Calculating τ-confluence Compositionally

Transcription

1 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE Clculting -Confluence Compositionlly Gordon Pce Frédéric Lng Rdu Mteescu N 4918 Septembre 2003 THÈME 1 ISSN ISRN INRIA/RR FR+ENG pport de recherche

2

3 Clculting -Confluence Compositionlly Gordon Pce, Frédéric Lng, Rdu Mteescu Thème 1 Réseux et systèmes Projet VASY Rpport de recherche n 4918 Septembre pges Abstrct: -confluence is reduction technique used in exolicit stte model-checking of lbeled trnsition systems to void the stte explosion problem. In this report, we propose new on-the-fly lgorithm to clculte prtil -confluence, nd propose new techniques to do so on lrge systems in compositionl mnner. Using informtion inherent in the wy lrge system is composed of smller systems, we show how we cn deduce prtil -confluence in computtionlly chep mnner. Finlly, these techniques re pplied to number of cse studies, including the rel/rel tomic multicst protocol. Key-words: brnching bisimultion, compositionlity, composition expression, concurrency, explicit stte verifiction, lbeled trnsition system, model checking, network of communicting systems, prtil order reduction technique, -confluence This work hs been prtilly supported by the Europen Reserch Consortium in Informtics nd Mthemtics (ERCIM). A short version of this report is lso vilble s Clculting -Confluence Compositionlly, in W. A. Hunt, Jr. nd F. Somenzi, editors, Proceedings of the 15th Computer-Aided Verifiction conference CAV 2003 (Boulder, Colordo), July 8-12, gordon.pce@um.edu.mt Frederic.Lng@inri.fr Rdu.Mteescu@inri.fr Unité de recherche INRIA Rhône-Alpes 655, venue de l Europe, Montbonnot-St-Mrtin (Frnce) Téléphone : Télécopie

4 Clcul compositionnel de l -confluence Résumé : L -confluence est une technique de réduction utilisée en vérifiction énumértive sur les systèmes de trnsitions étiquetées pour éviter le problème d explosion d étts. Dns ce rpport, nous proposons un nouvel lgorithme à l volée pour clculer l -confluence, et nous proposons de nouvelles techniques pour le fire sur de grnds systèmes de mnière compositionnelle. A l ide d informtions sur l fçon dont un grnd système est composé de systèmes plus petits, nous montrons comment il est possible de déduire l -confluence efficcement. Finlement, ces techniques sont ppliquées à plusieurs études de cs, en prticulier le protocole rel/rel de diffusion tomique. Mots-clés : bisimultion de brnchement, compositionnlité, concurrence, expression de composition, model checking, réseu d utomtes communicnts, système de trnsitions étiquetées, -confluence, technique de réduction bsée sur ordres prtiels, vérifiction énumértive

5 Clculting -Confluence Compositionlly 3 1 Introduction An importnt re of reserch in model checking is the genertion of restricted models using intuition nd nlysis of the system in question to produce smller stte spces smll enough to enumerte nd mnipulte. In prctice, different techniques hve been developed. Of interest to this report, we note: on-the-fly model genertion, where only the interesting prt of the model is generted; prtil-order reduction [17] nd the relted -confluence [12, 22] reduction techniques which exploit independence of certin trnsitions in the system to discrd unnecessry prts; nd compositionl techniques [10, 9] where model is decomposed into smller prts, prtilly generted using knowledge bout future interfce components to void intermedite explosion. In this report, we re minly interested in deriving techniques which use structurl informtion of the system to perform -confluence reduction. Extrcting generl -confluence of flttened system cn be costly nd imprcticl. However, the user usully lso provides the system in the form of symbolic description, which we ttempt to exploit t low cost to clculte -confluence. The informtion we use is the connection pttern of the network of communicting trnsition systems composition expressions. At the leves, we hve trnsition system components, usully vrious mgnitudes of size smller thn the whole system (especilly if techniques such s projection [14] re first pplied). Using the structure of the network, we cn immeditely deduce certin independence between trnsitions to be used for model reduction. We propose new lgorithm to clculte prtil -confluence on-the-fly similr in spirit to [3], but optimized in prticulr for flt trnsition systems. We then prove correct number of lws which llow us to deduce -confluence in composition expression without the need of expensive clcultions. We implemented severl tools bsed on this work in Cdp [7]. We show their performnce when pplied on number of cse studies, including the rel/rel tomic multicst protocol. Pln of the report. Section 2 presents relted work deling with -confluence detection nd more generlly the use of prtil-order techniques in process lgebr. Section 3 defines the bsic notions used throughout the report, in prticulr -confluence nd the -prioritiztion technique. In Section 4, the lgorithm to clculte -confluence on-thefly using boolen eqution systems is presented. Composition expressions re defined in Section 5, nd Section 6 presents our method to deduce -confluence in such expressions. Implementtions nd experimentl results re presented in Section 7. We conclude in Section 8. We then provide proofs of the min results in Appendix A. 2 Relted Work An extensive nd thorough study of -confluence in process lgebr nd Lts verifiction cn be found in [12]. In [22], the results re developed further, extending wek confluence conditions for divergent trnsition systems. RR n 4918

6 4 G. Pce, F. Lng, R. Mteescu The ides we develop in this report hevily borrow from [11], in which globl (not on-the-fly) lgorithm is given for clculting mximl -confluence sets. The lgorithmic complexity is of the order O(m fnout 3 ), where m is the number of trnsitions in the Lts, nd fnout is the mximum number of trnsitions exiting from stte. The pper lso uses -prioritiztion nd -compression (where chins of trnsitions re collpsed), used to reduce n Lts, once -confluence set hs been clculted. We use the sme notion of -confluence s in this pper minly since discovering -confluence sets under this definition is well-trctble. Our lterntive lgorithm to evlute mximl -confluence set hs complexity of the order O(m fnout fnout ) nd works on-the-fly. Furthermore, we use deduction to prtilly identify -confluence in lrge systems by nlyzing their components. [2, 3] build upon the results of [22] nd re closely relted to our work, except tht they concentrte on wek confluence. The lgorithms work eqully well with the stronger confluence condition we use. To clculte -confluent set, they use the symbolic description of the Lts (s gurded ction/event systems) nd feed conditions to n utomted theorem prover to prove the independence of certin gurds. In certin sense, our lgorithm to clculte the mximl -confluent set cn be seen s n extreme cse of this pproch the Lts expnded to the ctul description of the Lts trnsitions, nd given the trivil nture of the resulting gurds nd trnsitions, we replce the utomted theorem prover by Bes solver. Our symbolic description, bsed on composition expressions, differs from theirs, nd llows for certin independence to be concluded esily, but does not llow symbolic reduction s is possible in their cse. -confluence is closely connected to prtil-order reduction techniques [17]. The fct tht trnsitions re prtilly invisible under brnching [21] nd other wek bisimultions, mens tht independence of trnsitions preserving bisimultion is possible, nd cn be useful in prctice. In [20] is n nlysis of prtil-order methods pplied to process lgebr, tht includes set of conditions sufficient to gurntee brnching bisimultion equivlence fter reduction. As remrked in [3], these conditions re stronger thn wek -confluence. The conditions re not comprble to the notion of prtil confluence we use, since we llow for confluence, but closing up to one step hed. [20] llows for multiple invisible trnsitions, but not for confluence. The conditions, however, closely relte to the conditions used in this nd other -confluence ppers. Severl prtil-order reduction techniques pplied to compositions of Ltss hve been proposed. Of interest re the -dimond elimintion technique presented in [19] (implemented for Csp in the Fdr 2 tool) nd technique bsed on the detection of so-clled -inert trnsitions presented in [18] (implemented for Ccs in the Concurrency Fctory). Both consist in identifying -trnsitions tht do not need be interleved with concurrent trnsitions, since the obtined behviour would be equivlent (for some reltion) to the one in which the -trnsition is tken first. The difference relies on the properties being preserved under bisimultion in the cse of behviour equivlence preserved under reduction: wek bisimultion in [18], nd filure/divergence in [19], both of which do not preserve brnching properties of the system. Additionlly, our pproch works on-the-fly, in combintion with ny verifiction tool of Cdp, nd for ny lnguge with front-end for Cdp. INRIA

7 Clculting -Confluence Compositionlly 5 3 Bsic Definitions Definition 1 (Lbeled Trnsition System) A Lbeled Trnsition System (Lts) is qudruple Q, Act,, q 0 where Q is the set of sttes of the system, Act is the set of possible ctions the system my tke (including specil invisible ction ), Q Act Q is the set of trnsitions nd q 0 Q is the initil stte of the system. Using stndrd conventions, we will write q q to sy tht (q,, q ), nd for set of ctions G Act, G is the trnsition reltion restricted to ctions in G. ctions(q) is the set of ctions possible from stte q. If we my wnt to ignore invisible trnsitions, q q, mens tht either q q, or q = q nd = (note tht this cse does not necessrily imply tht q q since q q is true for ny q). is the reflexive trnsitive closure of {}. Finlly, we sy tht n Lts is divergent if there exists n infinite sequence of sttes q i such tht for ll i, q i qi+1. Definition 2 (Brnching Bisimultion) Given two Ltss S 1 nd S 2 defined by S i = Q i, Act, i, q 0,i, reltion between the sttes of the two Ltss Q 1 Q 2 is sid to be brnching bisimultion if for ny q 1 q 2, the following two properties re stisfied: 1. for ny q 1 q 1, there exist q 2, q 2 with q 2 q 2 q 2 nd q 1 q 2, q 1 q for ny q 2 q 2, there exist q 1, q 1 with q 1 q 1 q 1 nd q 1 q 2, q 1 q 2. The mximl brnching bisimultion is well-defined equivlence reltion ( b ). We sy tht two Ltss re brnching bisimilr (S 1 b S 2 ) if their initil sttes re brnching bisimilr q 0,1 b q 0, Confluence -confluence corresponds to the intuition tht certin silent trnsitions do not chnge the set of trnsitions tht cn be undertken now or in the future. If we cn clculte set of silent trnsitions with this property, we cn then reduce the Lts to obtin smller system. Different levels of -confluence hve been defined in the literture. Some encompss more trnsitions (nd hence llow more powerful reductions), but re more expensive to clculte n pproprite confluent set. Others re more restrictive, but llow chep - confluence set deduction. In this report we will concentrte on so-clled strong confluence which we will refer to in the rest of the report simply s confluence. The interested reder is referred to [12, 22] for whole hierrchy of -confluence notions. Definition 3 (-Confluence) Given n Lts S = Q, Act,, q 0, nd T {}, we sy tht T is -confluent in S if for every q 1 q2 T nd q 1 q3, there exists stte q 4 such tht q 2 q4 nd q 3 q4 T. RR n 4918

8 6 G. Pce, F. Lng, R. Mteescu The intuition is tht every other outgoing trnsition of q 1 cn be emulted fter the -confluent trnsition. Grphiclly, the -confluence cn be seen in the following figure. Norml line trnsitions re given (universlly quntified), wheres dshed trnsitions indicte tht their existence must be proved: q 1 q 2 q 3 q 4 Since the brred trnsitions cn be confusing, the different wys in which the hlfdimond with distinct trnsitions cn be completed is split in different cses below: q 1 q 1 q 1 q 2 q 2 q 3 q 4 T q 3 T T q 2 q 3 Proposition 1 If q q is -confluent trnsition in S, then q b q. Proposition 2 The union of two -confluent sets of n Lts S is itself -confluent set of S. We cll the union of ll -confluent sets the mximl -confluent set, nd write it s T(S). The proofs of these propositions cn be found in [11] prioritiztion -prioritiztion is technique to replce n Lts with smller one by giving priority to -confluent trnsitions over other trnsitions. Definition 4 (-Prioritiztion) Given two Ltss S 1 nd S 2 (S i = Q i, Act, i, q 0,i ), we sy tht S 2 is -prioritiztion of S 1 with respect to -confluent set T, if 2 1 nd for every q 1 q, either q 2 q or for some q, q 2 q T. The following figures show two exmples of -prioritiztion (with unrechble sttes removed): q 0 q 0 b Proposition 3 If S 1 is -prioritiztion of non-divergent Lts S 2 with respect to T, then S 1 b S 2. b q0 b q 0 INRIA

9 Clculting -Confluence Compositionlly 7 The proof cn be found in [11]. -prioritiztion thus llows reduction of non-divergent systems with respect to -confluent set, mintining equivlence modulo brnching bisimultion. The min problem with -prioritiztion is tht it is restricted to non-divergent systems. However, one cn ugment the prioritiztion to clculte nd eliminte on-the-fly cycles. Alterntively, other reduction techniques [2, 16] hve been defined in the literture (see Section 2) nd cn be used. 4 Clculting -Confluence using Boolen Equtions In this section, we present n on-the-fly lgorithm to clculte the mximl -confluent set. Definitionl boolen eqution systems without negtion re well-known nd studied field. The following is short summry of definitions nd results to set the picture for the trnsltion lgorithm we propose for on-the-fly -confluence clcultion. 4.1 Boolen Eqution Systems Definition 5 (Boolen Eqution System) A boolen eqution system (Bes) is set of vribles V split into two disjoint subprts V d nd V c, with their definition δ V 2 V. Vribles in V d re defined in terms of disjunction over the definition set, while those in V c re defined s conjunction. Definition 6 (BES Interprettion) An interprettion I of Bes is subset of vribles V of the eqution system, I V. Vrible v is sid to be stisfied in I if v I. An interprettion is sid to be vlid if the definition function holds: ( v V d ) δ(v) I ( v V c ) δ(v) I In words, t lest one vrible in the definition of every disjunctive vrible nd ll vribles in the definition of every conjunctive vrible must be stisfied. Proposition 4 The union of ll vlid interprettions of Bes Eq is itself vlid interprettion. This is clled the gretest fixed point solution: (νv. Eq). Stndrd lgorithms exist to evlute the gretest fixed point of boolen eqution system. In prticulr, we re minly interested in n on-the-fly lgorithm locl one resolving only the necessry vribles we my require. Such lgorithms cn be found in [15, 1] nd work in both bredth-first nd depth-first fshion. This problem cn be solved in time proportionl to the number of vribles nd the size of the definition sets. 4.2 Trnslting -Confluence of Ltss into Boolen Equtions It is rther strightforwrd to trnslte the definition of -confluence in Section 3.1 into Bes whose vlidity implies the confluence of individul trnsitions. RR n 4918

10 8 G. Pce, F. Lng, R. Mteescu Definition 7 Given n Lts S, we introduce conjunctive vrible for every trnsition, nd disjunctive vrible for every hlf-terminted dimond in the -confluence digrm: d q 2,q 3 V c df = {cq1,q 2 ( q 1, q 2 Q) q 1 q2 } V d df = {d q2,q 3 ( q 1, q 2, q 3 Q) q 1 q2, q 1 q3 } The intuitive interprettion we will use is tht: 1. Every confluent trnsition hs to be ble to close ll hlf-dimonds (conjunction). 2. Every hlf-dimond hs to be closed by some other confluent trnsition (disjunction). The boolen vribles c q1,q 2 will be stisfible if nd only if q 1 q2 is confluent, while is stisfible if nd only if the corresponding hlf-dimond cn be stisfctorily closed. Conjunctive vribles: c q1,q 2 should be stisfible if nd only if ll extended hlf-dimonds which re not trivilly closed (vi direct trnsition from q 2 to q 3 ) cn be closed: δ(c q1,q 2 ) df = {d q 2,q 3 q 1 q2, q 1 q3, q 2 q 3 } Disjunctive vribles: d q 2,q 3 is stisfible if nd only if there is some trnsition from q 3 to some q 4 which closes the dimond nd is -confluent: δ(d q 2,q 3 ) δ(d q 2,q 3 ) df = {c q3,q 4 q 2 q4, q 3 q4 } df = {c q3,q 4 q 2 q4, q 3 q4 } {c q3,q 2 q 3 q2 } Note tht in the cse of =, the dimond my be closed s tringle (see the figures depicting how -confluence digrms cn be closed in Section 3.1.) Proposition 5 (Soundness nd Completeness of the Trnsltion) Given vlid interprettion I of trnslted Lts S, {q 1 q2 c q1,q 2 I} is -confluent set (soundness), nd for ny -confluent set T, there is vlid interprettion I such tht I V c = {c q1,q 2 q 1 q2 T } (completeness). Proof: See Appendix A. Theorem 1 then follows from this proposition: Theorem 1 Clculting the gretest fixed point of the Bes obtined by trnslting n Lts gives the mximl -confluent set. Proof: See Appendix A. INRIA

11 Clculting -Confluence Compositionlly Complexity Consider vribles V c. We hve m (the number of trnsitions) such vribles. Furthermore, the definition set of ech vrible is bounded bove by fnout fnout (fnout is the mximum number of successors of stte in the Lts, fnout is the mximum number of -successors). Now consider the disjunctive vribles V d. We hve m fnout such vribles (for ech trnsition, we hve n entry for ech other trnsition which cn be tken from the source node). The definition sets of these vribles never exceeds fnout entries. Recll tht Bes cn be solved in time proportionl to the number of vribles plus the size of the definition sets. The complexity of resolving -confluence using our lgorithm is thus O(m fnout fnout ). This compres fvorbly with the lgorithm given in [11] which hs complexity O(m fnout 3 ). However, this is pessimistic view of the complexity. Due to the regulr nture of the equtions (conjunctions of disjunctions), nd the fct tht we lso know tht the disjunctive vribles re never reused ( disjunctive vrible is revisited only through conjunctive one), we cn hone the lgorithm to work more efficiently (for exmple, by not cching disjunctive vribles). 5 Composition Expressions We introduce in this section the notion of composition expression, used in the reminder of the pper. The composition expressions considered here re built upon Lotos [13] prllel composition nd hiding opertors. Definition 8 (Composition Expression) Composition expressions, noted E, E, E 0,..., re defined s follows: E ::= Lts hide G in E 0 E 1 [G] E 2 The bsic building blocks re Ltss, together with the hiding opertor (renmes ny lbel in the ction set G to ) nd synchronous composition (ctions in G re synchronized, the rest must hppen independently). One cn dd other opertors to this fmily, but these usully suffice for decomposed view of system. For the ske of brevity, in contexts where we spek of expressions, unless otherwise stted, the Lts generted by expression E will be Q, Act,, q 0, nd tht of expression E i will be Q i, Act i, i, q 0,i. A composition expression describes the wy fmily of Ltss communicte together, but cn be seen itself s n Lts. Definition 9 (Composition Expression Semntics) The Lts resulting of the composition expression (hide G in E 0 ) is Q, Act,, q 0 where is the smllest reltion generted by the following structured opertionl semntics rules: RR n 4918

12 10 G. Pce, F. Lng, R. Mteescu q 1 0 q 1, / G q 1 0 q 1, G q 1 q 1 q 1 q 1 The Lts resulting of (E 1 [G] E 2 ) is Q 1 Q 2, Act 1 Act 2,, (q 0,1, q 0,2 ) where is the smllest reltion generted by the following structured opertionl semntics rules: q 1 1 q 1, / G (q 1, q 2 ) (q 1, q 2 ) q 2 2 q 2, / G (q 1, q 2 ) (q 1, q 2) q 1 1 q 1, q 2 2 q 2, G (q 1, q 2 ) (q 1, q 2) Definition 10 (Subterm) The subterm reltion over composition expressions is defined to be the reflexive, trnsitive closure of the smllest reltion 1 stisfying: E 1 hide G in E, E 1 E [G] E, E 1 E [G] E We sy tht trnsition q q of E is immeditely generted from trnsition q q 1 of E 1 (E 1 1 E) if the derivtion of the former trnsition using the opertionl semntic rules requires the use of the ltter. Thus, for exmple, q 1 q2 in (hide in E) is immeditely generted from q 1 q2 in E. We re minly interested in the trnsitive closure of this reltion: E2 E (where E 1 E 2 ), which reltes trnsitions in 2 (of E 2 ) with the trnsitions in 1 (of E 1 ) contributing to their genertion. For this definition to mke sense, we will mke the simplifying ssumption tht n expression will not contin common subexpressions (ll the lef Ltss re different). This is done to simplify the presenttion but cn be esily remedied either by tgging different lef nodes (different tg for every lef) or by resoning in terms of expression contexts. = E1 E 3 The decomposition lw sttes tht if E 1 E 2 E 3 then E2 E 3 E1 E 2 the reltion composition of r nd s). Similrly, we cn tlk bout trnsition generting nother, written t E1 we sy tht t is genertor of t. E1 E 2 is simply the inverse of E1 E 2. We define reltion ppliction s usul: R(X) df = {y x X. x R y}. (where r s is E 2 t. In this cse, Definition 11 (Hidden Above, Synchronized Above, Eventully ) Given composition expression E, the ctions hidden bove, nd synchronized bove subexpression E 1 re defined s: df Hidden E (E 1 ) = {G hide G in E 2 E, E 1 E 2 } Synchronized E (E 1 ) df = {G E 2 [G] E 3 E, E 1 E 2 E 1 E 3 } Given E 1 E, we define Tu E (E 1 ) to be the set of lbels such tht trnsitions in E 1 whose lbel ppers in Tu E (E 1 ) re gurnteed to be trnsformed into trnsitions in E: Tu E (E 1 ) df = Hidden E (E 1 ) \ Synchronized E (E 1 ) Proposition 6 Given E 1 E, every trnsition lbeled by Tu E (E 1 ) genertes t lest one trnsition, nd nothing but trnsitions: INRIA

13 Clculting -Confluence Compositionlly 11 ( t TuE(E1) ) E E 1 (t) E E 1 (t) {} Proof: The proof follows from structurl induction with the inductive hypothesis tht in expression E 2 (E 1 E 2 E), non-empty set of {} Tu E (E 1 ) trnsitions genertes non-empty set of {} Tu E (E 2 ) trnsitions. Furthermore, since by definition, Tu E (E) =, the conclusion follows. We will write the expression obtined by replcing in E the occurrence of sub-expression E 2 by E 1 s E[E 1 /E 2 ]. Proposition 7 Brnching bisimilrity is preserved in composition expressions: If E 1 E nd E 1 b E 2 then E b E[E 2 /E 1 ]. Proposition 8 Actions in Tu E (E 1 ) cn be hidden immeditely in E 1. Given E 1 E nd G Tu E (E 1 ): E[hide G in E 1 /E 1 ] b E. Consider trnsition in lef Lts, which is not confluent. Just by looking t the lef in question, we cn sometimes deduce tht the trnsition cn never become confluent. Trnsitions bout which we cnnot gurntee this will be clled potentil -confluent trnsitions. We identify set of trnsitions which we will lter prove tht ll trnsitions generted higher up in the expression tree will be generted by trnsitions in this set. The intuition is the following: trnsition is potentilly confluent if (i) either it is lredy invisible, or its ction will be hidden higher up in the expression tree, (ii) hidden, it stisfies the -confluence conditions on ll other outgoing trnsitions except (iii) it my not stisfy the -confluence conditions with respect to trnsitions which my lter dispper (synchronized bove). Definition 12 Given E 1 E, P 1 G 1 (where G = Hidden E (E 1 ) {}) is sid to be po- b tentil -confluence set if, for ll q 1 1 q 2 P 1 nd q 1 1 q 3 with b / Synchronized E (E 1 ),?? b? then either q 3 1 q 2 P 1 or there exists q 4 such tht q 3 1 q 4 P 1 nd q 2 1 q 4. q? q is defined s q q ( G G. q q ). Proposition 9 The union of ll potentil -confluence sets of E 1 with respect to E (where E 1 E) is itself potentil -confluence set. We cll this the mximl potentil - confluence set nd write it s P E (E 1 ). Proposition 10 If T is -confluent set of E 1 (where E 1 -confluence set of E 1 with respect to E. E), T is lso potentil Proof: Consider q 1 q2 T. Since it is -confluent trnsition, for ny q 1 q3, there exists q 4 such tht q 2 q4 nd q 3 q4 T. Consider the different cses for nd : (i) RR n 4918

14 12 G. Pce, F. Lng, R. Mteescu =, q 2 = q 4, q 3 = q 4 (ii) =, q 2 = q 4, q 3 q2 T (iii) q 2 q4, q 3 = q 4 (iv) q 2 q4, q 3 q4 T. These stisfy the property required of potentil -confluence. T is thus potentil -confluence set. Proposition 11 If E 1 E, then T(E 1 ) P E (E 1 ). Proof: The proof follows immeditely from Propositions 2, 9 nd Clculting -Confluence in Composition Expressions We now give number of results to deduce -confluence in composition expressions without pplying the lgorithm on the top-level Lts, which cn be very lrge. 6.1 Discovering -confluence in composition expressions The bsic result we will pply to reduce composition expressions, is tht -confluent trnsitions cn only generte -confluent trnsitions. This cn be very useful, especilly if the lef Ltss re reduced using -prioritiztion, where in the resultnt Lts, the -confluent trnsitions become the only trnsitions leving stte, mking them trivilly recognizble s -confluent ones. Theorem 2 If T 1 is -confluent trnsition set of E 1 (E 1 E) then E E 1 (T 1 ), the set of trnsitions of E generted from T 1, is -confluent trnsition set of E. Proof: See Appendix A. Theorem 2 together with the reduction techniques given in Section 3 provides us with two pproches to reduce n Lts in compositionl mnner. One wy is to clculte nd lbel confluent trnsitions in the leves, nd use this informtion to deduce confluence set in the top level Lts nd perform reduction on-the-fly s the top level Lts is generted (using either -prioritiztion or ny other technique). Another pproch is to reduce the leves using mximl -prioritiztion (leving only one confluent outgoing trnsition, when one is vilble), thus mking sure tht s the top level Lts is generted, confluent trnsitions in the leves re esily recognizble (unique trnsitions leving stte) nd use this informtion to generte the reduced Lts. The ltter hs the dvntge tht confluence informtion needs not be stored. INRIA

15 Clculting -Confluence Compositionlly Doing more thn trnsitions One wy in which new -confluence cn mnifest itself is vi new trnsitions ppering from the hide opertor. In generl, we cnnot just tret trnsitions which re eventully hidden s invisible trnsitions, becuse if they re synchronized before being hidden, they my dispper due to the other brnch not complementing the required trnsition. In the cse of hidden trnsitions which re not synchronized, we cn either push the hide opertor into the expression to generte trnsitions s erly s possible, or tret them s invisible trnsitions (despite the fct tht they re not trnsitions). The second solution is preferble, since it does not destroy the structure of the expression s given by the user, nd voids dding new expression nodes, resulting in slower nlysis. The following result justifies their tretment nlogous to trnsitions. Theorem 3 Given E 1 E nd T 1 TuE(E1) 1 which stisfies the confluence conditions if replced by trnsitions, nd E 2, -prioritiztion of E 1 with respect to T 1, then E[E 2 /E 1 ] b E. Proof: See Appendix A. 6.3 Some trnsitions re not worth the bother Finlly, we cn not only identify trnsitions which re, nd will remin confluent, but lso ones which cn under no circumstnces become confluent. Since within composition expressions we cn only prtilly identify -confluent trnsitions, we my wnt to pply the -confluence lgorithm t the top-most level once gin. If certin trnsitions cn be identified s certinly not being -confluent during the expression tree trversl, we cn pply the -confluence detection lgorithm on smller set of trnsitions. Theorem 4 below llows us to do precisely this by using the notion of potentil -confluence. Lemm 1 If P 2 is potentil -confluent set of E 2 with respect to E (E 1 E 2 E) then E2 E 1 (P 2 ) is potentil -confluent set of E 1 with respect to E. Proof: See Appendix A. Lemm 2 If E 1 E 2 E, then P E (E 2 ) E E 1 (P E (E 1 )) Proof: See Appendix A. Theorem 4 Some trnsitions need never be checked for confluence. If E 1 E: T(E) ( 1 \ E E 1 (P E (E 1 ))) = RR n 4918

16 14 G. Pce, F. Lng, R. Mteescu Proof: From Lemm 2 nd Proposition 10 we cn now conclude tht: T(E) E E 1 (P E (E 1 )) from which the theorem directly follows. Thus, by identifying nd mrking the complement of the mximl potentil -confluent set in the lef nodes, we cn mrk trnsitions which they generte t higher levels in the expression tree. Using this theorem, we re gurnteed tht these trnsitions re not confluent, nd we cn thus reduce the computtion required to identify -confluent set of the Lts generted by the whole composition expression. 7 Tools nd Applictions We hve implemented the techniques described within the Cdp toolkit [7] 1 in the Open/Cæsr environment [5]. A collection of front-ends enble the compiltion of source lnguges into C code, which includes function to ccess the Lts described by the system, explored on-the-fly by the verifiction bck-ends. Exp.Open is front-end for composition expressions, while Cæsr.Open is front-end for the Lotos lnguge nd Genertor is bck-end tht explicitly genertes the rechble stte spce of system. A vrint of Genertor, nmed -Confluence, detects nd prioritizes -confluent trnsitions on-the-fly, using Boolen Eqution Systems. Exp.Open hs been extended to enble -confluence detection (brnching option), by tking n ccount of the composition expression s stted in Theorems 2 nd 3. More precisely, in globl Lts of composition expression E, Exp.Open prioritizes the trnsitions tht were detected s -confluent in the components of E. Additionlly, some loclly visible trnsitions re lso prioritized, knowing tht they will led to -confluent trnsitions in the globl Lts of E. Exp.Open flttens the composition expression into tuple of Ltss nd set of so-clled synchroniztion vectors. If n is the size of the Lts tuple, ech synchroniztion vector is tuple of size n + 1, whose elements re either lbels or specil null vlue. The first n elements represent lbels of trnsitions tht must be fireble from the corresponding Lts current stte components (none if element is null), wheres the lst element (which must not be null) is the lbel of the resulting trnsition in the produced Lts. Working globlly on the expression lso llows us to identify certin loclly confluent trnsitions which do not fll under the frmework proposed in this report. Exp.Open lso clcultes trnsitive closures of -confluent trnsitions (to void entering circuits of -confluent trnsitions), nd hence compresses successive -confluent trnsitions into single, prioritized one. These tools hve been used to generte the stte spce of the rel/rel protocol previously studied in [4, 14]. The rel/rel protocol is n tomic multicst protocol between trnsmitter nd severl receivers. This protocol is relible in the sense tht it llows rbitrry filures of the sttions involved in the communiction. The protocol gurntees the following 1 INRIA

17 Clculting -Confluence Compositionlly 15 two properties: (1) when messge M is sent by the trnsmitter, either every functioning sttion correctly receives M, or M is not received by ny of the sttions, nd (2) messges re received in the sme order s they re sent. Two underlying ssumptions re needed to gurntee correctness: tht crshed sttions stop sending nd receiving messges, nd tht functioning sttions cn lwys communicte with ech other. The overll compositionl structure of the system with two receivers is given by the following composition expression: hide R T1, R T2, R1, R2, DEPOSE1, DEPOSE2 in CRASH TRANSMITTER {R T1, R T2} ( (RECEIVER THREAD1 {R T1, R1, R2, GET, CRASH, DEPOSE1} FAIL RECEIVER1) {R1, R2} (RECEIVER THREAD2 {R T2, R1, R2, GET, CRASH, DEPOSE2} FAIL RECEIVER2) ) The composition of Ltss RECEIVER THREADn nd FAIL RECEIVERn (n = 1, 2) defines the behviour of receiver n, including the possibility of crsh. The Lts CRASH TRANSMITTER describes the behviour of the trnsmitter. These Ltss re generted from Lotos description of the system, detiled in [4]. In our experiments, performed using Svl scripts [6], we hve compred two stte-spce genertion pproches for the rel/rel protocol: Norml genertion: the lef Ltss nd the composition expression re generted normlly, without optimiztion (using respectively the Cæsr.Open/Genertor nd Exp.Open/Genertor tools). -prioritized genertion: the lef Ltss re generted using the Cæsr.Open/- Confluence tools nd the composition expression is generted using Exp.Open with brnching option, together with Genertor. Experiment results re displyed in Tbles 1 nd 2. From these results, -prioritiztion techniques on composition expressions seem very promising. Vrious resons contribute to the success of -prioritiztion. Although both FAIL RECEIVERs re purely sequentil, RECEIVER THREADs nd CRASH TRANSMITTER use prllel composition of processes performing silent trnsitions. This genertes mny -confluent trnsitions, which re detected by the -confluence tool. Also, s consequence of successful -prioritiztion in three of the five leves of the composition expression, Exp.Open voids the cretion of new -confluent dimonds. Additionlly, lot of trnsitions present in leves re hidden t the top-level of the composition expression, some of which re confluent. Note tht pplying -prioritiztion t the top-level gives no further reduction showing tht we hve identified the mximl -confluent set. To see wht gin cn be obtined on exmples less dpted with respect to these observtions, we hve pplied the -confluence technique to systems with purely sequentil lef components. We hve chosen exmples from the Cdp distribution: two versions of the Alternting Bit Protocol nd five versions of Distributed Leder Election Protocol [8]. Tble 3 shows the results. Note tht in this cse, compring execution times is irrelevnt, since -prioritiztion of sequentil components is known to be useless. It is very encourging RR n 4918

18 16 G. Pce, F. Lng, R. Mteescu Norml -prioritized Difference % sttes trns. sttes trns. sttes trns. CRASH TRANSMITTER % 22% RECEIVER THREADn % 31% FAIL RECEIVERn % 0% Tble 1: Lef Lts sizes using norml nd -prioritized genertion. Norml -prioritized Difference % Number of sttes % Number of trnsitions % Exp.Open execution time % Exp.Open memory consumption (Kb) % Svl execution time % Tble 2: Cost of norml nd -prioritized composition expression genertion. Exp.Open Stte Spce Difference % time memory sttes trns Alternting Bit(1) 9% 0% 4% 25% Alternting Bit(2) 4% 0% 6% 27% Distributed Leder Election(1) 57% 3% 11% 24% Distributed Leder Election(2) 21% 0% 12% 23% Distributed Leder Election(3) 88% 5% 5% 11% Distributed Leder Election(4) 90% 1% 0% 8% Distributed Leder Election(5) 102% 1% 0% 0% Tble 3: Difference rtios for severl cse studies to note tht in ll experiments, the overhed in memory consumption is negligible, since memory more thn time is usully the bottleneck in verifiction. 8 Conclusions -confluence cn be n effective technique to reduce trnsition systems with respect to brnching bisimultion t resonble cost. When treting lrge systems, minimiztion cn be fr too costly, but -confluence bsed reduction my yield sufficiently smller systems, menble to minimiztion. However, even -confluence set deduction comes t price, nd one usully hs to settle for techniques which prtilly recognize -confluence, but my still be effective in prctice. INRIA

19 Clculting -Confluence Compositionlly 17 We propose to use composition expressions to help identify independent trnsitions resulting in -confluence t negligible cost. The leves of the composition expression need to be nlyzed using trditionl methods, which is usully possible, since one rrely finds huge components t this level. A heuristic pproch is used to identify necessrily confluent nd non-confluent trnsitions t low cost. One nturl question rising from this work is whether we cn do better by enriching the set of composition opertors. In the Cdp toolset, the leves of the composition expressions re Lotos specifictions which themselves use the opertors in the composition expressions together with others such s sequentil composition nd disbling. In this report we concentrte on results for strong confluence, minly becuse we hve no efficient wy of recognizing wek confluence t the lef nodes. However, it would be useful to extend these results, especilly since certin lef nodes my be smll enough to clculte lrger sets of more wekly confluent trnsitions. Overll, we believe tht composition structure informtion cn, in vrious contexts, be used to improve existing lgorithms. In this report, we hve presented one such ppliction, where we improve on Lts genertion, nd -confluence reduction using this informtion. References [1] H.R. Andersen. Model Checking nd Boolen Grphs. Theoreticl Computer Science, 126(1):3 30, [2] S.C.C. Blom. Prtil -Confluence for Efficient Stte Spce Genertion. Technicl Report SEN R0123, Centrum voor Wiskunde en Informtic, [3] Stefn Blom nd Jco vn de Pol. Stte Spce Reduction by Proving Confluence. In Computer Aided Verifiction 2002, volume 2404 of Lecture Notes in Computer Science, [4] Jen-Clude Fernndez, Hubert Grvel, Lurent Mounier, Anne Rsse, Crlos Rodríguez, nd Joseph Sifkis. A Toolbox for the Verifiction of LOTOS Progrms. In Lori A. Clrke, editor, Proceedings of the 14th Interntionl Conference on Softwre Engineering ICSE 14 (Melbourne, Austrli), pges ACM, My [5] Hubert Grvel. OPEN/CÆSAR: An Open Softwre Architecture for Verifiction, Simultion, nd Testing. In Bernhrd Steffen, editor, Proceedings of the First Interntionl Conference on Tools nd Algorithms for the Construction nd Anlysis of Systems TACAS 98 (Lisbon, Portugl), volume 1384 of Lecture Notes in Computer Science, pges 68 84, Berlin, Mrch Springer Verlg. Full version vilble s INRIA Reserch Report RR [6] Hubert Grvel nd Frédéric Lng. SVL: Scripting Lnguge for Compositionl Verifiction. In Myungchul Kim, Byoungmoon Chin, Sungwon Kng, nd Dnhyung Lee, editors, Proceedings of the 21st IFIP WG 6.1 Interntionl Conference on Forml RR n 4918

20 18 G. Pce, F. Lng, R. Mteescu Techniques for Networked nd Distributed Systems FORTE 2001 (Cheju Islnd, Kore), pges IFIP, Kluwer Acdemic Publishers, August Full version vilble s INRIA Reserch Report RR [7] Hubert Grvel, Frédéric Lng, nd Rdu Mteescu. An Overview of CADP Europen Assocition for Softwre Science nd Technology (EASST) Newsletter, 4:13 24, August Also vilble s INRIA Technicl Report RT-0254 (December 2001). [8] Hubert Grvel nd Lurent Mounier. Specifiction nd Verifiction of Vrious Distributed Leder Election Algorithms for Unidirectionl Ring Networks. Science of Computer Progrmming, 29(1 2): , July Specil issue on Industrilly Relevnt Applictions of Forml Anlysis Techniques. Full version vilble s INRIA Reserch Report RR [9] S. Grf, B. Steffen, nd G. Lüttgen. Compositionl Minimiztion of Finite Stte Systems using Interfce Specifictions. Forml Aspects of Computtion, 8(5): , September [10] Susnne Grf nd Bernhrd Steffen. Compositionl Minimiztion of Finite Stte Systems. In R. P. Kurshn nd E. M. Clrke, editors, Proceedings of the 2nd Workshop on Computer-Aided Verifiction (Rutgers, New Jersey, USA), volume 531 of Lecture Notes in Computer Science, pges Springer Verlg, June [11] J.F. Groote nd J. vn de Pol. Stte Spce Reduction using Prtil -Confluence. In Mogens Nielsen nd Brnislv Rovn, editors, Proceedings of the 25th Interntionl Symposium on Mthemticl Foundtions of Computer Science MFCS 2000 (Brtislv, Slovki), volume 1893 of Lecture Notes in Computer Science, pges , Berlin, August Springer Verlg. Also vilble s CWI Technicl Report SEN-R0008, Amsterdm, Mrch [12] J.F. Groote nd M.P.A. Sellink. Confluence for process verifiction. Theoreticl Computer Science, 170(1 2):47 81, December [13] ISO/IEC. LOTOS A Forml Description Technique Bsed on the Temporl Ordering of Observtionl Behviour. Interntionl Stndrd 8807, Interntionl Orgniztion for Stndrdiztion Informtion Processing Systems Open Systems Interconnection, Genève, September [14] Jen-Pierre Krimm nd Lurent Mounier. Compositionl Stte Spce Genertion from LOTOS Progrms. In Ed Brinksm, editor, Proceedings of TACAS 97 Tools nd Algorithms for the Construction nd Anlysis of Systems (University of Twente, Enschede, The Netherlnds), volume 1217 of Lecture Notes in Computer Science, Berlin, April Springer Verlg. Extended version with proofs vilble s Reserch Report VERIMAG RR INRIA

21 Clculting -Confluence Compositionlly 19 [15] Rdu Mteescu. A Generic On-the-Fly Solver for Alterntion-Free Boolen Eqution Systems. In John Htcliff nd Hubert Grvel, editors, Proceedings of the 9th Interntionl Conference on Tools nd Algorithms for the Construction nd Anlysis of Systems TACAS 2003 (Wrsw, Polnd), volume 2619 of Lecture Notes in Computer Science, pges Springer Verlg, April Full version vilble s INRIA Reserch Report RR [16] Rtn Nlumsu nd Gnesh Goplkrishnn. An Efficient Prtil Order Reduction Algorithm with n Alterntive Proviso Implementtion. Forml Methods in System Design, 20(3), My [17] D.A. Peled, V.R. Prtt, nd G.J. Holzmnn, editors. Prtil Order Methods in Verifiction, volume 29 of DIMACS Series in Discrete Mthemtics nd Theoreticl Computer Science. Americn Mthemticl Society, [18] Y.S. Rmkrishn nd S.A. Smolk. Prtil-Order Reduction in the Wek Modl Mu- Clculus. In A. Mzurkiewicz nd J. Winkowski, editors, Proceedings of the 8th Interntionl Conference on Concurrency Theory CONCUR 97, volume 1243 of Lecture Notes in Computer Science, pges Springer Verlg, [19] Andrew W. Roscoe, Poul H.B. Grdiner, Michel H. Goldsmith, Json R. Hulnce, Dvid M. Jckson, nd J. Bryn Scttergood. Hierrchicl compression for modelchecking CSP or how to check dining philosophers for dedlock. In Tools nd Algorithms for the Construction nd Anlysis of Systems (TACAS), [20] A. Vlmri. Stubborn Set Methods for Process Algebrs. In Workshop on Prtil Order Methods in Verifiction, volume 29 of DIMACS Series in Discrete Mthemtics nd Theoreticl Computer Science. Americn Mthemticl Society, [21] Rob J. vn Glbbeek nd W. Peter Weijlnd. Brnching Time nd Abstrction in Bisimultion Semntics. Journl of the ACM, 43(3): , My [22] Mingsheng Ying. Wek confluence nd -inertness. Theoreticl Computer Science, 238(1 2): , My RR n 4918

22 20 G. Pce, F. Lng, R. Mteescu A Proofs of theorems Proposition 5 The trnsltion is sound nd complete: Given vlid interprettion I of trnslted Lts S, {q 1 q2 c q1,q 2 I} is -confluent set (soundness), nd for ny -confluent set T, there is vlid interprettion I such tht I V c = {c q1,q 2 q 1 q2 T } (completeness). Proof: The soundness proof follows directly from the definition of -confluence nd the dditionl interprettion tht d q 2,q 3 is in I if q 1 q2 is confluent with respect to the trnsition q 1 q3. For the completeness proof, we note tht the rest of the interprettion cn be constructed by dding: {d q 2,q 3 q 1 q2, q 1 q3, q 4. q 2 q4, q 3 q4 T } Agin flling bck to the definition of -confluence nd the interprettion of the vribles, the confluence of the given set gurntees the solution. Theorem 2 If E 1 E nd T 1 is -confluent trnsition set of E 1, then E E 1 (T 1 ) form -confluent trnsition set of E. Proof: We prove tht -confluent trnsitions remin -confluent through the hiding nd synchroniztion opertors. The result then follows by structurl induction. Hiding: Consider E = hide G in E 1, nd T 1, set of -confluent trnsitions of E 1. We will prove tht the set of trnsitions T, generted by T 1 is -confluent trnsition set of E. Consider q 1 q2 T. This cn only be generted by trnsition q 1 1 q 2 which is thus in T 1. Consider trnsition q 1 q3 in E. This is generted from q 1 1 q 3 in E 1 (where either / G nd = or G nd = ). In either cse, from the confluence of q 1 1 q 2, we cn deduce tht there exist q 4 with q 2 1 q 4 nd q 3 1 q 4 T 1. These generte the trnsitions q 2 q4 nd q 3 q4 T. Hence, T stisfies the -confluence conditions. Synchronous composition: Consider E = E 1 [G] E 2, nd T 1, set of -confluent trnsitions of E 1. We will prove tht the set of trnsitions T generted by T 1 is -confluent trnsition set of E. Consider trnsition in T, (q 1, r 1 ) (q 2, r 1 ), generted from q 1 1 q 2 T 1. Now consider trnsition (q 1, r 1 ) (q 3, r 3 ). From the opertionl semntic rules, this cn be generted from one of three scenrios: (i) / G, q 1 1 q 3, r 1 = r 3, (ii) / G, r 1 2 r 3, q 1 = q 3 or (iii) G, q 1 1 q 3, r 1 2 r 3. INRIA

23 Clculting -Confluence Compositionlly 21 Cse (i), is strightforwrd. Since q 1 1 q 2 is -confluent, there exists q 4 such tht q 2 1 q 4 nd q 3 1 q 4, which generte (q 2, r 1 ) (q 4, r 1 ) nd (q 2, r 1 ) (q 4, r 1 ). Furthermore, the ltter is in T. Cse (ii), when the second component cts independently is lso strightforwrd. From the semntic rules nd / G, the trnsitions (q 2, r 1 ) (q 2, r 3 ) nd (q 1, r 3 ) (q 2, r 3 ) exist in E. Furthermore, the ltter is in T. This completes cse (ii). Finlly, cse (iii), note tht q 1 1 q 3 is trnsition of E 1. Since q 1 1 q 2 is - confluent, there exists q 4 such tht q 2 1 q 4 ( G mens tht = ) nd q 3 1 q 4, which generte (q 2, r 1 ) (q 4, r 3 ) nd (q 3, r 3 ) (q 4, r 3 ). Furthermore, the ltter is in T. Hence, in ll cses, we cn close the -confluence dimond conditions. The cse nlysis for E 2 is symmetric. By structurl induction, the proof is complete. Theorem 3 Given E 1 E nd T 1 TuE(E1) 1 which stisfies the confluence conditions if replced by trnsitions, nd E 2 the -prioritiztion of E 1 with respect to T 1, then E[E 2 /E 1 ] b E. Proof: The result is bsed on the fct tht: hide Tu E (E 1 ) in E 1 b hide Tu E (E 1 ) in E 2 This cn be proven by showing tht the trnsitions generted by T 1 form -confluent set in hide Tu E (E 1 ) in E 1 nd tht hide Tu E (E 1 ) in E 2 is -prioritiztion of hide Tu E (E 1 ) in E 1 with respect to the trnsitions generted by T 1. The result then follows from Propositions 7 nd 8: E b using Proposition 8 E[hide Tu E (E 1 ) in E 1 /E 1 ] b using Proposition 7 E[hide Tu E (E 1 ) in E 2 /E 1 ] b using Proposition 8 nd the fct tht Tu E (E 1 ) = Tu E[E2/E 1](E 2 ) E[E 2 /E 1 ] Lemm 1 If E 1 E 2 E nd P 2 is potentil -confluent set of E 2 with respect to E, then E2 E 1 (P 2 ) is potentil -confluent set of E 1 with respect to E. Proof: We prove this by structurl induction. If we cn prove the three cses: (i) E 2 = hide G in E 1 (ii) E 2 = E 1 [G] E 3 nd (iii) E 2 = E 3 [G] E 1, the proof then follows from the decomposition rule. RR n 4918

24 22 G. Pce, F. Lng, R. Mteescu The proofs of these three cses follow through uninspiring cse nlysis. Here we will give n outline of cse (ii). The others follow very similrly. Let us cll P 1 = E1 [G] E3 E 1 (P 2 ). We thus wnt to prove tht P 1 is potentil -confluent set of E 1 with respect to E. We first note the following property: If (q, r)? 2 (q, r ) P 2, nd Hidden E (E 2 ) {}, then q? 1 q P 1. Note tht Hidden E (E 2 ) implies tht Hidden E (E 1 ). Now, either r does the? trnsition synchronously, or q prticiptes. In the first cse, q = q, nd thus, since Hidden E (E 2 ), it trivilly follows tht q? 1 q P 1. In the second cse, it follows tht q? 1 q which is genertor of (q, r)? 2 (q, r ) P 2, nd thus in P 1. With this result in hnd, we cn strt the min proof. Consider (q 1, r 1 ) 2 (q 2, r 2 ) P 2. By definition of genertorsof nd syncgenleftof, n element of the whole expression bove is in: {q 1 q2 (q 1, r 1 ) (q 2, r 1 ) P 2, q 1 1 q 2, / G, r 1 Q 3 } {q 1 q2 (q 1, r 1 ) (q 2, r 2 ) P 2, q 1 1 q 2, r 1 3 r 2, G} The proof now proceeds by cse nlysis over the two possibilities: Asynchronous trnsition: q 1 1 q 2, / G, (q 1, r 1 ) (q 2, r 1 ) P 2, r 1 Q 3. Since n trnsition ppers in P 2, Hidden E (E 2 ) {} nd thus, Hidden E (E 1 ) {}. We now require to prove tht q 1 1 q 2 is potentil -confluent trnsition. Consider b trnsition q 1 1 q 3, b / Synchronized E (E 1 ). Since b / Synchronized E (E 1 ) it follows tht b / G, nd thus (q 1, r 1 ) b 2 (q 3, r 1 ). Since (q 1, r 1 ) 2 (q 2, r 1 ) is in the potentil -confluence set P 2, it follows from the definition tht either (i) (q 3, r 1 )? 2 (q 2, r 1 ) P 2 or (ii) there exists (q 4, r 4 ) such tht (q 2, r 1 ) b? 2 (q 4, r 4 ) nd (q 3, r 1 )? 2 (q 4, r 4 ) P 2. Cse (i) is esy, since it follows from q 3? 1 q 2 P 1, proved bove. Consider cse (ii). Agin we note tht q 3? 1 q 4 P 1. Now, looking t (q 2, r 1 ) b? b? 2 (q 4, r 4 ), nd noting tht b / G, either q 2 1 q 4, which? stisfies the second property of potentil -confluence, or q 2 = q 4 (nd thus q 3 s 1q 2 ), which closes the digrm s desired. In ll the cses, it follows tht q 1 b 1 q 3 does not brek potentil -confluence of q 1 1 q 2. Synchronized trnsition: q 1 1 q 2, r 1 3 r 2, G, (q 1, r 1 ) (q 2, r 2 ) P 2. INRIA

25 Clculting -Confluence Compositionlly 23 As before, it follows from (q 1, r 1 ) (q 2, r 2 ) P 2 tht Hidden E (E 2 ) {} nd thus, Hidden E (E 1 ) {}. We now require to prove tht q 1 1 q 2 is potentil -confluent trnsition. Consider b trnsition q 1 1 q 3, b / Synchronized E (E 1 ). Since b / Synchronized E (E 1 ) it follows tht b / G, nd thus (q 1, r 1 ) b 2 (q 3, r 1 ). Since (q 1, r 1 ) (q 2, r 2 ) P 2, the definition of potentil -confluence tells us tht either (i) (q 3, r 1 )? 2 (q 2, r 2 ) P 2 or (ii) there exists (q 4, r 4 ) such tht (q 2, r 2 ) b? 2 (q 4, r 4 ) nd (q 3, r 1 )? 2 (q 4, r 4 ) P 2. Let us look t cse (i) (q 3, r 1 )? 2 (q 2, r 2 ). By the property we strted by proving,? b q 3 1 q 2 P 1. Hence, q 1 1 q 3 does not brek potentil -confluence. In cse (ii) there exists (q 4, r 4 ) such tht (q 2, r 2 ) b? 2 (q 4, r 4 ) nd (q 3, r 1 )? 2 (q 4, r 4 )? P 2. Agin, it follows tht q 3 1 q 4 P 2. But in (q 2, r 2 ) b? 2 (q 4, r 4 ), either q 2 prticiptes, or not. If it does not, q 2 = q 4, nd? b? thus q 3 1 q 2, stisfying potentil -confluence. If it does prticipte, then q 2 1 q 4, gin stisfying the conditions. Agin, in this cse, q 1 b 1 q 3 does not brek potentil -confluence. As cn be seen from this prt of the proof, it is n esy but uninspiring proof. The two remining cses for the right brnch of synchronized composition nd hiding follow on similr lines, nd re left out. By structurl induction, we cn conclude tht E2 E 1 (P 2 ) is potentil -confluent set of E 1 with respect to E, completing the proof. Lemm 2 If E 1 E 2 E, then P E (E 2 ) E E 1 (P E (E 1 )) Proof: By Lemm 1, nd Proposition 9: E2 E 1 (P E (E 2 )) P E (E 1 ) Using monotonicity of it then follows tht: Which implies tht: E2 E 1 ( E2 E 1 (P E (E 2 ))) E2 E 1 (P E (E 1 )) P E (E 2 ) E2 E 1 (P E (E 1 )) RR n 4918