  since each fair execution in this automaton can be imitated
by a fair execution in Memory  using the renement
Is it reasonable that such an implementation is possible! Since the specication of the
Memory component is presented as a black box that does not remember success nor failure
it is reasonable to think of it as a dice harbouring the same chances at success with every
throw So while one can expect such a Memory component to yield the right return at some
time in an innite sequence of trials the possibility of innitely many failures exists and must
therefore be included in the specication we have presented here
 Specifications and verifications for Problem 
  Problem 	 Specication of the RPC component
   Data types We assume a typed signature 

and a 

algebra A

which consist of
the following components
 the type Bool as dened in Section 
 a type Nat of natural numbers
 a type Procs of procedure names
 a type Names such that Procs   Names and a function legal proc  Names 
Bool telling us whether a given name is a legal procedure name that is an element
of Procs and a function arg num  Names  Nat giving the expected number of
arguments for each name
 a type Args of function arguments and a function num  Args  Nat giving the
number of actual arguments
 a type ReturnVal of possible return values All exceptions raised by remote procedure
calls are expected to be included in this type
 a type Rpc of program counter values of the RPC component with constant symbols
WC IC WR and IR
  Specication We will now present the fair IO automaton RPC  which models an
RPC component RPC stands for Remote Procedure Call RPCs program counters may
have one of the following values
 WC Wait for remote calls from the sender
 IC Issue a call to the receiver or an exceptional return to the sender
 WR Wait for a return from the receiver
 IR Issue a return possibly exceptional to the sender
Initially the program counter value is WC for every process P
As in the solution to Problem  every possible action of RPC is indexed with the process
that issued the call leading to this action



Input REM CALL
P
  I RETURN
P
Output I CALL
P
 REM RETURN
P
 BAD CALL
P
 RPC FAILURE
P
WFair
S
P
ffI CALL
P
 REM RETURN
P
 BAD CALL
P
 RPC FAILURE
P
gg
SFair 
State Variables  pc
P
  Rpc
proc
P
  Names
args
P
  Args
legal call
P
  Bool
return
P
  ReturnVal
Initialization 
V
P
pc
P
WC
REM CALL
P
p  Names  a   Args
Eect 
if pc
P
WC then proc
P
  p
args
P
  a
legal call
P
  legal procp  numaarg nump
pc
P
  IC
I CALL
P
p  Names  a   Args
Precondition 
pc
P
IC legal call
P
 pproc
P
 aargs
P
Eect 
pc
P
  WR
I RETURN
P
r   ReturnVal
Eect 
if pc
P
WR then pc
P
  IR
return
P
  r
REM RETURN
P
r   ReturnVal
Precondition 
pc
P
IR  rreturn
P
Eect 
pc
P
  WC
BAD CALL
P
Precondition 
pc
P
IC legal call
P
Eect 
pc
P
  WC
RPC FAILURE
P
Precondition 
pc
P
 fIC  IRg
Eect 
pc
P
  WC
Figure  Fair IO automaton RPC

 
The code for RPC is listed in gure 
We will now show that fair IO automaton RPC is a live IO automaton as before The
next lemma checks a restriction of one of the two necessary conditions
Lemma  Each reachable state in RPC enables at most nitely many locally controlled
actions
Proof The initial states enable only input actions Suppose state s enables n locally con
trolled actions It is trivial to see that for each transition s
a
 s
 
 s
 
enables at most n  
locally controlled actions  
Proposition  liveRPC  is a live IO automaton
Proof As before we apply Theorem  in 
 after showing that  each reachable state
of RPC enables at most countably many weak and strong fairness sets and  each set in
sfairRPC  is input resistant
Condition  is satised by Lemma  since each locally controlled action is in exactly
one weak fairness set Condition  is trivially satised since there are no strong fairness
sets  
 Specifications and verifications for Problem 
  Problem 	 Specication of the composition
   Data types We start the specication with a description of the various data types
that play a role We assume a typed signature 

and a 

algebra A

which imports A
 
section  and A

section  in such a way that
 Read andWrite are dierent constants of type Procs and therefore also of typeNames
 arg numRead   and arg numWrite  
 the domain ofReturnVal is equal to the domain ofAck plus an extra constant BadArg
 for each l of type Locs and v of type Vals l and l v are elements of type Args
numl   and numl v  
  A front end for the RPC component We need another component to make the RPC
component retry a call to the reliable memory component This component is a clerk which
can translate incoming calls to RPC s format and reissue such a call if RPC should fail
Therefore we present the fair IO automaton ClerkRPC  which models a front end to the
RPC component RPC  The program counters of ClerkRPC are of type Rpc and therefore
have the same possibilities as the program counters of RPC  Initially the program counter
value is WC for every process P
The code for ClerkRPC is listed in gure 
We will now show that fair IO automaton ClerkRPC is a live IO automaton as before
The next lemma checks a restriction of one of the two necessary conditions
Lemma  Each reachable state in ClerkRPC enables at most nitely many locally con
trolled actions


Input READ
P
 WRITE
P
 REM RETURN
P
 BAD CALL
P
 RPC FAILURE
P
Output REM CALL
P
 RETURN
P
 BAD ARG
P
 MEM FAILURE
P
WFair
S
P
ffREM CALL
P
 RETURN
P
 BAD ARG
P
 MEM FAILURE
P
gg
SFair
S
P
ffMEM FAILURE
P
gg
State Variables  pc
P
  Rpc
proc
P
  Names
loc
P
  Locs
val
P
  Vals
mf allowed
P
  Bool
return
P
  ReturnVal
Initialization 
V
P
pc
P
WC
READ
P
l   Locs
Eect 
if pc
P
WC then proc
P
  Read
loc
P
  l
mf allowed
P
  false
pc
P
  IC
WRITE
P
l   Locs  v   Vals
Eect 
if pc
P
WC then proc
P
  Write
loc
P
  l
val
P
  v
mf allowed
P
  false
pc
P
  IC
REM CALL
P
p  Names  a   Args
Precondition 
pc
P
IC pproc
P
 aif proc
P
Read then loc
P
 else loc
P
  val
P

Eect 
pc
P
  WR
REM RETURN
P
r   ReturnVal
Eect 
if pc
P
WR then return
P
  r
pc
P
  IR
BAD CALL
P
Eect 
if pc
P
WR then return
P
  BadArg
pc
P
  IR
RPC FAILURE
P
Eect 
if pc
P
WR then mf allowed
P
  true
pc
P
  IC
MEM FAILURE
P
Precondition 
pc
P
ICmf allowed
P
Eect 
pc
P
  WC
RETURN
P
r   ReturnVal
Precondition 
pc
P
IR  return
P
BadArg  rreturn
P
Eect 
pc
P
  WC
BAD ARG
P
Precondition 
pc
P
IR  return
P
BadArg
Eect 
pc
P
  WC
Figure  Fair IO automaton ClerkRPC


Proof The initial states enable only input actions Suppose state s enables n locally con
trolled actions It is trivial to see that for each transition s
a
 s
 
 s
 
enables at most n  
locally controlled actions  
Proposition  liveClerkRPC is a live IO automaton
Proof As before we apply Theorem  in 
 after showing that  each reachable state
of RPC enables at most countably many weak and strong fairness sets and  each set in
sfairClerkRPC is input resistant
Condition  is satised by Lemma  since each locally controlled action is in exactly
one weak fairness set
Condition  relies upon the input resistance of action MEM FAILURE  Suppose that
MEM FAILURE
P
is enabled in the reachable state s Clearly s j ClerkRPC pc
P
IC If
an input action a for P occurs in s by denition of ClerkRPC the transition s
a
 s is taken
and MEM FAILURE
P
is still enabled If an input action a for another P
 
occurs in s the
transition taken does not aect ClerkRPC pc
P
 Hence MEM FAILURE
P
is input resistant
and the second condition is satised  
  Renaming component RelMemory
Dening the front end ClerkRPC is not enough to establish the intended implementation
We also need to rename RelMemory  to avoid name clashing and to get the proper synchro
nization So we dene a new fair IO automaton RRMemory
 
 renameRelMemory where
for every P 
renameREAD
P
l  I CALL
P
Read l
renameWRITE
P
l v  I CALL
P
Write l v
renameRETURN
P
a  I RETURN
P
a
renameBAD ARG
P
  I RETURN
P
BadArg
renamex  x otherwise
l is a variable of type Locs v is a variable of type Vals a is a variable of type Ack and x
is a action variable
The code for RRMemory is listed in gure 
It is easily shown that RRMemory is a live IO automaton
Proposition  liveRRMemory is a live IO automaton
Proof Trivially liveRRMemory  renameliveRelMemory Combining this with Theo
rem  and 
s Proposition  we obtain that liveRRMemory is a live IO automaton
 
  The implementation MemoryImp is dened as the parallel composition of IO au
tomataClerkRPC  RPC and RRMemory  with all communication between those components
hidden
MemoryImp
 
 HIDE I IN ClerkRPCkRPCkRRMemory


Input I CALL
P
Output I RETURN
P
Internal GET
P
 PUT
P
WFair
S
P
ffGET
P
 PUT
P
g  fI RETURN
P
gg
SFair 
State Variables  pc
P
  Mpc
loc
P
  Locs
val
P
  Vals
memory  Memory
performed
P
  Bool
legal args
P
  Bool
Initialization 
V
P
pc
P
WC
V
l
ndl memoryInitVal
I CALL
P
Read  l   Locs
Eect 
if pc
P
WC then loc
P
  l
performed
P
  false
legal args
P
  memlocl
pc
P
  R
I CALL
P
Write  l   Locs  v   Vals
Eect 
if pc
P
WC then loc
P
  l
val
P
  v
performed
P
  false
legal args
P
  memlocl memvalv
pc
P
  W
GET
P
Precondition 
pc
P
R  legal args
P
 performed
P
Eect 
val
P
  ndloc
P
 memory
performed
P
  true
PUT
P
Precondition 
pc
P
W  legal args
P
Eect 
memory   changeloc
P
  val
P
 memory
performed
P
  true
I RETURN
P
a   Ack
Precondition 
pc
P
 fR Wg  performed
P
 aif pc
P
R then val
P
else WriteOk
Eect 
pc
P
  WC
I RETURN
P
BadArg
Precondition 
pc
P
 fR Wg  legal args
P
Eect 
pc
P
  WC
Figure  Fair IO automaton RRMemory


where I
 

S
P
fREM CALL
P
p aREM RETURN
P
rBAD CALL
P
RPC FAILURE
P

I CALL
P
p a I RETURN
P
rGET
P
PUT
P
j p in domain Names a in domain Args r in domain ReturnValg
Proposition  liveMemoryImp is a live IO automaton
Proof Using Propositions    we can apply 
s Proposition  and obtain that
liveClerkRPCkliveRPC kliveRRMemory is a live IO automaton By applying 
s
Theorem  twice we obtain that liveClerkRPCkRPCkRRMemory is a live IO automaton
Now 
s Proposition  shows us that HIDE I IN liveClerkRPCkRPCkRRMemory is a
live IO automaton and this automaton is trivially equal to liveMemoryImp  
 Setup for the verication
A direct proof of trace inclusion between MemoryImp and Memory is not very straightfor
ward This stems from the fact that Memory can only read its memory once for every read
call However by MemoryImps fail retrymechanism it is able to read multiple times for
one read call
An intermediate automaton To show trace inclusion we are apparently forced to use a
forward backward simulation However since this is rather complicated and 
s Theo
rem  states that we can just as well look for an intermediate automaton we will keep
things clear by constructing an intermediate automaton which we allow to read its memory
multiple times for one read call This intermediate automaton will be called Memory

 the 
indicating the possibility of multiple reads instead of one The code for Memory

is obtained
from Memory as follows The precondition for GET
P
is weakened and a new state variable
hist
P
is added in which the value of val
P
is stored each time a return is issued Figure 
lists the code for fair IO automaton Memory

 Boxes highlight the places where the code
for Memory

diers from Memory 
A forward simulation establishes trace inclusion between MemoryImp and Memory

" a
backward simulation does the same for Memory

and Memory  The new state variable
Memory

hist
P
substantially simplies the backward simulation and also makes it image
nite
Fair IO automaton Memory

is now shown to be a live IO automaton as before The
next lemma checks a restriction of one of the two necessary conditions
Lemma  Each reachable state in Memory

enables at most nitely many locally controlled
actions
Proof The initial states enable only input actions Suppose state s enables n locally con
trolled actions It is trivial to see that for each transition s
a
 s
 
 s
 
enables at most n  
locally controlled actions  
Proposition  liveMemory

 is a live IO automaton
Proof As before we apply Theorem  in 
 after showing that  each reachable state of
Memory

enables at most countably many weak and strong fairness sets and  each set in
sfairMemory

 is input resistant


Input READ
P
 WRITE
P
Output RETURN
P
 BAD ARG
P
 MEM FAILURE
P
Internal GET
P
 PUT
P
WFair
S
P
ffGET
P
 PUT
P
g  fBAD ARG
P
 MEM FAILURE
P
 RETURN
P
gg
SFair 
State Variables  pc
P
  Mpc
loc
P
  Locs
val
P
  Vals
memory  Memory
performed
P
  Bool
legal args
P
  Bool
hist
P
  Vals
Initialization 
V
P
pc
P
WC
V
l
ndl memoryInitVal
V
P
hist
P
val
P
READ
P
l   Locs
Eect 
if pc
P
WC then loc
P
  l
performed
P
  false
legal args
P
  memlocl
pc
P
  R
WRITE
P
l   Locs  v   Vals
Eect 
if pc
P
WC then loc
P
  l
val
P
  v
performed
P
  false
legal args
P
  memlocl memvalv
pc
P
  W
GET
P
Precondition 
pc
P
R  legal args
P
Eect 
val
P
  ndloc
P
 memory
performed
P
  true
PUT
P
Precondition 
pc
P
W  legal args
P
Eect 
memory   changeloc
P
  val
P
 memory
performed
P
  true
RETURN
P
a   Ack
Precondition 
pc
P
 fR Wg  performed
P
 aif pc
P
R then val
P
else WriteOk
Eect 
pc
P
  WC
hist
P
  val
P
BAD ARG
P
Precondition 
pc
P
 fR Wg  legal args
P
Eect 
pc
P
  WC
hist
P
  val
P
MEM FAILURE
P
Precondition 
pc
P
 fR Wg
Eect 
pc
P
  WC
hist
P
  val
P
Figure  Fair IO automaton Memory



Condition  is satised by Lemma  since each locally controlled action is in exactly
one weak fairness set
Condition  is trivially satised since there are no strong fairness sets  
 Problem 	 MemoryImp implements Memory
Section  shows thatMemory

implementsMemory  Section  shows thatMemoryImp
implementsMemory

 Both results are reached via safety and deadlock freeness Transitivity
of the implementation relation yields the desired result in Section 
  Memory

implements Memory We need an invariant to show that between the pre
vious output action and the next internal action Memory

s history variable hist
P
is up to
date with respect to val
P
for each P 
Lemma 	 The following property Inv is an invariant of Memory


V
P
pc
P
 fWCRg  performed
P
  val
P
hist
P
The next invariant expresses that Memory

will not read or write if it has received illegal
arguments
Lemma 
 The following property Inv is an invariant of Memory


V
P
pc
P

WC  legal args
P
 performed
P

A weak backward simulation enables us to construct the behaviour of Memory  given the
behaviour of Memory

 We can start in the last state of such a sequence and work our way
back to the beginning
Theorem  The relation BACK dened by the following formula is a weak backward sim
ulation from Memory

to Memory
 with respect to the reachable states in Memory


V
P
Memory pc
P
 Memory

pc
P
V
P
Memory loc
P
 Memory

loc
P
V
P
Memory val
P
 if Memory pc
P
R  Memory performed
P
then Memory

hist
P
else Memory

val
P
V
P
Memory legal args
P
 Memory

legal args
P
 Memory memory  Memory

memory
V
P
Memory

performed
P
 Memory performed
P
V
P
Memory

pc
P
fWCWg  Memory

performed
P
 Memory performed
P

Proof We satisfy the three requirements in 
 which is a bit complicated and takes a lot
of paper  
Corollary  Memory

is safe with respect to Memory
Proof The elaborate proof for Theorem  tells us that BACK is imagenite Combining
this observation with Theorem  and 
s Theorem  we obtain the desired result  

	
Theorem  For each reachable
 quiescent state s of Memory


 each state r  BACKs
is a quiescent state of Memory
Proof Considering the preconditions of Memory

 in each quiescent state s Memory

pc
P
must be equal to WC for every P  For each r  BACKs  r j
V
P
Memory pc
P
WC hence
r is quiescent  
Corollary  Memory

is deadlock free with respect to Memory
Proof By Theorems  and  we can construct for each quiescent execution ofMemory


a corresponding quiescent execution of Memory with the same trace  
Theorem  Memory

implements Memory
Proof Assume that   fairtracesMemory

 Let  be a fair execution of Memory

with
the same trace  If  is nite then  is quiescent and it follows by Corollary  that
Memory has a quiescent execution with trace  Since each quiescent execution is also fair
this implies   fairtracesMemory So we may assume without loss of generality that  is
innite
Using the fact that BACK is a weak imagenite backward simulation Theorem  we
can easily construct an execution 
 
of Memory with trace  It remains to prove that 
 
is
fair
We need to show that 
 
must be innite The only obstacle in this part is the GET
P
action since this is not always imitated by Memory  However fairness helps us establish
the fact that Memory

cannot do that continuously without issuing a return and Memory
imitates each last GET
P
before that return Innity is then inevitable
Using the above the fairness of 
 
is satised quite trivially because of three facts Firstly
wfairMemory  wfairMemory

 and sfairMemory  sfairMemory

   Secondly
if a weak fairness set is not enabled in Memory

 it is certainly not enabled in Memory 
Thirdly innitely many occurrences of action a in  cause innitely many occurrences of a
in 
 
  
 MemoryImp implements Memory

Invariants The following list of invariants is rather dull They are necessary for ensuring
that the arguments of an incoming call are transmitted properly among the components of
MemoryImp and no component will act before it receives permission to do so
Component RPC will remain quiescent until a request is issued by component ClerkRPC 
Lemma  The following property Inv is an invariant of MemoryImp
V
P
ClerkRPC pc
P

WR  RPC pc
P
WC
Component RRMemory will remain quiescent until a request is issued by component RPC 
Lemma  The following property Inv is an invariant of MemoryImp
V
P
RPC pc
P

WR  RRMemory pc
P
WC
 
Component ClerkRPC only handles read or write calls
Lemma  The following property Inv is an invariant of MemoryImp
V
P
ClerkRPC pc
P

WC   ClerkRPC proc
P
Read
 l  ClerkRPC loc
P
l
  ClerkRPC proc
P
Write
 l  ClerkRPC loc
P
l
 v  ClerkRPC val
P
v
Component RPC receives the same calls and arguments from ClerkRPC  as ClerkRPC re
ceived from the environment
Lemma 	 The following property Inv is an invariant of MemoryImp
V
P
RPC pc
P

WC   RPC proc
P
ClerkRPC proc
P
 RPC args
P
 if ClerkRPC proc
P
Read
then ClerkRPC loc
P

else ClerkRPC loc
P
ClerkRPC val
P

Component RPC only receives read or write calls
Corollary 
 The following property Inv	 is an invariant of MemoryImp
V
P
RPC pc
P

WC   RPC proc
P
Read  l  RPC args
P
l
 RPC proc
P
Write  l v  RPC args
P
l v
Proof Directly from invariants Inv Inv and Inv  
Since Read and Write are proper procedure names and RPC receives no other procedure
calls the action BAD CALL
P
is never enabled
Corollary  The following property Inv is an invariant of MemoryImp
V
P
enabledBAD CALL
P

If RRMemory is busy it is by request of RPC  and the arguments have been transmitted
properly
Lemma  The following property Inv is an invariant of MemoryImp
V
P
RRMemory pc
P
R   RPC pc
P
WR
 RPC proc
P
Read
 RPC args
P
l RRMemory loc
P
l
V
P
RRMemory pc
P
W   RPC pc
P
WR
 RPC proc
P
Write
 RPC args
P
l v  RRMemory loc
P
l
 RRMemory val
P
v
RPC can only issue a return to ClerkRPC  following a possibly exceptional return by
RRMemory  and the return value is transmitted properly
 

Lemma  The following property Inv is an invariant of MemoryImp
V
P
RPC pc
P
IR   RRMemory performed
P
 RPC return
P
 if RPC proc
P
Read
then RRMemory val
P
else WriteOk
  RRMemory legal args
P
 RPC return
P
BadArg
Inv states the same result as Inv for component ClerkRPC 
Lemma  The following property Inv is an invariant of MemoryImp
V
P
ClerkRPC pc
P
IR   RRMemory performed
P
 ClerkRPC return
P
 if ClerkRPC proc
P
Read
then RRMemory val
P
else WriteOk
  RRMemory legal args
P
 ClerkRPC return
P
BadArg
RRMemory legal args
P
behaves just like we expect it to as long as RRMemory is busy
Lemma  The following property Inv is an invariant of MemoryImp
V
P
RRMemory pc
P
R  RRMemory legal args
P
memlocRRMemory loc
P

V
P
RRMemory pc
P
W  RRMemory legal args
P
 memlocRRMemory loc
P

memvalRRMemory val
P

RRMemory legal args
P
is not changed after RRMemory returns to RPC 
Lemma  The following property Inv is an invariant of MemoryImp
V
P
 RPC pc
P
fWR IRg    ClerkRPC proc
P
Write
 ClerkRPC pc
P
IR  RRMemory legal args
P
 memlocClerkRPC loc
P

memvalClerkRPC val
P

  ClerkRPC proc
P
Read
 RRMemory legal args
P
memlocClerkRPC loc
P

Memory

legal args
P
behaves just like we expect it to as long as Memory

is busy
Lemma  The following property Inv is an invariant of Memory


V
P
pc
P
R  legal args
P
memlocloc
P

V
P
pc
P
W  legal args
P
memlocloc
P
 memvalval
P

Safety We use a weak forward simulation instead of a weak renement In fact a weak
renement does not exist from MemoryImp to Memory

 Suppose RPC receives a call from
P for the rst time and MemoryImp transits to state s We can only ensure that Memory

returns the same value as RRMemory if they read and write simultaneously So in the image
state of sMemory

performed
P
must be false If RPC returns a fail to ClerkRPC  ClerkRPC
  
is allowed to retry the call This may lead to the same state s again However Memory

has
imitated the read or write actions performed by RRMemory  and Memory

performed
P
may
be true So a renement should map s onto a state in which Memory

performed
P
is both
true and false which is a contradiction
Theorem  The relation SIM dened by the following formula is a weak forward simula
tion from MemoryImp to Memory


 with respect to the reachable states in both MemoryImp
and Memory


V
P
Memory

pc
P
 if ClerkRPC pc
P
WC
then WC
else if ClerkRPC proc
P
Read then R else W
V
P
Memory

loc
P
 ClerkRPC loc
P
 Memory

memory  RRMemory memory
V
P
ClerkRPC proc
P
Write  Memory

val
P
ClerkRPC val
P
V
P
  RPC pc
P
fWR IRg  Memory

performed
P
 ClerkRPC pc
P
IR Memory

val
P
RRMemory val
P
 RRMemory performed
P
Proof We use the following property
For each two reachable states s in MemoryImp r in Memory


r s j
V
P
Memory

pc
P
R  Memory

legal args
P
memlocClerkRPC loc
P

V
P
Memory

pc
P
W  Memory

legal args
P
 memlocClerkRPC loc
P

memvalClerkRPC val
P

This follows directly from Inv Inv and the denition of SIM Using this property and
the invariants Inv Inv Inv Inv Inv Inv and Inv the proof is a straightforward
fulllment of the two requirements in 
  
Corollary 	 MemoryImp is safe with respect to Memory


Proof Directly from theorem  and 
s Theorem   
Deadlock freeness In order to establish that MemoryImp is deadlock free with respect to
Memory

 we need an additional invariant It expresses that as long as ClerkRPC is waiting
for a return RPC is busy Likewise if RPC is waiting for a return RRMemory is busy
Lemma 
 The following property Inv is an invariant of MemoryImp
V
P
ClerkRPC pc
P
WR  RPC pc
P

WC
V
P
RPC pc
P
WR  RRMemory pc
P
fRWg
Theorem  For each reachable and quiescent state s of MemoryImp
 each reachable state
r  Memory

such that r s j SIM is a quiescent state of Memory


Proof From the action types of MemoryImp and Inv we can conclude that MemoryImp
is quiescent in state s i s j ClerkRPC pc
P
WC Since r s j SIM obviously r j
Memory

pc
P
WC hence r is quiescent  
 
Corollary  MemoryImp is deadlock free with respect to Memory


Proof By Theorems  and  we can construct for each quiescent execution of Memo
ryImp a corresponding quiescent execution of Memory

with the same trace  
Theorem  MemoryImp implements Memory


Proof We prove fairtracesMemoryImp   fairtracesMemory


Assume that   fairtracesMemoryImp Let  be a fair execution of MemoryImp with
trace  If  is nite then  is quiescent and it follows by Corollary  that Memory

has
a quiescent execution with trace  Since each quiescent execution is also fair this implies
  fairtracesMemory

 So we may assume without loss of generality that  is innite
Using the fact that SIM is a weak forward simulation Theorem  we can easily con
struct an execution 
 
of Memory

with the same trace  It remains to prove that 
 
is
fair
First we show that 
 
is innite Then we observe that each nondiscarded call toMemory
Imp will lead to a return within a nite number of steps Using these two facts we can easily
show for each class in wfairMemory

 that 
 
satises the requirements for weak fairness
Since sfairMemory

 is empty this is enough to show that 
 
is fair  
 The main result
Theorem  MemoryImp implements Memory
Proof Theorems  and  yield fairtracesMemoryImp   fairtracesMemory  
 Specifications for Problem 
  Problem 	 Specication of a lossy RPC
The lossy RPC is a timed version of the RPC component as specied in section  The
dierence between timed and untimed IO automata is that timepassage is made explicit by
the action TIME  and that the fairness constraints are translated into timing restrictions
   Data types We reuse the ingredients of 

and A

 given in section  and add the
data type Time to obtain a typed signature 

and a 

algebra A

 Time is the set R

of
nonnegative real numbers with the usual interpretation and functions for addition   and
multiplication 
  We will now present the IO automaton LossyRPC  which models a lossy RPC
component It has a new state variable clock
P
for each calling process to keep track of the
time elapsed since the last call was received from the sender or issued to the receiver
Also a timepassing action TIME is added We let time increase without bounds except
in states where a certain output action should be issued within  seconds Here we forbid
time passing if it violates this bound
The code for IO automaton LossyRPC is given in gure  Since LossyRPC is very similar
to RPC  we highlight with boxes where the code diers
 
Input REM CALL
P
  I RETURN
P
Output I CALL
P
 REM RETURN
P
 BAD CALL
P
State Variables  pc
P
  Cpc
proc
P
  Names
args
P
  Args
legal call
P
  Bool
return
P
  ReturnVal
clock
P
  Time
Initialization 
V
P
pc
P
WC
REM CALL
P
p  Names  a   Args
Eect 
if pc
P
WC then proc
P
  p
args
P
  a
legal call
P
  legal procp  numaarg nump
pc
P
  IC
clock
P
   
I CALL
P
p   Procs  a   Args
Precondition 
pc
P
IC legal call
P
 pproc
P
 aargs
P
Eect 
pc
P
  WR
I RETURN
P
r   ReturnVal
Eect 
if pc
P
WR then pc
P
  IR
return
P
  r
clock
P
   
REM RETURN
P
r   ReturnVal
Precondition 
pc
P
IR  rreturn
P
Eect 
pc
P
  WC
BAD CALL
P
Precondition 
pc
P
IC legal call
P
Eect 
pc
P
  WC
TIME t   Time
Precondition 
V
P
pc
P
fIC  IRg  clock
P
 t  
Eect 
	P   clock
P
  clock
P
 t
Figure  IO automaton LossyRPC
 
Input REM CALL
P
 REM RETURN
P
Output RPC FAILURE
P
State Variables  pc
P
  Rpc
clock
P
  Time
Initialization 
V
P
pc
P
WC
REM CALL
P
p  Names  a   Args
Eect 
if pc
P
WC then pc
P
  WR
clock
P
  
RPC FAILURE
P
Precondition 
pc
P
WR  clock
P
 	  
Eect 
pc
P
  WC
REM RETURN
P
r   ReturnVal
Eect 
if pc
P
WR  clock
P
 	   then pc
P
  WC
TIME t   Time
Precondition 
true
Eect 
	P   clock
P
  clock
P
 t
Figure 	 Timed IO automaton ClerkLossy
 Specifications and verifications for Problem 
To model an implementation as specied we need more than the specication of LossyRPC 
There has to be some sort of monitoring component that signals the need for a failure output
action and issues this failure
  Problem 	 Specication of a clerk
   Data types We reuse the ingredients of 

and A

 given in Section  and add the
data types Cpc and Epc to obtain a typed signature 

 and a 

algebra A

 Cpc only
contains the constants WC and WR Epc only contains the constants WC and IR Note that
the domains of Cpc and Epc are subsets of the domain of Rpc
  Specication We will now present the timed IO automatonClerkLossy which models
a clerk for the lossy RPC component LossyRPC  The domain of ClerkLossypc
P
contains only
two possible values namely WC and WR It resets its clock when it signals that LossyRPC
receives a call from the environment Then it waits for LossyRPC to issue a return within
the given bound of   seconds If LossyRPC is not fast enough ClerkLossy assumes that
no return will occur and it issues a RPC FAILURE
P
 For this purpose ClerkLossy has a
clock for each process that might issue a call
Note that REM CALL
P
is an input action for both LossyRPC and ClerkLossy and that
the output action REM RETURN
P
should be received by both ClerkLossy and the environ
ment
The code for ClerkLossy is listed in gure 	
  The composition The implementation RPCImp is the composition of the two au
tomata
 
RPCImp
 
 ClerkLossykLossyRPC
 Problem b	 RPCImp implements RPC
What we have now is an implementation in with realtime aspects and an untimed speci
cation To compare these we can add time to the specication and prove an admissible
traceinclusion However when changing from untimed to timed IO automata one expects
the fairness restrictions on the automatons behaviour to be encoded in the realtime aspects
Clearly these restrictions are lost if we consider the timed specications admissible traces
A possible solution is to consider the traces that are both admissible and fair in the sense
that we know from the untimed model
Fair timed traces We need a yet undened notion of fair timed IO automata to be able
to consider only those executions that show a fair behaviour towards certain discrete actions
Although carrying fairness semantics over from the untimed model to a timed model is very
tricky in general we get away with the same denition as for the untimed case since in our
automata timepassing actions cannot change enabledness of discrete actions So we assume
that the addition of weak and strong fairness sets over discrete actions to a timed IO
automaton yields a fair timed IO automaton with fair executions as usual
We will denote the fair timed IO automaton constructed from timed IO automaton
A the collection of weak fairness sets W  and the collection of strong fairness sets S by
ftaAW  S
Given a fair timed IO automaton A the timed traces derived from fairexecsA are de
noted by fairttracesA
Another problem concerning the implementation relation is that we need to formalize the
restriction on the environment namely that each legal procedurecall that is forwarded by
LossyRPC  will return within  seconds
Since there is no straightforward way to express this type of restrictions in IO automata
theory we model this restriction by a very general timed IO automaton Env  that takes
each call from LossyRPC as input and returns some answer within  seconds
The code for Env is listed in gure  It receives a call instantaneously performs a symbolic
function compute with the parameters received and issues a return The timepassing action
TIME ensures that time will not proceed too far before the return has been issued
Note that we can easily regard the memory components as instances of this general receiver
Env 
The compositions and the inclusion The composition for implementation is
Imp
 
 RPCImpkEnvLossy
The timed IO automaton TimeRPC is the untimed RPC plus an extra action TIMEt 
Time The precondition of TIME is true the eect is empty no state variables change
The composition for the specication is
Spec
 
 TimeRPCkEnvRPC
The implementation relation will be proved by the inclusion
 
Input I CALL
P
Output I RETURN
P
State Variables  pc
P
  Epc
return
P
  ReturnVal
clock
P
  Time
Initialization 
V
P
pc
P
WC
I CALL
P
p   Procs  a   Args
Eect 
if pc
P
WC then return
P
  computep  a
clock
P
  
pc
P
  IR
I RETURN
P
r   ReturnVal
Precondition 
pc
P
IR  rreturn
P
Eect 
pc
P
  WC
TIME t   Time
Precondition 
V
P
pc
P
IR clock
P
 t  
Eect 
	P   clock
P
  clock
P
 t
Figure  Timed IO automaton Env
ttraces

Imp   ttraces

Spec  fairttracesftaSpecwfairRPC  
so we will rst prove ttraces

Imp   ttraces

Spec by means of a weak renement and
then ttraces

Imp   fairttracesftaSpecwfairRPC 
In the remainder we will mostly reason about sampling executions instead of timed
executions Since Lemmas    in 	
 state that both induce the same set of timed
traces and we only consider trace inclusion this does not make a dierence
  Admissible trace inclusion
Lemma 	 The following property InvT is an invariant of Imp	
V
P
LossyRPC pc
P
WC  ClerkLossypc
P
WC  EnvLossypc
P
WC
V
P
EnvLossypc
P

WC  LossyRPC pc
P
WR
Lemma 	 The following property InvT is an invariant of Imp	
V
P
LossyRPC pc
P
fIC IRg  LossyRPC clock
P
 
V
P
LossyRPC pc
P
WR  EnvLossyclock
P
 
Lemma 	 The following property InvT is an invariant of Imp	
V
P
LossyRPC pc
P
IC  ClerkLossyclock
P
LossyRPC clock
P

V
P
LossyRPC pc
P
WR  ClerkLossyclock
P
 EnvLossyclock
P
 
V
P
LossyRPC pc
P
IR  ClerkLossyclock
P
 LossyRPC clock
P
   
Corollary 	 The following property InvT is an invariant of Imp	
V
P
enabledRPC FAILURE
P

 
 Weak renement
Theorem 	 The function TREF which combines the identity functions on variables with
the same name from LossyRPC to TimeRPC
 and from EnvLossy to EnvRPC
 is a weak
timed renement from Imp to Spec
 with respect to the reachable states in Imp and Spec
Proof A straightforward fulllment of the requirements in 	
  
Corollary 	 ttraces

Imp   ttraces

Spec
Proof Directly from Theorem 	 and 	
s Theorem   
 Fairness is preserved To prove that each timed trace of Imp is also the timed trace
of a fair execution of Spec we prove rst that within Imp each call from the environment
leads to a return
Lemma 		 Let s

a
 
s
 
a

s

   be an admissible execution of LossyRPC
Then a
i
 REM CALL
P
and s
i 
j pc
P
WC implies that there is a j such that j  i

a
j
 fREM RETURN
P
BAD CALL
P
g
 and the sum of time passing between s
i 
and s
j 
is bounded
Proof Suppose   s

a
 
s
 
a

s

   is an admissible execution of LossyRPC
a
i
 REM CALL
P
and s
i 
j pc
P
WC
Clearly s
i
j pc
P
IC  clock
P
 By InvT and the denition of TIME we know that
each following TIMEstep leads to a state where either TIME and I CALL
P
are enabled or
only I CALL
P
is enabled Since the total time passing with subsequent TIMEtransitions is
bounded some a
k
must be equal to I CALL
P
k  i By applying a similar argument twice
we arrive at the obligatory occurrence of either REM RETURN
P
or BAD CALL
P
and the
boundedness of the sum of time passing  
Theorem 	
 ttraces

Imp   fairttracesftaSpecwfairRPC 
Proof Suppose  is a timed trace of Imp and   s

a
 
s
 
a

s

   is an admissible execution
of Imp such that ttrace   By Theorem 	 we know that Spec has an admissible
execution 
 
such that 
 
 TREFs

a
 
TREFs
 
a

TREFs

    and ttrace
 
   It
remains to prove that 
 
is fair
Lemma 		 helps us in proving that for each P   must contain innitely many occurrences
of states such that LossyRPC pc
P
 WC All start states satisfy this property and each
action that changes LossyRPC pc
P
from such a state must be an I CALL
P
and must be
followed within a bounded amount of time by a new state in which LossyRPC pc
P
 WC
Using this and InvT we observe that for each P   must contain innitely many occurrences
of states such that both LossyRPC pc
P
and EnvLossy are equal to WC
By denition for each P  
 
must contain innitely many occurrences of states such that
TimeRPC pc
P
and EnvRPC are equal to WC Since in such a state no discrete internal
actions are enabled 
 
must be weakly fair Combining this with the fact that there are no
strong fairness sets in ftaSpecwfairRPC  we obtain that 
 
is fair  
 	
References
 M Abadi and L Lamport An oldfashioned recipe for real time In JW de Bakker
C Huizing WP de Roever and G Rozenberg editors Proceedings REX Workshop
on RealTime	 Theory in Practice
 Mook The Netherlands June  volume  of
Lecture Notes in Computer Science pages #	 SpringerVerlag 
 M Abadi L Lamport and S Merz The Dagstuhl problem # a TLA solution Au
gust  Available through URL httpwwwresearchdigitalcomSRCperso
nalLeslie Lamportdagstuhldagstuhlhtml
 E Astesiano and G Reggio A case study in friendly specications of concurrent
systems The RPCMemory specication problem  Available through URL
httpwwwinformatiktumuenchendespieskDAGSTUHLSolutionshtml
 E Best A memory module specication using composable high level nets
 Available through URL httpwwwinformatiktumuenchendespiesk
DAGSTUHLSolutionshtml
 J Blom and B Jonsson Architecture oriented temporal logic specication
 Available through URL httpwwwinformatiktumuenchendespiesk
DAGSTUHLSolutionshtml
 M Broy A functional solution to the RPCMemory specication problem
 Available through URL httpwwwinformatiktumuenchendespiesk
DAGSTUHLSolutionshtml
	 M Broy and L Lamport Specication problem August  Available through the
URL httpwwwresearchdigitalcomSRCpersonalLeslie Lamportdagstuhl
allhtml
 JR Cu$ellar D Barnard and M Huber A solution relying on the model checking of
boolean transition systems  Available through URL httpwwwinformatik
tumuenchendespieskDAGSTUHLSolutionshtml
 R Gawlick R Segala JF S%gaardAndersen and N Lynch Liveness in timed and
untimed systems In S Abiteboul and E Shamir editors Proceedings 
th
ICALP

Jerusalem volume  of Lecture Notes in Computer Science SpringerVerlag  A
full version appears as MIT Technical Report number MITLCSTR	
 R Gotzhein Applying a temporal logic to the RPCMemory specication problem
 Available through URL httpwwwinformatiktumuenchendespiesk
DAGSTUHLSolutionshtml
 J Hooman Using PVS for an assertional verication of the RPCMemory specication
problem November  Available through URL httpwwwwintuenlwincs
tthoomanRPChtml
 H Hungar Using temporal logic & specication for verication draft
 Available through URL httpwwwinformatiktumuenchendespiesk
DAGSTUHLSolutionshtml
 R KurkiSuonio Incremental specication with joint actions The RPCMemory
specication problem  Available through URL httpwwwinformatik

tumuenchendespieskDAGSTUHLSolutionshtml
 KG Larsen B Steen and C Weise The methodology of modal constraints
 Available through URL httpwwwinformatiktumuenchendespiesk
DAGSTUHLSolutionshtml
 NA Lynch and MR Tuttle Hierarchical correctness proofs for distributed algorithms
In Proceedings of the 
th
Annual ACM Symposium on Principles of Distributed Comput
ing pages 	# August 	 A full version is available as MIT Technical Report
MITLCSTR	
 NA Lynch and MR Tuttle An introduction to inputoutput automataCWI Quarterly
# September 
	 NA Lynch and FW Vaandrager Forward and backward simulations # part II Timing
based systems Report CSR CWI Amsterdam March  Also MITLCSTM
	b Laboratory for Computer Science Massachusetts Institute of Technology Cam
bridge MA To appear in Information and Computation
 NA Lynch and FW Vaandrager Forward and backward simulations part I Untimed
systems Information and Computation # September 
 M Rinderspacher The solution of the RPCMemory specication problem us
ing reachability analysis  Available through URL httpwwwinformatik
tumuenchendespieskDAGSTUHLSolutionshtml
 JMT Romijn and FW Vaandrager A note on fairness in IO automata Report
CSR	 CWI Amsterdam December 
 K St%len RPCMemory specication problem  Available through URL
httpwwwinformatiktumuenchendespieskDAGSTUHLSolutionshtml
 RT Udink and JN Kok The RPCMemory specication problem UNITY
plus renement calculus  Available through URL httpwwwinformatik
tumuenchendespieskDAGSTUHLSolutionshtml


A Safe and Fair I	O automata
In this appendix we review some basic denitions from  

Safe IO automata A safe IO automaton B consists of the following components
 A set statesB of states possibly innite
 A nonempty set startB   statesB of start states
 A set actsB of actions  partitioned into three sets inB intB and outB of input 
internal and output actions respectively Actions in localB

 outB  intB are
called locally controlled 
 A set stepsB   statesB	actsB	 statesB of transitions with the property that
for every state s and input action a  inB there is a transition s a s
 
  stepsB
We let s s
 
 range over states and a over actions We write s
a

B
s
 
 or just s
a
 s
 
if
B is clear from the context as a shorthand for s a s
 
  stepsB
Enabling of actions An action a of a safe IO automatonB is enabled in a state s i s
a
 s
 
for some s
 
 Since every input action is enabled in every state safe IO automata are said
to be input enabled The intuition behind the inputenabling condition is that input actions
are under control of the environment and that the system that is modeled by an safe IO
automaton cannot prevent the environment from doing these actions
Executions An execution fragment of a safe IO automaton B is a nite or innite alter
nating sequence s

a
 
s
 
a

s

   of states and actions of B beginning with a state and if it is
nite also ending with a state such that for all i s
i
a
i
 s
i 
 An execution is an execution
fragment that begins with a start state We write execs

B for the set of nite executions
of B and execsB for the set of all executions of B A state s of B is reachable if it is the
last state of some nite execution of B
Fair IO automata A fair IO automaton A is a triple consisting of
 a safe IO automaton safeA and
 sets wfairA and sfairA of subsets of localsafeA called the weak fairness sets
and strong fairness sets  respectively
Enabling of sets Let U be a set of actions of a fair IO automaton A Then U is enabled
in a state s i an action from U is enabled in s Set U is input resistant if and only if for
each pair of reachable states s s
 
and for each input action a s enables U and s
a
 s
 
implies
s
 
enables U  So once U is enabled it can only be disabled by the occurrence of a locally
controlled action
 
Fair executions An execution  of a fair IO automaton A is weakly fair if the following
conditions hold for each W  wfairA
 If  is nite then W is not enabled in the last state of 
 If  is innite then either  contains innitely many occurrences of actions fromW  or
 contains innitely many occurrences of states in which W is not enabled
Execution  is strongly fair if the following conditions hold for each S  sfairA
 If  is nite then S is not enabled in the last state of 
 If  is innite then either  contains innitely many occurrences of actions from S or
 contains only nitely many occurrences of states in which S is enabled
Execution  is fair if it is both weakly and strongly fair In a fair execution each weak
fairness set gets turns if enabled continuously and each strong fairness set gets turns if
enabled innitely many times We write fairexecsA for the set of fair executions of A
We write liveA for the underlying safe IO automaton of A paired with fairexecsA
liveA

 safeA fairexecsA
