On the Refinement of Liveness Properties of Distributed Systems

On the Reﬁnemen t of Liv eness Prop erties of Distributed Systems 1 P aul C. A ttie Departmen t o f Computer Science American Univ ersit y of Beirut and Cen ter fo r Adv ance d Mathematical Sciences American Univ ersit y of Beirut paul.att ie@aub.e du.lb Octob er 2 9, 2018 Abstract W e presen t a new approach for reas oning ab out liveness prop er ties of dis tr ibuted systems, represented as automa ta. Our a pproach is based on simulation relations, and r equires r easoning only ov er ﬁnite execution fr agments. Current sim ulation- relation based metho ds for re asoning ab out liveness pro p erties of a utomata r equire reaso ning ov er entire executions, since they in- volv e a pro o f obligation of the form: if a concrete and abs tract execution “co r resp ond” via the simulation, and the concr ete exe c ution is live, then so is the abstra ct execution. Our con tribution consists of (1) a formalism f o r deﬁning liveness prop er ties, (2) a pro of metho d for liveness prop er ties bas ed o n that fo r malism, and (3) tw o ex pr essive co mpleteness results: ﬁrs tly , our formalism can expre s s any liveness prop er ty whic h sa tisﬁes a natural “robust- ness” condition, and secondly , our forma lism can express any liveness pr op erty at all, provided that history v ariables can be us ed. T o deﬁne liveness, we generalize the notion of a complemented-pairs (Streett) a utomaton to an inﬁnite s ta te-space, and a n inﬁnite num b er o f complemented-pairs. Our pro of metho d provides tw o main techniques: one for reﬁning liveness prop er ties a c r oss levels of abstraction, and the o ther for reﬁning liveness prop erties within a level of abstr action. The ﬁrs t is based on extending simulation relations so that they relate the liveness pr op erties of an abstr act (i.e., higher level) automaton to those o f a co ncrete (i.e., lower level) automaton. The seco nd is based on a deductive metho d for inferr ing new liveness prop erties of an automaton from alr e ady estab- lished liv enes s pro p erties of the same auto ma ton. This deductive metho d is dia grammatic, a nd is ba sed o n construc ting “lattices” of liveness pro p er ties. Thus, it supp orts pr o of decomp o sition and separa tion of concer ns. 1 In tro d uction and Ov erview One of th e ma jor approac hes to the construction of correct distributed systems is the use of an op erational sp eciﬁcation, e.g., an automaton or a lab ele d tr ansition system , wh ic h is successiv ely reﬁned, via sev eral in termediate lev els of abstraction, into an implementa tion. The implement ation is consid ered correct if and only if eac h of its externally visible b eha viors, i.e., tr ac es , is also a trace of the sp eciﬁcation. This “trace inclusion” of th e implemen tation in the sp eciﬁcation is usu ally established transitiv ely by means of establishing the trace inclus ion of the system d escription at eac h leve l of abs tr action in the system d escription at the next higher level. When r easoning at any particular lev el, w e call the lo wer lev el the concrete leve l, and the higher lev el the abstract leve l. The correctness prop erties of a distrib u ted system are classiﬁed int o safety and livene ss [27]: safet y p rop erties state th at “nothin g b ad h app en s ,” for example, that a database system nev er 1 Some of the results in this p ap er app eared in the eightee nth ACM Symp osium on Principles of Distributed Computing, (PODC’99), u nder the title “Liv eness-preserving Simulation Relations”. 1 pro du ces incorrect resp onses to queries, while liv eness p rop erties state that “progress o ccurs in the system,” for example, eve r y query sen t to a database system is ev entually resp ond ed to. Safet y prop er ties are c haracterized by the fact that th ey are violated in ﬁ nite time: e.g., once a database has return ed an incorrect resp onse to an external user , there is no wa y to r eco ver to wh ere the safet y p r op erty is satisﬁed. Liv eness p rop erties, on the other hand, are c haracterized by the fact that there is alw a ys the p ossibilit y of satisfying them: th e database alw a ys has the opp ortunit y of resp onding to p ending queries. Thus, an op er ational sp eciﬁcation deﬁnes the required safety prop er ties by means of an automaton, or lab eled transition s y s tem. The reac hable states and transitions of th e automaton are the “go o d ” states/transitions, whose o ccurr ence do es not violate safet y . An y u nreac hab le states, if presen t, are “bad,” i.e., they r epresent a violation of the safety prop er ties, e.g., due to a fault. The o ccurrence of such a “bad” state is something that happ ens in ﬁnite time, an d so constitutes the violatio n of a safety prop erty . Th e liv eness prop erties are sp eciﬁed b y designating a sub s et of the executions of the automaton as b eing the “liv e” executions, leading to the notion of live exe cution pr op erty . These are the executions along which ev entually , all the necessary actions are executed, e.g., the actio n s that resp ond to p ending queries. T o express the idea that th ere is alwa ys the p ossibilit y of satisfying a liv eness pr op ert y , this subset of the executions must hav e the prop ert y that any ﬁ nite execution can b e extended to an execution in the sub set [1]. Distributed sys tems consist of man y sequen tial pr o cesses whic h execute concurrentl y . T o r eason eﬀectiv ely ab out such large systems, researc hers hav e prop osed th e use of c omp ositional r e ason i ng : global prop erties of th e entire system are inferred by ﬁrs t dedu cing lo cal pr op erties of the con- stituen t pr o cesses or s u bsystems, and then com binin g th ese lo cal prop erties to establish the global prop er ties. In particular, we desire that r eﬁnement is comp ositional: when a particular p ro cess P i is reﬁn ed to a new pro cess P ′ i , we wish to reason only ab out w hether P ′ i is a correct reﬁnement of P i , without having to engage in global reasoning inv olving all of the other pr o cesses in th e system. The n eed for comp ositional r easoning, as w ell as n otions su c h as b eha vioral subtyping [30] and information hiding, motiv ated the d ev elopment of the n otion of external ly visible b ehavior , e.g., the set of traces of an automaton, where a trace is a sequence of “external” actions, visible at the in terface, whic h the au tomaton can engage in. Typicall y , a trace is ob tained b y taking an execution and remo vin g all the i nternal information, i.e., the states and the inte r n al actions. The notion of externally visible b eha v ior then leads naturally to notions of extern al s afet y and liveness prop er ties, which are sp eciﬁed o v er the traces of an automaton, rather than o ver the (in ternal) states and executions. The external safet y prop ert y is the set of all traces, since this is the external “pr o jection” of all the executions, w h ic h deﬁne the r eac hable states and transitions, whic h in tu r n giv e u s the s afet y prop erties, as discussed ab ov e. The extern al liv eness pr op erty is obtained b y taking the traces of all the liv e executions. Th ese are called the live tr ac es , an d the set of all liv e traces is a liv e tr ac e pr op erty . T r ace inclusion usu ally means that every tr ace of the concrete automaton is a trace of th e abstract automaton. Thus, trace inclusion deals with safet y pr op erties: ev ery safet y pr op erty of the set of traces of the concrete automaton is also a safety p rop erty of the set of traces of the abs tract automaton. T hus, external safet y prop erties are preserved by the reﬁnement from the abs tr act to the concrete. T race in clusion d o es not address liv eness prop erties, h ow ev er. Th e appropr iate notion of inclusion for external liv en ess prop erties is live tr ac e inclusion [17, 18]: ev ery live trace of the concrete automaton is a liv e trace of th e abstract automaton. Consider again th e d atabase example, with the external liveness p rop erty that eve r y query submitted is ev ent u ally pro cessed. Let B b e a high-lev el sp eciﬁcation of such a system. By u sing 2 state v ariables that record requests and resp onses, this prop ert y can b e easily stated in terms of the executions of B , whic h resu lts in a liv e execution p rop erty . The s et of traces of the liv e executions then give s the corresp onding liv e trace prop ert y . P r o vided that the state v ariables whic h record requests and r esp onses are up dated correctly , the liv e trace pr op erty will only contai n traces in whic h ev ery input of a query to the database (e.g., from an external “u s er”) is even tually follo wed b y an output of a resp onse f rom the database (to th e user). Let A b e an implementa tion of B . Th e liv e executions of A are d eﬁned by the liv eness prop er- ties that typically can b e guaranteed by reasonable im p lemen tations, e.g., “fair sc heduling” [15]— ev ery con tinuously enabled action (or pr o cess) is ev entually executed, and fair p olling of message c hannels—every message sent is even tually r eceiv ed 2 . The set of traces of the liv e executions then giv es the liv e trace prop ert y corresp onding to this action/pro cess fairness and reliable message de- liv ery in the u nderlying execution b eha vior. Ho wev er, the live trace pr op erty that w e wish to ve r ify for A is not this prop ert y p er se, b ut the same live trace prop ert y whic h B h as, n amely that ev ery input of a query to the database is eve ntually follo wed by an appr opriate outp ut from the database. This pap er add r esses the problem of verifying suc h liv eness p rop erties for an imp lemen tation A . It is clear that v erify in g that the liv e tr aces of A are con tained in the live traces of B immed iately yields the desired conclusion, namely that A has the desired live trace p rop erty . Thus, liv e trace inclusion app lied to the ab ov e example implies that eve r y trace of an execution of A in whic h all messages sent are ev entually receiv ed, and all con tinuously enabled actions (p ro cesses) are ev ent u ally executed, i.e., a liv e trace of A , is also a liv e tr ace of B , i.e., a trace in which all queries receiv e a resp onse. This is exactly what is requ ired, since the liv eness prop erties of A along executions where, for example, m essages sent are not receiv ed, are not of interest. Con versely , a liv e execution of A , in whic h all messages sen t are receiv ed, and scheduling is fair, should pro duce an external b eha vior w hic h has the desired liveness p r op erties: ev ery query receiv es a resp onse. More generally , live tr ace inclusion implies that external liveness prop erties are p reserv ed by the reﬁnement from the sp eciﬁcation B to the implementa tion A . One of the main p ro of tec hn iques f or establishing trace inclusion is that of establishin g a simu- lation [34] or bisimulation [43] b et we en the concrete and the abstract automata. A simulatio n (or bisim u lation) establishes a certain corresp ondence (dep ending on th e p recise type of simulatio n ) b et ween the states/ tr an s itions of the concrete automaton and the states/transitions of the abstract automaton, w hic h th en implies trace inclusion. An imp ortan t adv ant age of the simulat ion-b ased approac h is that it only r equ ires reasoning ab out individu al states and ﬁnite execution fragmen ts, rather than r easoning ab out entire (inﬁn ite) executions. Unfortunately , th e end-resu lt, namely th e establishmen t of trace in clusion, do es n ot, as w e establish in the s equ el, imp ly liv e trace inclusion, since the set of liv e traces is, in general, a pr op er subset of the set of traces. Our con tributions. In this pap er, we sho w ho w to use sim ulation relations to r eason ab out liv eness. Our app roac h uses a state-based tec hniqu e to sp ecify live execution prop erties: a live ness c ondition is giv en as a (p ossibly inﬁnite) set of ordered pairs h h h Red i , Green i i i i , w here Red i , Green i are sets of states. An execution is considered to satisfy a single pair h h h Red , Green i i i iﬀ whenever it con tains in ﬁnitely many states in Red , then it also cont ains in ﬁ nitely man y states in Green . An execution is liv e iﬀ it satisﬁes all the pairs in the live n ess condition. A trace is liv e iﬀ it is the trace of some liv e execution. Our n otion of liv eness condition is akin to the acceptance condition of a c omplemente d-p airs (or Str e ett) automaton [4, 13, 20], exce p t th at we allo w an 2 W e do not address fault-tolerance for the time b eing, thus messages are alw ays receiv ed along a live execution. See Section 7.2 for a discussion of how th e techniques presented in th is pap er can b e applied to fault-tolerance. 3 inﬁnite n umb er of pairs, and also our au tomata can ha v e an inﬁnite num b er of states and tr ansitions. W e then presen t the notion of live ne ss- pr ese rvi ng simulation r elation , w hic h app r opriately relates the states men tioned in the concrete automaton’s liveness condition to those mentio n ed in the abstract automaton’s liv eness condition. T his is done in tw o stages. The ﬁ r st stage r eﬁnes the liv eness condition of the abs tract automaton into a “derived” liv eness cond ition of the concrete automaton. This deriv ed condition m a y con tain complemented-pairs that are not dir ectly sp eciﬁed in the live n ess condition of the concrete automaton. The second stage then prov es that the derived condition is implied by the dir ectly sp eciﬁed liv eness condition of the concrete automaton (using a “lattic e” construction). The use of su ch a derive d liv eness condition allo ws us to b r eak do wn the reﬁnement problem at eac h lev el in to t wo simpler sub problems, s ince th e derived liv eness condition of the concrete automaton can u sually b e form u lated to b etter matc h with the liv eness condition of th e abstract automaton. Establishing a liv eness-p r eserving simulat ion relation then allo ws us to conclude that eve r y liv e trace of the concrete automaton is also a liv e trace of the abstract automaton. As d iscu ssed ab o ve , our metho d can b e applied to m u ltiple lev els of abstraction, where the sp eciﬁcation is successiv ely reﬁned in stages, pro du cing sev eral in termediate descriptions of the sp eciﬁed system, until a description that is dir ectly implement able on th e desired target arc hitecture and has adequate p erformance and fault-tolerance prop erties is derive d . Th u s, w e address the problem of pr eserving liv eness p r op erties in the successiv e reﬁn emen t of a sp eciﬁcation in to an imp lementati on, which con tributes to making the metho d scalable, as our extended example in Section 6 sh o ws. W e establish t wo expr essive completeness results for complemente d -pairs liv eness conditions. The ﬁrst sho w s that an y live execution prop er ty wh ic h satisﬁes a natur al “robustness” condition can b e sp eciﬁed by a complemen ted-pairs liv eness condition. The second sho ws that an y liv e execution prop er ty whatso ever can b e sp eciﬁed by a complemen ted-pairs liv en ess condition, provided that history v ariables can b e u sed. The pap er is organized as follo ws. Section 2 pro vides tec h nical b ac kground on automata and sim ulation r elations fr om [17] and [34]. Section 3 give s our k ey technical notion of a liv e automaton, i.e., an automaton equipp ed with a liv eness condition, and also deﬁnes live executions, liv e traces, and derive d liv eness p rop erties. S ection 4 presen ts our deﬁ n itions for liv eness-pr eserving simulatio n relations, and sho ws that liv eness-preservin g simulat ion relations imp ly liv e trace inclusion. Sec- tion 5 sho ws ho w a deriv ed liv en ess condition can b e d educed f r om the directly sp eciﬁed condition. T ogether, th ese t wo sections give our m etho d for reﬁning live n ess prop erties. Section 6 applies our results to the ev entually-se r ializable data service of [14, 26]. Sectio n 7 examines some alternativ e c hoices for expressing liv eness, sho ws that our m etho d can also b e applied to fault-tolerance pr op er- ties, and b rieﬂy discusses the mec hanization of our metho d. S ection 8 d iscusses th e exp ressiv eness of complemented-pairs for liv eness prop erties, and presents t wo relativ e completeness results. Sec- tion 9 discus s es related w ork. Finally , Section 10 pr esen ts our conclusions and d iscusses a v enues for fu r ther researc h. App endix A giv es some b ac kground on sim ulation relations, App endix B giv es some bac kgroun d on temp oral logic, and App endix C presents I/O automaton p seudo co d e for the ev ent u ally-serializa b le data service of [14, 26]. 2 T ec hnical B ac kground The deﬁnitions and theorems in th is section are tak en from [17] and [34], to wh ic h the reader is referred for details and pro ofs. 4 2.1 Automata Deﬁnition 1 (Automaton) An automaton A c onsists of four c omp onents: 1. a set states ( A ) of states, 2. a nonempty set start ( A ) ⊆ states ( A ) of start states, 3. an action signatur e sig ( A ) = ( ext ( A ) , int ( A )) wher e e xt ( A ) and int ( A ) ar e disjoint sets of external and internal actions, r esp e ctively ( let acts ( A ) denote the set ext ( A ) ∪ i nt ( A )) , and 4. a tr ansition r elation steps ( A ) ⊆ states ( A ) × acts ( A ) × states ( A ) . Let s, s ′ , u, u ′ , . . . range ov er states and a, b, . . . range ov er actions. W r ite s a − → A s ′ iﬀ ( s, a, s ′ ) ∈ steps ( A ). W e say that a is enable d in s . An execution fragment α of automaton A is an alternating sequence of states and actions s 0 a 1 s 1 a 2 s 2 . . . su c h that ( s i , a i +1 , s i +1 ) ∈ steps ( A ) f or all i ≥ 0, i.e., α conform s to the tr ansition r elation of A . F u rthermore, if α is ﬁnite then it en d s in a state. If α is an execution f r agmen t, then fstate ( α ) is the ﬁ r st state along α , and if α is ﬁnite, then lstate ( α ) is the last state along α . If α 1 is a ﬁ nite execution fr agment, α 2 is an execution fragment , and lstate ( α 1 ) = fstate ( α 2 ), then α 1 ⌢ α 2 is the concatenation of α 1 and α 2 (with lstate ( α 1 ) rep eated only once). Let α = s 0 a 1 s 1 a 2 s 2 . . . b e an execution fr agmen t. T h en the length of α , d enoted | α | , is the num b er of actions in α . | α | is inﬁnite if α is inﬁnite, and | α | = 0 if α consists of a sin gle state. Also, α | i df = = s 0 a 1 s 1 . . . a i s i . If α is a p reﬁx of α ′ , we write α ≤ α ′ . W e also w rite α < α ′ for α ≤ α ′ and α 6 = α ′ . An execution of A is an execution f ragmen t that b egins with a state in start ( A ). The set of all executions of A is denoted b y exe cs ( A ) , and the set of all inﬁn ite executions of A is denoted b y exe cs ω ( A ). A state of A is r e achable iﬀ it o ccurs in some execution of A . The trace tr ac e ( α ) of execution fr agmen t α is obtained by r emo ving all the states and inte r nal actions from α . T he set of traces of an automaton A is deﬁ ned as the set of traces β s u c h that β is the trace of some execution of A . It is den oted b y tr ac es ( A ). If ϕ is a set of executions, then tr ac es ( ϕ ) is the set of traces β suc h that β is the trace of some execution in ϕ . If a is an action, then we deﬁne tr ac e ( a ) = a if a is external, and tr ac e ( a ) = λ (the empt y sequence) if a is internal. If a 1 a 2 · · · a n is a s equ ence of actions, then tr ac e ( a 1 · · · a n ) = tr ac e ( a 1 ) tr ac e ( a 2 ) · · · tr ac e ( a n ), wh ere ju xtap osition denotes concatenation. If R is a relation o ver S 1 × S 2 (i.e., R ⊆ S 1 × S 2 ) and s 1 ∈ S 1 , then we deﬁn e R [ s 1 ] = { s 2 | ( s 1 , s 2 ) ∈ R } . W e use ↾ to denote the r estriction of a m apping to a subset of its d omain. 2.2 Sim ulation Relations W e shall study ﬁv e diﬀerent sim ulation r elations: forward simulat ion, reﬁnement mapping, bac k- w ard sim u lation, history r elation, and p rophecy r elation. Th ese r elations all preserve safet y p r op- erties. In Section 4, w e extend these simulatio n relations s o th at they preserve liv eness as well as safet y . A forw ard simulati on requir es th at (1) eac h execution of an external action a of A is matc hed b y a ﬁnite execution fragmen t of B con taining a , and all of wh ose other actions are in ternal to B , and (2) eac h execution of an in ternal action of A is matc hed b y a ﬁnite (p ossibly empty) execution fragmen t of B all of whose actions are in tern al to B (if th e f r agmen t is emp ty , then w e ha ve u ∈ f [ s ′ ], i.e., u and s ′ m us t b e related b y the simulati on). It follo ws that forward sim u lation 5 implies trace inclusion (also r eferred to as the safe pr e or der b elow), i.e., if there is a forward sim u - lation from A to B , then tr ac es ( A ) ⊆ tr ac es ( B ). Likewise, the other sim u lation r elations all imply trace inclusion (the bac kward sim u lation and prop h ecy relation must b e image-ﬁnite) for similar reasons. See Lemma 6.16 in [17] for a formal p r o of of this r esult. W e use F , R, iB , H , iP to denote forw ard sim u lation, reﬁ nemen t mappin g, image-ﬁnite bac kw ard sim ulation, h istory relation, image-ﬁnite proph ecy relation, resp ectiv ely . Th u s, when we write X ∈ { F , R, iB , H, iP } , we mean th at X is one of these relations. W e write A ≤ F B if there exists a forw ard sim ulation from A to B w.r.t. some in v arian ts, and A ≤ F B via f if f is a forward sim u lation from A to B w.r .t. s ome inv ariants. Sim ilarly for the other simulatio n relations. App endix A gives formal deﬁn itions f or all of these simulati on relations. 2.3 Execution Corresp ondence Sim u lation r elations indu ce a corresp ondence b et wee n the executions of th e concrete and the ab- stract automata. This corresp ondence is captur ed b y the notion of R -relation. If α ′ = u 0 b 1 u 1 b 2 u 2 · · · is an execution of automaton B , then deﬁne tr ac e ( α ′ , j, k ) to b e tr ac e ( b j · · · b k ) if j ≤ k , and to b e λ (the empty sequence) if j > k . Deﬁnition 2 ( R -relation and Index Mappings) L et A and B b e automata with the same ex- ternal actions and let R b e a r elation over states ( A ) × states ( B ) . F urthermor e, let α and α ′ b e exe cutions of A and B , r esp e ctively: α = s 0 a 1 s 1 a 2 s 2 · · · α ′ = u 0 b 1 u 1 b 2 u 2 · · · Say that α and α ′ ar e R -related , written ( α, α ′ ) ∈ R , if ther e exists a total, nonde cr e asing mapping m : { 0 , 1 , . . . , | α |} 7→ { 0 , 1 , . . . , | α ′ |} such that: 1. m (0) = 0 , 2. ( s i , u m ( i ) ) ∈ R for al l i , 0 ≤ i ≤ | α | , 3. tr ac e ( α ′ , m ( i − 1) + 1 , m ( i )) = tr ac e ( a i ) for al l i , 0 < i ≤ | α | , and 4. for al l j, 0 ≤ j ≤ | α ′ | , ther e exists an i , 0 ≤ i ≤ | α | , such that m ( i ) ≥ j . The mapping m is r eferr e d to as an index mapping fr om α to α ′ with r esp e ct to R . Write ( A, B ) ∈ R if for every exe cution α of A , ther e exists an exe cution α ′ of B such that ( α, α ′ ) ∈ R . Theorem 1 (Execution Corresp ondence The orem) L et A and B b e automata with the same external actions. Supp ose A ≤ X B via S , wher e X ∈ { F , R, iB , H, iP } . Then ( A, B ) ∈ S . Lemma 2 L et A and B b e automata with the same external actions and let R b e a r elation over states ( A ) × states ( B ) . If ( α, α ′ ) ∈ R , then tr ac e ( α ) = tr ac e ( α ′ ) . Theorem 1 and Lemm a 2 app ear in [17] as Th eorem 6.11 and Lemma 6.15, r esp ectiv ely . 6 2.4 Linear-time T emp oral Logic W e u se the fragment of linear-time temp oral logic consisting of the ✷ (alw a ys ) and ✸ (ev entually) op erators o v er state assertions [47, 39]. In particular, we u se the “inﬁnitary” op erators ✷✸ (in- ﬁnitely often) and ✸✷ (eve ntually alw ays). W e sp ecify state assertions as a set of states, the state in question satisfying the assertion iﬀ it b elongs to the set. F or example, if U is a set of s tates, then α | = ✷✸ U means “ α conta in s inﬁn itely m an y states from U ,” and α | = ✸✷ U means “all but a ﬁn ite n u mb er of states of α are from U .” T hese op erators can b e com bined with p rop ositional connectiv es ( ¬ , ∧ , ∨ , ⇒ ) so that, f or example, α | = ✷✸ U ′ ⇒ ✷✸ U ′′ means “if α conta in s inﬁn itely many states from U ′ , then it also con tains inﬁn itely many states from U ′′ , and α | = ✸✷ ¬ U means “all bu t a ﬁnite n u m b er of states of α are n ot from U .” App end ix B pro vid es a formal deﬁnition of the synta x and semant ics of the temp oral logic that w e use. 3 Liv e Automata W e ﬁrst formalize the notions of live execution prop erty and liv e trace p rop erty , that discussed in the introdu ction. Deﬁnition 3 (Liv e Execution Prop erty) L et A b e an automato n, and ϕ ⊆ exe cs ω ( A ) . Then, ϕ is a live execution prop ert y for A if and only if for every ﬁnite exe cution α of A , ther e exists an inﬁnite exe cution α ′ of A su ch that α < α ′ and α ′ ∈ ϕ . In other w ords, a liv e execution prop ert y is a set of inﬁn ite executions of A suc h that ev er y ﬁnite execution of A can b e extended to an inﬁn ite execution in the set. Th is requirement was prop osed in [1], wh ere it is called machine closur e . Note that we do not consider interacti on with an environmen t in this p ap er. T His is why w e use automata r ather than I/O automata, i.e., we hav e external actions without an inp ut/output distinction. T his issue is treated in detail in [18], where a liv eness pr op erty is deﬁned as a set of executions (ﬁn ite or inﬁn ite) suc h that an y ﬁnite execution can b e extended to an execution in th e set. Thus, an extension m a y b e ﬁnite, unlike our approac h . T h is is b ecause r equ iring extension to an in ﬁnite execution ma y constrain the environmen t: an execution ending in a s tate with no enabled in tern al or output action w ill then requir e the environmen t to execute an action that is an output of the environmen t and an inpu t of the automaton, so that the execution can b e extended to an inﬁnite one. W e defer treating this iss ue to another o ccasion. Deﬁnition 4 (Liv e T race Prop ert y) L et A b e an automat on, and ψ ⊆ tr ac es ( A ) . Then, ψ is a live trace prop ert y for A if and only if ther e exists a live exe cution pr op erty ϕ for A such that ψ = tr ac es ( ϕ ) . In [17, 18], the notion of liv e execution prop ert y w as the basic liv eness notion, and a liv e automaton was deﬁned to b e an automaton A together with a liv e execution pr op erty . T his use of an arbitrary s et of executions as a liveness p r op erty , sub ject only to the mac hin e closure constrain t resulted in a p ro of metho d in [17] which requires r easoning o v er entire executions. S ince w e wish to av oid this, we tak e as our basic liv en ess notion th e c ompl e mente d-p airs c ondition of Streett 7 automata, with the proviso that we extend it to an in ﬁnite state-space and an inﬁn ite num b er of complemen ted-pairs. In the next section, we s h o w that this app r oac h to sp ecifying liveness entails no loss of exp r essiv eness, pr o vided that w e can use history v ariables. Let A b e an automaton. W e say that p is a c omplemente d-p air 3 o v er A iﬀ p is an ordered pair h h h Red , Green i i i wher e Red ⊆ states ( A ), Green ⊆ states ( A ). Giv en p = h h h Red , Green i i i , we d eﬁne the selectors p. R = R ed and p. G = G reen . Let α b e an inﬁnite execution of A . Then , we wr ite α | = h h h Red , Green i i i iﬀ α | = ✷✸ R ed ⇒ ✷✸ Green , i.e., if α cont ains inﬁn itely man y states in Red , then it also con tains inﬁn itely many states in Green . W e also write α | = p in this case. Our goal is a metho d for reﬁn in g liv eness pr op erties using reasoning ov er states and ﬁn ite execution f r agmen ts only , in particular, a v oiding reasoning o ver entire (inﬁnite) executions. W e therefore formulate a liv eness condition based on s tates r ather than executions. Deﬁnition 5 (Liv e Automat on w ith C omplemen ted-pa irs L iveness Condition) A liv e au- tomaton is a p air ( A, L ) wher e: 1. A is an automat on, and 2. L is a set of p airs {h h h Red i A , Green i A i i i | i ∈ η } wher e Red i A ⊆ states ( A ) and Green i A ⊆ states ( A ) for al l i ∈ η , and η is some c ar dinal, which serves as an index set, and A , L satisfy the fol lowing c onstr aint: • for every ﬁnite exe cution α of A , ther e exists an inﬁnite exe cution α ′ of A such that α < α ′ and ( ∀ p ∈ L : α ′ | = p ) . ( A, L ) inherits all of the attributes of A , namely the states, start states, actio n signature, and tr an- sition r elation of A . T he executions (execution fragmen ts) of ( A, L ) are the executions (execution fragmen ts) of A , resp ectiv ely . W e say that L is a c omp lemente d-p airs liveness c ondition ov er A . Often we use jus t “liveness condition” instead of “complemente d -pairs liv eness cond ition.” The constrain t in Deﬁnition 5 is th e mac hine closur e requiremen t, that ev ery ﬁnite execution can b e extended to a liv e execution. Deﬁnition 6 (Liv e Execution) L et ( A, L ) b e a live automaton. An exe cution α of ( A, L ) is a liv e execution iﬀ α is inﬁnite and ∀ p ∈ L : α | = p . We deﬁne lexe cs ( A, L ) = { α | α ∈ exe cs ω ( A ) and ( ∀ p ∈ L : α | = p ) } . Our notion of liv eness condition is essentially the acc ep tance cond ition for ﬁnite-state complemen ted- pairs automata on inﬁnite str in gs [13], w ith the imp ortan t diﬀerence that we generalize it to an arbitrary (p ossib ly inﬁn ite) state space, and allo w a p ossibly inﬁn ite set of pairs. Despite the p os- sibilit y that Red i A and Green i A are inﬁnite sets of states, it is nevertheless very conv enien t to ha ve an inﬁn ite num b er of complemen ted-p airs. Using the database example of the in tro d uction, w e can express the liv eness prop er ty “ev ery qu ery submitted is ev ent u ally pr o cessed” as the in ﬁnite set of pairs {h h h x ∈ wait , x 6∈ wait i i i | x is a query } , and where wait is the set of all queries that hav e b een su bmitted bu t not yet pro cessed ( x is remo ved fr om wait when it is pro cessed). Being able 3 When it is clear from context, we just sa y “pair”. 8 to allo cate one pair for eac h query facilitates the v er y straigh tforward expr ession of this liv eness prop er ty . Our extended example in S ection 6 also uses an in ﬁ nite n u m b er of pairs in this manner. The ab o ve discussion applies to an y sys tem in whic h there are an inﬁn ite n umb er of distinguishe d op erations, e.g., eac h op eration has a unique id entiﬁer, as opp osed to, for example mutual exclusion for a ﬁxed ﬁ nite num b er of p ro cesses,, where there are an inﬁnite num b er of en tries in to the critica l section b y some pro cess P i , but these need not b e “distinguished,” since the single liv eness prop ert y ✷ ( r eq uest ( P i ) = ⇒ ✸ critical ( P i )) is s u ﬃcien t to accoun t for all of these. The key p oin t is that only a b ounded n u m b er of outstanding requests m u s t b e dealt with ( ≤ the n u m b er of pro cesses) , whereas in a system in wh ic h there are an inﬁnite n umb er of distinguished op erations, an unb ounded n u m b er of outstand in g requests m ust b e dealt w ith. W e conjecture th at the liv eness prop ert y “ev ery request is ev entually satisﬁed” cannot ev en b e stated using a ﬁnite num b er of complemen ted pairs. The safe pr eorder, live pr eorder [17] embo dy our notions of correct implemen tation w ith resp ect to safet y , liveness, resp ectiv ely . Deﬁnition 7 (Safe preorder, Liv e preorder) L et ( A, L ) , ( B , M ) b e live automata with the same external actions ( ext ( A ) = e xt ( B )) . We deﬁne: Safe pr e or der: ( A, L ) ⊑ s ( B , M ) iﬀ tr ac es ( A ) ⊆ tr ac es ( B ) Live pr e or der: ( A, L ) ⊑ ℓ ( B , M ) iﬀ tr ac es ( lexe cs ( A, L )) ⊆ tr ac es ( lexe cs ( B , M )) F rom [34, 17], w e ha ve that sim u lation relations imply the safe preorder, i.e., if A ≤ X B where X ∈ { F , R, iB , H, iP } , then ( A, L ) ⊑ s ( B , M ). Returning to the d atabase example of the introd uction, if α is some liv e execution of the implemen tation A , then, along α , ev ery contin uously enabled action is even tually executed (action fairness) and ev ery message sent is even tually receiv ed (message fairness). T h e trace β of α is then an externally visib le liv e b eha vior of A : β ∈ tr ac es ( lexe c s ( A, L )). If A is a correct implementa tion, then we exp ect that the enforcement of action fairness and m essage fairness in A then guaran tees the required liv eness prop erties of the sp eciﬁcation, namely that ev ery quer y is ev entual ly pro cessed. Th u s, the externally visible live b eha vior β of A m ust satisfy the required liveness p rop erties of the sp eciﬁcation, i.e., β ∈ tr ac es ( lexe cs ( B , M )). This is exactly what the liv e preorder requir es. Deﬁnition 8 (Seman tic Closure of a Liveness Condition) L et ( A, L ) b e a live automaton. The semantic closur e b L of L i n A is given by b L = {h h h R , G i i i | ∀ α ∈ lexe cs ( A, L ) : α | = h h h R , G i i i} . b L is the set of complemente d -pairs o v er A w hic h are “seman tically en tailed” b y the complemen ted- pairs in L , with resp ect to th e executions of A . In general, b L − L is nonempty . Ev ery pair in b L − L represent s a “deriv ed” liv en ess prop ert y , since it is not directly sp eciﬁed b y L , but nev ertheless can b e dedu ced from th e pairs in L , w hen considering only the executions of A . Deﬁnition 9 (Deriv ed Pair) L et ( A, L ) b e a live automaton, and let p ∈ b L − L . Then p is a deriv ed p air of ( A, L ) . Prop osition 3 L ⊆ b L . Pr o of. Let p b e any complemen ted-pair in L . Hence, by deﬁnition of lexe cs ( A, L ), we hav e ∀ α ∈ lexe cs ( A, L ) : α | = p . Hence p ∈ b L . ✷ 9 Prop osition 4 lexe cs ( A, b L ) = lexe cs ( A, L ) . Pr o of. lexe cs ( A, b L ) ⊆ lexe cs ( A, L ) follo ws immediately fr om Prop osition 3 and the relev an t deﬁni- tions. Sup p ose α ∈ lexe cs ( A, L ). By Deﬁnition 8, ∀ p ∈ b L : α | = p . Hence, α ∈ lexe cs ( A, b L ). Hence lexe cs ( A, L ) ⊆ lexe c s ( A, b L ). ✷ F rom Prop osition 4, it follo ws th at ( A, b L ) is a liv e automaton. 4 Reﬁning L iv eness Prop erties Across Lev els of Ab straction: Liv eness- preserving Sim ulation Relations The sim u lation relations given in Section 2.2 indu ce a r elationship b et we en the concrete automato n A and abstract automaton B whereby for eve r y execution α of A th ere exists a corresp onding, in the sense of Deﬁnition 2, execution α ′ of B . This corresp ondence b et we en executions do es n ot ho wev er take liv eness in to account. So, if w e w ere dealing with live automata ( A, L ) and ( B , M ) in- stead of automata A and B , th en it w ould b e p ossible to hav e α ∈ lexe cs ( A, L ), α ′ 6∈ lexe cs ( B , M ), and ( α, α ′ ) ∈ S w here S is a sim u lation relation from A to B . So, β ∈ tr ac es ( lexe cs ( A, L )) and β / ∈ tr ac es ( lexe cs ( B , M )), where β = tr ac e ( α ), is p ossible. Hence establishin g A ≤ X B via S , where X ∈ { F , R, iB , H, iP } do es not allo w one to conclude tr ac es ( lexe cs ( A, L )) ⊆ tr ac es ( lexe c s ( B , M )), as d esired, whereas it do es allo w one to conclude tr ac es ( A ) ⊆ tr ac es ( B ), [17, Lemma 6.16]. F or example, consider Figures 1 and 2 w hic h r esp ectiv ely giv e a sp eciﬁcation and a “ﬁrst lev el” reﬁne- men t of the sp eciﬁcatio n , for a to y database system. T he database tak es input requests of the form request ( x ), where x is a query , computes a resp on s e for x u sing a function v al (wh ic h presumably also refers to th e u nderlying database s tate, w e d o not mo del this to k eep the example simple), and outputs a resp onse ( x, v ) w h ere v = v al ( x ). Th is b eha vior is dictated by the sp eciﬁcation in Figure 1, where receiv ed queries are placed in th e set r e q ueste d , and queries resp onded to are placed in the set r esp onde d (this p rev ents multiple resp onses to the same quer y ). The ﬁ rst-lev el reﬁnement of the sp eciﬁcation (Figure 2) is identica l to the sp eciﬁcation except that it can “lose” p end ing requests: the request ( x ) nondeterministically c ho oses b et ween add in g x to r e que ste d , or doing n othing, as represente d by [ ] sk ip in Figure 2. Despite this fault, it is p ossible to establish a forw ard sim ulation F fr om DB- Imp to DB- Sp e c , as follo ws. A state s of DB- Imp and a state u of DB-Sp e c are related b y F if and only if s. r e queste d ⊆ u. r e queste d and s. r esp onde d = u. r esp onde d (where s.v ar denotes th e v alue of v ariable v ar in state s ). No w supp ose w e add th e f ollo wing live - ness condition to b oth DB-Imp and of DB-Sp e c : {h h h x ∈ r e queste d , x ∈ r esp onde d i i i | x is a query } . Th u s, an op eration x that has b een requ ested must ev en tu ally b e resp ond ed to, since x ∈ r e queste d is stable; once true, it is alwa y s true, and therefore it is true inﬁnitely often. No w let α , α ′ b e executions of DB - Imp , DB-Sp e c , resp ectiv ely , whic h are related b y F in the sense of Deﬁnition 2. Supp ose some query x 0 is lost along α , and no other query is lost. Let α b e liv e, i.e., if a query is placed int o r e queste d , and is not lost, th en it will even tually b e resp onded to. W e no w see that α ′ cannot b e liv e, sin ce x 0 ∈ r e qu este d holds along an inﬁnite suﬃ x of α ′ , but x 0 ∈ r esp onde d n ev er holds along α ′ . Hence, establishing a forw ard simulatio n fr om DB-Imp to DB- Sp e c is not suﬃcien t to establish live tr ace in clusion from DB-Imp to DB-Sp e c . This example d emons trates that th e s im ulation relations of S ection 2.2 do not imply liv e trace inclusion. The p r oblem is that these sim u lation r elations do not reference the live n ess cond itions of the concrete and abstract automata. T o remedy th is, we augment the simulat ion relations so that ev ery pair q in the abs tr act live n ess condition M is r elated to a pair p in the concrete liv eness condition L . The idea is that the simulatio n relation r elates o ccurrences of states in q . R , q . G in 10 Automaton DB-Sp e c Signature External: request ( x ), where x is a q u ery response ( x, v ), where x is a query and v is a v alue State r e queste d , a s et of receiv ed queries, initially empt y r esp onde d , a set of computed resp onses to queries, initially empt y Actions External request ( x ) Pre: true Eﬀ: r e queste d ← r e queste d ∪ { x } External resp onse ( x, v ) Pre: x ∈ r e queste d − r esp onde d ∧ v = v al ( x ) Eﬀ: r esp onde d ← r esp onde d ∪ { x } Figure 1: Sp eciﬁcation of a simple database system transitions of the abstr act automaton ( B , M ) with o ccurr ences of states in p. R , p. G in transitions of the concrete au tomaton ( A, L ). Th e relationship is d eﬁned so that the augmen ted simulat ion implies that, in “corresp onding” executions α of ( A, L ), α ′ of ( B , M ), if α satisﬁes p , then α ′ m us t satisfy q . In m ore detail, an o ccurrence of a q . R state in an abstract (live ) execution α ′ m us t b e matc hed b y at least one p. R state in the corresp ondin g concrete (liv e) execution α , and an o ccurrence of a p. G state in α must b e matc hed by at least one q . G state in α ′ . Thus, if α ′ | = ✷✸ q . R , then α | = ✷✸ p. R , and if α | = ✷✸ p . G , then α ′ | = ✷✸ q . G . Assuming α is liv e, we get α | = ✷✸ p. R ⇒ ✷✸ p. G . This and the p revious t wo imp lications yields α ′ | = ✷✸ q . R ⇒ ✷✸ q . G . Hence α ′ is live. Hence we can show that if an abstract execution α ′ and concrete execution α corresp ond (acco r ding to the sim u lation), and α is liv e, then α ′ is also live . The matc h ing th u s allo ws us to s ho w that eve r y live execution of ( A, L ) has a “corresp on d ing” liv e execution in ( B , M ). Liv e trace inclusion follo ws immediately . Since the seman tic closure b L of L sp eciﬁes the same set of liv e executions (Prop osition 4), as L do es, w e can relax the requiremen t p ∈ L to p ∈ b L . Since b L is in general a sup ers et of L , this can b e v ery helpful in reﬁning the abstract liveness cond ition. In particular, it enables us to split the reﬁnement task into tw o subtasks: reﬁnemen t across abstr action lev els (which w e add ress in this section) and reﬁ nemen t with in an abstraction lev el (which we address in the next section). Let ( A, L ) b e a liv e automaton, α b e a ﬁnite execution fragmen t of A , and p ∈ L . W e abuse notation and write α ∈ p. R iﬀ there exists a state s along α such that s ∈ p. R . α ∈ p. G i s deﬁned similarly . The ab ov e considerations lead to the follo wing deﬁnitions of liv eness-preservin g sim ulation r elations. Deﬁnition 10 (Liveness - preserving F orw a rd Simulation w .r.t. In v arian ts) L et ( A, L ) and ( B , M ) b e live automata with the same external actions. L et I A , I B b e invariants of A , B r esp e c- tively. L et f = ( g , h ) wher e g ⊆ states ( A ) × states ( B ) and h : M 7→ b L is a total mapping over M 4 . 4 That is, h ( q ) is deﬁned for all q ∈ M . 11 Automaton DB-Imp Signature External: request ( x ), where x is a q u ery response ( x, v ), where x is a query and v is a v alue State r e queste d , a s et of receiv ed queries, initially empt y r esp onde d , a set of computed resp onses to queries, initially empt y Actions External request ( x ) Pre: true Eﬀ: ( r e queste d ← r e queste d ∪ { x } ) [] sk ip External resp onse ( x, v ) Pre: x ∈ r e queste d − r esp onde d ∧ v = v al ( x ) Eﬀ: r esp onde d ← r esp onde d ∪ { x } Figure 2: First lev el r eﬁnement of the sp eciﬁcation of a simple d atabase sy s tem Then f is a live n ess-preserving forward simula tion fr om ( A, L ) to ( B , M ) with r esp e ct to I A and I B iﬀ: 1. If s ∈ start ( A ) , then g [ s ] ∩ start ( B ) 6 = ∅ . 2. If s a − → A s ′ , s ∈ I A , and u ∈ g [ s ] ∩ I B , then ther e exists a ﬁnite exe cution f r agment α of B such that fstate ( α ) = u , lstate ( α ) ∈ g [ s ′ ] , and tr ac e ( α ) = tr ac e ( a ) . F urthermor e, for al l q ∈ M , (a) if α ∈ q . R then s ∈ p. R or s ′ ∈ p. R , and (b) if s ∈ p. G or s ′ ∈ p. G then α ∈ q . G , wher e p = h ( q ) . 3. Cal l a tr ansition s a − → A s ′ alw a ys-silent iﬀ s ∈ I A and for every ﬁnite exe cution fr agment α of B such that fstate ( α ) ∈ g [ s ] ∩ I B , lstate ( α ) ∈ g [ s ′ ] , and tr ac e ( α ) = tr ac e ( a ) , we have | α | = 0 , i.e., α c onsists of a single state. In other wor ds, the tr ansition s a − → A s ′ is matche d only by the empty tr ansition in B . Then, g is such that every live exe cution of ( A, L ) c ontains an inﬁnite numb er of tr ansitions that ar e not always-silent. Clause 1 is the usual cond ition of a forw ard sim ulation requirin g th at ev ery start state of ( A, L ) b e related to at least one start state of ( B , M ). Clause 2 is the condition of a f orw ard simulatio n which requires that eve r y transition s a − → A s ′ of ( A, L ) b e “simulate d ” b y an execution fragmen t α of ( B , M ) wh ich has the same trace. W e also require that ev ery complemente d -pair q ∈ M is matc hed to a complemente d -pair p ∈ b L by the mapping h and that su c h corr esp onding pairs imp ose a constrain t on the transition s a − → A s ′ of ( A, L ) and the sim ulating execution fragmen t α of ( B , M ), as follo ws. If α cont ains some q . R s tate, then at least one of s, s ′ is a p. R state, and if at least one of s, s ′ is a p. G state, then α con tains 12 some q . G state. T his r equiremen t th us enforces the matc h ing discussed at the b eginn in g of this section, from wh ic h live trace inclusion follo ws. Clause 3 is needed to ensure that a liv e execution of ( A, L ) has at least one corresp onding inﬁnite execution in ( B , M ). This execution can then b e sho wn , using clause 2, to b e liv e (see Lemma 8 b elo w). If s a − → A s ′ is alw a ys-silent, then a m u st b e an int ern al action. Th u s, in p ractice, clause 3 holds, since executions with an (in ﬁ nite) suﬃ x consisting solely of inte r nal actions are not usually considered to b e liv e. Clause 3 can itself b e expressed as a complemen ted-pair (whic h is added to L ). Call an action a of A non-always-silent iﬀ no tr an s ition arising from its execution is alw a ys-silent. Thus, ev ery transition arising fr om the execution of a can b e matc hed with resp ect to g b y some nonempty execution fragmen t of B . It is also p ossible that the transition can b e matc hed b y the empty f r agmen t, but what is imp ortant is that it is alwa ys p ossible to cho ose a nonemp t y fragmen t to matc h with. Th is means that w e can alw a y s matc h a liv e execution α of ( A, L ) with some inﬁnite execution of ( B , M ), by alwa ys matc h ing the non-alw ays-silen t transitions in α with nonempt y execution fragment s of ( B , M ). By deﬁnition, an y external actio n of A is n on-alw a ys -silen t. An inte r nal action of A ma y or m a y not b e n on-alw a ys-silent. W e in tro duce an auxiliary b o olean v ariable nonalways si lent that is set to true eac h time a non-alw ays-sil ent action of A is executed, and is set to false inﬁnitely often b y a n ew in ternal action of A wh ose p recondition is true and wh ose eﬀect is nonalwayssilent := false (eve r y execution of this n ew action can b e simulated by the empt y transition in B , since nonalwayssilent has no eﬀect on an y other state comp onen t of A , nor on the execution of other actions in A ). Then the pair h h h true , nonalwa yssilent i i i expresses that a non-alw ays-silen t actio n of A is executed inﬁnitely often, which implies that eac h live execution of ( A, L ) con tains an inﬁn ite num b er of non -alwa ys- silen t transitions. The p air h h h true , nonalwayssilent i i i can th en b e reﬁn ed at the next lo wer lev el of abstraction in exactly the same wa y as all the other pairs in L . See Section 6 for an example of this tec hnique. It is clear from th e deﬁnitions that if ( g , h ) is a liveness-preserving forwa r d sim u lation from ( A, L ) to ( B , M ) w .r.t. inv arian ts, th en g is a forwa r d simulati on fr om A to B w.r.t. the same in v arian ts. W e write ( A, L ) ≤ ℓF ( B , M ) if there exists a liveness-preserving forward simulatio n from ( A, L ) to ( B , M ) w.r.t. in v arian ts, and ( A, L ) ≤ ℓF ( B , M ) via f if f is a liv eness-preservin g forw ard sim ulation fr om ( A, L ) to ( B , M ) w.r.t. inv arian ts. Deﬁnition 11 (Liveness - preserving Reﬁnemen t Mapping w .r.t. In v arian ts) L e t ( A, L ) and ( B , M ) b e live automat a with the same external actions. L et I A , I B b e invariants of A , B , r esp e c- tively. L et r = ( g , h ) wher e g : states ( A ) 7→ states ( B ) and h : M 7→ b L is a total mapping over M . Then r is a live n ess-preserving reﬁ nemen t mappin g fr om ( A, L ) to ( B , M ) with r esp e ct to I A and I B iﬀ: 1. If s ∈ start ( A ) , then g ( s ) ∈ start ( B ) . 2. If s a − → A s ′ , s ∈ I A , and g ( s ) ∈ I B , then ther e exists a ﬁnite e xe cution fr agment α of B such that fstate ( α ) = g ( s ) , lstate ( α ) = g ( s ′ ) , and tr ac e ( α ) = tr ac e ( a ) . F urthermor e, f or al l q ∈ M , (a) if α ∈ q . R then s ∈ p. R or s ′ ∈ p. R , and (b) if s ∈ p. G or s ′ ∈ p. G then α ∈ q . G , wher e p = h ( q ) . 13 3. Cal l a tr ansition s a − → A s ′ alw a ys-silent iﬀ s ∈ I A and for every ﬁnite exe cution fr agment α of B suc h that fstate ( α ) = g ( s ) , lstate ( α ) = g ( s ′ ) , and tr ac e ( α ) = tr ac e ( a ) , we have | α | = 0 , i.e., α c onsists of a single state. In other wor ds, the tr ansition s a − → A s ′ is matche d only by the empty tr ansition in B . Then, g is such that every live exe cution of ( A, L ) c ontains an inﬁnite numb er of tr ansitions that ar e not always-silent. W e write A ≤ ℓR B if there exists a liv eness-preservin g reﬁnement mapping f r om A to B w .r.t. in v arian ts, and A ≤ ℓR B via r if r is a live n ess-preserving reﬁn emen t mapping fr om A to B w.r.t. in v arian ts. It is clear from the deﬁnitions that a liv en ess-p reserving reﬁnement mapping is a sp ecial case of a liv eness-p r eserving forw ard simulat ion. F urther m ore, if ( g , h ) is a liv eness-pr eserving reﬁnement mapping from ( A, L ) to ( B , M ) w .r.t. some inv ariants, then g is a reﬁn emen t mapping from A to B w.r.t. the same in v ariant s . Deﬁnition 12 (Liveness - preserving Bac kw ard Sim ulat ion w .r.t. In v arian ts) L e t ( A, L ) and ( B , M ) b e live automata with the same external actions. L et I A , I B b e invariants of A , B r esp e c- tively. L et b = ( g , h ) wher e g ⊆ states ( A ) × states ( B ) and h : M 7→ b L is a total mapping over M . Then b is a liveness-preserving bac kward sim u lation fr om ( A, L ) to ( B , M ) with r esp e ct to I A and I B iﬀ: 1. If s ∈ I A , then g [ s ] ∩ I B 6 = ∅ . 2. If s ∈ start ( A ) , then g [ s ] ∩ I B ⊆ start ( B ) . 3. If s a − → A s ′ , s ∈ I A , and u ′ ∈ g [ s ′ ] ∩ I B , then ther e exi sts a ﬁnite exe cution fr agment α of B such that fstate ( α ) ∈ g [ s ] ∩ I B , lstate ( α ) = u ′ , and tr ac e ( α ) = tr ac e ( a ) . F urthermor e, for al l q ∈ M , (a) if α ∈ q . R then s ∈ p. R or s ′ ∈ p. R , and (b) if s ∈ p. G or s ′ ∈ p. G then α ∈ q . G , wher e p = h ( q ) . 4. Cal l a tr ansition s a − → A s ′ sometimes-silen t iﬀ s ∈ I A and f or some ﬁnite exe cution fr agment α of B such that fstate ( α ) ∈ g [ s ] ∩ I B , lstate ( α ) ∈ g [ s ′ ] , and tr ac e ( α ) = tr ac e ( a ) , we have | α | = 0 , i.e., α c onsists of a single state. In other wor ds, the tr ansition s a − → A s ′ c an b e matche d by the empty tr ansition in B . Then, g i s such that every live exe cution of ( A, L ) c ontains an inﬁnite numb er of tr ansitions that ar e not sometimes-silent. Clauses 1 and 2 are the u sual conditions of a b ac kw ard simulat ion requir ing that a state in the in v arian t I A of ( A, L ) is related to at least one state in the inv ariant I B of ( B , M ), and that eve r y start state of ( A, L ) is related only to start states of ( B , M ), ignoring states n ot in the inv ariant I B . These clauses are needed due to the “bac kwards” nature of the bisimulatio n , since, from a state u ′ in the inv arian t I B it is p ossible, when “going b ackw ards” along a transition to reac h a state u not in the inv arian t, i.e., u a − → B u ′ , u / ∈ I B , and u ′ ∈ I B is p ossible. Also, a start state in ( A, L ) m us t always b e matc h ed by a start state in ( B , M ), since the matc hing state in ( B , M ) cannot b e c hosen initially: it is constrained b y the succeeding transitions, i.e., it is “c hosen” last of all, and so the result must b e an initial state of B regardless of the c hoice. Clause 3 is the condition of a bac kward simulatio n which requires that every transition s a − → A s ′ of ( A, L ) b e “sim ulated” b y an execution fragment α of ( B , M ), except that w e also r equire that 14 ev ery complemen ted-pair q ∈ M is matc h ed to a complemen ted-pair p ∈ b L b y the map p ing h and that s uc h corresp ondin g pairs imp ose a constr aint on the transition s a − → A s ′ of ( A, L ) and th e sim ulating execution fragmen t α of ( B , M ), as follo ws. I f α con tains some q . R state, th en at least one of s , s ′ is a p. R state, and if at least one of s, s ′ is a p. G state, then α con tains some q . G state. This r equirement th us enforces the matc hing discussed at th e b eginning of this section, fr om which liv e trace inclusion follo ws. Clause 4 is needed to ensur e that a liv e execution of ( A, L ) h as at least one corresp ondin g inﬁnite execution in ( B , M ). This execution can then b e shown, using clause 3, to b e live (see Lemm a 8 b elo w). If s a − → A s ′ is sometimes-silen t, then a m u st b e an internal action. Thus, in p r actice, clause 4 holds, since executions with an (in ﬁ nite) suﬃ x consisting solely of inte r nal actions are not usually considered to b e liv e. Clause 4 can itself b e expressed as a complemen ted-pair (whic h is added to L ), wh ic h can then b e r eﬁ ned at the next lo we r lev el of abstraction. C all an action a of A non-sometimes-silent iﬀ n o tr ansition arising from its execution is sometimes-silen t. Thus, ev ery transition arising fr om the execution of a m ust always b e m atched w ith resp ect to g b y some nonempt y execution fragment of B . W e can n o w express the requirement that a n on-sometimes-silen t action of A is executed in- ﬁnitely often, as a complemente d -pair, and reﬁne this pair at the next lo w er lev el of abstraction. The details are similar to those discussed ab ov e for Clause 3 of Deﬁn ition 10, and are omitted. Note the diﬀerence with forw ard simulat ion; there, w e only h ad to ensure that it was inﬁ n itely of- ten p ossible to cho ose a nonempty execution fragment to matc h with. With bac kward s im ulations, w e ha v e to sh o w that in ﬁnitely often, al l the m atc hing execution fragmen ts are nonempty . It is clear fr om the deﬁnitions that if ( g , h ) is a live n ess-preserving bac k ward sim ulation from ( A, L ) to ( B , M ) w .r .t. some inv arian ts, then g is a bac kward sim ulation from A to B w.r.t. the same inv arian ts. W e wr ite A ≤ ℓB B if there exists a liv eness-preservin g bac kward simulat ion from A to B w.r.t. some inv arian ts, and A ≤ ℓB B via b if b is a liv eness-preservin g bac kward s im ulation from A to B w.r.t. some inv arian ts. If the bac k ward simulat ion g is image-ﬁnite, then w e write A ≤ iℓB B , A ≤ iℓB B via b , resp ectiv ely . Deﬁnition 13 (Liveness - preserving History Relation w.r.t. In v arian ts) L e t ( A, L ) and ( B , M ) b e live automat a with the same external a ctions. L et I A , I B b e invariants of A , B , r e sp e ctively. A history relation fr om A to B with r esp e ct to I A and I B is a r elation hs over states ( A ) × states ( B ) that satisﬁes: 1. hs is a liveness- pr eserving forwar d simulation fr om A to B w.r.t. I A and I B , and 2. hs − 1 is a r eﬁnement fr om B to A w.r.t. I B and I A . W e w r ite A ≤ ℓH B if there exists a liveness-preserving history relation from A to B w.r.t. s ome in v arian ts, and A ≤ ℓH B via h if h is a liv eness-pr eservin g history relation from A to B w .r.t. some in v arian ts. Deﬁnition 14 (Liveness - preserving Prophecy Relation w.r.t. Inv ariants) L et ( A, L ) and ( B , M ) b e live automata with the same external actions. L et I A , I B b e invariants of A , B , r e- sp e ctively. A p rophecy relation fr om A to B with r esp e ct to I A and I B is a r elation p over states ( A ) × states ( B ) that satisﬁes: 1. p i s a liveness-pr ese rvi ng b ackwar d simulation fr om A to B w.r.t. I A and I B , and 15 2. p − 1 is a r eﬁnement fr om B to A w.r.t. I B and I A . W e write A ≤ ℓP B if there exists a live n ess-preserving prophecy relation from A to B w.r.t. some in v arian ts, and A ≤ ℓP B via p if p is a liv en ess-p reserving prop h ecy relation from A to B w.r.t. s ome in v arian ts. If the liveness-preserving proph ecy relation is image-ﬁnite, then w e write A ≤ iℓP B , A ≤ iℓP B via p , resp ectiv ely . W e use ℓF , ℓR , iℓB , ℓH , iℓP to den ote liv eness-preservin g forward s imulation, liveness-preserving reﬁnement mappin g, image-ﬁnite liv en ess-p reserving bac kwa r d sim u lation, liv eness-preserving his- tory relation, im age-ﬁnite liveness-preserving p rophecy relation, resp ectiv ely . Thus, when w e write X ∈ { ℓF , ℓR, iℓB , ℓH , iℓP } , w e mean that X is one of these relations. Liv eness-pr eservin g simulatio n r elations induce a corresp ond ence b etw een the live executions of the concrete and the abs tr act automata. This corresp ond ence is captured by the notion of R ℓ - relation. W e remind the reader of the deﬁnition tr ac e ( α ′ , j, k ) = tr ac e ( b j · · · b k ) if j ≤ k , and = λ (the empt y sequence) if j > k . Deﬁnition 15 ( R ℓ -relation and Liv e Index Mappings) L et ( A, L ) and ( B , M ) b e live automata with the same external actions. L et R ℓ = ( R, H ) wher e R is a r elation over states ( A ) × states ( B ) and H : M 7→ b L is a total mapping over M . F urthermor e, let α and α ′ b e exe cutions of ( A, L ) and ( B , M ) , r e sp e ctively: α = s 0 a 1 s 1 a 2 s 2 · · · α ′ = u 0 b 1 u 1 b 2 u 2 · · · Say that α and α ′ ar e R ℓ -related , written ( α, α ′ ) ∈ R ℓ , if ther e exists a total, nonde cr e asing mapping m : { 0 , 1 , . . . , | α |} 7→ { 0 , 1 , . . . , | α ′ |} such that: 1. m (0) = 0 , 2. ( s i , u m ( i ) ) ∈ R for al l i , 0 ≤ i ≤ | α | , 3. tr ac e ( α ′ , m ( i − 1) + 1 , m ( i )) = tr ac e ( a i ) for al l i , 0 < i ≤ | α | , 4. for al l j, 0 ≤ j ≤ | α ′ | , ther e exists an i , 0 ≤ i ≤ | α | , such that m ( i ) ≥ j , and 5. for al l c omplem e nte d-p airs q ∈ M and al l i , 0 < i ≤ | α | : (a) if ( ∃ j ∈ m ( i − 1) . . . m ( i ) : u j ∈ q . R ) then s i − 1 ∈ p. R or s i ∈ p. R , and (b) if s i − 1 ∈ p. G or s i ∈ p. G then ( ∃ j ∈ m ( i − 1) . . . m ( i ) : u j ∈ q . G ) , wher e p = H ( q ) . The mapping m is r eferr e d to as a liv e index mapp ing fr om α to α ′ with r esp e ct to R ℓ . W rite (( A, L ) , ( B , M )) ∈ R ℓ if for e very live exe cution α of ( A, L ) , ther e exists a live exe cution α ′ of ( B , M ) such that ( α, α ′ ) ∈ R ℓ . Note that ( α, α ′ ) ∈ R ℓ do es n ot require α, α ′ to b e liv e executions. By Deﬁnitions 2 and 15, it is clear that, if R ℓ = ( R, H ), then ( α, α ′ ) ∈ R ℓ implies ( α, α ′ ) ∈ R . Th e follo wing lemma establishes a corresp onden ce b etw een the preﬁxes of a live execution of th e concrete automaton and an inﬁnite family of ﬁnite executions of the abstract automaton. 16 Lemma 5 L et ( A, L ) and ( B , M ) b e live automata with the same external actions, and su ch that ( A, L ) ≤ ℓF ( B , M ) via f for some f = ( g , h ) . L et α b e an arbitr ary live exe cution of ( A, L ) . Then ther e exists a c ol le ction ( α ′ i , m i ) 0 ≤ i of ﬁnite exe cutions of ( B , M ) and mappings such that: 1. m i is a live index mapping fr om α | i to α ′ i with r esp e ct to f , for al l i ≥ 0 , and 2. α ′ i − 1 ≤ α ′ i and m i − 1 = m i ↾ { 0 , . . . , i − 1 } for al l i > 0 , and 3. α ′ i − 1 < α ′ i for inﬁnitely many i > 0 . Pr o of. Let α = s 0 a 1 s 1 a 2 s 2 . . . and let I A , I B b e in v arian ts of A , B , r esp ectiv ely , su ch that f is a liveness-preserving f orw ard simulatio n from ( A, L ) to ( B , M ) with resp ect to I A and I B . W e construct α ′ i and m i b y induction on i . Since s 0 ∈ start ( A ), w e ha ve ( s 0 , v 0 ) ∈ g and v 0 ∈ start ( B ) for some state v 0 , by Deﬁnition 10, clause 1. Let α ′ 0 = v 0 and let m 0 b e the m apping that maps 0 to 0. T hen, m 0 is a live in dex mapping f rom α | 0 to α ′ 0 with resp ect to f (in p articular, clause 5 of Deﬁnition 15 holds v acuously , since | α | 0 | = 0). No w inductive ly assume that m i − 1 (for i > 0) is a liv e index mapping from α | i − 1 to α ′ i − 1 with resp ect to f . Let u 0 = lstate ( α ′ i − 1 ). Then, b y clause 4 of Deﬁn ition 15 and the fact that m i − 1 is nondecreasing, we hav e m i − 1 ( i − 1) = | α ′ i − 1 | and ( s i − 1 , u 0 ) ∈ g . S in ce s i − 1 , s i , and u 0 are reac hable, by deﬁnition, they satisfy their resp ectiv e inv arian ts. Hence, by Deﬁnition 10, clause 2, there exists a ﬁnite execution fragmen t u 0 b 1 − → B u 1 b 2 − → B · · · b n − → B u n of B such that u n ∈ g [ s i ], tr ac e ( b 1 · · · b n ) = tr ac e ( a i ), and for all complemented-pairs q ∈ M : 1. if ( ∃ j ∈ 1 . . . n : u j ∈ q . R ) th en s i − 1 ∈ p. R or s i ∈ p. R , and 2. if s i − 1 ∈ p. G or s i ∈ p. G then ( ∃ j ∈ 1 . . . n : u j ∈ q . G ), where p = h ( q ). Now deﬁne α ′ i = α ′ i − 1 ⌢ ( u 0 b 1 − → B u 1 b 2 − → B · · · b n − → B u n ), and d eﬁne m i to b e the mapping s u c h th at m i ( j ) = m i − 1 ( j ) for all j , 0 ≤ j ≤ i − 1, and m i ( i ) = | α ′ i | . W e argue that m i is a liv e index mappin g from α | i to α ′ i with r esp ect to f , i.e., that all clauses of Deﬁnition 15 hold. Clause 1 holds sin ce m i (0) = m i − 1 (0) by d eﬁnition, and m i − 1 (0) = 0 b y the indu ctiv e h yp othesis. Clause 2 h olds by the ind uctiv e h yp othesis and u n ∈ g [ s i ]. Clause 3 h olds by the ind u ctiv e h yp oth- esis and tr ac e ( b 1 · · · b n ) = tr ac e ( a i ). C lause 4 holds since m i ( | α | i | ) = m i ( i ) = | α ′ i | , by deﬁnition. Finally , clause 5 holds b y the indu ctiv e hyp othesis and th e conditions for all complemen ted-pairs q ∈ M jus t established ab ov e w.r.t. s i − 1 a i − → A s i and u 0 b 1 − → B u 1 b 2 − → B · · · b n − → B u n . Having estab- lished that m i is a live index map p ing from α | i to α ′ i with resp ect to f , w e conclud e that clause 1 of the lemma holds . Clause 2 of the lemma holds b y construction of α ′ i and m i , since α ′ i and m i are obtained by extending α ′ i − 1 and m i − 1 , resp ectiv ely . By Deﬁn ition 10, clause 3, f or inﬁ nitely many i > 0, we can select th e execution fragmen t u 0 b 1 − → B u 1 b 2 − → B · · · b n − → B u n that m atc hes s i − 1 a i − → A s i so that n > 0. Hence, f or inﬁ nitely man y i > 0, we ha ve α ′ i − 1 < α ′ i . Thus, clause 3 of the lemma holds. ✷ Deﬁnition 16 (Induced Digraph) L et ( A, L ) and ( B , M ) b e live automata with the same ex- ternal actions and assume A ≤ iℓB B via b = ( g , h ) with r esp e c t to invariants I A and I B . F or any exe cution α = s 0 a 1 s 1 a 2 s 2 . . . of A , let the digraph in d uced by α , b , I B , L , and M b e the dir e cte d gr aph G gi v en as fol lows: 17 1. The no des of G ar e the or der e d p airs ( u, i ) such that 0 ≤ i ≤ | α | , and u ∈ g [ s i ] ∩ I B , and 2. ther e is an e dge fr om ( u, i ) to ( u ′ , i ′ ) iﬀ i ′ = i + 1 and ther e exists a ﬁnite exe cution fr ag- ment α ′ of B such that fstate ( α ′ ) = u , lstate ( α ′ ) = u ′ , tr ac e ( α ′ ) = tr ac e ( a i +1 ) , and for al l c omplem e nte d-p airs q ∈ M : (a) if α ′ ∈ q . R then s i ∈ p. R or s i +1 ∈ p . R , and (b) if s i ∈ p . G or s i +1 ∈ p. G then α ′ ∈ q . G , wher e p = h ( q ) . Lemma 6 L et ( A, L ) and ( B , M ) b e live automata with the same external actions and assume A ≤ iℓB B via b with r esp e c t to invariants I A and I B . L et α b e any exe cution of A . Then the digr aph G induc e d by α , b , I B , L , and M satisﬁes: 1. F or e ach i , 0 ≤ i ≤ | α | , ther e is at le ast one no de in G of the form ( u, i ) . 2. The r o ots of G ar e exactly the no des of the form ( u, 0) . 3. G has a ﬁnite numb er of r o ots. 4. Each no de in G has ﬁnite outde gr e e. 5. Each no de of G is r e acha b le fr om some r o ot of G . Pr o of. Let b = ( g , h ). Then g is an image-ﬁnite b ac kwa r d simulati on from A to B . W e deal with eac h clause in turn. 1. Eac h state s i of α is r eac hable, and so b elongs to I A . Hence g [ s i ] ∩ I B 6 = ∅ b y Clause 1 of Deﬁnition 12. Hence b y Deﬁn ition 16, clause 1, there exist no d es of G of the form ( u, i ). 2. Eve r y no d e ( u, 0) is a r o ot of G (i.e., it h as no in coming ed ges). W e no w sho w that any no de ( u, i ) with i > 0 cannot b e a ro ot. No w u ∈ g [ s i ] ∩ I B b y Deﬁnition 16, clause 1. Also, s i − 1 ∈ I A and s i − 1 a i − → A s i b y assum p tion, h en ce by Deﬁnition 12, clause 3, there exists a ﬁnite execution f ragmen t α ′ of B su c h that fstate ( α ′ ) ∈ g [ s i − 1 ] ∩ I B , lstate ( α ′ ) = u , tr ac e ( α ′ ) = tr ac e ( a i ), and, for all q ∈ M , (a) if α ′ ∈ q . R then s i − 1 ∈ p. R or s i ∈ p. R , and (b) if s i − 1 ∈ p. G or s i ∈ p. G then α ′ ∈ q . G , where p = h ( q ). Hence, by Deﬁnition 16, clause 2, there exists an edge in G fr om ( fstate ( α ′ ) , i − 1) to ( u, i ). 3. Since g is image-ﬁnite, th e set g [ s 0 ] ∩ I B is ﬁ nite. By Deﬁnition 16, clause 1, all no des of G of the form ( u, 0) must satisfy u ∈ g [ s 0 ] ∩ I B . Hence, there are a ﬁn ite num b er of suc h no des. By clause 2 of the lemma (whic h has already b een established), these no d es are exactly the ro ots of G . Hence, the num b er of ro ots is ﬁnite. 4. Let ( u, i ) b e an arbitrary no d e of G . By Deﬁnition 16, clause 2, f rom an y no de of the form ( u, i ), all outgoing edges are to no des of the form ( u ′ , i + 1). Sin ce g is image-ﬁnite, the set g [ s i +1 ] ∩ I B is ﬁnite. By Deﬁn ition 16, clause 1, all n o des of G of the form ( u, i + 1) m u st satisfy u ∈ g [ s i +1 ] ∩ I B . Hence, there are a ﬁnite n umb er of suc h no d es. Hence, the outdegree of any no de of G of the form ( u, i ) is ﬁ nite. Since ( u, i ) was c hosen arbitrarily , the r esult follo ws. 18 5. W e establish this by indu ction on the second comp onent i of the no des ( u, i ) of G . F or the base case, i = 0 and no d es ( u, 0) are reac h able by d eﬁnition since they are ro ots. Assume the induction hyp othesis that all no d es of the form ( u, i ) are reac hable fr om some r o ot of G , and consider an arb itrary no de of the form ( u, i + 1). No w u ∈ g [ s i +1 ] ∩ I B b y Deﬁn ition 16, clause 1. Also, s i ∈ I A and s i a i +1 − → A s i +1 b y assu mption, hence by Deﬁnition 12, clause 3, there exists a ﬁ nite execution fragment α ′ of B suc h that fstate ( α ′ ) ∈ g [ s i ] ∩ I B , lstate ( α ′ ) = u , tr ac e ( α ′ ) = tr ac e ( a i +1 ), and , for all q ∈ M , (a) if α ′ ∈ q . R then s i ∈ p. R or s i +1 ∈ p. R , and (b) if s i ∈ p. G or s i +1 ∈ p. G then α ′ ∈ q . G , where p = h ( q ). Hence, by Deﬁnition 16, clause 2, there exists an edge in G from ( fstate ( α ′ ) , i ) to ( u, i + 1). By the ind uction h yp othesis, ( fstate ( α ′ ) , i ) is reac hable. Hence, so is ( u, i + 1). Since all the clauses are established, Lemma 6 holds. ✷ Lemma 7 L et ( A, L ) and ( B , M ) b e live automata with the same external actions, and su ch that ( A, L ) ≤ iℓB ( B , M ) via b for some b = ( g, h ) . L et α b e an arbitr ary liv e exe cution of ( A, L ) . Then ther e exists a c ol le ction ( α ′ i , m i ) 0 ≤ i of ﬁnite exe cutions of ( B , M ) and mappings such that: 1. m i is a live index mapping fr om α | i to α ′ i with r esp e ct to b , for al l i ≥ 0 , and 2. α ′ i − 1 ≤ α ′ i and m i − 1 = m i ↾ { 0 , . . . , i − 1 } for al l i > 0 , and 3. α ′ i − 1 < α ′ i for inﬁnitely many i > 0 . Pr o of. Let α = s 0 a 1 s 1 a 2 s 2 . . . and let I A , I B b e in v arian ts of A , B , resp ectiv ely , such that b is a image-ﬁnite liv eness-p reserving b ac kwa r d simulation from ( A, L ) to ( B , M ) with resp ect to I A and I B . Let G b e the d igraph indu ced b y α , b , I B , L and M . Sin ce α is in ﬁnite (all liv e executions are inﬁnite, by Deﬁnition 5), G is inﬁnite. Hence, by clauses 3 and 4 of L emm a 6, and Konig’s lemma, G con tains an in ﬁnite path. Fix p = ( u 0 , 0)( u 1 , 1) , . . . to b e any suc h path. By Deﬁnition 16, clause 1, u i ∈ g [ s i ] ∩ I B for all i ≥ 0. W e no w constru ct α ′ i and m i b y indu ction on i , with α ′ i suc h that lstate ( α ′ i ) = u i . No w s 0 ∈ start ( A ) since α is an execution of A . Also, by Deﬁnition 16, u 0 ∈ g [ s 0 ] ∩ I B . Hence, b y clause 2 of Deﬁnition 12, u 0 ∈ start ( B ). Let α ′ 0 = u 0 and let m 0 b e the mappin g that maps 0 to 0. T hen, m 0 is a live index mapping fr om α | 0 to α ′ 0 with resp ect to b (in particular, clause 5 of Deﬁnition 15 holds v acuously , since | α | 0 | = 0), and lstate ( α ′ 0 ) = u 0 . No w inductive ly assume that m i − 1 (for i > 0) is a liv e index mapping from α | i − 1 to α ′ i − 1 with resp ect to b , and that lstate ( α ′ i − 1 ) = u i − 1 . By construction of path p , there is an edge in G from ( u i − 1 , i − 1) to ( u i , i ). Hence, by Deﬁnition 16, there exists a ﬁnite execution fragmen t α ′′ suc h that fstate ( α ′′ ) = u i − 1 , lstate ( α ′′ ) = u i , tr ac e ( α ′′ ) = tr ac e ( a i ), and, for all complemented-pairs q ∈ M : 1. if α ′′ ∈ q . R then s i − 1 ∈ p. R or s i ∈ p. R , and 2. if s i − 1 ∈ p. G or s i ∈ p. G then α ′′ ∈ q . G , where p = h ( q ). No w d eﬁne α ′ i = α ′ i − 1 ⌢ α ′′ , and d eﬁne m i to b e th e mapp in g suc h that m i ( j ) = m i − 1 ( j ) for all j , 0 ≤ j ≤ i − 1, and m i ( i ) = | α ′ i | . W e argue that m i is a liv e index mappin g f rom 19 α | i to α ′ i with resp ect to b , i.e., that all clauses of Deﬁn ition 15 hold, and that lstate ( α ′ i ) = u i . Clause 1 holds sin ce m i (0) = m i − 1 (0) by d eﬁnition, and m i − 1 (0) = 0 b y the indu ctiv e h yp othesis. Clause 2 holds b y th e ind u ctiv e hypothesis, lstate ( α ′′ ) = u i , and u i ∈ g [ s i ] (which w e established ab o ve). Clause 3 holds by the indu ctiv e hypothesis and tr ac e ( α ′′ ) = tr ac e ( a i ). C lause 4 holds since m i ( | α | i | ) = m i ( i ) = | α ′ i | , by deﬁnition. Finally , clause 5 h olds by the inductive hyp othesis and the conditions for all complemente d -pairs q ∈ M established ab o ve w.r.t. s i − 1 a i − → A s i and α ′′ . Ha vin g established that m i is a liv e index mapp ing from α | i to α ′ i with resp ect to f , we conclud e that clause 1 of the lemma h olds . Also, lstate ( α ′ i ) = lstate ( α ′′ ) = u i , as required for th e in duction step to b e v alid. Clause 2 of the lemma holds b y construction of α ′ i and m i , since α ′ i and m i are obtained by extending α ′ i − 1 and m i − 1 , resp ectiv ely . By Deﬁnition 12, clause 4, for inﬁ n itely many i > 0, th e execution fragmen t α ′′ whic h matc hes s i − 1 a i − → A s i m us t h a ve length | α ′′ | ≥ 1. Hence, for inﬁ nitely man y i > 0, we h a ve α ′ i − 1 < α ′ i . Thus, clause 3 of the lemma holds. ✷ Our next lemma sho ws that, if inﬁnite concrete and abstract executions corresp ond in the sense of ( α, α ′ ) ∈ R ℓ , and the concrete execution is live, th en so is the abstract execution. Lemma 8 L et ( A, L ) and ( B , M ) b e live automata with the same external actions. L et R ℓ = ( R, H ) wher e R is a r elation over states ( A ) × states ( B ) and H : M 7→ b L is a total mapping over M . L e t α, α ′ b e arbitr ary inﬁnite exe cutions of ( A, L ) , ( B , M ) r esp e ctively. If ( α, α ′ ) ∈ R ℓ , then α ∈ lexe cs ( A, L ) implies α ′ ∈ lexe cs ( B , M ) . Pr o of. W e assum e the ant ecedents of the lemma and establish α ′ 6∈ lexe cs ( B , M ) implies α 6∈ lexe cs ( A, L ). Let: α = s 0 a 1 s 1 a 2 s 2 · · · α ′ = u 0 b 1 u 1 b 2 u 2 · · · Since ( α, α ′ ) ∈ R ℓ , there exists a liv e index mapp in g m : { 0 , 1 , . . . , | α |} 7→ { 0 , 1 , . . . , | α ′ |} satisfying the conditions in Deﬁnition 15. Su pp ose α ′ 6∈ lexe cs ( B , M ). Then, b y Deﬁnition 6, there exists a complemen ted-pair q ∈ M su c h th at α ′ | = ✷✸ q . R ∧ ✸✷ ¬ q . G . Let p = H ( q ). W e pro ve: α | = ✷✸ p. R ∧ ✸✷ ¬ p. G . (*) Since α ′ | = ✷✸ q . R , there exist an inﬁ nite n u m b er of pairs of states ( u m ( i − 1) , u m ( i ) ) along α ′ that con tain a q . R -state b et wee n them (inclusiv e, i.e., the q . R -state could b e u m ( i − 1) or u m ( i ) ). By clauses 2 and 3 of Deﬁnition 15, for eac h su c h p air there corresp onds a pair of s tates ( s i − 1 , s i ) along α such th at ( s i − 1 , u m ( i − 1) ) ∈ R and ( s i , u m ( i ) ) ∈ R . Also, b y clause 5a of Deﬁnition 15, s i − 1 ∈ p. R or s i ∈ p. R . Since th is holds for an inﬁnite num b er of v alues of the ind ex i , we conclude α | = ✷✸ p. R . (a) Since α ′ | = ✸✷ ¬ q . G , there exists a state u g along α ′ suc h that ∀ ℓ ≥ g : u ℓ 6∈ q . G . Now assume that α | = ✷✸ p. G . Since m is n ondecreasing and coﬁnal in { 0 , 1 , . . . , | α ′ |} (clause 4, Deﬁnition 15), there exists an s i − 1 along α suc h that s i − 1 ∈ p . G a n d m ( i − 1) ≥ g . By clauses 2 and 3 of Deﬁnition 15, ( s i − 1 , u m ( i − 1) ) ∈ R and ( s i , u m ( i ) ) ∈ R . Also, by clause 5b of Deﬁnition 15, at least one of u m ( i − 1) , u m ( i − 1)+1 , . . . , u m ( i ) is a q . G state. Sin ce m ( i − 1) ≥ g , this con tradicts ∀ ℓ ≥ g : u ℓ 6∈ q . G ab o ve. Hence the assu mption α | = ✷✸ p. G must b e false, and so: α | = ✸✷ ¬ p. G . (b) F rom (a) and (b), we conclude (*). F rom (*), w e h a v e α 6| = p . No w p ∈ b L , since H : M 7→ b L . Hence, α 6∈ lexe cs ( A, b L ) by Deﬁn ition 6. Hence, by Prop osition 4, α 6∈ lexe cs ( A, L ). ✷ W e can now establish a corresp on d ence theorem for liv e executions. Our theorem states that, if 20 a liveness-preserving simula tion relation S ℓ is established from a concrete automaton to an abstract automaton, then for ev ery liv e execution α of the concrete automaton, there exists a corresp ondin g (in the sense of ( α, α ′ ) ∈ S ℓ ) liv e execution α ′ of the abstract automato n . Our pro of uses Lemmas 5 and 7 to establish th e existence of an inﬁnite family of ﬁnite executions corresp ond ing to preﬁx es of α . W e then construct α ′ from this inﬁ nite family using the “diagonalizatio n ” tec hn iqu e of [17]. Finally , w e in vo ke Lemma 8 to sho w th at α ′ is liv e, giv en that α is live. Theorem 9 (Liv e Execution C orresp ondence Theorem) L et ( A, L ) and ( B , M ) b e liv e au- tomata with the same external actions. Supp ose ( A, L ) ≤ X ( B , M ) via S ℓ , wher e X ∈ { ℓF, ℓR , iℓB , ℓH , iℓP } . Then (( A, L ) , ( B , M )) ∈ S ℓ . Pr o of. W e pro ceed by cases on X . Case 1: X = ℓF . So S ℓ is a liv eness-pr eserving forward simulation f = ( g , h ), and ( A, L ) ≤ ℓF ( B , M ) via f . Let α = s 0 a 1 s 1 a 2 s 2 . . . b e an arbitrary live execution of ( A, L ), and let ( α ′ i , m i ) 0 ≤ i b e a collectio n of ﬁ nite executions of ( B , M ) and mapp ings as giv en by Lemma 5. By deﬁ nition of (( A, L ) , ( B , M )) ∈ f , w e must sh o w that there exists a liv e execution α ′ of ( B , M ) su c h that ( α, α ′ ) ∈ f . By Deﬁnition 6, α is in ﬁnite. Let m b e the unique mapping o ve r the natural n u m b ers deﬁn ed b y m ( i ) = m i ( i ), for all i ≥ 0. Let α ′ b e the limit of α ′ i under th e p reﬁx ordering, that is, α ′ is the unique execution of ( B , M ) deﬁned by α ′ | m ( i ) = α ′ i for all i ≥ 0, with the restriction that for any index j of α ′ , there exists an i s uc h th at α ′ | j ≤ α ′ i . By L emm a 5, clause 3, α ′ is inﬁn ite. W e n o w sho w that m is a live index mapping fr om α to α ′ with resp ect to f . The p ro of that m is nondecreasing and total and satisﬁes clauses 1–4 of Deﬁnition 15 pro ceeds in exactly the same wa y that the p ro of of the corresp onding assertions do es in the pro of of th e E x ecution C orresp ond ence Theorem in [17]. W e rep eat the details for s ake of completeness. Supp ose m is not nondecreasing. Then there exists an i suc h th at m ( i ) < m ( i − 1). Ho w ever, m ( i ) = m i ( i ) and m ( i − 1) = m i − 1 ( i − 1) = m i ( i − 1), so this con trad icts the fact that m i is an index mapp ing and is therefore n on d ecreasing. Lik ewise, we can see that the range of m is within { 0 , . . . , | α ′ |} . Clause 1 of Deﬁn ition 15 h olds sin ce m 0 is an index mapping and therefore satisﬁes m 0 (0) = 0. Hence m (0) = m 0 (0) = 0. Assu m e clauses 2 or 3 do not h old. Then, there m us t exist an i for whic h one of th e clauses is in v alidated. How ev er, this con tr adicts the fact that, for all i , m i is an index mapp ing from α | i to α ′ i with resp ect to f . No w assu me that clause 4 do es not hold. Hence, there is an index j in α ′ suc h that m ( i ) < j for all i . By deﬁnition of α ′ , there exists an i suc h that α ′ | j ≤ α ′ i . Thus | α ′ i | ≥ j . Now Lemma 5 giv es us m i ( i ) = | α ′ i | . Hence m ( i ) ≥ j , since m ( i ) = m i ( i ). This con trad icts m ( i ) < j . No w assume that m violates clause 5 of Deﬁnition 15. Then, there exists a pair q ∈ M and an i > 0 for which clause 5 is in v alidated. How ev er, this cont r adicts the fact that, for all i > 0, m i is a liv e index m apping from α | i to α ′ i with r esp ect to f (Lemma 5, clause 1). Hence m satisﬁes clause 5 of Deﬁn ition 15. Since m satisﬁes all clauses of Deﬁnition 15, m is a live index mapping from α to α ′ with r esp ect to f , and so ( α, α ′ ) ∈ f . Since α ∈ lexe cs ( A, L ), ( α, α ′ ) ∈ f , an d α, α ′ are b oth in ﬁnite, we can apply Lemma 8 to conclude α ′ ∈ lexe cs ( B , M ), i.e., α ′ is a live execution of ( B , M ), wh ich establishes the theorem in this case. Case 2: X = ℓR . So S ℓ is a liv eness-pr eserving reﬁ nemen t mappin g r = ( g , h ) and ( A, L ) ≤ ℓR ( B , M ) via r . Since a liv eness-p reserving reﬁnement mapping is a liv eness-pr eserving forward 21 sim ulation, the result follo w s from Case 1. Case 3: X = iℓB . So S ℓ is an im age-ﬁnite liv eness-preserving bac kward simulati on b = ( g , h ), and ( A, L ) ≤ iℓB ( B , M ) via b . The argum en t is iden tical to that of Case 1, except that we in vok e Lemma 7 instead of Lemma 5. Case 4: X = ℓH . So S ℓ is a liveness-preserving history relation hs and ( A, L ) ≤ ℓH ( B , M ) via hs . F r om Deﬁnition 13, hs is a liv eness-preservin g forward simulat ion from A to B . Hence, the argumen t of C ase 1 applies. Case 5: X = iℓP . So S ℓ is an image-ﬁnite liv eness-pr eserving prop h ecy relation p = ( g , h ), and ( A, L ) ≤ iℓP ( B , M ) via p . F rom Deﬁnition 14, p is an image-ﬁnite liv eness-preserving bac kward sim ulation f rom A to B . Hence, th e argu m en t of C ase 3 applies. Since all cases of X ha ve b een dealt with, the th eorem is established. ✷ W e n o w establish our main resu lt: liv eness-p reserving sim u lation relations im p ly th e live pre- order. Theorem 10 ( Liv eness) L et ( A, L ) and ( B , M ) b e live automata with the same external actions. Supp ose ( A, L ) ≤ X ( B , M ) , wher e X ∈ { ℓF , ℓR, iℓB , ℓH , iℓP } . Then ( A, L ) ⊑ ℓ ( B , M ) . Pr o of. F rom ( A, L ) ≤ X ( B , M ), we ha ve ( A, L ) ≤ X ( B , M ) via S ℓ for some S ℓ = ( g , h ). W e establish tr ac es ( lexe cs ( A, L )) ⊆ tr ac es ( lexe c s ( B , M )), wh ic h, by Deﬁnition 7, pro ves the theorem. Let β b e an arbitrary trace in tr ac es ( lexe cs ( A, L )). By deﬁnition, β = tr ac e ( α ) for some liv e execution α ∈ lexe cs ( A, L ). By the L iv e Execution Corr esp ond ence Theorem (9), there exists a liv e execution α ′ ∈ lexe cs ( B , M ) su c h that ( α, α ′ ) ∈ S ℓ . Since ( α, α ′ ) ∈ S ℓ , w e h a ve ( α, α ′ ) ∈ g b y Deﬁnitions 2 and 15. Hence, by Lemma 2, tr ac e ( α ) = tr ac e ( α ′ ). Hence β = tr ac e ( α ′ ), and so β ∈ tr ac es ( lexe c s ( B , M )), since α ′ ∈ lexe cs ( B , M ). Sin ce β was chosen arbitrarily , we conclude tr ac es ( lexe cs ( A, L )) ⊆ tr ac es ( lexe cs ( B , M )), as d esired. ✷ 5 Reﬁning Liv eness Prop erties Within the S ame Lev el of A bstrac- tion The previous section sho wed ho w to reﬁne an abstract liv eness condition M to a concrete liveness condition L : ev ery pair q ∈ M is mapp ed int o some pair p in the semantic closure b L of L , and then a liv eness-preserving sim u lation relation that relates the R and G sets of p, q appropr iately is devised. W e assum e th at the liv eness p r op erties L , M are directly sp eciﬁed, and so the pairs in M and in L are easy to iden tify . 5 Ho w ever, pairs in b L − L are not directly sp eciﬁed, but only giv en implicitly by A , L , and Deﬁnition 8. Thus, the question arises, given a pair q ∈ M that is m ap p ed to some pair p , h ow do w e establish p ∈ b L ? W e do so as follo ws. Giv en suc h a p air p , we reﬁn e it into a ﬁnite “latti ce” of p airs that are already kn o wn to b e in b L . Let P b e a ﬁnite s u bset of b L , an d let ≺ b e an irreﬂexive partial order o ver P 6 . If r ∈ P , deﬁne suc c ( r ) = { w ∈ P | r ≺ w ∧ ∀ w ′ : r  w ′ ≺ w ⇒ r = w ′ } , wh ere r  w df = = r ≺ w or r = w . Th u s, suc c ( r ) is the set of all “immediate successors” of r in ( P , ≺ ). W e now im p ose t wo 5 F or ex ample, if we we re attempting to mec hanize our met h od , we would assume that M , L are recursive sets. 6 F ollow ing conven tion, w e shall refer to this ordered set simply as P when no confusion arises. 22 tec hnical conditions on P : (1) f or ev ery pair r , the G set of r m u st b e a su bset of th e un ion of the R sets of all the immediate successors of r , i.e., r . G ⊆ S w ∈ suc c ( r ) w. R , and (2) P has a single ≺ -minim u m element b ottom ( P ), and a single ≺ -maxim um elemen t top ( P ), and b ottom ( P ) . R = p. R and top ( P ) . G = p. G . No w let α b e an arbitrary liv e execution of ( A, L ). T hen, α | = ✷✸ r . R ⇒ ✷✸ r . G and α | = ✷✸ w . R ⇒ ✷✸ w . G , for all w ∈ suc c ( r ). S in ce suc c ( r ) is ﬁnite and r . G ⊆ S w ∈ suc c ( r ) w. R , it follo ws that, if r . G h olds inﬁn itely often in α , then w. R holds inﬁn itely often in α , for some w ∈ suc c ( r ). Hence, by “c hainin g” the ab ov e implications, w e get α | = ✷✸ r . R ⇒ ✷✸ S w ∈ suc c ( r ) w. G . Thus, h h h r . R , S w ∈ suc c ( r ) w. G i i i ∈ b L by Deﬁnition 8. Thus, the ≺ ordering pro vides a w ay of rela tin g the complemen ted-pairs of P so that the complemen ted-pairs p r op erty (inﬁnitely often R im- plies inﬁnitely often G ) ca n b e generalized to enco m pass a p air a n d its immediate successor pairs. By starting w ith the ≺ -minimum pair b ottom ( P ), and applying the ab o ve argument induc- tiv ely (using ≺ as the underlying ordering), we can establish the complemented-pairs prop er ty for h h h b otto m ( P ) . R , top ( P ) . G i i i , i.e., α | = ✷✸ b ottom ( P ) . R ⇒ ✷✸ top ( P ) . G , and so h h h b ottom ( P ) . R , top ( P ) . G i i i ∈ b L . Since w e require b ottom ( P ) . R = p. R an d top ( P ) . G = p . G , we obtain the desired result that p ∈ b L . Deﬁnition 17 (Complemented-pairs Lattice) L et ( A, L ) b e a live automaton. Then ( P , ≺ ) is a complemented-pairs lattice o ver b L iﬀ 7 1. P is a ﬁnite subset of b L , 2. ≺ is an irr eﬂexive p artial or der over P , 3. P c ontains an element top ( P ) which satisﬁes ∀ r ∈ P : r  top ( P ) , and an element b ottom ( P ) which satisﬁes ∀ r ∈ P : b ottom ( P )  r , and 4. ∀ r ∈ P − { top ( P ) } : r. G ⊆ S w ∈ suc c ( r ) w. R . The elemen ts top ( P ) and b ottom ( P ) are necessarily unique, since ≺ is a partial order. L et lattic es ( b L ) denote the set of all complemented-pairs lattices o ver b L . Lemma 11 L et ( A, L ) b e a live automa ton, ( P , ≺ ) ∈ lattic es ( b L ) , ⊥ = b ottom ( P ) , and ⊤ = top ( P ) . Then h h h⊥ . R , ⊤ . G i i i ∈ b L . Pr o of. Let α b e an arb itrary liv e execution of ( A, L ). W e sho w α | = ✷✸ ⊥ . R ⇒ ✷✸ ⊤ . G . By Deﬁnition 8, this establishes the lemma. W e assume α | = ✷✸ ⊥ . R and establish α | = ✷✸ ⊤ . G . First, w e establish: If r ∈ P , r 6 = ⊤ , and α | = ✷✸ r. R , then α | = ✷✸ w . R for some w ∈ suc c ( r ). (*) Pro of of (*): Assume the an teceden t of (*). Since α is liv e and r ∈ b L , we ha ve α | = ✷✸ r . R ⇒ ✷✸ r . G by Deﬁnition 8. Hence α | = ✷✸ r. G . By Deﬁnition 17, r. G ⊆ S w ∈ suc c ( r ) w. R . Hence α | = ✷✸ S w ∈ suc c ( r ) w. R . S ince P is ﬁ nite, su c c ( r ) is ﬁ n ite. It follo ws that α | = ✷✸ w . R for some w ∈ suc c ( r ). (End of pro of of (*).) W e no w constru ct a sequence r 1 , r 2 , . . . , r i , . . . of p airs in P su c h that ∀ i ≥ 1 : α | = ✷✸ r i . R . W e let r 1 = ⊥ , noting that α | = ✷✸ ⊥ . R by assumption. W e derive r i +1 b y applying (*) to r i . It follo ws 7 Note that we use the term “lattice” in an informal sense, since our complemented-pairs lattices do not satisfy the mathematical deﬁ nition of a lattice. 23 b y ind u ction on the length of the d eriv ed sequence that α | = ✷✸ r i +1 . R ( r 1 = ⊥ sup plies the b ase case). No w s u pp ose ⊤ is not in r 1 , r 2 , . . . Then (*) can b e app lied in deﬁnitely . Since r i +1 ∈ suc c ( r i ), it follo w s that r j ≺ r i +1 for all j ∈ 1 ..i . Hence r j 6 = r i +1 for all j ∈ 1 ..i . Th u s r 1 , r 2 , . . . is an inﬁnite sequence of pairwise diﬀeren t complemen ted-pairs in P . But this is imp ossib le, since P is ﬁnite. Hence the assumption that ⊤ is not in r 1 , r 2 , . . . is f alse. It follo w s that r 1 , r 2 , . . . is a ﬁ n ite sequence of pairwise diﬀerent complement ed -pairs, with ⊤ as its last mem b er. Hence α | = ✷✸ ⊤ . R . Since α is liv e and ⊤ ∈ b L , α | = ✷✸ ⊤ . R ⇒ ✷✸ ⊤ . G . Hence α | = ✷✸ ⊤ . G , as desired. ✷ W e remark that when constructing a lattice to reﬁne a complemen ted-p air, we can use require- men t 4 of Deﬁnition 17 ( r . G ⊆ S w ∈ suc c ( r ) w. R ) as a constrain t that s uggests ho w to order the complemen ted-pairs of the lattice. Also, while Lemma 11 present s one metho d of establishing the mem b ership of complemen ted-pairs in b L , our o verall metho dology is not restricted to this particular metho d. Any app ropriate deductive tec h nique that su ﬃ ces can b e used, f or example that of [40], whic h is b ased on linear temp oral logic. Th is pro vid es a w ay of usin g deductiv e metho ds gener- ally , and those based on temp oral logic in particular, within a framewo r k whic h accommo dates the reﬁnement of liv en ess prop erties across m ultiple lev els of abstr action. 6 Example—The Ev en tually Serializable Data Service The ev entually-se r ializable data service (ESDS) of [14, 26] is a replicated, d istributed data ser v ice that trades oﬀ immediate consistency for im p ro ved eﬃciency . A shared data ob ject is replicated, and the r esp onse to an op eration at a p articular replica may b e out of date, i.e., not reﬂecting the eﬀects of other op erations that h a ve n ot y et b een receiv ed b y that replica. Thus, op erations ma y b e reordered after the resp onse is issued. Replicas communicate amongst eac h other the op erations they r eceiv e, so that even tually ev ery op eration “stabilizes,” i.e., its ordering is ﬁxed with resp ect to all other op erations. Client s may requ ire an op eration to b e strict , i.e., s table at the time of resp onse, and s o it cannot b e reordered after the resp onse is issued. Clients m a y also s p ecify , in an op eration x , a set x. pr ev of other op erations that should pr ecede x (clien t-sp eciﬁed constraint s, CSC ). W e let O b e the (counta b le) set of all op erations on the d ata ob ject, and V b e the set of all p ossib le results of op erations in O . R is th e set of all replicas, and client ( x ) is the clien t issuing op eration x . W e u se x, y to index o ver op erations, c to index o ver clien ts, and r, r ′ , i to index o ve r replicas. Eac h op eration x has a u nique ident iﬁ er x. id . I is the set of identiﬁers of op erations in O . In Ap p endix C , we giv e the I/O automata cod e (in “precondition-eﬀect” st yle) fr om [14]. I/O automata [33] add an in put/output distinction to the external actions, i.e, all external actions of an automaton are either inpu t actions (which m u s t fu rthermore b e enabled in all states), or output actions. Th is is n eeded to d eﬁne a parallel comp osition op erator k with go o d comp osi- tional prop er ties. Figure 7 give s the environmen t of the ESDS system: a s et of users, or client s , whic h outpu t requests request ( x ) to p erform op erations x , and in put resp onses resp onse ( x, v ) to the requests, with r etur ned v alue v . Figure 8 presents the sp eciﬁcation ESD S- I . As a high-leve l sp eciﬁcation, E SDS-I is a single automaton, and therefore it d o es not address issu es of concurrency and distrib u tion. The only concern is to sp ecify the set of correct tr aces, w hic h are by deﬁnition the traces of ESD S- I . ESD S-I inpu ts requests request ( x ), and outputs resp onses resp onse ( x, v ) to the requests, with return ed v alue v . Once request ( x ) h as b een receiv ed, it is “en tered” in to the current partial order p o , via in tern al action enter ( x, new-p o ), w h ic h up dates the v alue of p o to that giv en b y new-p o . This new v alue m ust in clude all op erations in x. pr ev , and all op erations that ha ve s tabilized, as preceding x . Note that sp an ( R ) = { x | xRy ∨ y R x } , where R is a binary rela- 24 tion. At any time, it is p ermissible to imp ose n ew ordering constrain ts, whic h is done by in ternal action add constraints ( new-p o ). The stabi lize ( x ) inte r nal action c h ec ks that x is totally ordered with resp ect to all other op erations ( ∀ y ∈ ops , y  p o x ∨ x  p o y ), and that all op erations that precede x ha ve already stabilized ( ops | ≺ p o x ⊆ stabilize d ). In th is case, x itself can b e stabilized. The calcula te ( x, v ) in ternal action computes a return v alue v for the op er ation x . If x is strict, then calculate ( x, v ) c hecks (in its p recondition) that x has stabilized. The valset ( x, ops , ≺ p o ) fun ction returns the set of all v alues for x wh ic h are consisten t with the set ops of all op erations that h a ve b een en tered, and th e partial ord er ≺ p o deﬁned by p o . T h e actual v alue r etur ned is then c h osen nondeterministically fr om this set. As an intermediate step, we reﬁn e ESDS-I to a second lev el sp eciﬁcation ESDS-II . This reﬁne- men t consists only of changing some of th e tr an s itions. The state s pace and the signature r emain the same. Figure 9 presents these c han ges, as c h anges to the “pr econdition-eﬀect ” deﬁn itions of some of the actions in the action list. The main diﬀerence with ESDS-I is that the precondition to stabilize an op eration x is relaxed: now, all op erations that precede x are not required to b e s table themselv es, but are only required to b e totally ordered with resp ect to all other ent ered op erations ( ≺ p o totally ord ers ops | ≺ p o x ). T his inte r mediate v ersion E SDS-II is useful, as it is easier to con- struct a simulation from the implementat ion to ESDS-II , and another simulatio n from ESD S-II to ESDS-I , than it is to construct a simulat ion from th e imp lemen tation directly to ESDS- I . The implemen tation consists of fron t-ends, replicas, and c hann els. E ac h clien t c has a fr on t-end F r ontend ( c ), see Figure 10, wh ich inpu ts requests request ( x ), and rela ys them on to one or more of the r eplicas R eplic a ( r ), via output action send cr ( h “request” , x i ). F r ontend ( c ) receiv es resp onses from th e replicas via inpu t action receive r c ( h “resp onse” , x, v i ), and rela ys the resp onse onto the clien t via output action resp onse ( x, v ). While the frontend can receiv e sev eral replies for x from v arious replicas, it only r ela ys one of these on to the clien t. A replica r (Figure 11) r eceiv es requests to p erform op eration x via inp ut action receive cr ( h “request” , x i ). It qu eues receiv ed op er ations in to a set p ending r of p end ing op erations. A p endin g op eration x can b e “p erformed ” by the inte r nal action do it r ( x, l ) if all op erations in x. pr ev hav e b een p erform ed . In this case, x is assigned a “la- b el” l larger than the lab els of all op erations k n o wn to b e d on e at replica r . This lab el d etermines the v alues that can b e returned for x , us in g the valset function. Once x has b een pro cessed by do it r ( x, l ), a v alue v for x can b e retur n ed by the output action send r c ( h “resp onse” , x, v i ). v is non- deterministically c hosen f r om among the set r etur ned b y valset ( x, done r [ r ] , ≺ lc r ), wh ic h computes all v alues for x that are consisten t w ith the set done r [ r ] of op erations done at r eplica r , and the partial order ≺ lc r on op erations that is determined b y the lab els assigned to eac h op eration. In ad- dition, r eplicas “gossip” amongst eac h other, b y means of the actions send r r ′ ( h “gossip” , R, D , L , S i ) and receive r ′ r ( h “gossip” , R, D , L , S i ). The purp ose of gossiping is to br ing eac h other up to d ate on the op erations that they h a ve executed. All communicat ion b et ween the front- en ds and the replicas is by means of reliable async h ronous channels. Figure 12 sho w s a c h annel f rom pro cess i to pro cess j with messages dra w n from some set M . W e w ill use ESDS-Alg to refer to the parallel comp osition of all replica s , fron t-ends , and c hannels, w ith all send and receive actions hidd en 8 . Since th e users must b e tak en into accoun t, the ﬁ rst-lev el sp eciﬁcation, second-lev el sp eciﬁcatio n , and implemen tation are the I/O automata ESDS-I k Users , E SDS-II k Users , and E SDS-Alg k Users , resp ectiv ely . W e refer the reader to [14] for a complete d escription of the ESDS s ystem. 8 I/O automata comp osed in parallel synchronize on actions with t he same name, and otherwise execute indep en- dently . An action is hidd en by remo ving it from the set of output actions and add ing it to the set of internal actions. W e refer the reader to [14, section 3] for formal deﬁnitions of parallel comp osition and hiding. 25 G is a relation b et ween states in ESDS-II k Users and ESDS-I k Use rs , suc h that ( s, u ) ∈ G if and only if s ∈ states ( ESDS-II k U sers ), u ∈ states ( ESDS-I k Users ), and: • u. wait = s. wait • u. r ept = s. r ept • u. ops = s . ops • u. p o = s. p o • u. stabilize d ⊇ s . stabilize d Figure 3: F orw ard Simulatio n from ESDS- II k Users to E SDS-I k Users The liv eness condition u sed in (the conference v ersion of ) [14] is that every r equest should ev ent u ally r eceiv e a resp onse, an d every op eration should stabilize. W e express this as the follo wing complemen ted-pairs liv eness condition M-I for th e s p eciﬁcation ESDS-I k Users : 9 • {h h h x ∈ wait , x 6∈ wait i i i | x ∈ O } , i.e., eve r y request even tually r eceiv es a resp onse. • {h h h x ∈ wait , x ∈ stabilize d i i i | x ∈ O } , i.e., ev ery op eration ev entually stabilizes. Because th e num b er of s ubmitted op erations x in general gro ws without b ound w ith time, a coun t- ably inﬁ nite num b er of pairs is needed to express this liveness condition in th e natur al manner illustrated ab ov e. Note that w e use predicates to denote s ets of states. 6.1 Reﬁnemen t from ESDS-I k Users to ESDS-II k Users The top-lev el sp eciﬁcatio n ESD S- I k Users and second-lev el sp eciﬁcatio n ESDS- II k Users hav e the same state-space, th ey only diﬀer in some actions, as sh o wn in Figure 9. Hence, w e let the liv eness condition M-II of ESDS-II k Users consist of the same complemen ted-p airs as those in M- I , and w e map eac h p air of M-I into the same pair of M-II . In [14], it is shown that the relation G giv en in Figure 3 is a forward s imulation relation from ESD S-II k Users to ESDS-I k Users . W e sho w that G is also a liv eness-preserving forward sim ulation. F or the pair h h h x ∈ wait , x 6∈ wait i i i it is clear that G satisﬁes clause 2 of Deﬁnition 10, since G only r elates states that agree on the v alue of wait . F or the pair h h h x ∈ wait , x ∈ stabilize d i i i , we see f rom Figure 3 that if s ∈ states ( ESDS-II k Users ) and u ∈ states ( ESDS-I k Users ) are r elated by G , and s satisﬁes x ∈ stabilize d , th en u also satisﬁes x ∈ stabilize d , sin ce s. stabilize d ⊆ u. stabilize d . Since s and u agree on th e v alue of wait , w e conclude that G satisﬁes clause 2 of Deﬁnition 10, for this pair to o. By insp ection, we ve r ify that, in ev er y liv e execution of ESDS- II , th ere is an inﬁ nite num b er of executions of non- stabiliz e actions. No w according to the deﬁnition of G in Figure 3, every action in ESDS-II is s im ulated by the same action in ESDS-I , except for the stabili ze action; a single stabi lize ( x ) action in ESDS- II can b e simulated b y a p ossibly empt y sequence of sta bilize 9 Throughout this section, our notation is consistent with [14]. 26 actions in ESD S-I . Hence, any transition generated b y executing any action other than stabil ize is not alw a ys -silent, b y clause 3 of Deﬁnition 10. Sin ce ev ery liv e execution of ESDS-II con tains an inﬁnite num b er of these transitions, clause 3 of Deﬁn ition 10 is satisﬁed. Since eac h pair of M-I is mapp ed into a pair of M -II itself, r ather th an the seman tic closure [ M-II of M -II , w e are done (i.e., there is no need to constru ct complemen ted-pairs lattices for th ese pairs). Since Deﬁnition 10 is n o w satisﬁed, w e ha ve established ( ESDS-II k Users , M- II ) ≤ ℓF ( ESDS-I k Users , M-I ). Hence, applyin g T heorem 10, w e conclude ( ESDS- II k U sers , M -II ) ⊑ ℓ ( ESDS-I k Users , M-I ). 6.2 Reﬁnemen t from ESDS-II k Users to ESDS-A lg k Us ers Let L b e the liv en ess condition of ESDS-Alg k U sers . Sin ce ESDS- Alg k Users is an implementa tion, w e tak e L to b e the follo wing: ev ery action that is con tinuously enabled from some p oin t onw ards is ev entually executed (fair scheduling), an d ev ery message that is sent is ev entuall y receiv ed (fair p olling of channels). T hese are reasonable liv eness p rop erties to exp ect of an implementa tion. W e map the pair h h h x ∈ wait , x 6∈ wait i i i of M -II in to the p air h h h x ∈ wait c , x 6∈ wait c i i i , w here c = client ( x ) is the client th at r equ ests op eration x . W e map the p air h h h x ∈ wait , x ∈ stabilize d i i i of M-II int o the pair h h h x ∈ wait c , x ∈ T i stable i [ i ] i i i . The pro of obligations are then to exhibit a liv en ess-p reserving forward simulatio n for this c hoice of pair-mapping, and to sh o w that th e pairs h h h x ∈ wait c , x 6∈ wait c i i i and h h h x ∈ wait c , x ∈ T i stable i [ i ] i i i are mem b ers of b L , since they are n ot mem b ers of L . 6.2.1 Establishing a Liv eness-preserving F orw a rd Sim ulation In [14], it is sh o wn that the relation F giv en in Figure 4 is a forwa r d sim ulation relation from ESDS-Alg k Users to ESDS-II k Users . W e establish that F is also a live n ess-preserving f orw ard sim ulation. W e ﬁrst By Deﬁnition 23, F already satisﬁes clause 1 of Deﬁnition 10. W e argue that F also satisﬁes clauses 2 and 3. Let SpR e q = h h h x ∈ wait , x 6∈ wait i i i , ImpR e q = h h h x ∈ wait c , x 6∈ wait c i i i , SpStab = h h h x ∈ wait , x ∈ stabilize d i i i , ImpStab = h h h x ∈ wait c , x ∈ T i stable i [ i ] i i i . Let B = ESDS-II k Users , and A = ESDS-Alg k Users . Let s , u r ange o ver the states of E SD S-Alg k Users , ESDS- II k Users resp ectiv ely . W e use the notation s.v to denote the v alue of state v ariable v in state s , and lik ewise for u.v . Establishing clause 2 of Deﬁnit ion 10 for the pairs SpR e q = h h h x ∈ wait , x 6∈ wait i i i ∈ M-I and ImpR e q = h h h x ∈ wait c , x 6∈ wait c i i i . F relates states s and u only if u.wait = S c s.w ait c . Hence x ∈ u. wait iﬀ x ∈ s . wait c , where c = c lient ( x ). Thus u is a SpR e q . R state iﬀ s is a ImpR e q . R state, and u is a SpR e q . G state iﬀ s is a ImpR e q . G state. Let s a − → A s ′ and consider all p ossibilities for a . If a is one of send (along an y c hannel), receive (from an y channel), or do it r (for an y r eplica r ), then a do es n ot c hange wait c (for an y clien t c ), and the actions of ESDS- II k Use rs that sim u late a do n ot c h ange wait . Hence if u 0 b 1 − → B u 1 b 2 − → B u 2 b 3 − → B · · · b n − → B u n is th e sim ulating execution fragmen t of ESDS-II k Users , cor- resp ond ing to s a − → A s ′ for the aforementio n ed cases of a , then we immediately conclude that (1) all 27 F is a relation b etw een s tates in ESDS-Alg k Users and ESDS-II k Users , i.e., F ⊆ states ( ESDS-Alg k U sers ) × states ( ESDS-II k U sers ), suc h that ( s, u ) ∈ F if and on ly if : • u. r e queste d = s. r e q ueste d • u. r esp onde d = s. r esp onde d • u. wait = S c s. wait c • u. r ept = S c s. r ept c ∪ s. p otential r e pt c • u. ops = s . ops = S r s. done r [ r ] • u. p o ⊆ s. p o • u. stabilize d = T r s. stable r [ r ] where s. p otential r e pt c = { ( x, v ) | h “resp onse” , x , v i ∈ S r s. channel r c ∧ s. wait c } is th e set of re- sp onses en route to F r ontend ( c ), and u. p o is the partial order indu ced by the v arious op eration constrain ts in th e implementa tion. See [14] for details. Figure 4: F orw ard simulat ion from ESDS-Alg k U se rs to ESDS-II k U sers u i , i ∈ 0 . . . n ha ve the same v alue of wait , and (2) s and s ′ ha ve the same v alue of S c wait c . T ogether with u 0 . wait = S c s. wait c , th is allo ws u s to conclud e ( ∃ i ∈ 0 . . . n : u i ∈ SpR e q . R ) iﬀ s ∈ ImpR e q . R or s ′ ∈ ImpR e q . R , and s ∈ ImpR e q . G or s ′ ∈ ImpR e q . G iﬀ ( ∃ i ∈ 0 . . . n : u i ∈ SpR e q . G ). Th u s clause 2 of Deﬁnition 10 is satisﬁed in th is case. If a is request ( x ), this is simulated b y the same action in ESDS-II k U se rs . request ( x ) adds x to wait c in ESD S- Alg k Users , and add s x to wait in ESDS- II k Users . Hence, usin g similar r easoning as ab o ve , w e easily v erify that clause 2 of Deﬁnition 10 is satisﬁed in this case. The argumen t for a = resp onse ( x, v ) is similar. T h is concludes our argum ent that clause 2 of Deﬁnition 10 h olds for the pairs SpR e q and ImpR e q . Establishing clause 2 of Deﬁnition 10 for the pairs SpStab = h h h x ∈ wait , x ∈ stabilize d i i i ∈ M-I a nd ImpStab = h h h x ∈ wait c , x ∈ T i stable i [ i ] i i i . F r elates states s and u only if u.w ait = S c s.w ait c and u. stabilize d = T i s. stable i [ i ] (deﬁnition of F in [14], and Figure 4). Hence x ∈ u. wait iﬀ x ∈ s. wait c , w here c = client ( x ), and x ∈ u. stabilize d iﬀ x ∈ T i s. stable i [ i ]. T hus u ∈ SpStab . R iﬀ s ∈ ImpStab . R , and u ∈ SpStab . G iﬀ s ∈ ImpStab . G . Let s a − → A s ′ and let u 0 b 1 − → B u 1 b 2 − → B u 2 b 3 − → B · · · b n − → B u n b e the executio n f ragmen t of ESDS-II k Users that sim ulates s a − → A s ′ . Give n the previous remarks, we conclude immediately th at clause 2 of Deﬁn ition 10 is satisﬁed when u 1 , . . . , u n − 1 are not presen t, i.e., the sim ulating fragmen t consists of either a single s tate or a single transition. The only case where u 0 b 1 − → B u 1 b 2 − → B u 2 b 3 − → B · · · b n − → B u n consists of more than on e transition is when a = receive r r ′ ( m ) . In th is case, th e actions b 1 , . . . , b n are add constraints ( s ′ .po ) , s tabiliz e ( x 1 ) , . . . , stabiliz e ( x k ), w here { x 1 , . . . , x k } = T i s ′ . stable i [ i ] (see [14], Section 8). Now T i s. stable i [ i ] ⊆ T i s ′ . stable i [ i ] by insp ection of th e receive r r ′ ( m ) action in Figure 11. Also, u 0 . stabilize d = T i s. stable i [ i ], and u n . stabilize d = T i s ′ . stable i [ i ] = { x 1 , . . . , x k } , by deﬁnition of F and x 1 , . . . , x k . 28 No w receive r r ′ ( m ) do es not aﬀect wait c , and add constraints ( s ′ .po ) , s tabiliz e ( x 1 ) , . . . , stabili ze ( x k ) do not aﬀect wait . Hence, ( ∃ i ∈ 0 . . . n : u i ∈ SpStab . R ) iﬀ s ∈ ImpStab . R or s ′ ∈ ImpStab . R . Also, supp ose s ∈ ImpStab . G or s ′ ∈ ImpStab . G , i.e., x ∈ T i s. stable i [ i ] or x ∈ T i s ′ . stable i [ i ]. Hence x ∈ T i s ′ . stable i [ i ] since T i s. stable i [ i ] ⊆ T i s ′ . stable i [ i ]. Sin ce u n . stabilize d = T i s ′ . stable i [ i ], we ha ve x ∈ u n . stabilize d . Hence u n ∈ SpStab . G . Hence ( ∃ i ∈ 0 . . . n : u i ∈ SpStab . G ). W e ha ve th u s established clause 2 of Deﬁnition 10 for the pairs SpStab and ImpStab . Establishing clause 3 of Deﬁnition 10. F rom Figure 11, it is clear that the action send r r ′ ( m ) (for some m ) is con tinuously en abled, and h en ce executed inﬁnitely often in an y live execution of ESDS-Alg k U sers . Hence, the action receive r r ′ ( m ) is also executed in ﬁ nitely often. No w , according to the d eﬁnition of F (see [14], Section 8), receive r r ′ ( m ) is sim ulated by the sequence of actions add constraints ( s ′ .po ), sta bilize ( x 1 ), . . . , stabiliz e ( x k ), wh ere { x 1 , . . . , x k } = T i s ′ . stable i [ i ], and s ′ is the s tate of ESDS- Alg k Users resulting from the execution of receive r r ′ ( m ). Th u s, receive r r ′ ( m ) is alw a ys matc h ed by at least one action, namely a dd constraints ( s ′ .po ). Hence, any transition generated by executing receive r r ′ ( m ) is n ot alwa y s -silen t, by clause 3 of Deﬁn ition 10. S in ce ev ery liv e execution of ESDS-Alg k Users con tains an inﬁnite num b er of these transitions, clause 3 of Deﬁnition 10 is satisﬁed. 6.2.2 Establishing Membership in b L Establishing h h h x ∈ wait c , x 6∈ wait c i i i ∈ b L . W e use a complemented-pairs lattice o v er b L , together with L emm a 11, to establish h h h x ∈ wait c , x 6∈ wait c i i i ∈ b L . Recall that L is the complemen ted- pairs liv eness condition for the implemen tation ESDS- Alg k U sers . A t the imp lemen tation level , the natural liv eness hypothesis is that eac h contin uously enabled action is ev entually executed, and eac h message in transit even tually arriv es. W e u se this hypothesis to justify the p airs in L (whic h are also in b L , by deﬁnition). Figure 5 shows the complement ed -p airs lattice that we u se. c = client ( x ) is the clien t that inv ok ed op eration x . W e displa y the p ortion of the lattice corr esp onding to a single replica r . The . . . indicate where isomorphic copies corresp on d ing to the other r eplicas o ccur (the num b er of replicas is ﬁnite). Let L consist of all th e pairs in Figure 5. It is straigh tforward to v erify that Figure 5 satisﬁes all the conditions of Deﬁnition 17. W e ju stify the complemen ted-pairs in Figure 5 as follo w s : 1. h h h x ∈ wait c , ∃ r : < “request” , x > ∈ channel cr i i i . send cr is con tinuously enabled and even tually hap p ens, for at least on e r eplica r . 2. h h h < “request” , x > ∈ channel cr , x ∈ p ending r ∩ r cvd r i i i . Liv eness of channel cr , and the deﬁnition of action receive cr in Figure 11. 3. h h h x ∈ p ending r ∩ r cvd r , x ∈ p ending r ∩ done r [ r ] i i i . If x. pr ev ⊆ done r [ r ] holds contin uously , then either do it r is contin uously enabled and ev en- tually happ ens (making x ∈ done r [ r ] tr ue), or do it r is disab led b ecause x ∈ done r [ r ] b ecomes true d ue to a gossip message. Establishing x. pr ev ⊆ done r [ r ] essentiall y requires a “su b lat- tice” for eac h x ′ ∈ x. pr ev . This sublattice is a “c hain” consisting of three pairs, with th e ordering (a) ≺ (b ) ≺ (c): (a) h h h x ∈ p e nding r ∩ r cvd r , x ′ ∈ p ending r ′ ∩ r cvd r ′ i i i is the b ottom elemen t. It is justiﬁed s ince eac h client includes in x. pr ev only op erations that ha ve already b een r equested. Thus 29 . . . . . . . . . . . . h h h x ∈ p ending r ∩ r cvd r , x ∈ p ending r ∩ done r [ r ] i i i h h h < “res p o nse” , x, v > ∈ channel r c , ( x, v ) ∈ r ept c i i i h h h x ∈ p ending r ∩ done r [ r ] ∧ x. st r ict , < “re sp onse” , x, v > ∈ channel r c i i i h h h x ∈ p ending r ∩ done r [ r ] ∧ ¬ x. strict , i i i < “resp onse ” , x, v > ∈ channel r c h h h < “req uest” , x > ∈ channel cr , x ∈ p ending r ∩ r cvd r i i i h h h x ∈ wait c , ∃ r : < “reques t” , x > ∈ channel cr i i i h h h ( x, v ) ∈ r ept c , x 6∈ wait c i i i Figure 5: Comp lemen ted-pairs lattice that establishes h h h x ∈ wait c , x 6∈ wait c i i i ∈ b L ( c = client ( x )). x ′ ∈ x. pr e v is ev en tually receiv ed b y some r ep lica r ′ , at wh ich p oint x ′ ∈ p ending r ′ ∩ r cvd r ′ holds. (b) h h h x ′ ∈ p ending r ′ ∩ r cvd r ′ , x ′ ∈ p ending r ′ ∩ done r ′ [ r ′ ] i i i is th e middle elemen t. It is j ustiﬁed “inductiv ely ,” i.e., it can b e exp anded into a sublattice in exactly th e same w ay as h h h x ∈ p ending r ∩ r cvd r , x ∈ p ending r ∩ done r [ r ] i i i . Th is “nested” expansion is guarantee d to terminate h o we ver, since x. pr ev is ﬁ nite, for all x . (c) h h h x ′ ∈ done r ′ [ r ′ ] , x ′ ∈ done r [ r ] i i i is the top elemen t. It is ju s tiﬁed since r ′ ev ent u ally sends a gossip message to r . By applying Lemma 11 to this sublattice, we conclude h h h x ∈ p ending r ∩ r cvd r , x ′ ∈ done r [ r ] i i i ∈ b L . No w done r [ r ] increases monotonically , x ′ ∈ done r [ r ] is stable—once tru e, it remains true. Hence, from the aforemen tioned pair for eac h x ′ ∈ x. pr e v , we conclude that x. pr ev ⊆ done r [ r ] ev ent u ally holds, and remains tru e subsequently , as required. Note that the condition l > l abel r ( y .id ) do es n ot need to b e veriﬁed as ev en tu ally holdin g, since it m er ely expresses a constrain t on the v alue of the “action parameter” l , i.e., the only instances of do it r ( x, l ) whic h are enabled are those ha vin g v alues of l that satisfy l > label r ( y .id ). That is, l is prop erly regarded as p art of the “name” of the action do it r ( x, l ). 4. h h h x ∈ p ending r ∩ done r [ r ] ∧ x. strict , < “resp onse” , x, v > ∈ channel r c i i i . This is jus tiﬁed b y the follo wing sub lattice, where the ordering r elation is (a) ≺ (b) ≺ (c) ≺ 30 (d) ≺ (e). x ∈ p ending r , x. strict , are im p licit conjun cts of all the predicates in the su blattice, except the Green p redicate of pair (e), and are omitted for clarit y . (a) h h h x ∈ ∩ done r [ r ] , x ∈ ∩ r ′ done r ′ [ r ′ ] i i i . Justiﬁed since r send s gossip messages to ev ery other replica r ′ . (b) h h h x ∈ ∩ r ′ done r ′ [ r ′ ] , x ∈ stable r [ r ] i i i . Justiﬁed since eac h r ′ sends gossip messages to r . (c) h h h x ∈ stable r [ r ] , x ∈ ∩ r ′ stable r ′ [ r ′ ] i i i . Justiﬁed since r sends gossip messages to ev ery other replica r ′ . (d) h h h x ∈ ∩ r ′ stable r ′ [ r ′ ] , x ∈ ∩ r ′ stable r [ r ′ ] i i i . Justiﬁed since eac h r ′ sends gossip messages to r . (e) h h h x ∈ ∩ r ′ stable r [ r ′ ] , < “resp onse” , x, v > ∈ channel r c i i i . Ju stiﬁed since x ∈ p ending r , x ∈ done r [ r ], and x ∈ ∩ r ′ stable r [ r ′ ] all hold contin uously , since done r [ r ] and stable r [ r ′ ] gro w monotonically . Hence send r c ( < “resp onse” , x, v > ) is cont inuously enabled, and so is ev entually executed. 5. h h h x ∈ p ending r ∩ done r [ r ] ∧ ¬ x. strict , < “resp onse” , x, v > ∈ c hannel r c i i i . send r c ( < “resp onse” , x, v > ) is cont inuously enabled and eve ntually happ ens. 6. h h h < “resp onse” , x, v > ∈ channel r c , ( x, v ) ∈ r e pt c i i i . Liv eness of channel r c , and the deﬁnition of action receive r c in Figure 10. 7. h h h ( x, v ) ∈ r ept c , x 6∈ wait c i i i . resp onse ( x, v ) is cont inuously enabled and even tually happ ens. Establishing h h h x ∈ wait c , x ∈ T i stable i [ i ] i i i ∈ b L . W e use the complemen ted-p airs lattice o v er b L giv en in Figure 6 together with Lemma 11. The b ottom three complemen ted-pairs in Figure 6 also o ccur in Figure 5, and ha ve therefore already b een ju s tiﬁed. W e justify the remaining pairs as follo ws. 1. h h h x ∈ done r [ r ] , x ∈ T i done i [ i ] i i i . Justiﬁed since r sends gossip messages to ev ery other replica. 2. h h h x ∈ T i done i [ i ] , x ∈ stable r [ r ] i i i . Justiﬁed since eac h i s ends gossip messages to r . 3. h h h x ∈ stable r [ r ] , x ∈ T i stable i [ i ] i i i . Justiﬁed s in ce r sends gossip messages to every other replica. Since Deﬁnition 10 is now satisﬁed, we hav e established ( ESDS-Alg k Users , L ) ≤ ℓF ( ESDS-II k Users , M-II ). Hence, app lying Th eorem 10, we conclude ( ESDS-Alg k Users , L ) ⊑ ℓ ( ESDS-II k Users , M-II ). T ogether with ( ESDS-II k Users , M-II ) ⊑ ℓ ( ESDS-I k Users , M- I ) established ab o ve, w e ha v e ( ESDS-Alg k Users , L ) ⊑ ℓ ( ESDS-I k Users , M- I ), as desired. W e hav e illus tr ated thr ee leve ls of abs traction, and tw o liv eness-preserving forward simulat ions, b et ween the top and middle, and middle and b ottom lev els. It is str aightforw ard to con tinue th is pro cess. F or example, an actual im p lemen tation wo u ld not simply route a request to an y replica, b ut w ould select the replica according to certain criteria, f or example load balancing/p erformance [44], or distance from the clien t [48]. Th u s, the fron t-ends and r eplicas w ould b e reﬁned to incorp orate a load-balancing/a nycast/replica (or mirror) lo cation “service” whic h , giv en a r equest from a clien t c , assigns some replica r to service that requ est. W e then map the complemen ted-pair h h h x ∈ wait c , ∃ r : < “request” , x > ∈ channel cr i i i into a pair at the next low er lev el whic h expr esses the 31 . . . . . . . . . . . . h h h x ∈ p ending r ∩ r cvd r , x ∈ p ending r ∩ done r [ r ] i i i h h h < “req uest” , x > ∈ channel cr , x ∈ p ending r ∩ r cvd r i i i h h h x ∈ wait c , ∃ r : < “reques t” , x > ∈ channel cr i i i h h h x ∈ done r [ r ] , x ∈ T i done i [ i ] i i i h h h x ∈ stable r [ r ] , x ∈ T i stable i [ i ] i i i h h h x ∈ T i done i [ i ] , x ∈ stable r [ r ] i i i Figure 6: Complemente d -pairs lattice that establishes h h h x ∈ wait c , x ∈ T i stable i [ i ] i i i ∈ b L ( c = client ( x )). liv eness of th e service: the service ev ent u ally assigns some rep lica r to ev ery request x . T his pair could then b e justiﬁed by constru cting a lattice whose element s are the sp eciﬁed or deriv ed liv eness prop er ties of the service. 7 Discussion 7.1 Alternativ e Choices for Sp ecifying Live ness Prop erties W e h a ve used the complemente d -pairs acceptance condition to sp ecify liv eness p rop erties. There are other acceptance conditions for ﬁnite automata ov er inﬁ nite strings that we could hav e c hosen: Buc hi, generalize d -Buc hi, Rabin , and Muller. W e brieﬂy discuss eac h in turn. A Bu chi condition is a single set Green of states, and th e compu tation m u st con tain an in ﬁnite n u m b er of states from Green . This can b e expressed as a single complemente d pair h h h true , Green i i i , and so is subsum ed by complement ed -p airs. A generalized-Buc hi condition is a set { Green i | i ∈ η } of sets of states, and f or eac h Green i , th e computation sh ould conta in an inﬁnite num b er of states from Green i . This can b e expressed as the s et of complemen ted-pairs {h h h true , Green i i i i | i ∈ η } and so is also sub sumed by complemen ted-pairs. The Rabin condition is a set {h h h true , Green i i i i | i ∈ η } of p airs, how ev er the acceptance condition 32 is diﬀeren t. A computation α is accepted iﬀ for s ome p air h h h Red i , Green i i i i , α do es n ot contai n an inﬁnite num b er of states in R ed i , and α d o es con tain an inﬁnite num b er of states in Green i . This condition is a “disj u nctiv e” one, it constrains a computation only with resp ect to an y one of the pairs, not all of them at once. Since, in writing sp eciﬁcations, conju nction is far more useful than disjunction, i.e., w e t ypically list some prop erties al l of wh ich m ust b e s atisﬁed, we feel th at this condition wo u ld not b e u s eful in practice. The Muller condition is a set { Green i | i ∈ η } of sets of states, and, the set of states that o ccur inﬁnitely often along the computation should b e exactly one of the Green i . This condition is not v ery suitable for an inﬁnite-state mo del, since it is p ossib le (and indeed, often the case) that an inﬁnite computation do es not cont ain an y particular s tate that recurs inﬁ nitely often, since the mo del usually con tains unb ound ed data, suc h as in tegers, reals, sequences, or s ets. Th u s, the set of states e ach of which o ccurs inﬁ nitely often along the compu tation, is usu ally emp t y . Finally , we consider the “temp oral leads-to” p rop erty . Roughly , p leads-to q means that, when- ev er p holds, then q su bsequently holds. In our framewo r k, leads-to pr op erties can b e expressed and v eriﬁed b y u sing h istory v ariables. Let ﬂag p b e a b o olean history v ariable that is initially false, is set whenever p ∧ ¬ q holds, and r eset whenever q holds. Then, th e complement ed -pair h h h ﬂag p , q i i i expresses “ p leads-to q .” Since ﬂag p is not used to aﬀect con trol ﬂ o w, it do es not need to b e “implemen ted.” Thus, the issue of atomically detecting the v alues of p and q at run time and up d ating ﬂag p , d o es not arise. 7.2 Application to F ault-tolerance Our metho d can b e applied to the veriﬁcatio n of fault toler anc e prop er ties. W e consider s itu ations in whic h the o ccurren ce of a fault can cause th e system to enter a “bad” state, i.e., one th at is unreac h able und er normal execution [5]. Let go o d denote the set of states that are reac hable under normal system execution from a s tart state, and let fault denote the set of states that r esult immediately after a fault o ccurs , i.e., the p ost-states of faults (the faults can o ccur in an y state, go o d or bad). I f follo ws that, un der norm al execution (no faults) only go o d states are reac h able from go o d states. W e are in terested in “non m asking” fault-tolerance prop erties of the t yp e: once faults stop o ccurring, the system will ev entual ly reco v er to a goo d state (and therefore remain forev er after in go o d states, sin ce only goo d states are reac hable fr om go o d states in the abs ence of faults). Expressed in temp oral logic, this is ( ✸✷ ¬ f aul t = ⇒ ✷✸ g ood ). Th is is logically equiv alen t to ✷✸ ( f ault ∨ g ood ). W e can express this as the complemented pair h h h true , f aul t ∨ g ood i i i . Hence, the liv eness condition h h h true , f aul t ∨ g ood i i i d eﬁnes the set of “liv e” executions to b e either (1) those along which an inﬁn ite num b er of faults o ccur (in whic h case we h a ve no obligation to reco v er to a go o d state) or (2) those along which an inﬁnite num b er of goo d states o ccur . In the latter case, w e may also assume that faults stop o ccurin g, sin ce the n egation of this is co v ered by case (1). Since only go o d states are reac h able from go o d states, it follo ws th at there is some suﬃx consisting en tirely of go o d states, and so the system has reco ve r ed . Th u s, “liv e” executions are those in which the s y s tem exhibits the desired fault-tolerance prop- ert y . The trace of su c h an execution is then an “external fault-tole r an t b eha vior.” W e can no w r eﬁ ne suc h nonmasking fault-tolerance prop erties, i.e., to establish that the exter- nal fault-toleran t b eha viors of an implemen tation are included in th ose of the sp eciﬁcation. O ur framew ork thus can take the place of theories that are sp ecialized to dealing w ith n onmasking 33 fault-tolerance, e.g., [12], whic h we h a ve shown is just a particular kind of liveness p rop erty . 7.3 Mec hanization Of Our Metho d Our metho d imp oses the follo wing pro of obligations: 1. Devise an app ropriate liveness-preserving simulatio n and c h ec k that it s atsiﬁes all of the conditions of its d eﬁnition (one of Deﬁnitions 10–14 ). 2. F or eac h derived pair, d evise a complement ed-p airs lattice and chec k that it s atisﬁes the conditions of Deﬁn ition 17. These conditions can b e formalized in a ﬁrst-order assertion language with in terpr eted symbols. W e refer the reader to [16, 19] for details. The conditions can b e v eriﬁ ed us in g theorem p ro vers suc h as PVS [46]. F or lac k of space, we omit an extended discussion of th ese issues, which can b e found, for example, in [19]. Th at p ap er presen ts norme d simulations , wh ere th e existence of a ﬁnite execution fr agmen t at the abstract lev el that matc hes a concrete transition is r ep laced by the existence of either a single matc hing transition, or an internal transition that d ecreases a supp lied norm (a function o ver a w ell-found ed domain). It s hould b e p ossible to extend the ideas in this pap er to norm ed sim u lations. F or example, if the concrete transition contai n s a Red state, then w e require that, by the time th at either the matc hing abs tract transition has b een generated, or the n orm f unction h as decreased to minimum, that a corresp onding R ed state has app eared at the abstract lev el. W e lea ve the d etails to another o ccasion. 8 Expressiv e Completeness of Complemen ted-pairs Liv eness Con- ditions W e no w in ve stigate the expressiv eness of complemented-pairs: what are the liv e execution prop erties whic h can b e expr essed by complemen ted-pairs conditions? First, we m ak e this n otion precise. Deﬁnition 18 L et A b e an automaton and let ϕ b e a live exe cution pr op erty f or A . Then we say that a liveness c ondition L exp r esses ϕ if and only if ( A, L ) is a live automaton and lexe cs ( A, L ) = ϕ . The u se of (complemen ted-pairs) liv eness conditions to sp ecify liv eness means th at the liv eness of an execution dep ends only on the set of states wh ich o ccur in that execution, and not on their ordering. This is n ecessary , to s atisfy the mac hine closure cond ition, since ordering is a safety prop er ty: once an ord ering is violated along a ﬁn ite execution, no extension can then satisfy the ordering. In S ection 8.1, w e sho w that, u n der some assumptions that are natural for inﬁ nite-state sys- tems, that the generalized Buchi cond ition is exp ressiv ely complete, i.e., they can expr ess any live execution pr op erty . S ince complemen ted pairs sub sumes generalized Bu c hi, the result then carries o v er to our framew ork. In S ection 8.2, we show th at complemen ted pairs are expressively complete if history v ariables can b e used. 34 8.1 Relativ e Expressiv e Completeness of Complemen ted-pairs Liv eness Condi- tions In inﬁn ite-state systems, it is often th e case that the o ccurrence of “signiﬁcan t” ev en ts is p erma- nen tly recorded by c hanges to the state. F or ins tance, in the ev ent u ally-serializa b le data service of Section 6, the execution of ev ery op eration on the data results in a p ermanen t record of that op eration’s unique identiﬁer. Any database system whic h main tains logs is also an example of th is. So is a r eal-time system in w hic h clocks main tain the time, if w e consider the passage of time to b e a signiﬁcan t eve nt. This large class of systems justiﬁes the assumption that a particular state cann ot rep eat inﬁ nitely often along a liv e execution, since we exp ect that signiﬁcan t ev en ts (e.g., op eration execution, transaction commit, time passage) o ccur inﬁnitely often along a live execution. Thus, w e assume the follo wing condition in this section: Assumption 1 (No inﬁnite rep etition) L et ( A, L ) b e a live automato n, and α = s 0 a 1 s 1 . . . b e a liv e exe cution of ( A, L ) . Then, ther e is no state s such that s = s i for an inﬁnite numb er of values for the index i . That is, no state o c c u rs inﬁnitely often along α . Since a generalized-Buc hi condition d ep ends only on the set of states whic h o ccur in that execution, w e tak e it as reasonable th at if one execution con tains “more” states than another, and the latter execution is liv e, then the former execution should also b e liv e. In this section, w e restrict atten tion to liv eness prop erties which satisfy th is condition, which we call r obust prop er ties. Ou r notion of one execution con taining “more” states th an another is captured b y a r elation ✁ b et w een executions. Deﬁnition 19 ( ✁ ) L et α = s 0 a 1 s 1 . . . and γ b e inﬁnite exe cutions of automaton A . Then γ ✁ α iﬀ ther e exists a suﬃx γ ′ = u 0 b 1 u 1 . . . of γ and a mapping m : { 0 , 1 , . . . } 7→ { 0 , 1 , . . . } such that 1. ∀ i ≥ 0 : s m ( i ) = u i , and 2. ∀ i ≥ 0 : m − 1 ( i ) is a ﬁnite set. Th u s, γ ✁ α iﬀ γ has some suﬃx γ ′ whic h can b e pu t into a corresp ondence with α as follo ws. If a state s o ccurs some ﬁn ite ( > 0) num b er of times in γ ′ , then state s also o ccurs some ﬁnite n u m b er of times in α . If s o ccurs inﬁn itely often in γ ′ , then s also o ccurs inﬁn itely often in α . Note that Assu mption 1 do es n ot rule this out, since it app lies only to live executions. ✁ is clearly reﬂexiv e an d transitiv e, and so is a preorder. W e formalize the condition discu s sed ab o ve as the class of r obust liv e execution prop erties. Deﬁnition 20 (Robust Liv e E xecution Prope rty) L et ϕ b e a live exe cution pr op erty for au- tomaton A . Then, ϕ is robus t for A if and only if: for al l γ , α ∈ exe cs ω ( A ) , if γ ✁ α and γ ∈ ϕ then α ∈ ϕ . Our r obustness condition corresp ond s more closely to us in g a generalized-Buc hi acceptance con- dition than a complemented-pairs acceptance condition (see Section 7.1 ab ov e). Since complemen ted- pairs s u bsume generalized-Buc hi, this is still within our f r amew ork, and also allo ws for a simp ler tec hnical dev elopment. The deﬁnition of liv e trace prop erties corresp onding to r obust liv e execution prop er ties is straightfo r w ard . 35 Deﬁnition 21 (Robust Liv e T race Prop ert y) L et A b e an automato n, and ψ ⊆ tr ac es ( A ) . Then, ψ is a robust liv e trace p r op erty for A if and only if ther e exists a r obust live exe cution pr op erty ϕ for A such that ψ = tr ac es ( ϕ ) . W e n o w sho w that an execution in ϕ can b e distinguish ed from an execution outside ϕ by means of a simp le Buc hi acceptance cond ition. F or an execution α , deﬁn e states ( α ) = { s | s o ccurs along α } . Prop osition 12 L et A b e an automaton, and let ϕ b e an arbitr ary r obust live exe cution pr op erty for A . L et γ , α ∈ exe cs ω ( A ) b e such that γ ∈ ϕ and α 6∈ ϕ . Then ther e exists a set G α,γ ⊆ states ( A ) such that γ | = ✷✸ G α,γ and α | = ✷ ¬ G α,γ . Pr o of. Since γ is an inﬁnite execution, we ha ve by Assumption 1 that states ( γ ) is an inﬁnite set. No w su p p ose that states ( γ ) − states ( α ) is a ﬁnite set. Then , by Assu mption 1, there exists a suﬃx γ ′ of γ whic h con tains no state in states ( γ ) − states ( α ). Hence states ( γ ′ ) ⊆ states ( α ). By Assumption 1 eac h state along γ ′ rep eats only a ﬁnite num b er of times. Hence we ha ve γ ′ ✁ α by Deﬁnition 19. Hence γ ✁ α , again by Deﬁnition 19. Th us by Deﬁnition 20, α ∈ ϕ , con trary to assu m ption. W e conclude that states ( γ ) − states ( α ) is an in ﬁnite set. Thus γ | = ✷✸ ( states ( γ ) − states ( α )). Also, α | = ✷ ¬ ( states ( γ ) − states ( α )), b y deﬁnition. So, letting G α,γ = states ( γ ) − states ( α ) establishes the prop osition. ✷ W e next sh o w that an execution outside ϕ can b e distinguished from eve r y execution inside ϕ b y m eans of a simple Buchi acceptance condition. Prop osition 13 L et A b e an automaton, and let ϕ b e an arbitr ary r obust live exe cution pr op erty for A . L et α ∈ exe cs ω ( A ) b e such that α 6∈ ϕ . Then ther e exists a set G α ⊆ states ( A ) su ch that α | = ✷ ¬ G α and ∀ γ ∈ ϕ : γ | = ✷✸ G α . Pr o of. Let γ b e an arbitrary execution in ϕ , and let G α,γ b e the set giv en b y Prop osition 12 for α , γ . Then γ | = ✷✸ G α,γ and α | = ✷ ¬ G α,γ . Let G α = S γ ∈ ϕ G α,γ . Then, ∀ γ ∈ ϕ : γ | = ✷✸ G α , since G α,γ ⊆ G α . Also, α | = ✷ ¬ G α since α | = ✷ ¬ G α,γ for ev ery G α,γ , γ ∈ ϕ . ✷ W e n o w present the relativ e completeness result: every execution outside ϕ can b e d istin gu ish ed from ev ery execution insid e ϕ by means of a generalized-Buc hi acceptance condition. Theorem 14 ( Relativ e Expressive Completeness of Generalized-Buc hi) L et A b e an au- tomaton , and let ϕ b e an arbitr ary r obust live exe cution pr op erty for A . Then ther e exists a gener alize d-Buchi c ondition L = { G i | i ∈ η } over A such that ϕ = { γ | ∀ i ∈ η : γ | = ✷✸ G i } . Pr o of. If ϕ = e xe cs ω ( A ) then letting L = { true } establishes the theorem. Hence we assume that ϕ is a prop er sub set of exe cs ω ( A ) for the rest of the pro of. Let α b e an arbitrary execution in exe cs ω ( A ) − ϕ , and let G α b e as giv en in Pr op osition 13 f or α . Let L = { G α | α ∈ exe cs ω ( A ) − ϕ } . Deﬁne lexe cs ( A , L ) = { γ | ∀ α ∈ exe cs ω ( A ) − ϕ : γ | = ✷✸ G α } . W e sh o w that ϕ = lexe cs ( A, L ). T he pro of is by doub le-con tainmen t. lexe cs ( A, L ) ⊆ ϕ : Cho ose arbitrarily α 6∈ ϕ . So α ∈ exe cs ω ( A ) − ϕ . Hence α | = ✷ ¬ G α b y Prop osition 13, and so α 6| = ✷✸ G α . Thus α 6∈ lexe cs ( A, L ) b y deﬁn ition of lexe cs ( A, L ). T aking the con trap ositive yields α ∈ lexe c s ( A, L ) implies α ∈ ϕ , i.e., lexe cs ( A, L ) ⊆ ϕ . ϕ ⊆ lexe cs ( A, L ): Ch o ose arbitrarily γ ∈ ϕ and α ∈ exe cs ω ( A ) − ϕ . Hence γ | = ✷✸ G α b y Prop osition 13. Hence ∀ α ∈ exe cs ω ( A ) − ϕ : γ | = ✷✸ G α . Hence γ ∈ lexe cs ( A, L ) by deﬁnition of lexe cs ( A, L ). Thus ϕ ⊆ lexe cs ( A, L ). ✷ 36 Corollary 15 ( Relativ e Expressive Completeness of Complemented-pairs) L et A b e an automato n, and let ψ b e an arbitr ary r obust live tr ac e pr op erty for A . Then ther e exists a c omp lemente d- p airs liveness c ondition L over A such that tr ac es ( lexe cs ( A, L )) = ψ . Pr o of. Let ψ b e an arbitrary r ob u st liv e trace pr op ert y for A . By Deﬁnition 21, there exists a robust live execution prop er ty ϕ for A s uc h that ψ = tr ac es ( ϕ ). By Theorem 14, there exists a generalized-Buc hi condition { G i | i ∈ η } o ver A su c h that ϕ = { γ | ∀ i ∈ η : γ | = ✷✸ G i } . Let L = {h h h true , G i i i i | i ∈ η } . Then lexe cs ( A, L ) = ϕ . Hence there exists a complemen ted-pairs liv eness condition L o ver A such that tr ac es ( lexe c s ( A, L )) = ψ . ✷ 8.2 Expressiv e Completeness of Complemen t ed-pairs for Liv eness Prop erties of F orest Automata An automaton A is a for est automaton iﬀ f or eac h reac hable state s of A , there is exactly one (ﬁnite) execution of A with last state s . Thus, if α, α ′ are arbitrary diﬀerent inﬁn ite executions of A , then they ha ve only a ﬁnite num b er of states in common. Any automaton can b e tur ned into a forest automaton b y ad d ing a history v ariable whic h records the execution up to the curr en t state. While this is ob vious ly impractical for a real implemen tation, su c h a v ariable is only needed for mo deling and analysis purp oses; it do es not hav e to b e implemen ted since it do es not aﬀect the actual execution of th e automaton. 10 Let α b e an arbitrary inﬁ n ite execution of A . Deﬁne p air ( α ) = h h h states ( α ) , ∅i i i . Prop osition 16 L et A b e a for est automaton. Then ∀ α, α ′ ∈ exe cs ω ( A ) : α ′ 6 = α iﬀ α ′ | = p air ( α ) . Pr o of. Let α, α ′ b e arbitrary elemen ts of exe cs ω ( A ). If α ′ 6 = α , then α ′ | = ✸✷ ¬ states ( α ), since α, α ′ ha ve only a ﬁn ite n umb er of states in common. Hence α ′ 6| = ✷✸ states ( α ), and so α ′ | = p air ( α ). If α ′ = α , then α ′ | = ✷✸ states ( α ), and so α ′ 6| = p air ( α ). ✷ W e sho w th at, if ϕ is a liv e execution pr op ert y for automaton A , then there exists a liv eness condition which expresses ϕ , i.e. suc h that an execution satisﬁes ev ery complemen ted-p air in the condition iﬀ it is a mem b er of ϕ . Theorem 17 ( Expressiv e Complete ne ss of C omplemented-pairs for F orest Automata) L et A b e a for est automaton, and let ϕ b e an arbitr ary live exe cution pr op erty for A . Then ther e exists a c omplemente d-p airs liveness c ondition L over A such that lexe cs ( A, L ) = ϕ . Pr o of. If ϕ = exe cs ω ( A ) then letting L = {h h h true , true i i i} establishes the theorem. Hence we assume that ϕ is a pr op er s u bset of exe cs ω ( A ) for th e rest of the pro of. Let L = { p air ( α ) | α ∈ exe cs ω ( A ) − ϕ } . W e sho w that lexe c s ( A, L ) = ϕ . Th e pro of is by doub le-con tainmen t. lexe cs ( A, L ) ⊆ ϕ : Ch o ose arbitrarily α ′ ∈ lexe cs ( A, L ) and α ∈ exe cs ω ( A ) − ϕ . Now lexe c s ( A, L ) ⊆ exe cs ω ( A ) by deﬁnition, and so α ′ ∈ exe cs ω ( A ). F rom th e deﬁn ition of L , we ha ve α ′ | = p air ( α ). Hence, by P r op osition 16, α 6 = α ′ . Since α w as c h osen arbitrarily fr om exe cs ω ( A ) − ϕ , w e conclude α ′ 6∈ exe cs ω ( A ) − ϕ . Hence α ′ ∈ ϕ , since α ′ ∈ exe cs ω ( A ). ϕ ⊆ lexe cs ( A, L ): Ch o ose arbitrarily α ′ ∈ ϕ an d α ∈ exe cs ω ( A ) − ϕ . Hence α 6 = α ′ . Hence, b y Prop osition 16, α ′ | = p air ( α ). Since α w as chosen arbitrarily from exe cs ω ( A ) − ϕ , we conclude, from the deﬁnition of L , that α ′ ∈ lexe cs ( A, L ). ✷ 10 The terms “ghost v ariable” and “auxiliary v ariable” hav e b een used in th e literature for t h is notion. 37 Corollary 18 ( Expressiv e Completeness of C omplemen ted-pairs for F orest Automata) L et A b e a for est automaton, and let ψ b e an arbitr ary live tr ac e pr op erty for A . Then ther e exists a c omplem e nte d-p airs liveness c onditio n L over A such that tr ac e s ( lexe cs ( A, L )) = ψ . Pr o of. Let ψ b e an arbitrary liv e trace prop ert y for A . By Deﬁnition 4, there exists a liv e execution prop er ty ϕ f or A su c h that ψ = tr ac es ( ϕ ). By Theorem 17, th ere exists a liv eness condition L o v er A such that lexe cs ( A, L ) = ϕ . Hence there exists a liv eness condition L o ve r A su c h th at tr ac es ( lexe cs ( A, L )) = ψ . ✷ 9 Related W ork The u s e of an inﬁn ite num b er of complemented p airs was pr op osed b y V ardi [53], which deﬁn es a r ecursiv e S treett automaton to b e one w hose trans ition r elation is recur siv e, and w hose com- plemen ted pairs are d eﬁned by recur siv e sets. Recursive Buc h i automata are deﬁned similarly . Recursiv e W olp er automata are those with a recursive transition relation and no acceptance con- ditions. Ev ery in ﬁnite run of the W olp er automaton is accepting. The p ap er sh o ws that Recursive W olp er, Buchi, an d Street automata all accept the same set of languages, namely Σ 1 1 . In our approac h, we make no restrictions on the set of complemen ted pairs. F or example, we allo w un- coun table sets of pairs, which could b e useful for sp eciﬁcations o v er u n coun table domains, e.g., the reals. The s afety-l iveness classiﬁcation wa s ﬁrs t prop osed in [27 ]. F ormal c haracterizations of safet y and live n ess, v ariously based on Buc hi automata, temp oral logic, or th e Borel hierarc hy , were giv en in [2, 37, 50]. Man y researc hers ha ve prop osed d eductiv e systems for p ro ving pr op erties of inﬁnite-state reactiv e and d istributed systems, includin g liv eness prop erties, e.g., [3, 28, 29, 38]. Some of the metho d s p r op osed to date incorp orate diagrammatic tec hniques, similar in spirit to our complemented-pairs lattices. In particular, Owic ki and Lamp ort [45] prop ose pr o of lattic es , and Mann a and Pnueli [36, 40] prop ose pr o of diagr ams , b oth for establishing liv eness pr op erties of concurrent programs. In [41], Manna and Pnueli p rop ose three d iﬀeren t kin d s of veriﬁc ation dia- gr ams , tw o for safet y pr op erties, and on e for liv eness pr op erties of the form ✷ ( U = ⇒ ✸ V ), where U, V are state-assertions, that is, temp oral leads-to prop erties. No d es in th is diagram are lab eled with state-assertio n s, and directed edges b et w een no d es repr esen t p rogram tr ansitions. S ome of these edges corresp ond to “helpful” transitions, w hic h are guarantee d to o ccur (using fairness) if execution ente r s their source no d e, and whose o ccurrence make s p rogress to wards making V true. Bro wne et. al. [8 ] and Manna et. al. [35] p resent gener alize d veriﬁc ation diagr ams , whic h can b e used to establish arb itrary temp oral prop erties of pr ograms, includ ing liv eness pr op erties. These are a particular kind of ω -automaton (“form ula automata”). Th ese metho ds relate a program, expressed in an op erational n otation, to a prop ert y expressed in temp oral logic, i.e., they relate t wo artifacts expressed in v ery diﬀeren t n otations. Th us, they cannot b e used to reﬁne liv en ess prop er ties in a m u lti-stage stepwise reﬁnement metho d that, starting with a high-leve l sp eciﬁcation, expressed in a particular (op erational) n otation, constructs a sequence of artifacts, all expr essed in th e same notation, and eac h a reﬁn emen t of the p revious one, and end ing with the detailed implemen tation. Our complemen ted-pairs lattices relate a liv eness p rop erty of an automaton, to a liv eness prop- ert y of a lo wer level automaton, i.e., the relationship is b etw een tw o artifacts expr essed in the same notation. Th is f orm s th e b asis for a multi-stag e pr o of tec hnique that reﬁnes high-lev el liv eness prop er ties do w n to th e liv eness prop erties of an implemen tation in sev eral manageable steps (our 38 use of “sublattices” in Section 6 is an example of this). F urth ermore, eac h indivu dual reﬁnement step is itself decomp osed into the tasks inv olv ed in constru cting lattices and discharging the asso ci- ated “v eriﬁcation conditions.” W e feel that this ability to decomp ose a liv eness pro of int o m u ltiple stages d irectly attac ks th e scalabilit y p r oblem, and is one of our main con tributions. UNITY [9] pro vid es a framew ork in whic h a sub class of general liv eness p rop erties, namely “leads-to” can b e v eriﬁed and reﬁ n ed. The approac h is pr o of theoretic, and also relies on fairness. W e show ed in Section 7.1 ab ov e ho w to deal with leads-to prop erties in our framewo r k. All of the aforemen tioned metho ds op erate only at th e level of executions, an d do not pro vide a notion of external b eha vior, suc h as a s et of traces. Ga wlic k et. al. [17, 18] presen ts a pr o of m etho d for live n ess pr op erties. In th at p ap er, a liveness prop er ty of an automaton A is mo d eled as a subset L of the executions of A . 11 Ho w ever, the metho d present ed there imp oses a p ro of obligatio n concerning the liveness of in dividual executions, without pro vid in g an y rule or metho d for discharging this obligation. S p eciﬁcally , in ad d ition to establishing a simulat ion, w e hav e to show that if an execution α of the implemen tation A corresp onds to an execution α ′ of the sp eciﬁcation B , and α is liv e (i.e., α is a m em b er of the liv eness prop ert y), then α ′ is also liv e 12 . Merely establishin g a sim u lation b et wee n A and B is insuﬃ cient to show this, since the simulation relation makes no reference to the liv eness conditions of A and B . The main concern in [17] is the inte r action b et ween liv eness prop erties and parallel comp osition; a notion of “environmen t-freedom” is introdu ced which enables the use of comp ositional ve r iﬁcation for liv eness. The p ublished version [18] omits the p ro of metho d . Lik ewise, Jensen [23] presents simula tion relations for p ro ving liveness p rop erties, a n d also requires that an “inclus ion” condition b e v eriﬁed. A diﬀerence is that the liv e executions are exactly the fair executio n s, and so the inclusion p rop erty b ecomes: if an execution α of th e implementa tion A corresp onds to an execution α ′ of the sp eciﬁcation B , and α is fair, then α ′ is also fair (Theorems 2.9 an d 2.10 in [23]). Sogaard-Andersen, Lync h, and L amp son [51] presents a s imilar metho d , with the main diﬀerence b eing that the liv eness prop ert y is giv en b y a linear temp oral logic formula. No w, the pro of obligatio n is that if an execution α of the implementa tion A corresp onds to an execution α ′ of th e sp eciﬁcation B , and α satisﬁes the liv eness formula for A , then α ′ satisﬁes th e liveness formula for B . Henzinger et. al. [21 ] present s v arious extensions of sim ulation that tak e fairness int o account. F airness is expressed usin g either Buchi or S treett (i.e., complemente d -pairs) acceptance cond itions. Ho w ever, the fair sim u lation notions are deﬁn ed u sing a game-theoreti c s eman tics, and requ ire a priori that fair executions of the concrete automaton ha ve matc hing fair executions in the abstract automaton. Th ere is n o metho d of matc hing the Red and Green states in the concrete and ab- stract automata to assure fair trace conta in men t. Also , the setting is ﬁnite state, and the pap er concen trates on algorithms for chec king fair sim ulation. Alur and Henzinger [4] prop oses th e use of complemente d -pairs acceptance conditions to deﬁne liv eness prop erties. Ho wev er it r estricts the conditions to con tain only a ﬁn ite num b er of p airs. As our example in S ection 6 sh o ws, it is very con venien t to b e able to s p ecify an in ﬁnite num b er of pairs—in this case, we were able to u se t wo pairs for eac h op eration x submitted to the d ata service, one p air to c heck for r esp onse, and the other to c h ec k for stabilization. It would b e quite d iﬃcult to sp ecify the liveness pr op erties of the data service using only a ﬁnite n u mb er of pairs. If ho wev er, the system b eing consid ered is ﬁn ite-state, then we remark that muc h of the 11 L must satisfy the machine closure constraint of Deﬁnition 5. 12 See [17], p age 89. 39 w ork on temp oral logic mo d el chec king seems applicable. F or example, the algorithm of Emerson and Lei [13] for mo del chec king un der fairn ess assumptions can handle th e complemented-pairs acceptance condition. Wh ile [4] giv es r ules f or comp ositional and mo d u lar r easoning, it do es not pro vid e a m etho d for r eﬁning live n ess p rop erties. As stated ab o ve , w e b eliev e this is a crucial asp ect of a successful metho dology f or d ealing with liv eness. It should b e clear that Figure 5 provi d es a ve r y succinct presen tation for the reﬁnement of the liv eness p rop erty expressed b y h h h x ∈ wait , x 6∈ wait i i i , namely that every r equ est even tually receiv es a resp onse. Our w ork is in the linear-time setting, where the external b eha vior is a set of traces. In the branc h ing-time setting, the external b eha vior can b e giv en as a “trace-tree” [21], i.e., a tree whose branc h es are traces. Our live n ess-preserving sim ulation relations should imp ly an app ropriate con tainment notion b et w een “live -trace-trees,” i.e., a tree whose branc h es are liv e traces. Ho wev er w e p oint out tec hnical diﬀerences b et ween our setting and [4, 21]: we abs tract a wa y s tates and in ternal actions to obtain traces, whereas in [4, 21] an execution is a sequence of states (actions are not named), and a trace is obtained by applying an “observ ation fun ction” to eac h state along the execution. Kesten, Pnueli , and V ardi [24, 25] p r esen t a metho d of ﬁnitary abstr action : construct a ﬁnite- state abstraction (“abstract system”) of an inﬁnite-state “concrete” system, an d mo d el chec k this abstraction for the required pr op erties. The metho d deals with pr op erties expressed in full linear time temp oral logic, (and so handles b oth safet y and liv eness), and is complete, i.e., a su itable ﬁ nite state abstraction can alw a ys b e constructed. The seman tics of the concrete system is giv en b y a F air Discr ete System (FDS), whic h consists of (1) a ﬁ nite set of typed system v ariables, cont ainin g th e data and cont r ol state (the c oncr ete v ariables), (2) a predicate giving the s et of initial states, (3) a predicate giving the tr ansition relation, (4) a justic e c ondition ; a ﬁnite set of p r edicates { J 1 , ..., J k } , where eac h J i m us t hold inﬁnitely often along a computation, and (5) a c omp assion c ondition , a ﬁ nite set of pairs of predicates { < p 1 , q 1 >, ...., < p n , q n > } ; along a computation, if p i holds inﬁnitely often, then q i m us t hold inﬁ nitely often. The justice and compassion conditions ensure that the concrete system satisﬁes liv eness prop er ties by restricting atten tion to “fair” computations. F or a give n concrete system, a ﬁnite-state abstract system is sp eciﬁed synt actically , by giving a set of abstract v ariables (with ﬁnite domains), and for eac h abstract v ariable, giving its v alue as an expression o v er the concrete v ariables. This implicitly deﬁ nes a mappin g from concrete to abstract states, and giv es rise to t wo ab s traction op erators on concrete predicates: (1) a u niv er s al (con tracting) abstraction, that h olds in an abstract s tate iﬀ the concrete predicate h olds in all corresp ondin g concrete states, and (2) an existen tial (expanding) abstraction, th at h olds in an abstract state iﬀ the concrete predicate h olds in s ome corresp onding concrete state. T h e (concrete) temp oral p rop erties to b e v eriﬁ ed are abstracted by d istributing these op erators throu gh temp oral mo dalities (nexttime, until) and disjunction. Distribution thr ough negation con verts a universal abstraction into an existen tial one, and vice-v ersa. The abstract sy s tem is obtained by applying existen tial abstraction to the initial state predicate and eac h justice pr edicate. The transition relation is abstracted by “lifting” it to the abstract lev el using the deﬁnitions of the abstract v ariables in terms of the concrete v ariables. The compassion p airs < p i , q i > are abstracted by applying universal abstraction to p i and existen tial abstraction to q i . A main result is th at if the abstracted sys tem satisﬁes the abstracted prop ert y , then the concrete sys tem satisﬁes th e concrete prop er ty . Another main result is th at the metho d is complete: if the concrete system satsiﬁes the prop er ty , then there exists a corresp onding ﬁnite state abstract system and abstracted pr op erty suc h that th e abs tr act system satsiﬁes the abstract prop er ty . T o obtain completeness, the concrete system must b e “augmen ted” by comp osing it (sync hr onously) with a “ranking mon itor,” wh ic h trac ks the diﬀerence in successiv e v alues of a v arian t function (“progress measure” in the pap er) 40 that d ecreases with progress to wa r ds satisfying the liveness pr op erty , and is deﬁn ed ov er a well- founded domain. The r eason for incompleteness of th e unaugmente d metho d is liveness p r op erties. A ma jor diﬀerence with our ap p roac h is that the n u mb er of complemen ted pairs is ﬁnite, whereas w e allo w an inﬁn ite set. F urtherm ore, the abstr act system in our approac h is not necessarily ﬁnite state. V eriﬁcation in our app r oac h is by manually devising a liv eness-preserving sim u lation relation, and the needed complemente d pairs latti ces, and th en chec king the conditions in the corresp onding deﬁnitions, p ossibly with mec hanization via theorem p ro ving (see Section 7.3). V eriﬁcation in [24, 25] is b y m an ually devising the ﬁ nitary abstraction mapping and the ranking monitors, and then mo del-c hec king th e resulting abstracted system against the abstracted prop ert y . T here is no metho d for deriving a liv eness p rop erty at one lev el fr om other liv eness pr op erties at the s ame leve l, lik e our complemen ted-pairs lattices pr o vide. In [52], a metho d of abstraction based on Galois theory is presente d . T h is is based on extensions of the framework of abstract in terp r etation [10] to temp oral prop erties. Agai n , there are tw o abstraction n otions: un der-approximat ion and o v er-app r o ximation. In [11], the interac tion b et ween abstraction and mo d el c hec king und er f airn ess is discussed. I t is p oin ted out th at abstraction really requires th r ee-v alued logic, since, e.g., a prop osition that is true in one concrete state and f alse in another has “un k n o wn ” v alue in an abstract state that rep resen ts b oth concrete states. T o hand le fairness prop erly , tw o abstractions of the transition relation are introdu ced, called the free and constrained transition relations. 10 Conclusions and F urther W ork W e hav e presen ted ﬁve liv eness-pr eserving sim ulation relations that allo w us to r eﬁne the liv eness prop er ties of inﬁnite-state distributed systems. Our metho d for reﬁning live n ess r equ ires reasoning only o v er individu al s tates and ﬁ n ite execution fragmen ts, rather than reasoning o ver en tire exe- cutions. W e b eliev e th at the use of sim u lation-based reﬁnement toget h er with complement ed-p airs lattice s for expressing and com b ining liveness p rop erties provides a p o werful and general frame- w ork for r eﬁning liv eness p rop erties. In particular, our app r oac h f acilitates the decomp osition of the reﬁn ement task at eac h lev el into sim p ler subtasks: devise the liv eness-preserving sim ulation relation, and devise th e complemen ted-pairs lattices. Sin ce the lattice s are a kind of diagram, th ey also facilitate the decomp osition of pr o ofs and the separation of concerns, which con tribu tes to scalabilit y of the metho d . The general appr oac h and tec hniques used in this p ap er d o n ot d ep end intimately on the par- ticular automaton mo del that we used. Thus, f or example, our app r oac h can b e applied to lab eled transition systems, w h ic h are u s ed to deﬁne op erational semantics for pro cess algebras such as Algebra of C omm un icating Pro cesses [7], Communicating Sequential Pro cesses [22], Calculus of Comm u n icating Systems [42 ], and the π -calculus [43]. O ur app roac h can also b e extended in a straigh tforwa r d wa y to form alisms with unlab eled actions, such as (ﬁ n ite or inﬁn ite) Kr ipk e struc- tures, since the fact th at actions are named is not used in an y essen tial wa y , it ju st cont r ibutes to the “matc hing” condition in simulatio n relations, and to the d eﬁnition of external b eha vior (trace). W e show ed that the Streett accepta n ce condition (generalized to arb itrary cardinalit y) is ex- pressiv e enough to d eﬁne an y liv en ess pr op ert y , p ro vid ed that it satisﬁes a notion of robustness, or pro vid ed that history v ariables can b e used. Sim u lation relations as a pro of metho d for reﬁnement hav e b een widely studied. One ma jor imp ediment to th eir widespr ead adoption in pr actice is the abs ence of eﬃcien t metho d ologies f or 41 establishing s im ulation r elations. Doing so usually r equires long pr o ofs, with man y inv ariants, etc. Some of the ideas in this pap er ma y b e applicable to decomp osing and simplifying the task of establishing simulat ion relations in the ﬁ rst place. F or example, it ma y b e p ossible to apply our approac h to reﬁn ing th e in v arian ts that are used in suc h p ro ofs. An other p oten tial application is to mo dels of compu tation for dyn amic [6], r eal-time [31], hybrid [32], and probabilistic [49] systems. F or examp le, a real-time analogue of a complemen ted-pair condition w ould b e: if a Red state o ccurs, th en a Green s tate m us t o ccur within t time units. A complemen ted-pairs lattice that reﬁnes a complemente d -pair would then ha ve to satisfy , in addition to the current r equiremen ts of Deﬁnition 17, a condition for the time b ounds: ev ery path from the b ottom elemen t to the top element should h a ve a “tota l” time b ound matc h ing the pair b eing r eﬁned. In [6], w e p resen t an automata- th eoretic mo del f or dynamic computation, in whic h ind ividual p r o cesses (automata) that constitute a system can b e created and destro yed, an d can dynamically c hange their action signature. Since the tec hn iques of this p ap er assume only a generic au tomaton s tructure, they are applicable to the mo del of [6]. C om binin g th ese tw o pieces of work will resu lt in a comprehensiv e metho d for verifying th e liv eness prop erties of d y n amic s y s tems. 42 References [1] M. Abadi and L . Lamp ort. The existence of r eﬁnement mappings. The or etic al Computer Scienc e , 82(2):253–2 84, Ma y 1991. [2] B. Alp ern and F. Schneider. R ecognizing safet y and liv eness. Distribute d Computing. , 2(3):11 7– 126, 1987. [3] B. Alp ern and F. Schneider. V erifyin g temp oral p rop erties with ou t temp oral logic. ACM T r ans. Pr o gr am. L ang. Syst. , 11(1):1 47–167, Jan. 1989. [4] R. Alur and T. A. Henzinger. Lo cal live n ess for comp ositional mo deling of fair reactiv e sys- tems. In P . W olp er, editor, CA V 95: Computer-aide d V eriﬁc ation , Lecture Notes in Computer Science 939, pages 166–179. Springer-V erlag, 1995. [5] A. Arora, P . C . A ttie, and E. A. Emerson. Syn thesis of fau lt-toleran t concur ren t programs. In 7th Annual ACM Symp osium on the Principles of Di stribute d Computing , pages 173 – 182, June 1998. [6] P . C. Atti e and N.A. Ly n c h. Dyn amic inpu t/output automata: a formal m o del f or dynamic systems (extended abstract). I n CONCUR’01: 12th International Confer enc e on Concurr ency The ory , LNCS. Sp ringer-V erlag, Aug. 2001. [7] J .C .M. Bae ten and W.P . W eijland. P r o c ess algebr a . Cambridge T racts in Theoretical Comp uter Science. Cam b ridge Universit y Press, 1990. [8] A. Browne, Z. Manna, and H. Sip ma. Generalized temp oral veriﬁcati on diagrams. In 15th Confer enc e on the F oundations of Softwar e T e chnolo gy a nd The or etic al Computer Scienc e , v olume 1026 , pages 484–498. Springer-V erlag LNCS, Dec. 1995. [9] K . M. Ch andy and J. Misra. Par al lel Pr o gr am Design . Addison-W esley , Reading, Mass., 1988. [10] P . Cousot and R. Cousot. Abs tr act interpretatio n : A uniﬁed lattice mo del for static analysis of programs by construction or approxi m ation of ﬁxp oin ts. In Pr o c e e dings 4’th Annual Symp osium on Principles of Pr o gr amming L anguages . ACM Pr ess, 1977. [11] D. Dams, R. Gerth, and O. Grumb er g. F air mo d el chec king of abstractions. In P r o c e e dings of the Workshop on V eriﬁc ation and Computational L o gic (VCL’2000) , Univ ers it y of Southamp - ton, July 2000. S pringer-V erlag. [12] M. Demirbas an d A. Arora. Conv ergence reﬁnement. In International c onfer enc e on distribute d c omputing systems , Vienna,Austria, J uly 2002. [13] E. A. E merson and C. Lei. Mo dalities for mo del chec king: Branc hing time logic strike s back. In 12’th Ann. ACM Symp. on Principles of Pr o gr amming L anguages , pages 84–96, New Orleans, Louisiana, Jan. 1985. ACM P ress. [14] A. F ek ete, D. Gupta, V. Lu c hango, N. Lync h , and A. S h v artsman. Even tually-serializable data services. The or e tic al Computer Scienc e , 220:113– 156, 1999. Conference version app ears in A CM Symp osium on Pr inciples of Distributed C omputing, 1996. [15] N. F rancez. F airness . S pringer-V erlag, New Y ork, 1986. 43 [16] S. J. Garland and N. A. Lync h. Using I/O automata for d ev eloping distribu ted systems. In Gary T. Lea v ens and Murali Sitaraman, editors, F oundations of Comp onent-Base d Systems , pages 285–31 2. Cam b ridge Univ ersity Press, 2000. [17] R. Ga wlic k, R. Segala, J.F. Sogaard-Andersen, and N.A. Lyn c h. Liv eness in timed and un timed systems. T ec hn ical Rep ort MIT/LCS /TR-587, MIT Lab oratory for Computer Science, Boston, Mass., No v. 1993. [18] R. Ga wlic k, R. Segala, J.F. Sogaard-Andersen, and N.A. Lyn c h. Liv eness in timed and un timed systems. Information and Computation , 141( 2):119–171, Mar. 1998. [19] D. Griﬃo en and F. V aandr ager. A theory of normed simulat ions. ACM T r ansactio ns on Computation al L o gic , 5(4):5 77–610, 2004. [20] O. Grumb er g and D.E. Long. Mo del chec k in g and mo du lar v eriﬁ cation. ACM T r ans. Pr o gr am. L ang. Syst. , 16(3): 843–871, Ma y 1994 . [21] T.A. Henzinger, O . Kupfer m an, and S.K . Ra jamani. F air sim u lation. In A. m azurkiewicz and J. W onko wski, editors, CONCUR’97: Eig hth International Confer enc e on Concurr enc y The ory , Lecture Notes in Compu ter Science 939, pages 273–2 87, W arsa w, P oland, July 1997. Springer-V erlag. [22] C.A.R. Hoare. Communic ating Se quential Pr o c esses . Prent ice Hall Int er n ational Series in Computer Science, 1985. [23] H.E. Jens en . Abstr action-b ase d V eriﬁc ation of D i stribute d Systems . PhD thesis, In stitute for Computer Science, Aalb org Univ ers ity , J une 1999. [24] Y. Kesten an d A. Pnueli. V eriﬁ cation by augmente d ﬁ nitary abstraction. Inform ation and Computation , 163(1 ):203–243, 2000. [25] Y. Kesten, A. Pnueli, and M. Y. V ardi. V eriﬁcation b y augmen ted abstraction: The automata- theoretic view. J ournal of Computer and System Scienc es , 62(4):6 68–690, 2001. [26] R. Ladin, B. Lisko v, L. S hrira, and S. Ghema wat. Pro viding high a v ailabilit y usin g lazy replication. ACM T r ansactions on Computer Systems , 10(4):3 60–391, No v. 1992 . [27] L. Lamp ort. Pro vin g the correctness of m ultipro cess p rograms. IEE E T r ansactions on Softwar e Engine ering , S E-3(2):12 5–143, Mar. 1977. [28] L. Lamp ort. The temp oral logic of actions. ACM T r ans. Pr o gr am. L ang. Syst. , 16(3):872 –923, Ma y 1994. [29] L L amp ort. Sp e ci fying Systems: The TLA + L anguage and T o ols for Har dwar e and Softwar e Engine ers . Addison-W esley , Boston, Mass., 2002. [30] B.H. Lisk o v and J .M. Wing. A b ehavio r al n otion of subtyping. ACM T r ans. Pr o gr am. L ang. Syst. , 16(6):18 11 – 1841, No v . 1994. [31] N.A. Lynch, R. S egala, F.V aandrager, and D.K. Kaynar. Timed I/O automata. In pr eparation, 2003. 44 [32] N.A. L ync h , R. Segala, and F. V aandraager. Hybrid I/O automata. T echnical Rep ort MIT- LCS-TR-827d, MIT Lab oratory for Computer Science, C am brid ge, MA 02139, Jan . 2003. To app ear in In formation and Computation. [33] N.A. Lyn c h and M.R. T u ttle. An in tro duction to inp ut/output automata. T ec h n ical Re- p ort CWI-Quarterly , 2(3):21 9–246, Cen tru m voor Wiskunde en Informatica, Amsterdam, The Netherlands, Sept. 1989. [34] N.A. Lynch and F.W. V aandrager. F orwa r d and bac kward simulatio n s — part I: Untimed systems. Information and Computation , 121( 2):214–233, sep 1995. [35] Z. Manna, A. Browne, H. Sipma, and T. Urib e. Visual abstraction for temp oral veriﬁcat ion. In AMA ST’98 , vol u me 1548, pages 28–41. Springer-V erlag LNCS, 1998. [36] Z. Manna and A. Pnueli. Ho w to co ok a temp oral pr o of system for y our p et language. In ACM Principles of Pr o gr amming L anguages , Austin, T exas, Jan. 1983. [37] Z. Manna an d A. Pn u eli. A hierarc hy of temp oral prop erties. In 9’th p o dc , p ages 377– 408, Queb ec, Canada, Aug. 1990. [38] Z. Manna and A. Pnueli. Completing the temp oral picture. The or etic al Computer Scienc e Journal , 83(1):97– 130, 1991. [39] Z. Manna and A. Pnueli. The T e mp or al L o gi c of R e active and Concurr ent Systems . S pringer- V erlag, 1992 . [40] Z. Manna and A. Pnueli. A temp oral pro of m etho dology for reactiv e systems. In Pr o gr am Design Calculi, volume 118 of NA TO A SI Series, Series F: Computer and System Scienc es , pages 287–32 3. Sprin ger-V erlag, 1993. [41] Z. Manna and A. Pn u eli. T emp oral v eriﬁcation d iagrams. In International Symp osium on The or etic al A sp e cts of Computer Softwar e , Lecture Notes in C omp uter S cience 789, pages 726–7 65. Springer-V erlag, 1994. [42] R. Milner. Communic ation and Concurr ency . Prentice -Hall, Hemel Hempstead, U.K., 1989. [43] R. Milner. Communic ating and mobile systems: the π -c alculus . Addison -W esley , Reading, Mass., 1999. [44] A. My ers, P . Dinda, a n d H. Zhang. Performance c haracteristics of mirror serv ers on the in ternet. In IEEE INFOCOM , 1999. [45] S. Owic ki and L. Lamp ort. Pro vin g liv eness prop erties of concurrent p r ograms. ACM T r ans. Pr o gr am. L ang. Syst. , 4(3):455–49 5, July 1982. [46] S. Owre, N. Shan k ar, and J. Rushb y . Pvs: A protot yp e ve r iﬁcation system. In Pr o c e e dings CADE 11 , Saratoga Sp rings, NY, jun 1992. [47] A. Pnueli. The temp oral logic of programs. In IEEE Symp osium on F oundations of Computer Scienc e , p ages 46–57. IEEE Pr ess, 1977. [48] K. P r uhs and B. Kaly an asu ndaram. The online transp ortation prob lem. The SIAM Journal on Discr ete Mathematics , 13(3):370–3 83, 2000. 45 [49] R. Segala. A comp ositional trace-based seman tics for probabilistic automata. I n Insu p Lee and Scott A. S molk a, editors, CONCUR’95: Concurr ency The ory (6th International Confer e nc e) , v olume 962 of LNCS , pages 234–248 . Spr in ger-V erlag, 1995. [50] P . Sistla. Safet y , liveness and fairn ess in temp oral logic. F ormal Asp e cts i n Computing , 6:495– 511, 1994. [51] J.F. Sogaard-Andersen, N.A. Lync h , and B.W. Lamp son. Correctness of comunicati on pro- to cols: a case stud y . T ec h nical R ep ort MIT/LCS/TR-589, MIT Lab oratory f or Computer Science, Boston, Mass., Nov. 1993. [52] T. E. Urib e. Abstr action-b ase d De ductive-Algorith mic V eriﬁc ation of R e active Systems . PhD thesis, Computer Science Department, Stanford Univ ers it y , Dec. 1998. T ec h nical Rep ort ST AN-CS-TR-99-161 8. [53] M. Y. V ardi. V eriﬁ cation of concur rent pr ograms — the automata theoretic framework. Anna ls of pur e applie d lo gic , 51:79–9 8, 1991. 46 A Sim ulation Relations W e present here ﬁve simulat ion relations, us in g th e d eﬁnitions of [34]. Deﬁnition 22 (F orward Sim ulat ion) L et A and B b e automata with the same external actions. A forw ard sim ulation f r om A to B is a r elation f over states ( A ) × states ( B ) that satisﬁes: 1. If s ∈ start ( A ) , then f [ s ] ∩ start ( B ) 6 = ∅ . 2. If s a − → A s ′ and u ∈ f [ s ] , then ther e exists a ﬁnite exe cution fr agment α of B such that fstate ( α ) = u , lstate ( α ) ∈ f [ s ′ ] , and tr ac e ( α ) = tr ac e ( a ) . Sim u lation based pro of metho d s typicall y u s e invariants to restrict th e steps th at ha ve to b e considered. An inv arian t of an automaton is a predicate that holds in all of its reac h able s tates, or alternativ ely , is a sup erset of the reac h able states. Deﬁnition 23 (F orward Sim ulat ion w.r.t. In v arian ts) L et A and B b e automata with the same external actions and with invariants I A , I B , r esp e ctively. A forw ard sim ulation fr om A to B with r esp e ct to I A and I B is a r elation f over states ( A ) × states ( B ) that satisﬁes: 1. If s ∈ start ( A ) , then f [ s ] ∩ start ( B ) 6 = ∅ . 2. If s a − → A s ′ , s ∈ I A , and u ∈ f [ s ] ∩ I B , then ther e exists a ﬁnite exe cution fr agment α of B such that fstate ( α ) = u , lstate ( α ) ∈ f [ s ′ ] , and tr ac e ( α ) = tr ac e ( a ) . W e write A ≤ F B if there exists a forward sim ulation fr om A to B w .r.t. some inv ariants, and A ≤ F B via f if f is a forwa r d s imulation from A to B w.r .t. some inv ariants. Deﬁnition 24 (Reﬁnemen t Mapping w .r.t. In v arian ts) L et A and B b e automata with the same external actions and with invariants I A , I B , r esp e ctively. A reﬁnement m ap p ing fr om A to B with r esp e ct to I A and I B is a function r fr om states ( A ) to states ( B ) that satisﬁes: 1. If s ∈ start ( A ) , then r ( s ) ∈ start ( B ) . 2. If s a − → A s ′ , s ∈ I A , and r ( s ) ∈ I B , then ther e exists a ﬁnite exe cution fr agment α of B such that fstate ( α ) = r ( s ) , lstate ( α ) = r ( s ′ ) , and tr ac e ( α ) = tr ac e ( a ) . W e w r ite A ≤ R B if there exists a r eﬁnement mapping from A to B w.r.t. some inv arian ts, and A ≤ R B via r if r is a reﬁnement mapping from A to B w.r .t. some inv arian ts. Deﬁnition 25 (Bac kward Simulation w.r.t. Inv a rian ts) L et A and B b e automata with the same external actions and with invariants I A , I B , r esp e ctively. A backw ard sim ulation fr om A to B with r esp e ct to I A and I B is a r elation b over states ( A ) × states ( B ) that satisﬁes: 1. If s ∈ I A , then b [ s ] ∩ I B 6 = ∅ . 2. If s ∈ start ( A ) , then b [ s ] ∩ I B ⊆ start ( B ) . 47 3. If s a − → A s ′ , s ∈ I A , and u ′ ∈ b [ s ′ ] ∩ I B , then ther e exists a ﬁnite exe cution fr agment α of B such that fstate ( α ) ∈ b [ s ] ∩ I B , lstate ( α ) = u ′ , and tr ac e ( α ) = tr ac e ( a ) . A bac kward sim u lation b w.r.t. in v arian ts is image-ﬁnite iﬀ for eac h s ∈ states ( A ), b [ s ] is a ﬁn ite set. W e write A ≤ B B if there exists a bac k ward simulatio n fr om A to B w.r.t. some inv arian ts, and A ≤ B B via b if b is a backw ard sim u lation from A to B w.r.t. some in v arian ts. If the bac kward sim ulation is image-ﬁnite, then we w rite A ≤ iB B , A ≤ iB B via b , resp ectiv ely . Deﬁnition 26 (History Relation w.r.t. In v arian ts) L et A and B b e automata with the same external actions and with invariants I A , I B , r esp e ctively. A history relation fr om A to B with r e sp e ct to I A and I B is a r elation h over states ( A ) × states ( B ) that satisﬁes: 1. h is a f orwar d simulation fr om A to B w.r.t. I A and I B . 2. h − 1 is a r eﬁnement fr om B to A w.r.t. I B and I A . W e w rite A ≤ H B if there exists a history relation fr om A to B w.r.t. some inv ariant s , and A ≤ H B via h if h is a history relation fr om A to B w.r.t. some in v arian ts. Deﬁnition 27 (Prophecy Relation w.r.t. In v arian ts) L et A and B b e automata with the same external actions and with invariants I A , I B , r esp e ctively. A prophecy relation fr om A to B with r e sp e ct to I A and I B is a r elation p over states ( A ) × states ( B ) that satisﬁes: 1. p i s a b ackwar d simulation fr om A to B w.r.t. I A and I B . 2. p − 1 is a r eﬁnement fr om B to A w.r.t. I B and I A . A pr ophecy relation p w .r.t. inv arian ts is image-ﬁnite iﬀ for eac h s ∈ states ( A ), p [ s ] is a ﬁnite set. W e write A ≤ P B if there exists a prophecy relation from A to B w.r.t. some inv arian ts, and A ≤ P B via p if p is a prophecy r elation from A to B w.r.t. some inv arian ts. If the p rophecy relation is image-ﬁnite, th en w e write A ≤ iP B , A ≤ iP B via p , resp ectiv ely . 48 B Linear-time T emp oral Logic W e deﬁn e th e synta x and s emantics of the temp oral logic that we use as follo ws. This is essen tially linear-time temp oral logic without the until and n exttime op erators. Deﬁnition 28 (Syn t ax of Linea r- time T emp oral Logic) The syntax of a line ar-time temp o- r al lo gic formula is gi ven inductively as fol lows, wher e f , g ar e sub-formulae, and U is a set of states ( which deﬁnes a state-assertion ): • Each of U, f ∧ g and ¬ f is a formula • ✷ f is a formula which intuitively me ans that f ho lds in every state of the exe cution b eing c onsider e d • ✸ f is a formula which intuitively me ans that f hold s in some state of the exe cution b eing c onsider e d F ormally , we d eﬁne the semantic s of linear-time temp oral logic form ulae with r esp ect to an inﬁnite execution, that is, an inﬁn ite sequen ce of states. Deﬁnition 29 (Semantics of Linear-time T emp oral Logic) We use the usual notation to in- dic ate truth: α | = f me ans that f is true of exe cution α . W e deﬁne | = inductively, wher e α = s 0 s 1 s 2 . . . is an inﬁnite se quenc e of states, and α i = s i s i +1 . . . is the suﬃx of α starting in s i . α | = U iﬀ s 0 ∈ U α | = ¬ f iﬀ it is not the c ase that α | = f α | = f ∧ g iﬀ α | = f and α | = g α | = ✷ f iﬀ for al l i ≥ 0 , α i | = f α | = ✸ f iﬀ for some i ≥ 0 , α i | = f In particular, α | = ✷✸ f meains that α i | = f for an inﬁn ite num b er of v alues of i . 49 C I/O Automaton Co de for the ESDS Example, fr om [14] I/O Aut omaton Users Signature Input: response ( x, v ), where x ∈ O and v ∈ V Output: request ( x ), where x ∈ O State r e queste d , a s ubset of O , initially empty Actions Output request ( x ) Pre: x. id / ∈ r equeste d . id x. pr ev ⊆ re quested . id Eﬀ: r e queste d ← r e queste d ∪ { x } Input resp onse ( x, v ) Eﬀ: None Figure 7: Th e Users Automaton 50 I/O Aut omaton ESDS-I Signature Input: request ( x ), where x ∈ O Output: response ( x, v ), where x ∈ O and v ∈ V Internal: enter ( x, new-p o ), where x ∈ O and new-p o is a strict partial order on I stabilize ( x ), where x ∈ O calculate ( x, v ), where x ∈ O and v ∈ V add constraints ( new-p o ), where new-p o is a partial order on I State wait , a subset of O , initially empty; the operations requested but not yet resp onded to r ept , a subset of O × V , initiall y empty ; op erations and resp onses that may b e returned to clients ops , a subset of O , initial ly empty ; the set of all op erations that ha ve ever b een en tered p o , a partial order on I , initially empt y; constrain ts on the order oper ations in ops are applied stabilize d , a subset of O , i nitially empty; the set of stable operations Actions Input request ( x ) Eﬀ: wait ← wait ∪ { x } In terna l enter ( x, new-p o ) Pre: x ∈ wait x / ∈ ops x. pr ev ⊆ ops . id sp an ( new-p o ) ⊆ ops . id ∪ { x. i d } p o ⊆ new-p o CSC ( { x } ) ⊆ ne w-p o { ( y. id , x. id ) : y ∈ stabilize d } ⊆ new-p o Eﬀ: ops ← ops ∪ { x } p o ← ne w-p o In terna l add constraints ( new-p o ) Pre: sp an ( new-p o ) ⊆ ops . id p o ⊆ new-p o Eﬀ: p o ← new-p o In terna l stabilize ( x ) Pre: x ∈ ops x / ∈ stabilize d ∀ y ∈ ops , y  p o x ∨ x  p o y ops | ≺ po x ⊆ stabilize d Eﬀ: stabilize d ← st abilize d ∪ { x } In terna l calculate ( x, v ) Pre: x ∈ ops x. strict ⇒ x ∈ stabilize d v ∈ v alset ( x, ops , ≺ p o ) Eﬀ: if x ∈ wait then r ept ← r ept ∪ { ( x, v ) } Output resp onse ( x, v ) Pre: ( x, v ) ∈ r ept x ∈ w ait Eﬀ: wait ← wait − { x } r ept ← r ept − { ( x, v ′ ) : ( x, v ′ ) ∈ r e pt } Figure 8: Th e Sp eciﬁcation ES DS-I In terna l enter ( x, new-p o ) Pre: x ∈ wait x. pr ev ⊆ ops . id sp an ( new-p o ) ⊆ ops . id ∪ { x. i d } p o ⊆ new-p o CSC ( { x } ) ⊆ ne w-p o { ( y. id , x. id ) : y ∈ stabilize d } ⊆ new-p o Eﬀ: ops ← ops ∪ { x } p o ← ne w-p o In terna l stabilize ( x ) Pre: x ∈ ops ∀ y ∈ ops , y  p o x ∨ x  p o y ≺ p o totally orders ops | ≺ po x Eﬀ: stabilize d ← st abilize d ∪ { x } Figure 9: The Sp eciﬁcation ESDS-I I. O n ly d iﬀeren ces with ESDS-I are s ho wn . 51 I/O Aut omaton F r ontend ( c ) Signature Input: request ( x ), where x ∈ O and c = cl ient ( x ) receive r c ( m ), where r is a replica and m ∈ M r esp Output: response ( x, v ), where x ∈ O , c = client ( x ), and v ∈ V send cr ( m ), where r is a replica and m ∈ M r eq State wait c , a subset of O , initially empty r ept c , a subset of O × V , initially empty Actions Input request ( x ) Eﬀ: wait c ← wait c ∪ { x } Output send cr ( h “request” , x i ) Pre: x ∈ wait c Eﬀ: None Input receive r c ( h “response” , x, v i ) Eﬀ: if x ∈ wait c then r ept c ← r ept c ∪ { ( x, v ) } Output resp onse ( x, v ) Pre: ( x, v ) ∈ r ept c x ∈ wait c Eﬀ: wait c ← wait c − { x } r ept c ← r ept c − { ( x, v ′ ) : ( x, v ′ ) ∈ rep t c } Figure 10: The Automaton f or the front end of clien t c 52 I/O Aut omaton R eplic a ( r ) Signature Input: receive cr ( m ), where c is a client and m ∈ M r eq receive r ′ r ( m ), where r ′ 6 = r is a replica and m ∈ M gossip Output: send r c ( m ), where c is a client and m ∈ M r esp send r r ′ ( m ), where r ′ 6 = r is a replica and m ∈ M gossip Internal: do it r ( x, l ), where x ∈ O and l ∈ L r State p ending r , a subset of O , initially empty; the messages that require a r esponse r cvd r , a subset of O , initially empty; the op erations that hav e b een received done r [ i ] for eac h replica i , a subset of O , initially empty; the op erations r knows are done at i stable r [ i ] for each replica i , a subset of O , initially empty; the op erations r knows are stable at i lab el r : I → L ∪ {∞} , i nitially all ∞ ; the m inimum label r has seen for id ∈ I Derived v ariable: lc r = { ( id , id ′ ) : lab el r ( id ) < lab el r ( id ′ ) } , a strict partial order on I ; the local constraint s at r Actions Input receive cr ( h “request” , x i ) Eﬀ: p ending r ← p ending r ∪ { x } r cvd r ← r cvd r ∪ { x } In terna l do it r ( x, l ) Pre: x ∈ r cvd r − done r [ r ] x. pr ev ⊆ done r [ r ] . id l > lab el r ( y. i d ) for all y ∈ done r [ r ] Eﬀ: done r [ r ] ← done r [ r ] ∪ { x } lab el r ( x. id ) ← l Output send r c ( h “response” , x, v i ) Pre: x ∈ p ending r ∩ done r [ r ] x. strict ⇒ x ∈ T i stable r [ i ] v ∈ v alset ( x, done r [ r ] , ≺ lc r ) c = client ( x ) Eﬀ: p ending r ← p ending r − { x } Output send r r ′ ( h “gossip” , R, D , L, S i ) Pre: R = r cvd r ; D = done r [ r ]; L = lab el r ; S = stable r [ r ] Input receive r ′ r ( h “gossip” , R, D , L, S i ) Eﬀ: r cvd r ← r cvd r ∪ R done r [ r ′ ] ← done r [ r ′ ] ∪ D ∪ S done r [ r ] ← done r [ r ] ∪ D ∪ S done r [ i ] ← done r [ i ] ∪ S f or all i 6 = r, r ′ lab el r ← min( lab el r , L ) stable r [ r ′ ] ← stable r [ r ′ ] ∪ S stable r [ r ] ← stable r [ r ] ∪ S ∪ ( T i done r [ i ]) Figure 11: Au tomaton for replica r 53 I/O Aut omaton Channel ( i, j, M ) Signature Input: send ij ( m ), where m ∈ M Output: receive ij ( m ), where m ∈ M State channel ij , a mu l tiset of messages, (tak en from M ), initiall y empty Actions Input send ij ( m ) Eﬀ: channel ij ← channel ij ∪ { m } Output receive ij ( m ) Pre: m ∈ c hannel ij Eﬀ: channel ij ← channel ij − { m } Figure 12: The Ch annel Automaton 54

On the Refinement of Liveness Properties of Distributed Systems

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment