Component Based Testing with ioco

CTIT Technicl Report TR CTIT 03 34, University of Twente, 2003 Component Bsed Testing with ioco Mchiel vn der Bijl 1, Arend Rensink 1 nd Jn Tretmns 2 1 Softwre Engineering, Deprtment of Computer Science, University of Twente P.O. Box 217, 7500 AE Enschede, The Netherlnds {vdbijl,rensink}@cs.utwente.nl 2 Softwre Technology Reserch Group, University of Nijmegen P.O. Box 9010, 6500 GL Nijmegen, The Netherlnds tretmns@cs.kun.nl Abstrct. Component bsed testing concerns the integrtion of components which hve lredy been tested seprtely. We show tht, with certin restrictions, the ioco-test theory for conformnce testing is suitble for component bsed testing, in the sense tht the integrtion of fully conformnt components is gurnteed to be correct. As consequence, there is no need to re-test the integrted system for conformnce. This result is lso relevnt for testing in context, since it implies tht every filure of system embedded in test context cn be reduced to fult of the system itself. Contents 1 Introduction................................................... 2 2 Forml preliminries........................................... 3 3 Approch..................................................... 6 3.1 Testing scenrio........................................... 6 3.2 Component-bsed testing................................... 7 3.3 Exmple................................................. 8 4 Compositionlity for synchroniztion nd hiding................... 10 4.1 Synchroniztion........................................... 10 4.2 Hiding................................................... 11 5 Demonic completion............................................ 13 6 Conclusions................................................... 17 A Appendix: proofs.............................................. 19 A.1 Proofs of section 4.1 (Congruence properties for synchroniztion) 19 A.2 Proofs of Section 4.2 (Congruence properties for hiding)........ 24 A.3 Proofs of section 5......................................... 33 References....................................................... 43 This reserch ws supported by Ordin Finnce nd by the dutch reserch progrmme PROGRESS under project: TES5417: Atomyste ATOm splitting in embedded systems TEsting.

1 Introduction Testing is n importnt ctivity in ssessing nd controlling the qulity of systems, in prticulr in distributed nd communicting systems. Idelly, tests re developed from specifiction of required behvior, nd subsequently executed, be it mnully or utomticlly. The outcome of the test is nlyzed leding to verdict bout the correctness of the implementtion under test (iut) with respect to its specifiction. Test tools my support this testing process. When forml specifiction of the system is vilble, this opens wys towrd utomtic, specifiction bsed test genertion. For this purpose severl theories of forml testing nd test genertion, with corresponding tools, hve been developed. One of these theories is the so-clled ioco-test theory, which works on the bsis of lbeled trnsition systems [11, 12]. The nme ioco, which stnds for input/output conformnce, refers to the implementtion reltion (i.e., notion of correctness) on which the theory nd the test genertion lgorithm hve been built. A number of tools implement this lgorithm, mong which there re tgv [5], TestGen [6] nd TorX [1]. Two open issues in testing theory in generl, nd the ioco-theory in prticulr, re component bsed testing lso referred to s compositionl testing nd testing in context. For instnce, for the testing theory bsed on Finite-Stte- Mchines (FSM) this issue hs been studied in [9]. Component bsed testing considers integrtion testing of components which hve lredy been tested seprtely. The question is wht cn be concluded from the individul tests of the seprte components, nd wht should be (re)tested on the integrtion or system level. The im is to determine whether the composition of (correct) component implementtions lwys conforms to the composition of their specifictions. In the forml domin, the question is whether the implementtion reltion is pre-congruence for composition of components. Another scenrio, with similr chrcteristics, is testing in context. This refers to the sitution tht tester cnnot directly ccess the interfce of the implementtion under test but there is third system in between, such s network or protocol unit. This intermedite system is clled the test context [7, 8, 10]. The tester cn only indirectly observe nd control the iut vi the test context. This mkes testing weker, in the sense tht there re fewer possibilities for observtion nd control of the iut. With testing in context, the question is wht cn be concluded with respect to conformnce of the iut from testing the composition of iut nd its context: whether fults in the iut cn be detected by testing the composition of iut nd test context, nd whether filure of this composition lwys indictes fult of the iut. This question is the converse of component bsed testing: when testing in context we wish to detect errors in the iut component by testing it in composition with the test context, wheres in component bsed testing we wish to infer correctness of the integrted system from conformnce of the individul components. In the forml domin, both boil down to the question whether the implementtion reltion is pre-congruence for the composition opertors. 2

This pper studies pre-congruence properties of ioco for two opertions on lbeled trnsition systems (prllel composition nd hiding) tht model integrtion of components either different prts of the iut or the iut nd the test context. If ioco is pre-congruence for these opertions, it follows tht correctness of the prts (the components) implies correctness of the whole (the system), or tht fult in the whole (iut nd test context) implies fult in the component (iut). We show tht ioco is pre-congruence in the bsence of implicit underspecifiction. One wy to stisfy this condition is to only llow specifictions which re input enbled. Another wy is to mke the underspecifiction explicit by completion. We show tht, in prticulr, demonic completion is suitble for this purpose. This leds to new implementtion reltion, bptized ioco U, which is slightly weker thn ioco. Overview. The next section reclls some bsic concepts nd definitions bout trnsition systems nd ioco. Section 3 sets the scene nd formlizes the problems of component bsed testing nd testing in context. Section 4 studies the pre-congruence properties of ioco for prllel composition nd hiding. Section 5 discusses underspecifiction, nd pproches to complete specifictions with implicit underspecifiction. Section 6 concludes with some finl remrks nd n ssessment of the results. The proofs of theorems nd propositions used in this pper cn be found in the ppendix. 2 Forml preliminries This section reclls the spects of the theory behind ioco tht re used for this pper; see [11] for more detiled exposition. Lbeled Trnsition Systems. A lbeled trnsition system (LTS) description is defined in terms of sttes nd lbeled trnsitions between sttes, where the lbels indicte wht hppens during the trnsition. Lbels re tken from globl set L. We use specil lbel τ / L to denote n internl ction. For rbitrry L L, we use L τ s shorthnd for L {τ}. We devite from the stndrd definition of lbeled trnsition systems in tht we ssume the lbel set of n LTS to be prtitioned in n input nd n output set. Definition 1. A lbeled trnsition system is 5-tuple Q, I, U, T, q 0 where Q is non-empty countble set of sttes; I L is the countble set of input lbels; U L is the countble set of output lbels, which is disjoint from I; T Q (I U {τ}) Q is set of triples, the trnsition reltion; q 0 Q is the initil stte. We use L s shorthnd for the entire lbel set (L = I U); furthermore, we use Q p, I p etc. to denote the components of n LTS p. We commonly write q λ for 3

(q, λ, ) T. Since the distinction between inputs nd outputs is importnt, we sometimes use question mrk before lbel to denote input nd n exclmtion mrk to denote output.we denote the clss of ll lbeled trnsition systems over I nd U by LTS(I, U). We represent lbeled trnsition system in the stndrd wy, by directed, edge-lbeled grph where nodes represent sttes nd edges represent trnsitions. A stte tht cnnot do n internl ction is clled stble. A stte tht cnnot do n output or internl ction is clled quiescent. We use the symbol δ ( L τ ) s pseudo-lbel to represent quiescence: tht is, p δ p stnds for the bsence of ny trnsition p λ p with λ U τ. For n rbitrry L L τ, we use L δ s shorthnd for L {δ}. An LTS is clled strongly responsive if it lwys eventully enters quiescent stte; in other words, if it does not hve ny infinite U τ -lbeled pths. For technicl resons we restrict LTS(I, U) to strongly responsive trnsition systems. A trce is finite sequence of observble ctions. The set of ll trces over L ( L) is denoted by L, rnged over by, with ɛ denoting the empty sequence. If 1, 2 L, then 1 2 is the conctention of 1 nd 2. We use the stndrd nottion with single nd double rrows for trces: q 1 n q denotes q 1 n, q = ɛ denotes q τ τ nd q ====== 1... n q denotes q = ɛ 1 = ɛ ɛ n = (where i L τδ ). We will not lwys distinguish between lbeled trnsition system nd its initil stte: if p = Q, I, U, T, q 0, then we will identify the process p with its initil stte q 0, nd we write, for exmple, p = q 1 insted of q 0 = q 1. Input-output trnsition systems. An input-output trnsition system (IOTS) is lbeled trnsition system tht is completely specified for input ctions: tht is, ll ctions in I re enbled in ny stte of the trnsition system. Definition 2. An input-output trnsition system p = Q, I, U, T, q 0 is lbeled trnsition system for which ll inputs re enbled in ll sttes: q Q, I : q = The clss of input-output trnsition systems with input ctions in I nd output ctions in U is denoted by IOTS(I, U) ( LTS(I, U)). Composition of lbeled trnsition systems. The integrtion of components cn be modeled lgebriclly by putting the components in prllel while synchronizing nd internlizing their common ctions. In process lgebr, the synchroniztion nd internliztion re typiclly regrded s two seprte opertions; the ltter is commonly clled hiding. Since we hve modeled the components s LTS s, these opertions trnslte to constructions over LTS. Concretely, for two given LTS s p nd q nd given set of ctions V we define The synchroniztion of p nd q, denoted p q. This is defined only if the input nd output ctions of p nd q re distinct (in wy mde precise 4

below). The sttes of the resulting trnsition system re lso denoted p, where p nd re sttes of p nd q, respectively. The hiding in p of the ctions in V, denoted hide V in p. This is defined only if V consists of output ctions of p (see below). The sttes of the resulting trnsition system re lso denoted hide V in p, where p is stte of p. Note tht hiding input ctions does not mke sense. Note tht these constructions re only prtil: there re constrints on the input nd output sets. Moreover, prllel composition my give rise to n LTS tht is not strongly responsive, even if the components re. For the time being, we do not try to nlyze this but implicitly restrict ourselves to cses where the prllel composition is strongly responsive (thus, this is nother source of prtility of the construction). Definition 3. For i = 1, 2 let p i = Q i, I i, U i, T i, p i be trnsition system. If I 1 I 2 = U 1 U 2 = then p 1 p 2 = def Q, I, U, T, p 1 p 2 where Q = {q 1 q 2 q 1 Q 1, q 2 Q 2 }; I = (I 1 \ U 2 ) (I 2 \ U 1 ); U = U 1 U 2. T is the miniml set stisfying the following inference rules (µ L τ ): q 1 µ q 2 µ q 1 µ q 1, µ L 2 q 1 q µ 2 q 1 q 2 q 2, µ L 1 q 1 q µ 2 q 1 q 2 q 1, q µ 2 q 2, µ τ q 1 q µ 2 q 1 q 2 If V U 1, then hide V in p 1 = def Q, I 1, U 1 \ V, T, hide V in p 1 where Q = {hide V in q 1 q 1 Q 1 }; T is the miniml set stisfying the following inference rules (µ L τ ): q 1 µ q 1 µ q 1, µ V hide V in q µ 1 hide V in q 1 q 1, τ µ V hide V in q 1 hide V in q 1 The following proposition sttes tht these constructions yield LTS s, nd IOTS s when pplied to IOTS s. Proposition 4. Let p, q LTS with I p I q = U p U q =, nd let V U p. 1. If p q is strongly responsive then p q LTS((I p \ U q ) (I q \ U p ), U p U q ); moreover, p q IOTS if p, q IOTS. 2. hide V in p LTS(I 1, U 1 \V ); moreover, hide V in p IOTS if p IOTS. Conformnce. The testing scenrio on which ioco is bsed ssumes tht two things re given: An LTS constituting specifiction of required behvior; An implementtion under test. We tret the iut s blck box. In order to reson bout it we ssume it cn be modeled s n IOTS (n iut is n object in the rel world). This ssumption is referred to s the test hypothesis [2, 7]. We wnt to stress tht we do not need to hve this model when testing the iut. We only ssume tht the implementtion could be modeled s n IOTS. 5

Given specifiction s nd n (ssumed) model of the iut i, the reltion i ioco s expresses tht i conforms to s. Whether this holds is decided on the bsis of the suspension trces of s: it must be the cse tht, fter ny such trce, every output ction (nd lso quiescence) tht i is cpble of should be llowed ccording to s. This is formlized by defining p fter (the set of sttes tht cn be reched in p fter the suspension trce ), out(p) (the set of output nd δ-ctions of p) nd Strces(p) (the suspension trces of p). Definition 5. Let p LTS(I, U), let P Q p be set of sttes in p, let i IOTS(I, U), s LTS(I, U) nd let L δ. 1. p fter = def { p p = p } 2. out(p) = def {x U p x } {δ p δ } 3. out(p ) = def { out(p) p P } 4. Strces(p)= def { L δ p = } The following defines the implementtion reltion ioco, modulo function F tht genertes set of testble trces from specifiction. In this definition 2 X denotes the powerset of X, for n rbitrry set X. Definition 6. Given function F : LTS(I, U) 2 L δ, we define iocof IOTS(I, U) LTS(I, U) s follows: i ioco F s F(s) : out(i fter ) out(s fter ) We will use the nottion ioco s the nottion for ioco Strces. For more detils bout ioco we refer to [11]. 3 Approch To clrify our pproch, we briefly recpitulte the testing frmework. We focus on the wy testing is trnslted to forml setting ccording to the ioco-theory. We present the results in this section in the context of compositionl testing. The consequences for testing in context will be discussed in the finl section. We ssume tht implementtions cn be modeled s input-output trnsition systems. Thus, we require implementtions to be input enbled, to reflect the fct tht input ctions cnnot relisticlly be refused. Specifictions re given s generl lbeled trnsition systems (with distinguished input nd output sets), which mens tht they re not necessrily input enbled. This reflects the ide tht specifiction my be prtil: the bsence of n input trnsition from certin stte of the specifiction mens tht the behvior fter this input is unconstrined nything goes. 3.1 Testing scenrio We study systems tht re obtined by integrting independently implemented (nd tested) components, or (in the cse of testing in context) n iut nd its test 6

context. The behvior of such system is described by the prllel composition of the individul trnsition systems. Output ctions of one component tht re in the input lbel set of nother component re synchronized, resulting in single, internl trnsition of the overll system. Actions of component tht re not in the lbel set of nother component re not synchronized, resulting in single observble trnsition of the overll system. I p U p p L pq L qp r r = hide L pq L qp in p q q U q I q Fig. 1. Prllel composition of components with hiding This gives rise to the scenrio depicted in figure 1, which shows the composition of components p nd q, with input nd output lphbets I p nd U p, nd I q nd U q, respectively, such tht I p I q = U p U q =. The sets I p, U p, L pq, L qp, I q, U q re derived from the input/output lphbets s follows: L pq = U p I q : outputs of p tht re synchronized with inputs of q; L qp = U q I p : outputs of q tht re synchronized with inputs of p; I p = I p \ U q : remining (i.e., unsynchronized) inputs of p; U p = U p \ I q : remining (i.e., unsynchronized) outputs of p; I q = I q \ U p : remining (i.e., unsynchronized) inputs of q; U q = U q \ I p : remining (i.e., unsynchronized) outputs of q. Formlly, this type of composition is modeled by prllel composition, s embodied in the opertor, followed by hiding, s embodied in hide V in, where V = L pq L qp is the set of synchronized ctions. An implicit ssumption in this composition scenrio is tht different components my not hve overlpping input or output sets; tht is, no ction cn be n input to two different components or n output from two different components. 3.2 Component-bsed testing We now prphrse the question of component-bsed testing, discussed in the introduction, s follows: Given tht the components p nd q hve been tested to be ioco-correct (ccording to their respective specifictions), my we conclude tht their integrtion is lso ioco-correct (ccording to the integrted specifiction)? If the component specifictions re LTS s, the component implementtions re modeled by IOTS s, nd their integrtion by prllel composition 7

followed by hiding, this boils down to the following questions in our forml frmework (where i k IOTS(I k, U k ) nd s k LTS(I k, U k ) for k = 1, 2, with I 1 I 2 = U 1 U 2 = ): Q1: Given i k ioco s k for k = 1, 2, is it the cse tht i 1 i 2 ioco s 1 s 2? Q2: Given i 1 ioco s 1, is it the cse tht (hide V in i 1 ) ioco (hide V in s 1 ) for rbitrry V U 1? If the nswer to both questions is yes, then we my conclude the following: Corollry 7. If i k IOTS(I k, U k ) nd s k LTS(I k, U k ) for k = 1, 2 with I 1 I 2 = U 1 U 2 = nd V = (I 1 U 2 ) (U 1 I 2 ), then i 1 ioco s 1 i 2 ioco s 2 (hide V in i 1 i 2 ) ioco (hide V in s 1 s 2 ). This is equivlent to sying tht ioco is suitble for component bsed testing. We study the bove congruence questions in the next section. We will show tht the nswer to Q1 nd Q2 in generl is no. Insted, we cn show tht the nswer to Q1 nd Q2 is yes if s 1 nd s 2 re completely specified. 3.3 Exmple 0.50, 1.00 mke coffee mke te coffee, te 0.50, 1.00 s mon error s drk s cof = hide {mke coffee, mke te, error} in s mon s drk i cof = hide {mke coffee, mke te, error} in i mon i drk Fig. 2. Architecture of coffee mchine in components. To illustrte component bsed testing, we use two components of coffee mchine: money component tht hndles the inserted coins nd drink component tht tkes cre of prepring nd pouring the drinks, see Figure 2. The money component ccepts coins of 1 nd of 0.50 s input from the environment. After insertion of 0.50 coin (respectively 1 coin), the money component orders the drink component to mke te (respectively coffee). The drink component interfces with the money component nd the environment. If the money component orders it to mke te (respectively coffee) it outputs te (respectively coffee) to the environment. If nything goes wrong in the drink mking process, the component gives n error signl. 8

The coffee mchine is the prllel composition of the money component nd the drink component, in which the mke coffee commnd, the mke te commnd nd the error signl re hidden. One cn think of the prllel composition s estblishing the connection between the money component nd the drink component, wheres hiding mens tht the communiction between the components is not observble nymore; only communiction with the environment cn be observed.!mke coffee?1.00 s mon?0.50!mke te!coffee?mke coffee?mke te?mke coffee!error s drk?mke?mke coffee te!error!error!te?mke te?mke coffee?mke te?mke coffee?mke te money component specifiction drink component specifiction Fig. 3. Specifiction of money nd drink components s LTS s. Models In Figure 3 we show the behviorl specifiction of the components s LTS s. Note tht the money component is underspecified for the error input lbel nd tht the drink component cnnot recover from n error stte, nd while in the error stte it cnnot produce te or coffee. Figure 4 shows implementtion models of the money component, i mon, nd the drink component, i drk. We hve used trnsitions lbeled with? s n bbrevition for ll the non-specified input ctions from the lphbet of the component. The money component hs input lbel set, I mon = {0.50, 1.00, error}, output lbel set U mon = {mke coffee, mke te, 0.50, 1.00 }; s mon LTS(I mon, U mon ), i mon IOTS(I mon, U mon ). For the drink component I drk = {mke coffee, mke te} nd U drk = {coffee, te, error} re the input nd output lbel sets; s drk LTS(I drk, U drk ), i drk IOTS(I drk, U drk ). In the implementtions of the components we choose to improve upon the specifiction, by dding functionlity. This is possible since, s we hve discussed, the specifiction my in plces be under-specified. The extr functionlity of i mon compred to its specifiction s mon is tht it cn hndle error signls: it rects by returning 1.00. i drk is lso chnged with respect to its specifiction s drk : mking te never produces n error signl. Since implementtions re input 9

enbled, we hve chosen tht ll non specified inputs re ignored, i.e., the system remins in the sme stte. We hve i mon ioco s mon nd i drk ioco s drk. The question now is whether the integrted specifictions nd implementtions, s given by s cof nd i cof in Figure 2, re lso ioco correct. We discuss this in the next section, to illustrte the compositionlity properties discussed there. i mon i drk!mke coffee??1.00?0.50!1.00?error!mke te?!coffee?!error?mke?mke coffee te!te??mke coffee!error?mke te? money component implementtion drink component implementtion? Fig. 4. Implementtion of the money nd drink components s IOTS s. 4 Compositionlity for synchroniztion nd hiding In this section we ddress the questions Q1 nd Q2 formulted bove (Section 3.2), using the coffee mchine exmple to illustrte our results. 4.1 Synchroniztion The property tht we investigte for prllel composition is: if we hve two correct component implementtions ccording to ioco, then the implementtion remins correct fter synchronizing the components. It turns out tht in generl this property does not hold, s we show in the following exmple. Exmple 8. Regrd the LTS s in figure 5. On the left hnd side we show the specifictions nd on the right hnd side the corresponding implementtions. The models hve the following lbel sets: s 1 LTS({x}, ), i 1 IOTS({x}, ), s 2 LTS(, {x}), i 2 IOTS(, {x}). The suspension trces of s 1 re given by δ δ?xδ nd the suspension trces of s 2 re given by {ɛ,!x}!x!xδ. We hve i 1 ioco s 1 nd i 2 ioco s 2. 10

After we tke the prllel composition of the two specifictions we get s 1 s 2, see figure 5 (the corresponding implementtion is i 1 i 2 ). From this specifiction the suspension trces re: {ɛ}!xδ. We see tht out(i 1 i 2 fter!x) = {!x} out(s 1 s 2 fter!x) = {δ}; in other words: i 1 i 2 ioco / s 1 s 2. Anlysis shows tht i 1 ioco s 1, becuse ioco llows underspecifiction of input ctions. However, the semntics of the prllel composition opertor does not tke underspecifiction of input ctions into ccount. Although s 2 cn output second x, it cnnot do so in s 1 s 2, becuse s 1 cnnot input the second x. We sy tht s 1 is underspecified for the second x, becuse lthough n implementtion is llowed to ccept second x s input, the correct behvior fter the second x is not specified. In other words the specifiction is underspecified for the second x s input. It turns out tht if we forbid underspecifiction, i.e., if the specifiction explicitly prescribes for ny possible input wht the llowed responses re, then we do not hve this problem. In fct in tht cse we hve the desired compositionlity property. This property is expressed in the following theorem. For proof see the ppendix. Theorem 9. Let s 1, i 1 IOTS(I 1, U 1 ), s 2, i 2 IOTS(I 2, U 2 ), with I 1 I 2 = U 1 U 2 =. i 1 ioco s 1 i 2 ioco s 2 i 1 i 2 ioco s 1 s 2 Our running exmple (Section 3.3) shows the sme problem illustrted in exmple 8. Although the implementtions of the money component nd the drink component re ioco correct with respect to their specifictions, it turns out tht the prllel composition of i mon nd i drk is not: out(i mon i drk fter?1.00!mke coffee) = {!coffee,!error} out(s mon s drk fter?1.00!mke coffee) = {!coffee} Note tht the internl signls re still visible s output ctions. To turn them into internl ctions is the tsk of the hiding opertor, discussed below. 4.2 Hiding The property tht we investigte for hiding is the following: if we hve correct implementtion ccording to ioco, then the implementtion remins correct f- s 1 s 2 s 1 s 2 i 1 i 2 i 1 i 2?x!x!x?x!x!x!x?x!x!x Fig. 5. Counter exmple to compositionlity for prllel composition; see Exmple 8. 11

ter hiding (some of the) output ctions. It turns out tht, s for synchroniztion, in generl this property does not hold. Exmple 10. Consider the implementtion i nd specifiction s in Figure 6, both with input set {} nd output set {x, y}. {ɛ}?δ!xδ re the suspension trces of s. We see tht i ioco s. After hiding the output ction x, we get the specifiction hide x in s, nd implementtion hide x in i; now the specifiction hs suspension trces?δ δ. We hve out(hide x in i fter ) = {δ, y} out(hide x in s fter ) = {δ}; in other words, (hide x in i) ioco / (hide x in s). s i hide x in s hide x in i?!x???!y!x??? τ?? τ?!y?? Fig. 6. Counter-exmple to compositionlity for hiding; see Exmple 10. An nlysis of the bove exmple shows tht s ws underspecified, in the sense tht it fils to prescribe how n implementtion should behve fter the trce!x?. The proposed implementtion i uses the implementtion freedom by hving n unspecified y-output fter!x?. However, if x becomes unobservble due to hiding, then the trces!x? nd? collpse nd become indistinguishble: in hide x in s nd hide x in i they both msquerde s the trce?. Now hide x in s ppers to specify tht fter?, only quiescence (δ) is llowed; however, hide x in i still hs this unspecified y-output. In other words, hiding cretes confusion bout wht prt of the system is underspecified. It follows tht if we rule out underspecifiction, i.e., we limit ourselves to specifictions tht re IOTS s then this problem disppers. In fct, in tht cse we do hve the desired congruence property. This is stted in the following theorem. Theorem 11. If i, s IOTS(I, U) with V U, then: i ioco s (hide V in i) ioco (hide V in s) Using our running exmple, we show tht the problem illustrted by Exmple 10 is not unrelistic. The integrted coffee system implementtion i cof, consisting of the money nd drink component implementtions, fter hiding the 12

synchronized ctions (mke coffee, mke te, error), cn do the trce?1.00!1.00 (ejecting 1.00 fter hidden error). Hence!1.00 out(i cof fter?1.00) wheres!1.00 out(s cof fter?1.00) (where?1.00 Strces(s cof )) (see Figure 2 for s cof, i cof ). So we cn conclude tht lthough the component implementtions re ioco correct with respect to their specifictions, the integrted system is not. 5 Demonic completion We hve shown in the previous section tht ioco is pre-congruence for prllel composition nd hiding when restricted to IOTS IOTS. However, in the originl theory [11] ioco IOTS LTS; the specifictions re LTS s. The intuition behind this is tht ioco llows underspecifiction of input ctions. In this section we present function tht trnsforms LTS s into IOTS s in wy tht complies with this notion of underspecifiction. We will show tht this leds to new implementtion reltion tht is slightly weker thn ioco. Underspecifiction comes in two flvors: underspecifiction of input ctions nd underspecifiction of output ctions. Underspecifiction of output ctions is lwys explicit; in n LTS it is represented by non-deterministic choice between severl output ctions. The intuition behind this is tht we do not know or cre which of the output ctions is implemented, s long s t lest one is. Underspecifiction of input ctions is lwys implicit; it is represented by bsence of the respective input ction in the LTS. The intuition behind underspecifiction of input ctions is tht fter n unspecified input ction we do not know or cre wht the behvior of the specified system is. This mens tht in n underspecified stte i.e., stte reched fter n unspecified input ction every ction from the lbel set is correct, including quiescence. Following [3] we cll this kind of behvior chotic. In trnslting LTS s to IOTS s, we propose to model underspecifiction of input ctions explicitly. Firstly, we model chotic behvior through stte q χ λ (where χ stnds for chos) with the property: λ U : q χ = q χ nd λ δ λ I : q χ === q χ. Secondly, we dd for every stble stte q (of given LTS) tht is underspecified for n input trnsition (q,, q χ ). This turns the LTS into n IOTS. After [4] we cll this procedure demonic completion s opposed to ngelic completion, where unspecified inputs re discrded (modeled by dding self-loop trnsitions). Definition 12 (demonic completion). : LTS(I, U) IOTS(I, U) is defined by Q, I, U, T, q 0 Q, I, U, T, q 0, where Q = Q {q χ, q Ω, q }, where q χ, q Ω, q Q T = T {(q,, q χ ) q Q, I, q /, q / } {(q χ, τ, q Ω ), (q χ, τ, q )} {(q Ω, λ, q χ ) λ L} {(q, λ, q χ ) λ I} τ 13

specifiction (LTS) demoniclly completed specifiction (IOTS)!mke coffee s mon!mke te!mke coffee s mon!mke te?1.00?0.50?1.00?0.50 q 1 q 2 q 1 q 2?error?error?error chotic IOTS?0.50?0.50?1.00?1.00 q χ I U q χ I I U I τ τ τ τ q Ω q q Ω q Fig. 7. Demonic completion of n LTS specifiction. Exmple 13. To illustrte the demonic completion of implicit underspecifiction, we use the money component of section 3.3. The LTS specifiction of the money component is given in the top left corner of Figure 7. The IOTS tht models our chos property is given in the bottom left corner. For every stble stte of the specifiction, the function dds n rrow for every unspecified input, from tht stte to stte q χ. For exmple, every stte is underspecified for input ction error, so we dd trnsition from every stte to q χ for error. The sttes q 1 nd q 2 re underspecified for 0.50 nd 1.00, so we dd trnsitions for these inputs from q 1 nd q 2 to q χ. The resulting demoniclly completed specifiction is given on the right hnd side of Figure 7. The chotic IOTS cn do every trce tht n LTS cn do. However it is esy to see tht the chotic IOTS cnnot do every imginble trce. For exmple it cnnot do δ λ, where λ U. We need the following property to show tht the chotic IOTS cn do every (sub)trce tht n rbitrry LTS cn do. The regulr set (U δ I) δ contins ll the elements of L δ except those tht contin the trce δ followed by n output. By definition this is of course n impossible trce for n LTS. Proposition 14. Let s LTS(I, U). Strces(s) : (U δ I) δ An importnt property of demonic completion is tht it only dds trnsitions from stble sttes with underspecified inputs in the originl LTS to q χ. More- 14

over, it does not delete sttes or trnsitions. This is expressed in the following proposition. Proposition 15. Let s LTS(I, U). L δ, Q s : s = (s) = Furthermore, the chotic IOTS cts s kind of sink: once one of the dded sttes (q χ, q Ω or q ) hs been reched, they will never be left nymore. Together with proposition 14 it is esy to see tht q χ cn do ll the (sub)trces tht n rbitrry LTS cn do. Proposition 16. Let s LTS(I, U) nd q χ be the chotic stte in the demoniclly completed LTS (s). (U δ I) δ : q χ = Q s We use the nottion ioco to denote tht before pplying ioco, the LTS specifiction is trnsformed to n IOTS by ; i.e., i(ioco )s i ioco (s). Theorem 17. ioco ioco Note tht the opposite is not true, i.e., i (ioco ) s i ioco s. Figure 8 shows tht the counter-exmple for the pre-congruence of hiding is lso counterexmple for the reverse direction of this proposition. On the left hnd side we see the specifiction s, next to it is the demoniclly completed specifiction (s) nd on the right is the implementtion. Now we hve tht i(ioco )s nd i ioco / s. Thus, ioco is strictly weker reltion thn ioco. We wnt to stress two spects of this observtion: Our investigtion, which strted with component-bsed testing, hs led to new vrition in the notion of conformnce tht is different from the reltion implemented in, e.g., the TorX tool; This new vrition considers ll previously tested, ioco-conformnt systems correct, but my consider system correct tht ws rejected by ioco. Thus, the vrition is reltively hrmless. These properties re consequence of our choice of the demonic completion function. Other forms of completion, such s ngelic completion, result in vrints of ioco which re incomprble to the originl reltion (i.e., neither weker nor stronger). The difference between ioco nd ioco occurs when there is nondeterminism in the underspecifiction, i.e. when the specifiction cn nondeterministiclly go to two or more different sttes. In one stte the input is specified, wheres in nother stte the input is underspecified. For exmple, in Figure 8, s cn nondeterministiclly tke the τ-trnsition. Before the τ-trnsition, input? is specified, while fter the τ-trnsition input? is underspecified. In cse of nondeterminism in the underspecifiction, ioco tkes the specified side, while ioco tkes the underspecified side. 15

s (s) i? τ? τ? τ I? I I I U q χ I!y τ τ q Ω q I I Fig. 8. i(ioco )s i ioco s. Testing The testing scenrio is now such tht n integrted system cn be tested by compring the individul components to their demoniclly completed specifictions. If the components conform, then the composition of implementtions lso conforms to the composition of the demoniclly completed specifictions. Corollry 18. Let s 1, s 2 LTS(I, U) nd i 1, i 2 IOTS(I, U) i 1 ioco (s 1 ) i 2 ioco (s 2 ) i 1 i 2 ioco (s 1 ) (s 2 ) Test restriction A disdvntge of demonic completion is tht it destroys informtion bout underspecified behvior. On the bsis of the underspecified LTS, one cn conclude tht trces including n unspecified input need not be tested becuse every implementtion will lwys pss; fter completion, however, this is no longer visible, nd so utomtic test genertion will yield mny spurious tests. In order to void this, we chrcterize ioco directly over LTS s. In other words, we extend the reltion from IOTS IOTS to IOTS LTS, in such wy s to obtin the sme testing power but void these spurious tests. For this purpose, we restrict the number of trces fter which we test. Definition 19. Let s LTS(I, U). Utrces(s) = def { L δ s = (, 1 2 = : I s == 1 = )} Intuitively, the Utrces re the Strces without the underspecified trces. A trce is underspecified if there exists prefix 1 of, with I, for which s == 1 nd = /. The following proposition puts it differently: Utrces(s) re the Strces(s) for which the demoniclly completed specifiction, (s), never leds to chotic stte. Proposition 20. Let s = Q, I, U, T, q 0 be n rbitrry LTS. Utrces(s) = { Strces(s) ((s) fter ) Q} 16

We use ioco U s shorthnd for ioco Utrces. In the following proposition we stte tht ioco U is equivlent to ioco. Theorem 21. ioco U = ioco This equivlence is quite intuitive. ioco uses fresh sttes to hndle underspecified behvior, which re constructed so s to disply chotic behvior. If (s) reches such stte, then ll behvior is considered correct. ioco U, on the other hnd, circumvents underspecified behvior, becuse it uses Utrces, which re Strces from which ll underspecified trces hve been removed. 6 Conclusions The results of this pper imply tht ioco cn be used for component bsed testing: if components re tested seprtely nd then integrted, the resulting system will lso conform to the integrted specifiction. The integrtion of components is modeled by the successive ppliction of two lgebric opertions: prllel composition followed by hiding. However, s we hve shown, there re some constrints to this scenrio. Summrizing the results of this pper: We hve shown tht component-bsed ioco-testing works smoothly if the component specifictions re input-enbled (i.e., given s input-output trnsition systems); see theorems 9 nd 11. We hve shown tht if the component specifictions re not input enbled, both prllel composition nd hiding re non-compositionl (see exmple 8 nd 10): the integrted system my not conform to the integrted specifiction in spite of the fct tht the individul components re fully conformnt. A solution to this is to complete the component specifictions before using them for testing purposes; this involves dding input trnsitions where they re missing. Completion turns the specifictions into IOTS s, so tht the bove result becomes pplicble. Completion cn be done in mny different wys; we hve shown tht demonic completion is consistent with the existing ioco theory (see theorem 17). Testing fter completion is in principle (much) more expensive since, due to the nture of IOTS s, even the completion of finite specifiction lredy displys infinite testble behvior. As finl result of this pper, we hve shown how to use the originl component specifictions for testing, before completion (see theorem 21). Note tht the correctness of the integrted system is still only gurnteed with respect to the completed component specifictions; thus, completion is still n unvoidble step. The result of this pper is lso relevnt for testing in context, since it implies tht every filure of system embedded in test context cn be reduced to fult of the system itself. Interprettion. The insights gined from these results cn be recst in terms of underspecifiction. ioco recognizes two kinds of underspecifiction: omitting 17

input ctions from stte (which implies don t cre if n input does occur) nd including multiple output ctions from stte (which llows the implementtion to choose between them). It turns out tht the first of these two is not comptible with prllel composition nd hiding. To mke it comptible we hve hd to modify the theory t two points: The underlying set of trces for ioco hs been redefined, resulting in slightly weker notion of conformnce; previously conformnt implementtions re still conformnt, but it might be tht previously non-conformnt implementtions re llowed under the modified notion of conformnce. The integrtion (i.e., prllel composition nd hiding) of component specifictions hs been moved to the domin of IOTS s. Thus, we no longer consider these s constructions on generl lbeled trnsition systems; insted, component specifictions hve to be completed prior to their integrtion. Testing in context We hve discussed the pre-congruence properties minly in the context of component bsed testing, but the results cn esily by trnsposed to testing in context. Suppose n implementtion under test i is tested vi context c. The tester intercts with c, nd c intercts with i; the tester cnnot directly interct with i. Then we hve I i U c nd U i I c, nd L i is not observble for the tester, i.e., hidden. The tester observes the system s n implementtion in context: C[i] = hide I i U i in c i Now theorem 9 nd 11 directly led to the following corollry for testing in context. Corollry 22. Let s, i IOTS occur in test context C[ ] C[i] ioco / C[s] i ioco / s Hence, n error detected while testing the implementtion in its context is rel error of the implementtion, but not the other wy round: n error in the implementtion my not be detectble when tested in context. Future work. The current stte of ffirs is not yet completely stisfctory, becuse the notion of composition tht we require is not defined on generl lbeled trnsition systems but just on IOTS s. Testing ginst IOTS s is inferior, in tht these models do not llow the input underspecifiction discussed bove: for tht reson, testing ginst n IOTS cnnot tke dvntge of informtion bout don t cre inputs (essentilly, no testing is required fter don t cre input, since by definition every behvior is llowed). We intend to solve this issue by extending IOTS s with predicte tht mkes the notion of input underspecifiction explicit, by designting some sttes s chotic. Testing cn stop when the specifiction hs reched chotic stte. 18

A Appendix: proofs A.1 Proofs of section 4.1 (Congruence properties for synchroniztion) Proposition A.1. Let p IOTS(I p, U p ), q IOTS(I q, U q ), r Q p q with I p I q = U p U q =. 1. L p \ L q : p q r p : p p r = p q 2. L q \ L p : p q r : q r = p 3. p q τ r ( p : p τ p r = p q) ( : q τ r = p ) 4. (L p L q ) {δ} : p q r p, : p p q r = p Proof. 1. Assume L p \ L q only if: p q r ( definition ) p : p p r = p q if: p : p p r = p q ( definition ) p q r 2. Anlogous to 1 3. Anlogous to 1 4. The cse L p L q is nlogous to 1. Here the proof for = δ is given. only if: First we show r = p q, then the remining prt of the proof is given. p q δ r ( Definition δ ) p q δ r r = p q (1) p q δ r ( Definition δ ) µ U p U q {τ} : p q / µ ( Definition ) µ (U p \L q ) {τ} : p / µ µ (U q \L p ) {τ} : q / µ µ L p L q : p / µ q / µ ( p, q IOTS (note tht µ I p : p µ µ I q : q µ ) ) µ U p {τ} : p / µ µ U q {τ} : q / µ ( definition δ nd r = p q (see 1) ) p δ p q δ q r = p q 19

if: Let r = p q p δ p q δ q ( definition δ ) µ U p {τ} : p / µ µ U q {τ} : q / µ ( definition ) µ U p U q {τ} : p q / µ ( definition δ ) p q δ p q ( Given: r = p q ) p q δ r We now introduce some nottion for the projection of trce on lbel set. Definition A.2. Let L δ, L δ, S L δ : ɛ S = ɛ { S S ( ) S = ( S) S To improve redbility we use L δ p to denote L p {δ}. Proposition A.3. Let p IOTS(I p, U p ), q IOTS(I q, U q ), r Q p q, L δ, with L = I p I q U p U q nd I p I q = U p U q =. p q = r p, : p Lδ p ==== p q Lδ q ==== r = p Proof. Only if: Proof by induction on the structure of. Bsic step: = ɛ. p q = ɛ r ( Proposition A.1.3 nd definition of p, : p = ɛ p q = ɛ r = p ( Definition A.2 of projection ) p, : p ɛ Lδ p === p q ɛ Lδ q === r = p ɛ = ) Induction step: We mke the ssumption tht the proposition holds for in =, with L δ. We identify three cses: 1. Assume L δ p L δ q (= (L p L q ) {δ}). 20

p q === r ( Definition === ) r 1, r 2 : p q = ɛ r 1 r 2 == r ( Bsic step ) p 1, q 1, r 2 : p = ɛ p 1 q = ɛ q 1 p 1 q 1 r 2 == r ( Proposition A.1.4 ) p 1, p 2, q 1, q 2 : p = ɛ p 1 q = ɛ q 1 p 1 p 2 q 1 q 2 p 2 2 == r ( Definition = ) p 2, q 2 : p = p 2 q = q 2 p 2 2 == r ( Induction ) p, p 2,, q 2 : p = L δ p p 2 ==== p q = L δ q q 2 ==== r = p ( Definition A.2 of projection ) p, : p ( ) L δ p ======= p q ( ) L δ q ======= r = p ( = ) p, : p Lδ p ==== p q Lδ q ==== r = p 2. Assume L δ p \ L δ q (= L p \L q ). p q === r ( Definition = ) r 1, r 2 : p q = ɛ r 1 r 2 == r ( Bsic step ) p 1, q 1, r 2 : p = ɛ p 1 q = ɛ q 1 p 1 q 1 r 2 == r ( Proposition A.1.1 ) p 1, p 2, q 1 : p = ɛ p 1 q = ɛ q 1 p 1 p 2 p 2 1 == r ( Definition of = ) p 2, q 1 : p = p 2 q = ɛ q 1 p 2 1 == r ( Induction ) p 2, p, q 1, : p = L δ p p 2 ==== p q = ɛ L δ q q 1 ==== r = p ( Definition A.2 of projection ) p, : p ( ) L δ p ======= p q ( ) L δ q ======= r = p ( = ) p, : p Lδ p ==== p q Lδ q ==== r = p 3. Assume L δ q \ L δ p. This is symmetric with the previous cse. 21

if: By induction on the structure of. Bsic step: = ɛ. p, : p ɛ Lδ p === p q ɛ Lδ q === ( Definition A.2 of projection ) p, : p = ɛ p q = ɛ ( Proposition A.1.3 nd definition of p, : p q = ɛ p ( = ɛ ) p, : p q = p ( Given r = p ) p q = r ɛ = ) Induction step: We ssume the proposition holds for in =, L δ. We identify three cses: 1. Assume L δ p L δ q (= (L p L q ) {δ}): p, : p ( ) L δ p ======= p q ( ) L δ q ======= ( Definition A.2 of projection ) p 2, p, q 2, : p = L δ p p 2 ==== p q = L δ q q 2 ==== ( Definition of = ) p 1, p 2, p, q 1, q 2, : L δ p L δ q p = ɛ p 1 p 2 ==== p q = ɛ q 1 q 2 ==== ( Bsic step ) p 1, p 2, p, q 1, q 2, : L δ p L δ q p q = ɛ p 1 q 1 p 1 p 2 ==== p q 1 q 2 ==== ( Proposition A.1.4 ) p 1, p 2, p, q 1, q 2, : L δ p L δ q p q = ɛ p 1 q 1 p 2 q 2 p 2 ==== p q 2 ==== ( Definition of = ) L δ q p 2, p, q 2, : p q = L δ p p 2 q 2 p 2 ==== p q 2 ==== ( Induction ) p 2, p, q 2, : p q = p 2 q 2 p 2 2 == p ( Definition of = ) p, : p q === p ( = ) p, : p q = p ( Given r = p ) p q = r 22

2. Assume L δ p \ L δ q (= L p \L q ): p, : p ( ) L δ p ======= p q ( ) L δ q ======= ( Definition A.2 of projection ) p 2, p, : p = L δ p p 2 ==== p L δ q ==== ( Definition of = ) L δ p p 1, p 2, p, : p = ɛ p 1 p 2 ==== p L δ q ==== ( Bsic step ) L δ p p 1, p 2, p, : p q = ɛ p 1 q p 1 p 2 ==== p L δ q ==== ( Proposition A.1.1 ) L δ p p 1, p 2, p, : p q = ɛ p 1 q p 2 q p 2 ==== p L δ q ==== ( Definition of = ) p 2, p, : p q = L δ p p 2 q p 2 ==== p L δ q ==== ( Induction ) p 2, p, : p q = p 2 q p 2 q == p ( Definition of = ) p, : p q === p ( = ) p, : p q = p ( Given r = p ) p q = r 3. Assume L δ q \ L δ p. This is symmetric with the previous cse. Lemm A.4. Let i, s IOTS(I, U), then: Proof. i ioco s Strces(i) Strces(s) only if: Proof by induction on the structure of, let Strces(i). Bsic Step: = ɛ. ɛ Strces(s) trivilly holds. Induction step : We identify two cses: 1. = ρ with I: By induction ρ Strces(s), so s : s = ρ s, nd since s IOTS(I, U), s = lwys holds. Hence, ρ Strces(s). 2. = ρ x with x U {δ}: If i == ρ x then by definition 5 x out(i fter ρ), nd since i ioco s nd by induction ρ Strces(s) we cn conclude tht x out(sfterρ). Hence, s == ρ x, nd ρ x Strces(s). if: Let Strces(s) nd x out(i fter ), then i === x, which implies x Strces(i), hence x Strces(s) nd s === x, from which it follows tht x out(s fter ). 23

Theorem 9 Let s 1, i 1 IOTS(I 1, U 1 ), s 2, i 2 IOTS(I 2, U 2 ) with I 1 I 2 = U 1 U 2 =. i 1 ioco s 1 i 2 ioco s 2 i 1 i 2 ioco s 1 s 2 Proof. To be proved ccording to lemm A.4: Strces(i 1 ) Strces(s 1 ) Strces(i 2 ) Strces(s 2 ) Strces(i 1 i 2 ) Strces(s 1 s 2 ) Strces(i 1 i 2 ) ( Definition of Strces ) i 1 i 2 = ( Proposition A.3 ) L δ i L δ i 1 i 1 ==== 2 i2 ==== ( premise ) L δ s L δ s 1 s 1 ==== 2 s2 ==== ( Proposition A.3 ) s 1 s 2 = ( Definition of Strces ) Strces(s 1 s 2 ) A.2 Proofs of Section 4.2 (Congruence properties for hiding) Definition A.5. The hiding of L δ with A L, denoted s \A, is defined s follows: ɛ = ɛ \A = \A = with A def ( \A) = with / A δ ( \A) = δ Proposition A.6. Let p LTS(I, U) where U is prtitioned in sets U 1 nd U 2. 1. p p with I U 1 hide U 2 in p hide U 2 in p 2. p p with U 2 hide U 2 in p τ hide U 2 in p 3. p τ p hide U 2 in p τ hide U 2 in p 4. p δ p hide U 2 in p δ hide U 2 in p 5. hide U 2 in p q with I U 1 p : p p q = hide U 2 in p 6. hide U 2 in p τ q ( p : p τ p q = hide U 2 in p ) ( p, U 2 : p p q = hide U 2 in p ) 7. hide U 2 in p δ q p δ p q = hide U 2 in p 24

Proof. 1. p p I U 1 ( Definition of hide ) hide U 2 in p hide U 2 in p 2. p p U 2 ( Definition of hide ) hide U 2 in p τ hide U 2 in p 3. p τ p ( Definition of hide ) hide U 2 in p τ hide U 2 in p 4. p δ p ( Definition of quiescence ) ( µ U {τ} : p / µ ) ( Definition of hide ) ( µ U 1 {τ} : hide U 2 in p / µ ) ( Definition of quiescence ) hide U 2 in p δ hide U 2 in p 5. hide U 2 in p q ( Definition of hide ) p : p p q = hide U 2 in p 6. hide U 2 in p τ q ( Definition of hide ) ( p : p τ p q = hide U 2 in p ) ( p, U 2 : p p q = hide U 2 in p ) 7. hide U 2 in p δ q ( Definition of quiescence ) µ U 1 {τ} : hide U 2 in p / µ q = hide U 2 in p ( Definition of hide ) ( µ U 1 : p / µ ) ( µ U 2 : p / µ ) p / τ q = hide U 2 in p ( Logicl xioms ) µ U {τ} : p / µ q = hide U 2 in p ( Definition of quiescence ) p δ p q = hide U 2 in p Proposition A.7. Let p LTS(I, U) where U is prtitioned into U 1 nd U 2 ; let L δ be rbitrry. 1. p = p hide U 2 in p \U2 ==== hide U 2 in p 2. hide U 2 in p = q p, L δ : p == p q = hide U 2 in p = \U 2 25

Proof. 1. By induction on the structure of : = ɛ: Using ɛ\u 2 = ɛ, the proposition reduces to: p ɛ = p hide U 2 in p ɛ = hide U 2 in p (2) which, using the definition of ɛ =, is rewritten to: p τ n p hide U 2 in p ɛ = hide U 2 in p (3) which is proved by induction on n: n = 0: p τ n p ( n = 0 nd from definition of p = p ɛ ( definition of = ) hide U 2 in p = ɛ hide U 2 in p n = n + 1: p τ n p ( n = n + 1 nd definition of p 1 : p τ τ p 1 p n 1 p ( proposition A.6.3 ) ɛ = : p τ 0 p p = p ) ɛ = ) hide U 2 in p τ τ hide U 2 in p 1 p n 1 p ( induction on eqution (3) ) hide U 2 in p τ ɛ hide U 2 in p 1 hide U 2 in p 1 = hide U 2 in p ɛ ( definition of = ) hide U 2 in p = ɛ hide U 2 in p 26

= ρ, with I U 1, ρ L δ : p = p ( = ρ ) p == ρ p ρ ( definition of == ) p 1, p 2 : p = ɛ ρ p 1 p 1 p 2 p 2 = p ( eqution (2) ) p 1, p 2 : hide U 2 in p = ɛ ρ hide U 2 in p 1 p 1 p 2 p 2 = p ( proposition A.6.1 ) p 1, p 2 : hide U 2 in p = ɛ hide U 2 in p 1 ρ hide U 2 in p 1 hide U 2 in p 2 p 2 = p ( induction ) p 1, p 2 : hide U 2 in p = ɛ hide U 2 in p 1 hide U 2 in p 1 hide U 2 in p 2 ρ\u 2 hide U 2 in p 2 ==== hide U2 in p (ρ\u 2) ( definition of ====== ) hide U 2 in p ====== (ρ\u2) hide U 2 in p ( definition A.5 ) hide U 2 in p ( ρ)\u2 ====== hide U 2 in p ( = ρ ) hide U 2 in p \U2 ==== hide U 2 in p 27

= ρ, with U 2, ρ L δ : p = p ( = ρ ) p == ρ p ρ ( definition == ) p 1, p 2 : p = ɛ ρ p 1 p 1 p 2 p 2 = p ( eqution (2) ) p 1, p 2 : hide U 2 in p = ɛ ρ hide U 2 in p 1 p 1 p 2 p 2 = p ( proposition A.6.2 ) p 1, p 2 : hide U 2 in p = ɛ hide U 2 in p 1 τ ρ hide U 2 in p 1 hide U 2 in p 2 p 2 = p ( induction ) p 1, p 2 : hide U 2 in p = ɛ hide U 2 in p 1 τ hide U 2 in p 1 hide U 2 in p 2 ρ\u 2 hide U 2 in p 2 ==== hide U2 in p ( definition of ρ\u 2 ==== ) hide U 2 in p ρ\u2 ==== hide U 2 in p ( definition A.5 ) hide U 2 in p ( ρ)\u2 ====== hide U 2 in p ( = ρ ) hide U 2 in p \U2 ==== hide U 2 in p 28

= δ ρ, with ρ L δ : p = p ( = δ ρ ) p == δ ρ p δ ρ ( definition == nd definition of quiescence ) p 1 : p = ɛ δ ρ p 1 p 1 p 1 p 1 = p ( eqution (2) ) p 1 : hide U 2 in p = ɛ δ ρ hide U 2 in p 1 p 1 p 1 p 1 = p ( proposition A.6.4 ) p 1 : hide U 2 in p = ɛ hide U 2 in p 1 δ ρ hide U 2 in p 1 hide U 2 in p 1 p 1 = p ( induction ) p 1 : hide U 2 in p = ɛ hide U 2 in p 1 δ hide U 2 in p 1 hide U 2 in p 1 ρ\u 2 hide U 2 in p 1 ==== hide U2 in p δ (ρ\u 2) ( definition of ====== ) hide U 2 in p ====== δ (ρ\u2) hide U 2 in p ( definition A.5 ) hide U 2 in p (δ ρ)\u2 ====== hide U 2 in p ( = δ ρ ) hide U 2 in p \U2 ==== hide U 2 in p 2. By induction on the structure of (Note tht (I U 1 {δ}) ): = ɛ: The proposition reduces to: hide U 2 in p = ɛ q p, L δ : (4) p == p q = hide U 2 in p ɛ = \U 2 which, using the definition of ɛ =, is rewritten to: hide U 2 in p τ n q p, L δ : (5) p == p q = hide U 2 in p ɛ = \U 2 which is proved by induction on n: n = 0: hide U 2 in p τ n q ( n = 0 nd from definition of ɛ = : p τ 0 p p = p ) p = p, = ɛ : p == p q = hide U 2 in p ɛ = \U 2 29