q0
q1
q2
q3
[x <1],x:= 0
x:= 1 [x <3],x:=x+ 1
[x= 2],x:= 0
[x≤2],x:= 0 [x≤2],x:=x−1
[x <1]
Figure 3.1: A satisfaction relation between an automaton and specification2x= 0.
However, all other computation paths don’t satisfy this specification. Thus, the automaton does not implement2x= 0.
3.4 Model element-based slicing technique
In this section, the idea of model slicing will be presented in a general fashion, where in the next section a valid instance of that procedure is introduced. Our slicing model technique is applying a sound compositional verification on the desired model checking task as shown in the following theorem.
Theorem 3.1: Compositional Verification
Let A1 ∈ Aut1 and A2 ∈ Aut2 be automata and T1 and T2 operational seman-tics for Aut1 and Aut2, respectively. Let P → Q be an assumption-commitment specification.
1. The common-P-hypothesis: whenever the set of observable behaviours ofA1 that satisfyP is equal to the set of observable behaviours ofA2 that satisfy P, thenA1 satisfiesP →Qif and only if A2 satisfiesP →Q, i.e.,
OT1(A1)∩P =OT2(A2)∩P =⇒ (A1|=T1 P →Q ⇐⇒ A2|=T2 P →Q).
2. The over-approximating-P-hypothesis: whenever the set of observable be-haviours of A1 that satisfy P is a subset of the set of observable behaviours ofA2, thenA1 satisfiesP →QifA2 satisfiesQ, i.e.,
OT1(A1)∩P ⊆ OT2(A2) =⇒ (A2 |=T2 Q =⇒ A1 |=T1 P →Q).
In general, the second implication does not hold in the other direction.
3.4. MODEL ELEMENT-BASED SLICING TECHNIQUE
Proof of Compositional Verification We will begin with the first part of the theorem:
1. LetOT1(A1)∩P =OT2(A2)∩P as given in the premise of common-P-rule.
By using Definition 3.3, we know that: the automaton A1 under T1 satisfies the specification P → Q if and only if the set of observable behaviour ofA1 underT1 is a subset of theP →Q.
That is,
A1 |=T1 P →Q ⇐⇒ OT1(A1)⊆P →Q Consequently be using Definition 3.7we get:
A1 |=T1 P →Q ⇐⇒ OT1(A1)⊆P∪Q(∗)
Now, if we consider the whole set of observable behaviour i.e. P ∪P together with the result obtained in (∗); i.e. OT1(A1)⊆P∪Qwe get:
OT1(A1)∩(P∪P)⊆(P∪Q)∩(P∪P) OT1(A1)∩(P ∪P)⊆(P∪Q)(∗∗) Now we split (∗∗) into two expressions; namely:
OT1(A1)∩P ⊆(P∪Q) and OT1(A1)∩P ⊆(P∪Q) We know thatOT1(A1)∩P 6⊆P, thus:
OT1(A1)∩P ⊆(P∪Q)≡ OT1(A1)∩P ⊆Q
We know also thatOT1(A1)∩P ⊆(P ∪Q) is a tautology. Additionally, OT1(A1)∩P ⊆ Q holds if and only if the premise of the rule holds i.e.
OT2(A2)∩P ⊆Q(as given in the rule).
With the same procedure of previous analysis, we can say:
OT2(A2)∩P ⊆P
By combiningOT2(A2)∩P ⊆Qwith OT2(A2)∩P ⊆P, we get:
(OT2(A2)∩P)∪(OT2(A2)∩P)⊆P∪Q So
OT2(A2)⊆P∪Q By using Definition3.7, we get
A2|=T2 P →Q
2. For the second part of the theorem, let OT1(A1)∩P ⊆ OT2(A2) as given in the premise of the rule.
We are given that the second automatonA2 satisfies the specificationQ
3.4. MODEL ELEMENT-BASED SLICING TECHNIQUE
i.e. A2 |=T2 Q. By using Definition3.3 we get:
OT2(A2)⊆Q
By using the premise ofover-approximating-P-rule we get:
OT1(A1)∩P ⊆ OT2(A2)⊆Q
We know that any operation over observable behaviour follows set-semantics. Thus
OT1(A1)∩P ⊆P .
By combiningOT1(A1)∩P ⊆Qwith OT1(A1)∩P ⊆P, we get:
(OT1(A1)∩P)∪(OT1(A1)∩P)⊆(P∪Q)∪P) So
OT1(A1)⊆P∪Q By using Definitions3.7, we get:
A1|=T1 P →Q
The previous theorem states two observations for assumption-commitment specifications S of the form P →Q. Firstly, whether an automaton satisfiesS depends exactly on the observable behaviours satisfyingP. That is, in order to check an automaton A1 against S, we may as well checkA2 (even under a different operational semantics) as long asA1 andA2 (under the considered semantics) agree on the observable behaviours satisfyingP. Secondly, it is possible to verify satisfaction ofS by an automaton through checking only Qin an overapproximation of the automaton’s observable behaviour.
Moreover, in order to understand the idea behind Theorem3.1, let us consider the cases depicted in Figure 3.2. We have five cases, where each case represents either a holding situation of the specification or a violation situation. For each figure, the green area represents the area where the specification P holds and the specification Q doesn’t hold.
Thered arearepresents the situation where the specificationQholds only. The last area represents the situation where neitherP norQholds. Themixed area (green and read) represents the situation where the both specificationsP and Qhold. Thecyan polygon areaand blue polygon arearepresent the observable behaviours of automatonA1 and A2 respectively.
Figure 3.2a represents the situation where the set of observable behaviours of A1 that satisfyP is equivalent to the set of observable behaviours of A2 that satisfy P. On the same time the set of observable behaviours of A1 satisfy the specification P → Q since the green area is not touched at all. At this point, we conclude that the set of observable behaviours ofA2 satisfy also P →Q by using Theorem1.
Figure 3.2b represents the situation where the set of observable behaviours of A1 that satisfyP is equivalent to the set of observable behaviours of A2 that satisfy P. On the same time the set of observable behaviours ofA1 do not satisfy the specification P →Q
3.4. MODEL ELEMENT-BASED SLICING TECHNIQUE
P,¬Q
P,Q ¬P,Q
¬P,¬Q OT1(A1)
OT2(A2)
(a) Theorem3.1.1– positive case.
P,¬Q
P,Q ¬P,Q
¬P,¬Q
OT1(A1)
OT2(A2)
(b) Theorem3.1.1– negative case.
P,¬Q
P,Q ¬P,Q
¬P,¬Q OT1(A1)
OT2(A2)
(c) Theorem3.1.2– positive case.
P,¬Q
P,Q ¬P,Q
¬P,¬Q OT1(A1)
OT2(A2)
(d) Theorem3.1.2– negative case.
P,¬Q
P,Q ¬P,Q
¬P,¬Q OT1(A1)
OT2(A2)
(e) Theorem3.1.2– negative case.
Figure 3.2: List of interesting cases for Theorem3.1.
since the green area is intersected withOT1(A1). At this point, we conclude that the set of observable behaviours ofA2 do not satisfy alsoP →Qby using Theorem 1.
Figure 3.2c represents the situation where the set of observable behaviours of A1 that satisfy P is a subset of the set of observable behaviours of A2 and on the same time the set of observable behaviours ofA2 satisfy the specification Q, since neither the green area nor the white one is touched. At this point, we conclude that the set of observable behaviours ofA1 satisfy also P →Q by using Theorem2.
Figure 3.2d represents the situation where the set of observable behaviours of A1 that satisfyP is a subset of the set of observable behaviours of A2 and on the same time the set of observable behaviours ofA2 do not satisfy the specification Qsince the white area is touched. At this point, we cannot conclude any result forA1, despite the fact that the automataA1 and A2 satisfy the specification P →Q.
Figure 3.2e represents the situation where the set of observable behaviours of A1 that satisfyP is a subset of the set of observable behaviours ofA2. On the same time the set of observable behaviours ofA2 do not satisfy the specification Q, since parts of white and the green areas are included. At this point, we cannot conclude any result forA1, despite the fact thatA1 does not satisfy the specification P → Q. The latter two cases address the limitation of over-approximatingP-rule usage.
The next section introduces two kinds of source-to-source transformation functions that entail the premises of the over-approximating-P- and the common-P-rules.