## Normed Simulations (1998)

Venue: In Proceedings CAV'98

Citations: 14 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Griffioen98normedsimulations,
  author    = {David Griffioen and Frits Vaandrager},
  title     = {Normed Simulations},
  booktitle = {In Proceedings CAV'98},
  year      = {1998},
  pages     = {332--344},
  publisher = {Springer-Verlag}
}
```

### Abstract

In existing simulation proof techniques, a single step in a low-level system may be simulated by an extended execution fragment in a high-level system. As a result, it is undecidable whether a given relation is a simulation, even if tautology checking is decidable for the underlying specification logic. This paper introduces various types of normed simulations. In a normed simulation, each step in a low-level system can be simulated by at most one step in the high-level system, for any related pair of states. We show that it is decidable whether a given relation is a normed simulation relation, given that tautology checking is decidable. We also prove that, at the semantic level, normed simulations form a complete proof method for establishing behavior inclusion, provided that the high-level system has finite invisible nondeterminism. As an illustration of our method we discuss the verification in PVS of a leader election algorithm that is used within the IEEE 1394 protocol.

### Citations

466 | The existence of refinement mappings
- Abadi, Lamport
- 1991
Citation context: ...e IEEE 1394 protocol. 1 Introduction Simulation relations and refinement functions are widely used to prove that a low-level specification of a reactive system correctly implements a higher-level one [1, 13]. Technically, a simulation (or refinement) is a relation (or function) R between the states of a low-level system A and a high-level system B, that satisfies conditions such as (s, u) ∈ R ∧ s --a--> ...

316 | Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS
- Owre, Rushby, et al.
- 1995
Citation context: ...s the second manifests in the need of finding sufficiently strong invariants. In order to address the first problem, powerful decision procedures have been incorporated in theorem provers such as PVS [16]. If tautology checking is decidable then it is decidable whether a given state predicate is valid for the initial states and preserved by all transitions. The task of finding such a predicate, i.e. s...

278 | Branching time and abstraction in bisimulation semantics (extended abstract)
- Glabbeek, Weijland
- 1989
Citation context: ...y normed forward simulations are strictly finer than the preorders induced by the simulations of [13]. In fact, it is easy to characterize normed forward simulations in terms of branching simulations [9]. We believe it will be possible to come up with a notion of normed simulation that induces the same preorder as forward simulations, but technically this will be much more involved. In [9] it is argu...

147 | Characterizing finite Kripke structures in propositional temporal logic
- Browne, Clarke, et al.
- 1988
Citation context: ...ne of [8, 19], but has the advantage that it also preserves until properties. Theorem 1. (Execution correspondence) (1) If (α, α') ∈ R then trace(α) = trace(α'). (2) If (A, B) ∈ R then A ≤_T B. (3) If [A, B] ∈ R then A ≤_{*T} B. Theorem 2. (Soundness of refinements) If r is a step refinement from A to B then (A, B) ∈ r. Combining Theorems 1 and 2 gives that A ≤_R B implies A ≤_T B. In addition, Theorem ...

116 | Three logics for branching bisimulation
- Nicola, Vaandrager
- 1995
Citation context: ...14]. He uses them to obtain a characterization of the stuttering bisimulation of [3], which is the equivalent of branching bisimulation in a setting where states rather than actions are labelled (see [4]). Both [10] and [14] do not address effectiveness issues. Although we present normed simulations in a setting of labeled transition systems, it should not be difficult to transfer our results to a pr...

92 | Powerful techniques for the automatic generation of invariants
- Bensalem, Lakhnech, et al.
- 1996
Citation context: ...stems that perform internal (or stuttering) steps. The usual transfer condition for forward simulations [13], for instance, says (s, u) ∈ R ∧ s --a-->_A s' ⇒ ∃ execution fragment α : first(α) = u ∧ trace(α) = trace(a) ∧ (s', last(α)) ∈ R (2) (Each low-level transition can be simulated by a sequence of transitions which, apart from the action that has to be matched, may also contain an arbitrary n...

87 | Liveness in timed and untimed systems
- Gawlick, Segala, et al.
- 1994
Citation context: ...on (Condition 3), and each non-τ action in the high-level execution corresponds to an action in the low-level execution (Condition 4). Our notion of correspondence is similar to the one presented in [8, 19]. Within the theory of I/O automata, execution correspondence plays a crucial role in proofs of preservation of both safety and liveness properties. Our notion is more restrictive than the one of [8, ...

58 | Proof-checking a data link protocol
- Helmink, Sellink, et al.
- 1994
Citation context: ...are described, the authors only define a restricted type of simulation or refinement in which each transition of the low-level system is formalized by one or zero transitions of the high-level system [11, 15, 6]. In approaches such as [18], in which the full transfer condition (2) is formalized, the user has to supply the simulating execution fragment α to the prover explicitly in each case of the proof, wh...

48 | Forward and backward simulations I: untimed systems
- Lynch, Vaandrager
- 1995
Citation context: ...e IEEE 1394 protocol. 1 Introduction Simulation relations and refinement functions are widely used to prove that a low-level specification of a reactive system correctly implements a higher-level one [1, 13]. Technically, a simulation (or refinement) is a relation (or function) R between the states of a low-level system A and a high-level system B, that satisfies conditions such as (s, u) ∈ R ∧ s --a--> ...

41 | Focus points and convergent process operators. A proof strategy for protocol veri
- Groote, Springintveld
Citation context: ...cal theory of normed simulations appears to be nicer and more tractable than the theory of simulations developed in [13]. The idea of using norm functions to prove simulation relations also occurs in [10], where it is used to prove branching bisimilarity in the context of the process algebra μCRL. However, in [10] the norm function is defined on the states of B only, and does not involve the transiti...

31 | Verification of a Leader Election Protocol - Formal Methods Applied to IEEE 1394
- Devillers, Griffioen, et al.
- 1997
Citation context: ...are described, the authors only define a restricted type of simulation or refinement in which each transition of the low-level system is formalized by one or zero transitions of the high-level system [11, 15, 6]. In approaches such as [18], in which the full transfer condition (2) is formalized, the user has to supply the simulating execution fragment α to the prover explicitly in each case of the proof, wh...

30 | A simple characterization of stuttering bisimulation
- Namjoshi
- 1997
Citation context: ...reorder. The following theorem states that normed forward simulations induce the same preorder on automata as "branching forward simulations". Basically the same result has been obtained by Namjoshi [14] in the setting of stuttering bisimulations. Theorem 3. A ≤_F B iff there is a branching forward simulation from A to B, i.e., a relation f over states(A) × states(B) such that 1. If s ∈ start(A) t...

23 | I/O automata in Isabelle/HOL
- Nipkow, Slind
- 1995
Citation context: ...are described, the authors only define a restricted type of simulation or refinement in which each transition of the low-level system is formalized by one or zero transitions of the high-level system [11, 15, 6]. In approaches such as [18], in which the full transfer condition (2) is formalized, the user has to supply the simulating execution fragment α to the prover explicitly in each case of the proof, wh...

7 | Computer-assisted simulation proofs
- Søgaard-Andersen, Garland, et al.
- 1993
Citation context: ...ine a restricted type of simulation or refinement in which each transition of the low-level system is formalized by one or zero transitions of the high-level system [11, 15, 6]. In approaches such as [18], in which the full transfer condition (2) is formalized, the user has to supply the simulating execution fragment α to the prover explicitly in each case of the proof, which makes the verification p...

5 | Correctness of communication protocols. A case study
- Søgaard-Andersen, Lynch, et al.
- 1993
Citation context: ...on (Condition 3), and each non-τ action in the high-level execution corresponds to an action in the low-level execution (Condition 4). Our notion of correspondence is similar to the one presented in [8, 19]. Within the theory of I/O automata, execution correspondence plays a crucial role in proofs of preservation of both safety and liveness properties. Our notion is more restrictive than the one of [8, ...

4 | Possibly infinite sequences: A comparative case study
- Devillers, Griffioen, et al.
- 1997
Citation context: ...uences, and move effortlessly from transitions to executions and back. In contrast, it turns out to be rather cumbersome to formalize arguments involving sequences using existing theorem provers (see [5] for a comparative study). In fact, in several papers in which formalizations of simulation proofs are described, the authors only define a restricted type of simulation or refinement in which each tr...

3 | IOA: A language for specifying, programming, and validating distributed systems
- Garland, Lynch, et al.
- 1997
Citation context: ...t of L for which tautology checking is decidable and if the transition relations of A and B can be specified using a finite number of deterministic transition predicates (as defined, for instance, in [7]), then it is decidable whether the pair (R, n) is a normed forward or normed backward simulation. It is not hard to prove that this result does not hold for the refinements, forward and backward simu...

3 | Proving correctness with respect to nondeterministic safety specifications
- Sistla
- 1991
Citation context: ...n A and B in the sense of Van Glabbeek and Weijland [9]. Hence, history relations preserve behavior of automata in a very strong sense. The following theorem is a variant of a result proved by Sistla [17]. Theorem 8. (Completeness of history relations and backward simulations) If A ≤_{*T} B then there exists a forest C such that A ≤_H C ≤_B B. Theorem 9. A ≤_F B ⇔ (∃C : A ≤_H C ≤_R B). 2.5 Prophecy Relations A pair ...