## A Comparison of Simulation Techniques and Algebraic Techniques for Verifying Concurrent Systems (1997)

Venue: Formal Aspects of Computing

Citations: 6 (1 self)

### BibTeX

@TECHREPORT{Lynch97acomparison,
  author      = {Nancy Lynch and Roberto Segala},
  title       = {A Comparison of Simulation Techniques and Algebraic Techniques for Verifying Concurrent Systems},
  institution = {Formal Aspects of Computing},
  year        = {1997}
}

### Abstract

Simulation-based assertional techniques and process algebraic techniques are two of the major methods that have been proposed for the verification of concurrent and distributed systems. It is shown how each of these techniques can be applied to the task of verifying systems described as input/output automata; both safety and liveness properties are considered. A small but typical circuit is verified in both of these ways, first using forward simulations, an execution correspondence lemma, and a simple fairness argument, and second using deductions within the process algebra DIOA for I/O automata. An extended evaluation and comparison of the two methods is given.
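The simulation side of the comparison can be made concrete on a small circuit. The example below is an addition by the editor of this page, not code from the paper: a brute-force check of the forward-simulation conditions of [LyV91] over the reachable states of a finite I/O automaton, run on a constructed toy version of the circuit the citation contexts below mention. The specification is a Muller C element that moves to a chaos state Ω whenever the environment toggles an input a second time before the output has answered (the same input-enabling device the DIOA context describes); the implementation is a majority element whose output is fed back as its own third input, followed by a wire that carries that output to the environment. The automata, the candidate relation `rel`, and the action names `a`, `b`, `c`, `x` are this editor's assumptions for illustration; the paper's own Tables and proof are not reproduced.

```python
# Added example (not the paper's code): explicit-state forward-simulation check for finite I/O
# automata.  The automata below are this editor's own toy models, not the paper's Tables.
OMEGA = "OMEGA"  # chaos state: every action enabled, stays in chaos (the DIOA-style Omega device)


def explore(step, actions, starts):
    """States reachable from `starts` via steps labelled with `actions` only."""
    seen, todo = set(starts), list(starts)
    while todo:
        s = todo.pop()
        for act in actions:
            for t in step(s, act):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen


class IOA:
    """Finite I/O automaton; step(state, action) -> set of successors (empty set = not enabled)."""
    def __init__(self, starts, inputs, outputs, internals, step):
        self.starts, self.step = list(starts), step
        self.inputs, self.outputs, self.internals = set(inputs), set(outputs), set(internals)

    def actions(self):
        return self.inputs | self.outputs | self.internals

    def reachable(self):
        return explore(self.step, self.actions(), self.starts)


def check_forward_simulation(A, B, rel):
    """Is rel (A-state -> set of related B-states) a forward simulation from A to B?

    On A's reachable states (same external actions assumed): each start state of A must be related
    to a start state of B, and each step s -act-> s2 must be matched from every related u by a
    fragment of B with the same trace (act if external, empty if internal) ending related to s2.
    Returns None if so, otherwise the first unmatched obligation (s, act, s2, u).
    """
    for s in A.starts:
        if not rel(s) & set(B.starts):
            return (s, None, None, None)
    for s in sorted(A.reachable()):
        for act in sorted(A.actions()):
            for s2 in A.step(s, act):
                for u in rel(s):
                    before = explore(B.step, B.internals, {u})
                    after = before if act in A.internals else explore(
                        B.step, B.internals, {v for u1 in before for v in B.step(u1, act)})
                    if not after & rel(s2):
                        return (s, act, s2, u)
    return None


# Specification state (a, b, c, ta, tb): input/output levels plus flags "input toggled since last c".
def spec_step(u, act):
    if u == OMEGA:
        return {OMEGA}
    a, b, c, ta, tb = u
    if act == "a":
        return {OMEGA} if ta else {(1 - a, b, c, 1, tb)}  # second toggle before c: protocol broken
    if act == "b":
        return {OMEGA} if tb else {(a, 1 - b, c, ta, 1)}
    if act == "c":
        return {(a, b, 1 - c, 0, 0)} if a == b != c else set()  # output follows agreeing inputs
    return set()

SPEC = IOA([(0, 0, 0, 0, 0)], {"a", "b"}, {"c"}, set(), spec_step)


# Implementation state (a, b, x, w): inputs, majority-element output x, wire output w (the visible c).
def impl_step(s, act):
    a, b, x, w = s
    if act == "a":
        return {(1 - a, b, x, w)}
    if act == "b":
        return {(a, 1 - b, x, w)}
    if act == "x":  # majority(a, b, x) differs from the fed-back x exactly when a == b != x
        return {(a, b, 1 - x, w)} if a == b != x else set()
    if act == "c":  # the wire delivers the gate output it is holding
        return {(a, b, x, x)} if w != x else set()
    return set()

IMPL = IOA([(0, 0, 0, 0)], {"a", "b"}, {"c"}, {"x"}, impl_step)


def rel(s):
    """Candidate simulation: same inputs, c = wire output, flags recovered as "input differs from c".
    While a gate output is still in the wire, only states whose inputs both agree with it are
    related; OMEGA is related to every implementation state."""
    a, b, x, w = s
    related = {OMEGA}
    if x == w or a == b == x:
        related.add((a, b, w, int(a != w), int(b != w)))
    return related


# Naive spec, state (a, b, c): unconstrained inputs and no chaos state.  The check must fail on a 'c'
# step, because the wire may deliver an output after both inputs have toggled back.
def naive_spec_step(u, act):
    a, b, c = u
    if act in ("a", "b"):
        return {(1 - a, b, c) if act == "a" else (a, 1 - b, c)}
    return {(a, b, 1 - c)} if act == "c" and a == b != c else set()

NAIVE_SPEC = IOA([(0, 0, 0)], {"a", "b"}, {"c"}, set(), naive_spec_step)

def naive_rel(s):
    a, b, x, w = s
    return {(a, b, w)}


if __name__ == "__main__":
    print("DI spec with chaos:", check_forward_simulation(IMPL, SPEC, rel))
    print("naive spec:        ", check_forward_simulation(IMPL, NAIVE_SPEC, naive_rel))
```

Run as a script, the first check returns `None`: `rel` satisfies both forward-simulation conditions, so by the soundness of forward simulations every trace of `IMPL` is a trace of `SPEC`. The second check, against the naive specification, returns the obligation starting at state `(0, 0, 1, 0)` on action `c`: the gate output flipped to 1 while both inputs were 1, both inputs toggled back to 0 before the wire delivered, and the wire then emits a `c` that a specification without the chaos state cannot match. That is exactly the input-protocol violation the Ω device absorbs. Two caveats a practitioner would want: a failed check refutes only this candidate relation, not trace inclusion itself, and the check establishes safety only; the fairness (liveness) part that the abstract handles with a separate argument is outside what it proves.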

### Citations

3204 | Communication and Concurrency - Milner - 1989 |
Citation context: ... DIOA; note that the sort of an expression is computable. Table 2 contains the operational semantics of DIOA in terms of transition systems. The operators of DIOA recall the standard operators of CCS [Mil89]; however, they are different in the sense that they also guarantee input enabling by moving an automaton to the state Ω whenever some unexpected input is provided. The expression nil models a quie...

405 | Testing equivalences for processes - Nicola, Hennessy - 1984 |

403 | Bisimulation through probabilistic testing - Larsen, Skou - 1991 |

393 | Algebraic Theory of Processes - Hennessy - 1988 |

366 | Hierarchical correctness proofs for distributed algorithms - Lynch, Tuttle - 1987 |
Citation context: ...egala In this paper, we unify, evaluate and compare the simulation-based and process algebraic verification techniques in terms of the Input/Output automaton (I/O automaton) model of Lynch and Tuttle [LyT87]. This framework has been used extensively for the verification of complex algorithms and pieces of distributed systems [WLL88, LaS92, LyP92, SLL93b], and has already been given a process algebraic ch...

106 | Process Algebra. Cambridge Tracts in Theoretical Computer Science 18 - Baeten, Weijland - 1990 |
Citation context: ..., this is of limited use since almost any nontrivial I/O automaton contains loops that have to be specified using recursion. Even our small example cannot be specified without using recursion. In ACP [BaW90] there is another approach to fairness by means of a rule called Koomen's Fair Abstraction Rule (KFAR). The basic idea for KFAR is that fairness issues can be reformulated in terms of divergences. Thu...

82 | Liveness in timed and untimed systems - Gawlick, Segala, et al. - 1998 |
Citation context: ...ta. The two proofs proceed very differently. First, the simulation proof uses a forward simulation [LyV91] from the implementation to the specification, then invokes an execution correspondence lemma [GSSL93] to obtain a correspondence between executions of the implementation and the specification. Then a simple argument about fairness is made, based on the correspondence between executions; this fairness...

63 | Forward and backward simulations for timing-based systems - Lynch, Vaandrager - 1991 |
Citation context: ...r relation (i.e., fair trace inclusion) holds between the implementation and the specification automata. The two proofs proceed very differently. First, the simulation proof uses a forward simulation [LyV91] from the implementation to the specification, then invokes an execution correspondence lemma [GSSL93] to obtain a correspondence between executions of the implementation and the specification. Then a...

55 | Proof-checking a data link protocol - Helmink, Sellink, et al. - 1994 |
Citation context: ...r has been used successfully for this purpose. Also the theorem prover Isabelle was used for the same purpose in [Nip89], and the proof assistant Coq (Calculus of Inductive Constructions) was used in [HSV94]. The work on mechanical simulation-based verifications is still under development, and [HSV94, Nip89, SGG+93] are just the first attempts at solving the problem. It seems unlikely that an automatic...

41 | Receptive process theory - Josephs - 1992 |
Citation context: ...to the common task of verifying both safety and liveness properties of systems described as I/O automata. We then use each technique to verify a small but typical delay insensitive circuit taken from [Jos92]: a Muller C element [MuB59] implemented in terms of a majority element and a wire. Both the implementation and the specification are described as I/O automata, and the verification consists of showin...

39 | On the relationship between process algebra and input/output automata - Vaandrager - 1991 |
Citation context: ...a. This process algebra contains a collection of axioms (i.e., sound proof rules) asserting that the quiescent preorder relation holds for a pair of I/O automata. The quiescent preorder is defined in [Vaa91] and consists of trace inclusion and quiescent trace inclusion. It is an approximation, based on finite traces only, of the fair preorder. The reason for the use of the quiescent preorder rather than...

37 | Process Algebra. Cambridge Tracts in Theoretical Computer Science 18 - Baeten, Weijland - 1990 |
Citation context: ...on the given specification. This heuristic is generally applicable when dealing with (finite state) circuit descriptions. It is also applied in [Jos92, Seg92, OrP92] and in several of the examples of [Bae90]. In these cases, algebraic manipulators like those of [MaV91, Lin91] can be used. However, when the problem becomes large or is described by an infinite state machine, the remarks at the end of Secti...

37 | An algebraic verification of a mobile network - Orava, Parrow - 1992 |

20 | A Bounded Retransmission Protocol for Large Data Packets - Groote, Pol - 1996 |
Citation context: ...hat some form of simulation has to be defined even for an algebraic proof; therefore, the difficulties involved in the mechanization of simulation and algebraic proofs are comparable. A case study in [GrP93], which is an algebraic verification of the same protocol as [HSV94] using Coq, shows, in our opinion, how deriving a process algebraic proof for a large system is tantamount to finding a simulation r...

17 | PAM: A Process Algebra Manipulator - Lin - 1995 |

13 | Foundations of a theory of specification for distributed systems - Stark - 1984 |

12 | Formal verification of data type refinement: theory and practice - Nipkow |
Citation context: ...s to verify that the simulation is correct. As described in [SGG+93], the Larch prover has been used successfully for this purpose. Also the theorem prover Isabelle was used for the same purpose in [Nip89], and the proof assistant Coq (Calculus of Inductive Constructions) was used in [HSV94]. The work on mechanical simulation-based verifications is still under development, and [HSV94, Nip89, SGG+93]...

12 | A lattice-structured proof technique applied to a minimum spanning tree algorithm - Welch, Lamport, et al. - 1988 |

7 | On the relations computable by a class of concurrent automata - Stark - 1990 |
Citation context: ... I/O automaton A with a single class, we derive A′ ⊑_F B, and, from Proposition 5.8, we derive A ⊑_F B. Examples of systems satisfying the condition of Proposition 5.8 are the monotone I/O automata of [Sta90], which can model a large class of dataflow networks, and the semi-modular, speed-independent circuits of [MuB59]. Our problem is based on delay insensitive circuits. 5.1.2. The Calculus of Demonic I/...

6 | A process-algebraic view of i-o automata - Segala |
Citation context: ... a backward simulation from X′ to X, therefore also backward simulation is incomparable with DIOA deduction. All the examples above also work for the simple trace preorder. The reader is referred to [DnS92] for its axiomatization. 6.2. Treatment of Fairness In the given example, a separate argument about fairness is made in the simulation proof, whereas no such argument is needed in the algebraic proof....

5 | A theory of asynchronous circuits. Annals of the Computation - Muller, Bartky - 1959 |
Citation context: ...ing both safety and liveness properties of systems described as I/O automata. We then use each technique to verify a small but typical delay insensitive circuit taken from [Jos92]: a Muller C element [MuB59] implemented in terms of a majority element and a wire. Both the implementation and the specification are described as I/O automata, and the verification consists of showing that the fair preorder rel...

5 | Correctness of communications protocols: a case study - Søgaard-Andersen, Lynch, et al. - 1993 |
Citation context: ...r proof. 4.1.2. Forcing I/O Automata In carrying out the proof of fairness, it turns out to be notationally convenient to use a slight generalization of I/O automata that we call forcing I/O automata [SLL93b]. The generalization consists of associating a set of states, called a forcing set, with each class of part(A). Forcing I/O automata are no more expressive (footnote 3: In [GSSL93], it is also shown that a simi...)

4 | A proof assistant for PSF - Mauw, Veltink - 1991 |

3 | Quiescence, fairness, testing, and the notion of implementation - 1993 |

2 | Distributed Algorithms. Fall 1990 Lecture Notes for 6.852 - Lynch, Saias - 1992 |

1 | Distributed Algorithms. Fall 1992 Lecture Notes for 6.852 - Lynch, Patt-Shamir - 1992 |

1 | Correctness of at-most-once message delivery protocols - Søgaard-Andersen, Lampson, et al. - 1993 |