Vertical Implementation

Transcription

1 Information and Computation 70, (00) doi:0.006/inco , availale online at on Vertical Implementation Arend Rensink Faculty of Informatics, University of Twente, Postus 7, NL-7500 AE Enschede, The Netherlands and Roerto Gorrieri Dipartimento di Scienze dell Informazione, University of Bologna, Mura Anteo Zamoni 7, I-407 Bologna, Italy Received May 8, 998; final manuscript received Octoer 0, 000 We investigate criteria to relate specifications and implementations elonging to conceptually different levels of astraction. For this purpose, we introduce the generic concept of a vertical implementation relation, which is a family of inary relations indexed y a refinement function that maps astract actions onto concrete processes and thus determines the asic connection etween the astraction levels. If the refinement function is the identity, the vertical implementation relation collapses to a standard (horizontal) implementation relation. As desiderata for vertical implementation relations we formulate a numer of congruence-like proof rules (notaly a structural rule for recursion) that offer a powerful, compositional proof technique for vertical implementation. As a candidate vertical implementation relation we propose vertical isimulation. Vertical isimulation is compatile with the standard interleaving semantics of process algera; in fact, the corresponding horizontal relation is rooted weak isimulation. We prove that vertical isimulation satisfies the proof rules for vertical implementation, thus estalishing the consistency of the rules. Moreover, we define a corresponding notion of astraction that strengthens the intuition ehind vertical isimulation and also provides a decision algorithm for finite-state systems. Finally, we give a numer of small examples to demonstrate the advantages of vertical implementation in general and vertical isimulation in particular. C 00 Academic Press Key Words: astraction level, action refinement, isimulation, compositionality, process algera, vertical implementation. Contents.. Introduction.. Basic Definitions. 3. Proof Rules for Vertical Implementation. 4. Vertical Bisimulation. 5. Astraction. 6. Open Terms. 7. Examples. 8. Evaluation and Future Extension.. INTRODUCTION There is a long tradition in defining process refinement theories (see, e.g., [8,, 9]), essentially ased on the idea that, given two processes S and I, I is an implementation of S if I is more deterministic (or equivalent) according to the chosen semantics. Still, oth S and I elong conceptually to the same astraction level, as the actions they perform elong to the same alphaet. For this reason, we call such implementation relations horizontal. In the development of software components, however, it is quite often required to compare systems that realize essentially the same functionality ut elong to conceptually different astraction levels, where the change of the level is usually accompanied y a change in the alphaets of actions they perform. For Partially supported y the European HCM network EXPRESS (Expressiveness of Languages for Concurrency), while the author was employed at the University of Hildesheim /0 $35.00 Copyright C 00 y Academic Press All rights of reproduction in any form reserved.

2 96 RENSINK AND GORRIERI such components, we would like to develop vertical implementation relations that, given an astract process S and a concrete process I, tell us if I is a possile implementation for the specification S. This prolem is rather unexplored, with the exception of the work on action refinement in process algera [,,, 7, 35, 4, 4], which however is not satisfactory in some respects (to e discussed later). The main contriution of this paper is to single out some sensile criteria that any vertical implementation relation should satisfy. Furthermore, we introduce one specific instance of such a vertical relation, which we call vertical isimulation. The concept of a vertical implementation relation r entails the following:. It is parametric with respect to a refinement function r that maps astract actions of the specification to concrete processes, thus fixing the implementation of the asic uilding locks of the astract system.. It is flexile enough (i) to offer several possile implementations for any given specification and (ii) not to require that the ordering of astract actions is tightly preserved at the level of their implementing processes. To e more explicit, consider the following example: if S = a; and r(a) = a ; a, then we would like to accept as legal implementations oth a ; a ; and a ;(a ), where in the latter an ordering at the astract level (etween a and ) has een partially forgotten at the concrete level (as a and are in parallel). 3. It is simple enough to e defined on the standard interleaving models of classic laeled transition systems. This has the advantage of making it possile to reuse most existing techniques developed for interleaving semantics. 4. It is a generalization of existing (horizontal) implementation relations; i.e., if the refinement function is the identity, then the vertical implementation relation, id, should collapse to some horizontal relation. This has two consequences: (i) the theory of horizontal and vertical implementation can e integrated uniformly, and (ii) the numer of possile vertical relations is not less than the numer of horizontal relations, at least in principle. 5. It is deadlock-freedom-preserving: Typically, if the specification is deadlock-free, we would expect that also the implementation is so. 6. It comes equipped with a set of sound congruence-like proof rules. This gives rise to a powerful, compositional proof technique to verify whether a certain process I is an implementation for some specification S. The work on action refinement in process algera satisfies few of these requirements. For instance, the existing theories say that the implementation of a specification S is given y r(s) (the syntactic sustitution of concrete processes r(a) for actions a in S) [,,, 3] or y [r ]( [S ]) (the semantic sustitution of the semantics of concrete processes r(a) for actions a in the semantics of S) [, 8,, 35]. Hence, the asic assumption of these theories is that there is only one possile implementation for a given specification; in other words, the action refinement function is used as a prescriptive tool to specify the only way astract actions are to e implemented. Consequences of this are the following: The refinement function can e used as an operator of the language, as it also defines a function on processes. Hence, it ecomes immediately relevant to investigate the so-called congruence prolem: find an equivalence relation such that, if two processes S and S are equivalent, then also r(s ) and r(s ) are equivalent. Dating ack to [9], it is clear that it is then necessary to move to noninterleaving semantics: the parallel execution of actions a and, denoted a, is equivalent in interleaving semantics to their sequential simulation a; +; a; however, if we refine a to the sequence a ; a, then we otain a ; a and a ; a ; +; a ; a, which are not equivalent at all, as only the former may offer the execution sequence a ; ; a. In [4, 3, 4, 43] it is shown that the coarsest congruence for the operator of action refinement contained in standard interleaving semantics is the ST semantics [9], a notion of equivalence that, roughly, considers actions as nonatomic activities split into two consecutive phases (see also [6]). Because of the strong relation to the (syntactical or semantical) structure of the specification S, the implementation r(s) is quite rigidly defined. One of the typical constraints is that the possile causal relation etween two astract actions is strictly preserved among all the actions of the two implementing processes. For instance, if S = a; and r(a) = a ; a as aove, then the only possile implementation

3 VERTICAL IMPLEMENTATION 97 is r(s) = a ; a ; and not the alternative a ;(a ) where the causal relation etween a and is partially forgotten. This can e a serious drawack in practice, as pointed out in [8]. Some work has een devoted to define less rigid forms of action refinement that do allow some overlapping [3, 7, 34, 39, 44]. Still, in all these approaches, given a specification and a refinement function there is always only one possile implementation. By allowing more than one implementation for a given specification, we get that in our approach the congruence prolem simply disappears: since one single specification may admit nonequivalent implementations, a fortiori two equivalent specifications need not to have equivalent implementations. Hence, there is no longer a need to move to noninterleaving semantics. The paper is organized as follows. In Section, our investigation starts y introducing the language we use (a mixture of CCS and CSP, containing all the well-known operators), equipped with operational and ehavioural semantics (the standard notion of rooted weak isimulation equivalence, see [9]). Then we present the class of refinement functions we use, which are restricted in that they map astract actions to nonempty (i.e., not immediately terminating) processes that cannot deadlock. Section 3 introduces the set of desired proof rules we would expect any vertical implementation r to satisfy. We use r as the formal symol in the proof rules for a vertical implementation relation parameterized y r, and (without parameter) for the corresponding standard (horizontal) implementation relation. The rules can e divided into three main groups. The first group states the interplay etween r and : when r is the identity function, id reduces to ; moreover, r and compose, meaning that if, e.g., S S and S r I and I I, then S r I. The second group defines a set of congruence-like properties; e.g., if S i r I i for i =,, then S + S r I + I. Some of the congruence rules have sideconditions on r, in particular on the nature of the alphaets of processes refining distinct astract actions. These side-conditions are necessary in order to otain an intuitively sound (e.g., deadlock-freedompreserving) proof system; we give some examples to illustrate this. The third group consists of a single rule that relaxes precisely the causality preservation constraint discussed aove, and thus is a typical example of a rule that surmounts the intrinsic limitations of the standard approach to action refinement. An interesting consequence of the proof system is that the (almost) standard notion of action refinement as syntactic sustitution is a sound implementation technique (ut y no means the only one) for any vertical relation that enjoys the proof rules. Section 4 introduces vertical isimulation, r, as the concrete notion of vertical implementation we propose in this paper. Its main features are the following: The underlying horizontal implementation relation is rooted weak isimulation equivalence. Vertical isimulation is formed of three components: a down-simulation (each astract move must e matched y a sequence in the implementation), an up-simulation (each move of the implementation should find a justification either as the initial action of a new refined action or as a continuation of a pending refinement), and a residual simulation, requiring that each move of the pending refinements must e present in the implementation. r enjoys all the proof rules: if S r I then S r I. In particular, r reduces to rooted weak isimulation equivalence when no action is refined. (The prolem of finding a complete set of proof rules for r is outside the scope of this paper.) The proof system makes it possile to prove nontrivial facts in a completely proof-theoretic way. Alternatively, one may show directly that r holds etween two given (finite-state) systems, y providing an actual vertical isimulation relation over their states. Furthermore, in Section 5 we also report another model-theoretic approach to check r over finite-state transition systems: we introduce the astraction theorem, according to which (under some constraints) a concrete transition system can e mapped algorithmically to a corresponding astract transition system. Checking vertical isimulation is then equivalent to first mapping the concrete-laeled transition system to its corresponding astract one, and then checking (classical) rooted weak isimulation etween the two astract transition systems. Section 6 extends the result presented so far to the case of open terms. In particular, we discuss the proof rule of recursion congruence, which makes it possile to deduce vertical implementations of recursive, possily infinite-state systems. Under the assumption of strict guardedness, recursion congruence is proved to hold for r.

4 98 RENSINK AND GORRIERI Section 7 shows several variations of vertical implementation on an example taken from [7], as well as an example of a finite-state specification admitting an infinite-state implementation. Especially the latter demonstrates the fact that the proof rules can e used to deduce nontrivial vertical implementations. Finally, in Section 8 we discuss further extensions of our work, concerning possile variations of the notion of vertical implementation relation. The proofs of this paper s most interesting theorems can e found in the Appendix; all proofs are given in the full report version [38]. A preliminary version of this paper appeared as [37].. BASIC DEFINITIONS.. The Language We assume a universe of action names U, ranged over y a,, c, an invisile action τ / U, and a termination lael / U {τ}. Susets of U are denoted A, C, A, C (where we sometimes use A, A for astract and C, C for concrete actions, respectively). We denote A τ = A {τ}, A = A { }, and A τ, = A {τ, } for any A U. U τ, is ranged over y, β, γ. Furthermore, we consider a universe of process variales, X, ranged over y x, y, z; susets of X are denoted X, Y. We define a family of languages L A, indexed y the set of actions A U that may e used within terms and ranged over y t, u,v, according to the grammar t ::= 0 t + t t; t t A t t[φ] t/a x µx. t, where A τ (hence is not allowed in the language), A A, φ: A A and x X. We drop the index A if it equals U. The operators have the following intuitive meaning: 0 is a process that immediately deadlocks. is a process that immediately terminates with a transition laeled. indicates the execution of the action. t + u indicates a choice etween the ehaviors descried y the suterms t and u. The choice is decided y the first action (even if it is a ) that occurs from either suterm, after which the other suterm is discarded. t; u is the sequential composition of t and u; i.e., t proceeds until it terminates, after which u takes over. t A u is the parallel composition of the ehaviors descried y t and u; A is a set of actions over which t and u synchronize. That is to say, actions from A can only e performed y oth suterms in concert, whereas all other actions can e done y either suterm in isolation. In addition, we use the following special case of parallel composition: t u = t u. t [φ] ehaves as t, except that actions are renamed according to the function φ, extended when necessary with the mappings τ τ and. t/a ehaves as t, except that the actions in A are hidden, i.e., turned into internal actions. x X is a process variale, presumaly ound y some encompassing recursive operator (see next item), or to e replaced y syntactic sustitution: t u/x denotes the replacement within the term t of every (free) occurrence of x y the term u (see elow for the formal definition). µx. t with x X is a recursive term. It can e understood through its unfolding, t µx. t/x. The variale x is considered to e ound in µx. t, meaning that it cannot e not affected y sustitution. Therefore, the identity of ound variales is considered irrelevant; in fact, we apply the standard technique of identifying all terms up to renaming of the ound variales, meaning that if y is a fresh variale not occurring in t, then µx. t and µy. t y/x are identified in all contexts. We only consider recursion over guarded terms; see Definition. elow.

5 VERTICAL IMPLEMENTATION 99 TABLE Free Variales and Syntactic Sustitution t fv(t) t f 0 0 t + t fv(t, t ) t f +t f t ;t fv(t, t ) t f ; t f t A t fv(t, t ) t f A t f t [φ] fv(t ) t f [φ] t /A fv(t ) t f /A { f (x) if x dom( f ) x {x} x otherwise µx. t fv(t )\{x} µy. (t y/x f ) where y / fv(t) dom( f ) fv( f ) To formalize the notion of syntactic sustitution, we first define the free variales of a term t, denoted fv(t), as those variales that do not occur in the scope of a recursion operator; see Tale. We write fv(t, u) = fv(t) fv(u). If fv(t) = for a given term t L, we call t closed; in contrast, we sometimes call a term open if it is not (known to e) closed. We will use L A to denote the set of closed terms. A sustitution function f is a partial function from X to L A ; its domain of definition will e denoted dom( f ). We use X L A to denote the space of sustitution functions; if f is a sustitution function with dom( f ) = X, we write f : X L A or f : X L A. Tale defines the application of a sustitution function f to a term t, denoted t f, as the simultaneous replacement, within t, of every free occurrence of every variale x dom( f ) y its image f (x). Note the (standard) definition of sustitution for recursive terms in Tale : the ound variale is renamed to a variale not occurring in the term to e sustituted, in order to avoid the capture of free variales. Notation for Sustitutions. If dom( f ) ={x,...,x n } and f maps each x i to a term t i, we also write f as an explicit list of sustitutions: f = (t /x,...,t n /x n )or(t i /x i ) i n. Correspondingly, we write t f =t t /x,...t n /x n or t t i /x i i n. The notion of free variales is extended to sustitution functions y defining fv( f ) = x dom( f ) fv( f (x)). As with terms, f is called closed if fv( f ) =. Guardedness. We can now also formalize the notion of guardedness, already mentioned aove. This is a syntactic property: in principle, a variale x X is said to e guarded in a term t L if every occurrence of x is within a suterm ; u of t. The precise definition is slightly more flexile than that: for instance, x (ut not y) is also considered to e guarded in (y; a); x. Furthermore, t is called well guarded if it contains only recursion over terms in which the recursion variale is guarded. Note that this does not imply that all variales are guarded in t; for instance, t = x is well guarded ut x is not guarded in t. DEFINITION.. First we define when an aritrary term (in L) is called a guard: 0 and are guards (for all A τ ); t + u is a guard if oth t and u are guards; t; u and t A u are guards if either t or u is a guard; t/a, t[φ], and µx. t are guards if t is a guard; and x are not guards (for all x X). Next we define when a variale is called guarded in a term: x is guarded in 0, and (for all A τ ); x is guarded in t + u and t A u if x is guarded in oth t and u; x is guarded in t; u if x is guarded in t and either t is a guard or x is guarded in u;

6 00 RENSINK AND GORRIERI x is guarded in t/a, t[φ], and µx. t if x is guarded in t; x is guarded in y ( X)ifx y. We call t L well guarded if in all suterms µx. u of t, x is guarded in u. The following proposition states that oth guardedness of a variale in a term and well-guardedness of a term are preserved y syntactic sustitution. PROPOSITION.. Let t, u L and x, y X.. If x is guarded in t and u, then x is guarded in t u/y.. If t and u are well guarded, then so is t u/y. The set of well-guarded terms will e denoted L wg A (and accordingly Lwg A for the closed fragment); however, where this does not give rise to confusion we will drop the superscript wg and simply assume all terms to e implicitly well guarded... Operational Semantics The operational semantics is given in terms of laeled transition systems (LTSs). An LTS is a triple, S, where is a set of laels, S is a set of states, and S Sis the so-called transition relation. As usual, we denote s s for (s,,s ), s for s. s s, and s for (s ). If, this plays the special role of modelling termination. Accordingly, in any LTS we impose as a requirement on termination transitions (i.e., -laeled ones) that they must lead to deadlocked states: s s. s. () The LTS for L A is otained as follows. The set of laels is A τ,. The set of states is given y the terms of L A. The transition relation is defined as the least relation satisfying the rules of Tale. Note that these rules apply to open as well as closed terms; for instance, a; x + y a x is a derivale transition. The termination lael is needed to give a satisfactory semantic treatment of sequential composition (see [4]). Note that a choice may terminate even if only one of the operands terminates (cf. [5]). Finally, cannot e hidden and must e synchronized upon. The following proposition shows the consequences of (well-)guardedness for the operational semantics: guarded variales are not used in initial transitions of a term, well-guardedness is preserved y transitions, and for well-guarded terms, the derivation rule for recursion can e replaced y another one in which the premise is structurally simpler than the conclusion (see also [3]). The latter fact has the consequence that more properties can e proved y induction on the term structure. t t t 0 t t; u t ; u / A t A u t A u t t / A t/a t /A TABLE Transition Rules t u u t t t + u t u u t + u u t u u t t t; u u t[φ] φ() t [φ ] / A t A u t A u t t A t/a τ t /A t t u u A t A u t A u t µx.t/x t µx.t t

7 PROPOSITION.. Let t, u L and x X.. If x is guarded in t and t u/x t, then t. If t is well guarded and t t, then t is well guarded. 3. If t is well guarded, then the set of derivale transitions t the last rule of Tale y VERTICAL IMPLEMENTATION 0 t t µx. t t µx. t/x. t for some t such that t = t u/x. t remains the same if we replace The following property expresses that the semantics satisfies the condition on -transitions imposed on an LTS. PROPOSITION.3. For all A U, A,τ, L wg A, is an LTS..3. Behavioral Semantics In an interleaving operational semantics such as the aove, a widely accepted τ-astracting equivalence relation is rooted (weak) isimilarity; see [9]. The definition is as follows. First, the asic, one-step transitions are extended to τ-astracting transitions in the usual fashion: if σ = n U τ, then t σ u : t τ τ τ n τ u. Furthermore, the definition relies on a function ˆ : U τ, U such that ˆτ = ε (the empty string, with ε t t for any t) and ˆ = for all U. Let T =, S, e a transition system. A weak simulation over T is a relation ρ S S such that for all s ρ s : if s s ˆ then s s such that s ρ s. DEFINITION.. ρ is a weak isimulation if ρ and ρ are weak simulations. A root of a relation ρ S S is a surelation ρ ρ such that for all s ρ s : τ if s s then s τ s such that s ρ s. ρ is a iroot of ρ if ρ is a root of ρ and ρ is a root of ρ. Weak isimilarity over T, denoted, is the largest weak isimulation over T, and rooted isimilarity, denoted, is the largest iroot of. Note that, ecause we will use the same rootedness condition several times, we have defined it in a generic fashion. The following few examples illustrate the role played y termination: The following result is well known (cf. [5, 9]): PROPOSITION.4. is a congruence over L. In particular, if t L and f, g: fv(t) L such that f (x) g(x) for all x fv(t), then t f t g. Restriction to Closed Terms. In the following sections, up to (ut not including) Section 6, we are only considering isimilarity of closed terms. We discuss the extension of isimilarity to open terms in Section Refinement Functions A refinement function maps astract actions to concrete processes, where the notions of astract and concrete are accompanied y a change of alphaet. For the purpose of this paper, in order to avoid

8 0 RENSINK AND GORRIERI unnecessary complications, we single out the L A -fragment R A of refinement terms that can e used as the refinement of astract actions. R A is generated y the following grammar t ::= a t + t t; t, where a A. Then, if A is the set of astract actions and C that of concrete actions (A and C not necessarily disjoint), a refinement function is of the form r: A R C, with dom(r) = A, with the property that r(a) a for only a finite numer of a (i.e., if A is infinite, then r is the identity almost everywhere). The restriction of refinement images to R (suscript omitted when clear from context) is largely technically motivated. At the same time, however, the terms of R satisfy a numer of intuitive sensiility criteria. Indeed, if a process t is to refine atomic action, then it is reasonale to require that t should e: nonempty, i.e., t. This comes down to the principle that a visile astract activity a (i.e., something the environment can synchronize on) cannot simply disappear during refinement. eventually terminating, i.e., after a finite numer of steps, t must terminate. This criterion essentially requires that the refinement of a given action cannot get stuck during execution. This seems quite reasonale in the light of the atomicity of the original (astract) action. Altogether, R is large enough to express sensile examples. Confusion in Refinement Functions. In some circumstances, it is important that the refinements of distinct astract actions themselves satisfy some distinctness criteria. The heart of the issue is confusion within the concrete system aout the origin of actions. EXAMPLE.. Consider a refinement function with a c; a and c;. On the astract level, the actions a and are distinct and cannot e confused. For instance, in t = (a + d) a, it is not possile that a and synchronize; hence t d; 0. On the concrete level, however, the proposed refinements of a and start with the same action; hence if a c occurs in the implementation, it is not a priori clear whether this reflects an astract a or an astract. This may e especially prolematic if parts of the concrete system synchronize over an occurrence of c, while one part intends the c to reflect an astract a-occurrence, whereas the other part intends it to reflect an astract -occurrence. As an example, consider u = (c; a + d) a,,c c; (this eing the direct, syntactic refinement of t aove). One possile run is u c a a,,c 0, resulting in a deadlocked state; this run does not have a counterpart in t. To avoid this and other types of confusion, we sometimes impose further restrictions on the refinement functions considered. To formulate these, first we define the alphaet of a refinement term t R, which equals the set of actions that may e executed y t during its lifetime; A(a) ={a} A(t+u)=A(t;u)=A(t) A(u). The intention of the alphaet is captured y the following (ovious) property: PROPOSITION.5. For all t R, A(t) ={a σ: t σa = }. Using the alphaet, we now define two properties of refinement functions that rule out confusion of the kind exemplified aove, to different degrees. DEFINITION.3. Let r: A R C and A A e given. r is said to preserve A if A(r(a)) A(r()) = for all a A and A\A; r is said to e distinct on A if the following conditions hold:. for all distinct a A and dom(r), A(r(a)) A(r()) = ;. for all a A and all suterms t + u and t; u of r(a), A(t) A(u) =. ris simply called distinct if it is distinct on A.

9 VERTICAL IMPLEMENTATION 03 In other words, a refinement function r preserves a certain set A dom(r) if there is no overlap etween the actions occurring in the refinements of (the elements of) A and of (the elements of) dom(r)\a. For instance, the function r in Example. does not preserve {a} or {}, ut it does preserve {a, } if a,, and c do not occur in r(d) for any d dom(r)\{a, }. On the other hand, r is distinct on A if also the refinements of different actions in A have disjoint alphaets, and the images of individual actions in A contain no more than a single instance of any action. Hence distinctness implies preservation, and r in Example. is not distinct on {a}, {} or {a, }. Active Domain and Active Range. In the following it will e useful to distinguish the active domain adom(r) of a refinement function r, as well as its active range arng(r), defined as arng(r) = A(r(a)) r(a) a adom(r) ={a r(a) a} (arng(r) dom(r)). Hence the active domain is a suset of the domain, consisting of two types of actions: those that are not mapped onto themselves, and those that are used in the image of any action different from themselves. Note that adom(r) is always finite, due to the fact that we required r to e the identity almost everywhere (see aove) and the fact that A(t) is a finite set for all t R. It is interesting to oserve that hence justifying the name of active range. arng(r) = A(r(adom(r))), EXAMPLE.. If A = C ={a,,c}and r: a a;,, c c then adom(r) ={a,}. Note that adom(r) is preserved y r. The preservation of the active domain is a general property, formulated in the following proposition; in fact, this property is the reason why we introduced the active domain. PROPOSITION.6. adom(r) is the smallest r-preserved set containing {a r(a) a}. Refinement Function Constants and Operations. We use id A : A R A to denote the identity refinement function on A (hence adom(id A ) = ), omitting the index A if it is clear from the context. In addition, we use the following construction on refinement functions: { a if a A r\a: a r(a) otherwise. Hence r\ A turns r into the identity over the actions in A. Note that r\adom(r) = id and if r preserves A then adom(r\a) = adom(r)\a. 3. PROOF RULES FOR VERTICAL IMPLEMENTATION We now introduce the central concept of this paper, namely the notion of vertical implementation. When we write t r u we mean that t is an astract system and u one of its possile implementations according to the (generic) vertical implementation relation r, where the correspondence etween actions of t and computations of u is set via the refinement function r. Similarly, when we write t t we mean that t and t are two systems at the same astraction level, related y the (generic) horizontal implementation relation (i.e., relating systems at the same astraction level), which could e one of those studied in, e.g., [5]. In this section we define a set of proof rules that any relation r should satisfy; in the proof rules, we use the syntactic symol r for r and for. The list of rules, expressing natural desiderata, is reported in Tale 3. Some of the proof rules have side conditions on their applicaility, concerning

10 04 RENSINK AND GORRIERI TABLE 3 Proof Rules for Vertical Implementation t id t R t id u t u R t t t r u u u t r R 3 u 0 r 0 R 4 r R 5 r r() R 6 t r u t r u t + t r u + u R 7 t r u t r u t r u φ adom(r) = id adom(r) t ; t r R 8 u ; u t[φ] r R 9 u[φ] t r u r preserves A t/a r\a u/a(r(a)) R 0 t r u t r u r is distinct on A t A t r u A (r(a)) u R r(a) = u ; u t r v a; t r R u ;(u v) distinctness and preservation on a set of actions y the refinement function r. To etter understand them, elow we present some examples showing that these side-conditions are really necessary. Note that the rules in Tale 3 range over closed terms only. The extension to open terms, including a structural rule for the congruence of the (second-order) recursion operator, is dealt with in the separate Section Motivation Before illustrating the need for the side conditions, we discuss the rules of Tale 3 in some detail. They can e divided in three groups. The first group of properties, consisting of rules R R 3, expresses our asic assumption of compatiility of horizontal and vertical implementation. Rule R simply states that every term implements itself as long as no proper refinement takes place, rule R says that id implies, while Rule R 3 explains the interplay etween horizontal and vertical implementation relations. Note that, as a consequence, we also have the derived rule t u t id u that, in conjunction with rule R, ensures that and id are indeed the same relation. Note also that Rules R and R imply that is reflexive, whereas Rules R R 3 together imply that is transitive; hence is a preorder, which indeed is the standard requirement for horizontal implementation relations. Later in this paper, we choose weak isimulation to e the horizontal implementation relation ; however, the interplay etween vertical implementation relations and horizontal implementation relations in no way should depend on this choice, and we feel that any of the τ-astracting relations studied in, e.g., [5] can, in principle, e used as a asis. The rules R 4 R essentially express congruence of vertical implementation with respect to the operators of our language. For instance, if the refinement functions in these rules are set to id, then the properties expressed y these rules collapse to the standard precongruence properties of for the operators of L. (In other words, the horizontal implementation relation needs to e a precongruence, at least.) Rules R 4 and R 5 simply express that deadlock and termination are independent of the astraction level. Rule R 6 is the core of the relationship etween the refinement function r and the vertical implementation relation. It expresses the asic expectation that r(a) should e an implementation for a. Rules R 7,R 8, and R are quite ovious, as they inductively go into the structure of the components. Note that in Rule R the synchronization set A of the specification is refined in the implementation. We will comment elow on its side condition.

11 VERTICAL IMPLEMENTATION 05 R 9 can e used for renaming terms when the renaming function φ is an identity on actions to e refined. Oserve that no proof rule for renaming is offered in case the renaming and refinement function interfere. There is some room for extension here; for instance, the following additional rule may e considered, t r u φ injective t[φ] ψ r φ u[ψ], where ψ r φ is a construction on the refinement function r with the ovious meaning. At this point, however, we have chosen not to e exhaustive ut rather to concentrate on the essential rules. Rule R 0 is a similar congruence-like rule for hiding, with the proviso that the refinement function has lost some of its active domain in correspondence to those actions that are hidden. We will comment later on its side condition. An interesting consequence of R 0 is given y the (derived) rule t r u t/adom(r) u/arng(r). (Note that in this case, the side condition can e dropped, since r always preserves adom(r).) Hence, y hiding all the actions that are refined, the vertical implementation is turned ack into a horizontal implementation relation. Rule R states that in certain circumstances, sequential composition in the specification need not e taken literally: there may e overlap etween the tail of (the refinement of) the first operand and (the implementation of) the second operand. In other words, this rule expresses a certain degree of weakening of the causal ordering during refinement in the sense discussed in the Introduction, reminiscent of the approaches of [8] and [44]. Note that, ecause of our choice of refinement language R, it is clear that u is not terminated in the premise r(a) = u ; u. This is indeed a necessary circumstance. To see why, note that we do also not expect the following generalization of R to hold: s r u ; u t r v s; t r u ;(u v). If a ; a (where = ), this more general rule which in fact also generalizes R 8 would allow one to derive a; id a and hence a; a ; this is not consistent with a deadlock-preserving horizontal implementation relation (a; cannot deadlock when synchronized with a; + a; 0 whereas a can). The use of Rule R is fairly limited; in the conclusion of this paper we discuss another, more general rule for the weakening of sequential composition. Nevertheless, there are nontrivial applications even of this limited version, as we show in Section 7. Two small illustrations of the rules are provided y the following examples, which were already discussed in the Introduction. The first one is ased on the assumption that we are working in an interleaving model, where a a; + ; a. EXAMPLE 3.. Using Tale 3, we can show that if a is split into r(a) = a ; a in the astract system S = a, this can e implemented either y treating (the implementation of) a and as independent, resulting in I = a ; a, R a r 6 a ; a r R 6 R S r, I or y imposing an ordering, as in I = a ; a ; + ; a ; a,.. S a; + ; a.. a; + ; a r I R 8, R 7 I id I R I I R S r I R 3. The second example concerns the weakening of the causality using R.

12 06 RENSINK AND GORRIERI EXAMPLE 3.. Consider again r: a a ; a,, and let S = a; and I = a ;(a ): r(a) = a ; a r R 6 R S r. I More interesting examples can e found in Section Side Conditions Although the side conditions on rules R and R 0 in Tale 3 seem ugly, it is not difficult to see that they are necessary, at least if one wants to meet the minimal requirement of choosing a horizontal implementation relation that preserves deadlock freedom (i.e., such that if t is deadlock-free and t u then u is deadlock-free). We show a few examples illustrating some of the most striking prolems. The first example concerns the side condition of Rule R 0 for hiding. EXAMPLE 3.3. Let r: A R C e a refinement function with active part a a; c and ; c (where c / A). Hence r preserves neither {a} nor {}. Then, if we use the proof rule ignoring the side conditions, we would get the derivation a, r a; c R 6 a/ r\ (a; c)/, c R 0 a r\ a; c R 6 R (a/) a a r\ ((a; c)/, c) a,c a; c ((a/) a a)/a (((a; c)/, c) a,c a; c)/a, c R 0, R. The left-hand term on the ottom line contains no deadlock (there is just one transition of synchronization, leading to the terminated state ((/) a )/a), whereas the right hand term has the transition (((a; c)/, c) a,c a; c)/a, c τ ((; c/, c) a,c ; c)/a, c to a deadlocked state. This contradicts the requirement that preserves deadlock freedom. The next few examples show prolems that derive from unintended effects of Rule R for parallel composition if we omit its side condition of distinctness. EXAMPLE 3.4. Let r e a refinement function with active part a c; + c; d. The rules of Tale 3 then allow the derivation a r c; + c; d R 6 a r c; + c; d R 6 a a a r (c; + c; d),c,d (c; + c; d) R (a a a)/a ((c; + c; d),c,d (c; + c; d))/, c, d R 0, R. The left-hand term on the ottom line contains no deadlock (there is just one transition of synchronization, leading to the terminated state ( a )/a), whereas the right-hand term has the transition ((c; + c; d),c,d (c; + c; d))/, c, d τ (;,c,d ; d)/, c, d to a deadlocked state. This contradicts the requirement that preserves deadlock freedom. It is clear that the prolem is related to the fact that r(a) isnondeterministic and that, in synchronization, local choices can show up inconsistent at a gloal level. The side condition of distinctness solves the prolem y invalidating the aove derivation, since r violates Condition of distinctness (Definition.3). Much the same prolem can also e generated if the refinements of two different astract actions start with the same concrete action (hence violating condition of Definition.3), as the following example shows.

13 VERTICAL IMPLEMENTATION 07 EXAMPLE 3.5. Let r e a refinement function with active part a c; a and c;. The rules of Tale 3 then allow the derivation a r c; a R 6 d r d R 6 R r c; R 6 d r d R 6 a + d r 7 R c; a + d + d r 7 c; + d R (a + d) a, ( + d) r (c; a + d) a,,c (c; + d) ((a + d) a, ( + d))/a, ((c; a + d) a,,c (c; + d))/a,, c R 0, R. The left-hand term on the ottom line contains no deadlock (all transition sequences lead to a terminated state), whereas the right-hand term has the transition ((c; a + d) a,,c (c; + d))/a,, c τ (; a a,,c ; )/a,, c to a deadlocked state. This contradicts the requirement that preserves deadlock freedom. To prevent this sort of things from occurring, it is necessary that distinct synchronizing astract actions are refined to terms having disjoint initial actions. Moreover, initial actions and later (i.e., noninitial) actions of a refinement image r(a) should also e kept distinct, as the following example shows. EXAMPLE 3.6. Given a refinement function r that is the identity everywhere except for a c; c,we have that (a; a ((a + ) (a + )))/a, is implemented y (c; c; c ((c; c + ) (c; c + )))/c,. However, while the former cannot deadlock, the latter can. Again, imposing the side condition of distinctness invalidates the derivation, since the refinement function r in this example violates Condition of Definition.3. The identification of suitale side conditions for rule R is related to the issue of syntactic versus semantic action refinement studied in [], where suitale conditions for syntactic sustitution to distriute over the parallel operator (with synchronization) have een singled out. Hence, different side conditions for different classes of refinale terms are possile, according to the results presented in that paper Syntactic Refinement Although the derivation rules in Tale 3 give no recipe for deriving implementations from specifications, one particular implementation can in many cases e otained through the syntactic sustitution of all astract actions y their refinements. For a given refinement function r: A R C, syntactic sustitution can e formalized as a partial function r : L A L C, defined in Tale 4. The partial definedness (originating in the rules for parallel composition, renaming and hiding) is necessary to ensure that syntactic refinement (if defined) always yields a valid r -implementation. We then have the following result: TABLE 4 Syntactic Refinement r (0):=0 r ():= r ():=r() r (t +u):=r (t)+r (u) r (t;u):=r (t); r (u) r (t A u):=r (t) A(r(A)) r (u) ifr is distinct on A r (t[φ]) := r (t)[φ] ifφ adom(r) = id adom(r) r (t/a):=r (t)/a(r(a)) if r preserves A r (x):=x r (µx.t):=µx.r (t)

14 08 RENSINK AND GORRIERI THEOREM 3.. For all recursion-free t L A and r: A R, if r is defined on t, then t r r (t). Proof. By induction on the structure of t, thanks to the rules in Tale 3. Note that this result is limited, not just to closed terms, ut to recursion-free terms, i.e., with finite ehavior. The reason is that our current proof system does not allow reasoning aout recursion. We will repair this omission in Section 6. One could turn the fact that syntactic refinement implies vertical implementation around and define a vertical implementation relation in terms of syntactic action refinement, taking care to interpret the specification and implementation up to some horizontal implementation relation or equivalence such as, for instance, isimulation. This gives rise to t r u : v:t v,r (v) u. r meets several of the requirements discussed in the Introduction; for instance, we have that a r a ; a as well as a r a ; a ; + ; a ; a if r: a a ; a (see also Example 3.), showing that a single specification can have incomparale vertical implementations. In fact, r satisfies all the proof rules of Tale 3, with the exception of R. A similar technique can e used to define a vertical implementation relation using semantic rather than syntactic refinement. This again gives rise to a relation that satisfies all proof rules ut R.It appears that R is typical of the flexiility one would like to have in implementing causality ut is excluded y the traditional approach to action refinement. 4. VERTICAL BISIMULATION We now define an actual vertical implementation relation that satisfies all the proof rules of Tale 3. This section starts y introducing the asic definition, uilt on rooted weak isimulation (see Definition.), chosen as the horizontal implementation relation. Then we present the main results of our vertical isimulation relation, namely soundness of the rules in Tale 3 (even if such a set of rules is not complete) and (as a consequence) soundness of syntactic refinement. 4.. The Relation As we have seen, rooted weak isimulation is defined using isimulation relations that connect states of the specification with states of the implementation and vice versa. In an analogous way, we define vertical isimulation as the comination of unidirectional simulations. However, in contrast to weak isimulation, the directions are no longer symmetric. To simulate the astract transitions of the specification y the implementation, we define the concept of down-simulation, according to which astract transitions are matched with complete runs of the corresponding refinements in the implementation. In the following definitions, T = U τ,, S, is a fixed transition system, and r: A R C a refinement function. DEFINITION 4.. s ρ s,ifs A down-simulation up to r over T is a inary relation ρ S S such that for all s then one of the following holds:. adom(r), and if r() = σ σ then s s such that s ρ s ;. ˆ / adom(r), and s s such that s ρ s It follows that down-simulation is a rather weak notion: w.r.t. the implementation, it regards only complete runs of the refined actions. The intermediate states of the implementation, traversed during such a complete run, are not investigated at all. This oservation is due to an anonymous referee.

15 VERTICAL IMPLEMENTATION 09 EXAMPLE 4.. Let r: a a ; a,, c c. There is a down-simulation etween S = a; and I = a ;(a ;+c), given y {(S, I ), (;, ; ), (, ), (0, 0)}; this does not investigate the intermediate state ;(a ;+c) that the implementation passes through while doing I = a a ;. To define the dual notion of up-simulation, we also must take into account that in any given state of the implementation, there may e associated refined actions whose execution has not yet terminated. These will e collected in a set of residual (or pending) refinements that will e used to parameterize the isimulation. To e precise, an r-residual set will e a multiset of nonterminated proper derivatives of r-images. Such a set is formally represented y a function R: L N. We will denote t R if R(t) > 0. To e precise, the collection of residual sets of r is defined as rsd(r) = { R: L N t R: a dom(r), σ U + : r(a) σ t }. (Note that we cannot require R: R N, even though r maps to R only, since the derivatives of terms in R may contain occurrences of.) We use the following constructions over residual sets: : u 0 { if u = t and t [t]: u 0 otherwise R R : u R (u) + R (u) R R : u max{r (u) R (u), 0}. The ehavior of a residual set corresponds to the synchronization-free parallel composition of its elements. Formally, R R : t R: t t :R =(R [t]) [t ]. Note the fact that terminated terms do not contriute to the residual set. The reason we can ignore terminated terms is that it is certain that such terms no longer display any operational ehavior. An up-simulation must maintain the multiset of residual refinements: either the implementation s move corresponds to the initial concrete action of a refined astract action, or it is an action of a residual refinement. The residual set forms an additional component to every pair of (specification and implementation) states; hence we have a ternary rather than a inary relation. 3 Notation for Ternary Relations. In the following, we will often work with ternary relations of the form ρ S S rsd(r) for some set of states S and refinement function r. We use the notation s ρ R s to areviate (s, s, R) ρ; in other words, ρ R is interpreted as the inary relation {(s, s ) (s, s, R) ρ}. DEFINITION 4.. An up-simulation up to r over T is a ternary relation ρ S S rsd(r) such that for all s ρ R γ s,ifs s then one of the following holds:. adom(r): s s and r() γ v such that s ρ R [v] s ; ε. s s and R γ R such that s ρ R s ; ˆγ 3. γ / arng(r) and s s such that s ρ R s. Note that when the implementation move is matched y the pending refinements in the residual set (item ), then the specification is allowed to move silently (i.e., with a τ-transition). See [38] for a discussion on variations on this definition, showing among other things that this is indeed necessary. To comine a (inary) down-simulation ρ and a (ternary) up-simulation ρ, we require that ρ equals the surelation ρ, i.e., where the residual set component is empty. (This is the natural choice, since in 3 Other ternary isimulation-ased relations are, for instance, history-preserving isimulation [6], and symolic isimulation [5].

16 0 RENSINK AND GORRIERI the definition of down-simulation we assumed to investigate only states of the implementation where all refinements had een simulated completely.) Unfortunately, such a comination does not yet give rise to a useful notion of vertical implementation, since there is no guarantee that refinements that were started (and hence are in the residual set) can e finished. EXAMPLE 4.. Letr: a a ; a and consider S = a and I = a ; 0 + a ; a. Down- and up-simulations etween S and I are given y ρ ={(S,I),(,),(0,0)} ρ ={(S,I, ),(,;0,[a ]), (, ; a, [a ]), (,, ), (0, 0, )}. Note that ρ = ρ. However, we certainly do not want I as an implementation of S, since I may e not ale to complete the sequence implementing a, and may deadlock instead. In particular, we have ρ [a] ; 0, which relates a terminated state with a deadlocked state. In fact, Rules R 0 and R would allow us to derive S/a I/a, a from S r I, which is false. Vertical isimulation, therefore, is determined y a relation that is oth a down-simulation, an upsimulation, and a residual simulation; the latter requires that any move of the pending refinement set must e matched y the implementation, without the specification moving at all. This implies that pending refinements can e worked off in any possile order, or indeed in parallel, y the implementation. This property can e construed as an operational formulation of atomicity: that which is started can always e finished. DEFINITION 4.3. Let r e a refinement function. A weak vertical isimulation up to r over T is a ternary relation ρ S S rsd(r) such that. ρ is a down-simulation;. ρ is an up-simulation; 3. {(R, s ) s ρ R s } is a weak simulation (called residual simulation) for all s S. Weak vertical isimilarity up to r over T, denoted r, is the largest weak vertical isimulation up to r over T, and rooted vertical isimilarity up to r over T, denoted r, is the largest iroot of r,. Figure shows an example of an actual vertical isimulation: given r: a a ; a, the figure shows vertical isimulations proving a; r a ; a ; and a; r a ;(a ). The dotted lines connect related states and their laeling is the residual set indexing the relation. 4.. Soundness Results Directly from Definition 4.3, the following consistency result follows: a ; a ; a; a ; (a ) [0] [0] a a a [0] a [a ] a [a ] [0] [0] [a ] [0] [0] [0] a FIG.. An example of vertical isimulation: with r: a a ; a.