An algorithm to test the conflict preorder

An algorithm to test the conflict preorder

Science of Computer Programming 89 (2014) 23–40 Contents lists available at ScienceDirect Science of Computer Programming www.elsevier.com/locate/sc...
Download PDF
600KB Sizes 7 Downloads 51 Views
Report

Science of Computer Programming 89 (2014) 23–40

Contents lists available at ScienceDirect

Science of Computer Programming www.elsevier.com/locate/scico

An algorithm to test the conflict preorder Simon Ware ∗ , Robi Malik Department of Computer Science, University of Waikato, Hamilton, New Zealand

a r t i c l e

i n f o

Article history: Received 30 January 2012 Received in revised form 11 June 2013 Accepted 17 September 2013 Available online 3 October 2013 Keywords: Finite automata Process algebra Model checking Nonblocking

a b s t r a c t This paper proposes a way to effectively compare the potential of processes to cause conflict. In discrete event systems theory, two concurrent systems are said to be in conflict if they can get trapped in a situation where they are both waiting or running endlessly, forever unable to complete their common task. The conflict preorder is a processalgebraic pre-congruence that compares two processes based on their possible conflicts in combination with other processes. This paper improves on previous theoretical descriptions of the conflict preorder by introducing less conflicting pairs as a concrete state-based characterisation. Based on this characterisation, an effective algorithm is presented to determine whether two processes are related according to the conflict preorder. © 2013 Elsevier B.V. All rights reserved.

1. Introduction A key question in process algebra is how processes can be composed and compared [1,2]. An understanding of what makes processes equivalent is important for several applications, ranging from comparison and minimisation to hierarchical interface design [3] and program construction using abstraction and refinement. Several equivalence relations have been studied, most notably weak bisimulation or observation equivalence [4], failures equivalence [5], and trace equivalence [6]. Each equivalence has its own properties, making it suitable for particular applications and verification tasks [2]. This paper proposes a decision procedure for conflict equivalence and the associated preorder, which is also known as weak termination accordance [7]. Conflict equivalence relates processes based on which other processes they can come into conflict [8,9] with. Two processes are in conflict, if they can reach a state from which termination is no longer possible. This can be because of deadlock where neither process is capable of doing anything, or livelock where the system continues to run without ever terminating. Conflict equivalence is introduced in [10] as the best possible process equivalence to reason compositionally about conflicts. It is shown in [10] that conflict equivalence is coarser than weak bisimulation [4], and different from failures and trace equivalence [5], for which decision procedures are known. Weak bisimulation can be decided in cubic complexity [11], while the decision problems for failures and trace equivalence are PSPACE-complete [12]. The process-algebraic theory most closely related to conflict equivalence is fair testing [13,14]. The fair testing preorder has got an exponential decision procedure [13], but this procedure cannot be used directly to test the conflict preorder. The essential difference between the conflict and fair testing preorders lies in the capability of the conflict preorder to compare processes that exhibit blocking behaviour, as expressed by the set of certain conflicts [10,15,16]. In [17,18], various conflict-preserving rewrite rules are used to simplify processes and check whether or not large systems of concurrent finite automata are free from conflict. While of good use in practice, the rewrite rules are incomplete, and it remains an open question how processes can be normalised or compared for conflict equivalence. This paper improves on previous results about conflict equivalence and the associated conflict preorder [10], and fair testing [13], by providing a state-based characterisation of the conflict preorder. It proposes less conflicting pairs as a more

*

Corresponding author. E-mail addresses: [email protected] (S. Ware), [email protected] (R. Malik).

0167-6423/$ – see front matter © 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.scico.2013.09.006

24

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

concrete way to compare processes for their conflicting behaviour than the abstract test-based characterisation using nonconflicting completions [10] and the refusal trees [13]. Less conflicting pairs give a means to directly compare processes based on their reachable state sets, which leads to an alternative algorithm to test the conflict and fair testing preorders. While still exponential, this algorithm is simpler and has better time complexity than the decision procedure for fair testing [13]. This paper is an extended version of [19]. It contains a more detailed introduction with motivation of compositional nonblocking verification and discussion of the relationship to fair testing, plus a more detailed description of the conflict preorder algorithm with experimental results. Section 2 introduces and motivates the needed terminology of languages, automata, nonblocking, conflict equivalence, and compositional verification. Then Section 3 introduces less conflicting pairs and shows how they can be used to describe certain conflicts and the conflict preorder. Afterwards, Section 4 proposes an algorithm to calculate less conflicting pairs for finite automata, Section 5 describes the implementation of the algorithm and presents the experimental results, and Section 6 adds some concluding remarks. 2. Preliminaries 2.1. Languages and automata Event sequences and languages are a simple means to describe process behaviours. Their basic building blocks are events, which are taken from a finite alphabet Σ . Two special events are used, the silent event τ and the termination event ω . These are never included in an alphabet Σ unless mentioned explicitly. Σ ∗ denotes the set of all finite traces of the form σ1 σ2 · · · σn of events from Σ , including the empty trace ε . The length of trace s is denoted by |s|. A subset L ⊆ Σ ∗ is called a language. The concatenation of two traces s, t ∈ Σ ∗ is written as st, and a trace s is called a prefix of t, written s  t, if t = su for some trace u. A language L ⊆ Σ ∗ is prefix-closed, if s ∈ L and r  s implies r ∈ L. In this paper, process behaviour is modelled using nondeterministic labelled transition systems or automata A = Σ, Q , →, Q ◦ , where Σ is a finite alphabet of events, Q is a set of states, → ⊆ Q × (Σ ∪ {τ , ω}) × Q is the state transition relation, and Q ◦ ⊆ Q is the set of initial states. A is called finite if its alphabet Σ and state set Q are finite. σ

ε

The transition relation is written in infix notation x → y , and extended to traces by letting x → x for all x ∈ Q , and



σ

s

ω

x → y if x → z → y for some z ∈ Q . The transition relation must satisfy the additional requirement that, whenever x → y , there does not exist any outgoing transition from y . The automaton A is deterministic if | Q ◦ |  1 and the transition relation σ

σ

s

s

τ , and if x → y 1 and x → y 2 always implies y 1 = y 2 . s To support silent transitions, x ⇒ y , with s ∈ (Σ ∪ {ω})∗ , denotes the existence of a trace t ∈ (Σ ∪ {ω, τ })∗ such that t s x → y , and s is obtained from t by deleting all τ events. For a state set X ⊆ Q and a state y ∈ Q , the expression X ⇒ y

contains no transitions labelled

s

denotes the existence of x ∈ X such that x ⇒ y , and A ⇒ y means that Q ◦ ⇒ y . Furthermore, x ⇒ y denotes the existence s

s

s

of a trace s such that x ⇒ y , and x ⇒ denotes the existence of a state y ∈ Q such that x ⇒ y . For a state, state set, or automaton X, the language and the marked language are





∗  s   X ⇒ and Lω (X) = L(X) ∩ Σ ∗ ω.

L(X) = s ∈ Σ ∪ {ω}

(1)

Every prefix-closed language L is recognised by an automaton A such that L( A ) = L, but only regular languages are recognised by a finite automaton [6]. When two automata are running in parallel, lock-step synchronisation in the style of [5] is used. Definition 1. Let A = Σ A , Q A , → A , Q A◦ and B = Σ B , Q B , → B , Q B◦ be two automata. The synchronous composition of A and B is





A B = Σ A ∪ Σ B , Q A × Q B , →, Q A◦ × Q B◦ ,

(2)

where σ

σ

σ

(x A , x B ) → ( y A , y B ) if σ ∈ (Σ A ∩ Σ B ) ∪ {ω}, x A → A y A , and x B → B y B ; σ σ (x A , x B ) → ( y A , x B ) if σ ∈ (Σ A \ Σ B ) ∪ {τ } and x A → A y A ; σ σ (x A , x B ) → (x A , y B ) if σ ∈ (Σ B \ Σ A ) ∪ {τ } and x B → B y B . In synchronous composition, shared events (including ω ) must be executed by all automata together, while events used by only one of the composed automata and silent (τ ) events are executed independently. Hiding is the act of replacing certain events by the silent event τ . This is a simple way of abstraction that in general introduces nondeterminism. Definition 2. Let A = Σ, Q , →, Q ◦ and Υ ⊆ Σ . The result of hiding Υ from A, written A \ Υ , is the automaton obtained υ

from A by replacing each transition x → y with

τ

υ ∈ Υ by x → y , and removing all events in Υ from Σ .

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

25

Fig. 1. Examples of blocking and nonblocking automata.

Fig. 2. Example of automata that are not conflict equivalent.

2.2. Conflict equivalence The key liveness property in supervisory control theory [9] is the nonblocking property. Given an automaton A, it is desirable that every trace in L( A ) can be completed to a trace in Lω ( A ), otherwise A may become unable to terminate. A process that may become unable to terminate is called blocking. This concept becomes more interesting when multiple processes are running in parallel—in this case the term conflicting is used instead. Definition 3. (See [9].) An automaton A = Σ, Q , →, Q ◦ is nonblocking if for every state x ∈ Q and every trace s ∈ Σ ∗ s

such that Q ◦ ⇒ x it holds that Lω (x ) = ∅. Otherwise A is blocking. Two automata A and B are nonconflicting if A B is nonblocking, otherwise they are conflicting. The nonblocking property is also called weak termination [7]. For an automaton to be nonblocking, it is enough that a terminal state can be reached from every reachable state. There is no requirement for termination to be guaranteed. For example, automaton A 0 in Fig. 1 is nonblocking despite the presence of a possibly infinite loop of α -transitions in state a0 : it is always possible to reach state a2 and terminate. Automaton B 0 is blocking because, after execution of α β , it can enter state b3 , from where it is no longer possible to reach a state where the termination event ω is enabled. To reason about nonblocking in a compositional way, the notion of conflict equivalence is developed in [10]. According to process-algebraic testing theory, two automata are considered as equivalent if they both respond in the same way to all tests [1]. For conflict equivalence, a test is understood to be an arbitrary automaton, and the response is the observation whether or not the test is conflicting with the automaton in question. Definition 4. (See [10].) Let A and B be two automata. A is less conflicting than B, written A conf B, if, for every automaton T , if B T is nonblocking then A T also is nonblocking. A and B are conflict equivalent, A conf B, if A conf B and B conf A. Example 1. Automaton A 1 in Fig. 2 is not less conflicting than B 1 , since A 1 T 1 is blocking while B 1 T 1 is nonblocking. This is because A 1 T 1 can enter the blocking state (a2 , q1 ) after executing of α , whereas after executing α in B 1 , it eventually becomes possible to continue using either the β - or γ -transition of T 1 . It can also be shown that B 1 conf A 1 does not hold. 2.3. Compositional nonblocking verification A common model checking problem, particularly in the context of discrete event systems [9], is to check whether a large system of concurrent processes is conflicting or not. The straightforward approach to check whether automata A 1 , A 2 , . . . , A n are conflicting is to construct the synchronous product

A 1 A 2 · · · An

(3)

and check whether it is blocking. This is done by checking whether a terminal state can be reached from every reachable state. Using symbolic representations such as BDDs [20] or IDDs [21], this approach has been used to analyse very large models. Yet, the technique always remains limited by the amount of memory available to store representations of the synchronous product. As an alternative, compositional verification [17] seeks to replace automaton A 1 , e.g., by a simpler version A 1 , and analyse the simpler system

A 1 A 2 · · · A n .

(4)

26

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

Fig. 3. Dining philosophers example.

If A 1 and A 1 are conflict equivalent, then (3) is nonblocking if and only if (4) is nonblocking. This is a consequence of the congruence properties of the conflict preorder [10]. The following results follow directly from Definition 4. Proposition 1. (See [10].) conf is a pre-congruence with respect to . That is, if A conf B, then A T conf B T for every automaton T . Proposition 2. (See [10].) conf respects blocking. That is, if A conf B and B is nonblocking, then A also is nonblocking. Compositional verification relies on the above two congruence properties and the following simple facts about hiding. Lemma 3. Let A = Σ A , Q A , → A , Q A◦ be an automaton and Υ ⊆ Σ A . (i) A is nonblocking if and only if A \ Υ is nonblocking. (ii) If B = Σ B , Q B , → B , Q B◦ is an automaton such that Σ B ∩ Υ = ∅, then ( A \ Υ ) B = ( A B ) \ Υ . Property (ii) shows how local events are exploited in compositional verification. A component A 1 in a larger system such as (3) typically contains certain events that are not used in any of the remaining components A 2 , . . . , A n . Such events are local to A 1 , and their identity can be removed. These events can be replaced by the silent event τ , making it possible to simplify the automaton. Compositional verification is based on this fact and the congruence properties. Proposition 4. Let A = Σ A , Q A , → A , Q A◦ and B = Σ B , Q B , → B , Q B◦ be two automata, and let Υ ⊆ Σ A such that Σ B ∩ Υ = ∅. Furthermore, let A  be an automaton such that A \ Υ conf A  . Then it holds that, if A  B is nonblocking then A B is nonblocking. Proof. Let A  B be nonblocking. Since A \ Υ conf A  , it follows by Proposition 1 that ( A \ Υ ) B conf A  B, which implies by Proposition 2 that ( A \ Υ ) B is nonblocking. Then it follows from Lemma 3(ii) that ( A B ) \ Υ = ( A \ Υ ) B is nonblocking, which means Lemma 3(i) that A B is nonblocking. 2 Proposition 4 gives a basic way to exploit the conflict preorder when verifying a composed system to be nonblocking. The following example shows how such results can be used to model check a large system of composed automata. Example 2. Fig. 3 shows a discrete event system model of a solution to the well-known dining philosophers problem [22]. The model involves n philosophers sitting at a circular table with a large bowl of spaghetti in the centre. A fork is placed between each pair of philosophers, and each philosopher must eat with the two forks next to him or her. The diagram in Fig. 3 shows the philosophers P0 , . . . , Pn−1 with the forks F0 , . . . , Fn−1 between them, and the automata represent an attempt to control the system such that every philosopher can eventually get a chance to eat.

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

27

Fig. 4. Abstractions for dining philosophers example.

Access to the forks is modelled using events t i , j and p i , j , where t i , j means that philosopher Pi takes fork Fj , and p i , j means that he or she puts it back. The automata Pi , for i = 0, . . . , n − 1, model the behaviour of each philosopher Pi : after a thinking phase, the philosopher gets hungry and signals his or her intention to eat (h i ), then he or she picks up both adjacent forks (t i ,i and t i ,(i +1) mod n ), eats (e i ), puts the forks back (p i ,i and p i ,(i +1) mod n ), and returns to the thinking phase. The fork automata Fj and FPi , j model for each fork Fj the requirement of mutual exclusion, making sure that it is picked up at most once before being put back. Finally, the coordinators C j sequence access to fork Fj by the two philosophers using it, such that the philosopher who gets hungry first also gets access first. The state space of this model grows exponentially in the number n of philosophers. At n = 16, it exceeds 1.123 · 1013 reachable states, and for larger parameter values it becomes infeasible to model check the system using explicit or symbolic methods. Using compositional verification based on the conflict preorder, the system can be proven to be nonblocking for arbitrary values of n. Composing the automata for philosophers P0 and P1 and the shared fork F1 produces the subsystem

S1 = FP0,0 P0 FP0,1 F1 C1 FP1,1 P1 FP1,2

(5)

with local events e 0 , t 0,1 , p 0,1 , t 1,1 , p 1,1 , and e 1 . These events are used only in the automata comprising S1 , so they can be hidden, i.e., replaced by the silent event τ before composing S1 with further automata. The resulting automaton has 52 reachable states, but it can be shown to be less conflicting than (in fact, conflict equivalent to) the 12-state abstraction S1 in Fig. 4,

S1 \ {e 0 , t 0,1 , p 0,1 , t 1,1 , p 1,1 , e 1 } conf S1 .

(6)

The next step to add the automata for fork F2 and philosopher P2 to the system results in a 90-state automaton S1,2 , with new local events. Hiding the local events leads to a new 13-state abstraction S1,2 also shown in Fig. 4,





S1 F2 C2 FP2,2 P2 FP2,3 \ {h1 , t 1,2 , p 1,2 , t 2,2 , p 2,2 , e 2 } conf S1,2 .

(7)

Repeating this process by including the next fork F3 and philosopher P3 gives a 100-state automaton S1,2,3 and an abstraction S1,2,3 identical to S1,2 except that the events for fork F2 and philosopher P2 are replaced by the corresponding events for fork F3 and philosopher P3 . By induction, it can be shown that the subsystem consisting of forks F1 , . . . , Fi and philosophers P0 , . . . , Pi is less conflicting than the abstraction S1,...,i in Fig. 4. Composing this abstraction with the missing automata for fork F0 gives a 41-state automaton F0 C0 S1,...,i , which is easily shown to be nonblocking. By repeated application of Proposition 4 it follows that the dining philosophers model is nonblocking for all values of n  4. Despite the enormous state space, this is possible without ever considering an automaton with more than 100 states. The necessary tests for the conflict preorder have been completed in less than one second using the implementation described below in Section 5. The most difficult is the test for (7), which takes less than 0.1s to complete. Further performance data is given in Section 5.2. 2.4. The set of certain conflicts Every automaton can be associated with a language of certain conflicts, which plays an important role in conflict semantics [15].

28

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

Definition 5. For an automaton A = Σ, Q , →, Q ◦ , write







Conf( A ) = s ∈ Σ ∗  for every automaton T such that T ⇒, it holds that A T is blocking , s

  s NConf( A ) = s ∈ Σ  there exists an automaton T such that T ⇒ and A T is nonblocking . 



(8) (9)

Conf( A ) is the set of certain conflicts of A. It contains all traces that, when possible in the environment, necessarily cause blocking. Its complement NConf( A ) is the most general behaviour of processes that are to be nonconflicting with A. If A is nonblocking, then Conf( A ) = ∅ and NConf( A ) = Σ ∗ , because in this case A U is nonblocking, where U is a deterministic automaton such that Lω (U ) = Σ ∗ ω . The set of certain conflicts becomes more interesting for blocking automata. Example 3. Consider again automaton B 0 in Fig. 1. Obviously, α β ∈ Conf( B 0 ) as B 0 can enter the deadlock state b3 by executing α β , and therefore every test T that can execute α β is conflicting with B 0 . But also α ∈ Conf( B 0 ), because B 0 can enter state b2 by executing α , from where the only possibility to terminate is by executing β ω . So any test that can execute α also needs to be able to execute α β if it is to be nonconflicting with B 0 ; but such a test is conflicting with B 0 as explained above. It can be shown that Conf( B 0 ) = α Σ ∗ . The set of certain conflicts is introduced in [15], and its properties and its relationship to conflict equivalence are studied in [10]. Even if an automaton is nondeterministic, its set of certain conflicts is a language, but as shown in Example 3, it is not necessarily a subset of the language L( A ) of its automaton. An algorithm to compute the set of certain conflicts for a given finite automaton is presented in [16]. 2.5. Fair testing Conflict equivalence can be considered as a generalisation of fair testing [13,14], which was introduced as a processalgebraic testing theory that treats divergence under the assumption of fairness. This section revisits and extends results from [10] on the relationship between conflicts and fair testing. It is shown that the fair testing preorder can be expressed using the conflict preorder, but not vice versa. The conflict and fair testing preorders are defined in very similar ways—the only difference is that the conflict preorder allows both processes and tests to synchronise on the termination action ω . In traditional testing scenarios, like fair testing, success is determined solely by the test, making it impossible to describe blocking processes directly. In fact, blocking processes are the most important case where the conflict preorder differs from fair testing. Fair testing [13] uses a relation A should T to define when an automaton A passes a test T . This relation is very similar to A and T being nonconflicting, except that in fair testing only tests may determine whether success occurs or not. To / Σ is introduced. The set TΣ of fair testing relate fair testing to the conflict preorder, the special fair testing success action ✓ ∈ tests contains automata that make arbitrary use of all actions in Σ ∪ {ω}, and use the success action ✓ as a termination ✓

action like ω is used in ordinary automata. That is, if x → y in a test, then no further transitions are enabled in state y. The automata being compared cannot synchronise on the success action ✓. Definition 6. Let A be an automaton and let T ∈ TΣ be a test. Write A should T if for every s ∈ (Σ ∪ {ω})∗ and all states s

t✓

(x, xT ) of A T such that A T ⇒ (x, xT ) there exists t ∈ (Σ ∪ {ω})∗ such that (x, xT ) ⇒. Definition 7. The fair testing preorder is defined by A should B, if B should T implies A should T for every test T ∈ TΣ . Essentially, A should T means the same as A T being nonblocking, except that ✓ is used as the termination action instead of ω, and A cannot use ✓. If the termination event ω occurs in A, it is treated like every other event for the purpose of fair testing. Therefore, when comparing automata with respect to fair testing, it can be assumed without loss of generality that they do not synchronise on ω. In this case, it is easy to express the fair testing preorder using the conflict preorder. Definition 8. Let A = Σ, Q , →, Q ◦ be an automaton. A is ω -free, if → does not contain any transitions with event ω . The ω-saturated form of A is A ω = Σ, Q ∪ {⊥}, →ω , Q ◦ , where ⊥ ∈/ Q and →ω = → ∪ { (x , ω, ⊥) | x ∈ Q }. Proposition 5. Let A and B be ω -free automata. Then A should B if and only if A ω conf B ω . Proof. First assume A should B, and let T be such that B ω T is nonblocking. As B ω does not synchronise on ✓, it can be assumed without loss of generality that T does not use ✓ either. Then construct the test T ✓ from T by replacing all ω -transitions with ✓-transitions. With this construction, since B is ω -free and B ω T is nonblocking, it follows that B should T ✓ . Since A should B, this implies A should T ✓ , and again by construction of T ✓ it follows that A ω T is nonblocking.

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

29

Fig. 5. Two automata that are conflict equivalent but not fair testing equivalent.

Second assume A ω conf B ω and let T ∈ TΣ be such that B should T . Construct the test T ω from T by replacing all ✓-transitions with ω -transitions. With this construction, it follows from B should T that B ω T ω is nonblocking. Since A ω conf B ω , this implies that A ω T ω is nonblocking, and since A is ω -free it follows by construction of T ω that A should T . 2 According to Proposition 5, it is possible to compare two ω -free automata for fair testing using the conflict preorder, simply by considering all states as terminal states. Therefore, the algorithm presented below in Section 4 can also be used to test the fair testing preorder. Conversely, there is no easy way to express the conflict preorder using fair testing. The main difference between the two preorders is caused by certain conflicts. In fair testing, it is not possible to specify an automaton with blocking states, because a test can always decide to enable the fair testing success action ✓. To make automata more suitable for fair testing, they can be saturated by adding in all certain conflicts [15,16]. For example, automaton B 0 in Fig. 1 can be replaced by the conflict equivalent automaton B 0 , which uses the single deadlock state ⊥. However, this saturation is a nontrivial task [16]. In addition, termination is treated differently by the conflict and fair testing preorders. When testing for nonblocking, the termination event ω always means success, while in fair testing, a test may decide to fail after an occurrence of ω . This leads to different relationships to language inclusion: if A should B, it follows that L( A ) ⊆ L( B ) [13], but A conf B does not necessarily imply L( A ) ⊆ L( B ) [10]. The following example shows the problem this causes when trying to test the conflict preorder using fair testing. Example 4. Automata A 2 and B 2 in Fig. 5 are conflict equivalent, because independently of the possibility to terminate in the initial state, a test that is to be nonblocking with either automaton needs to be able to execute an infinite number of α actions (see Example 6 below for a more detailed explanation). However, B 2 should A 2 does not hold as demonstrated ω

by the test T 2 . It can be seen that A 2 should T 2 , but B 2 should T 2 does not hold because B 2 T 2 → (bω , qω ), and no ✓-transition is possible from this state. 3. Characterising the conflict preorder This section is concerned with characterising two automata A and B as conflict equivalent, or characterising A as less conflicting than B, in a state-based way. First, Section 3.1 explains the crucial properties of conflict equivalence using examples. Less conflicting pairs are introduced in Section 3.2, and they are used to characterise certain conflicts in Section 3.3 and the conflict preorder in Section 3.4. 3.1. Understanding conflict equivalence Every reachable state of an automaton A carries a nonblocking requirement (also known as a nonconflicting completion [10]) s

that needs to be satisfied by tests that are to be nonconflicting with A. For example, if A ⇒ x A , then every test T that can execute s needs to be able to continue with at least one trace t ∈ Lω (x A ), or T is conflicting with A. An automaton A is less conflicting than another automaton B, if every nonblocking requirement associated with A also is a nonblocking requirement associated with B. Example 5. Consider again automata A 1 and B 1 in Fig. 2. They have the same marked languages. Thus, if the initial state a0 of A 1 is blocking in combination with some test T , then so is the initial state b0 of B 1 . But this is not the case when A 1 T enters a state (a1 , x T ) after execution of α . State a1 requires x T to be capable of performing at least one trace from the language Lω (a1 ) = (αα )∗ β ω + (αα )∗ αγ ω , whereas the states b1 and b2 , which can both be entered after executing α , require a trace from the language α ∗ β ω and α ∗ γ ω , respectively. Both of these languages contain traces outside of the language Lω (a1 ). Automaton T 1 in Fig. 2 is in conflict with A 1 but not with B 1 . In general, it is not enough to compare only the marked languages of states reached by equal traces. Not every nonblocking requirement is a marked language of some state of its automaton. The following example shows one of the problems. Example 6. Consider again automata A 2 and B 2 in Fig. 5. The marked language of the initial state of A 2 is Lω (a0 ) = αα + ω , while the marked languages of the two states in B 2 that can be entered initially are Lω (b0 ) = α ∗ ω and Lω (b1 ) = α + ω . Although the marked languages are different, for any automaton T , if B 2 T is nonblocking, then A 2 T must also be

30

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

nonblocking. If T is to be nonconflicting in combination with B 2 , since B 2 may initially enter state b1 , there must be the possibility to continue with event α . However, after executing α , automaton B 2 may again silently enter state b1 , which means that α must be possible again. This is enough to ensure that A 2 T is nonblocking. Using this argument, it can be shown that A 2 and B 2 are conflict equivalent. 3.2. Less conflicting pairs In order to compare two nondeterministic automata according to conflicts, it is necessary to identify sets of states the two automata may reach under the same input. This is done using the well-known subset construction [6]. To capture termination, the usual powerset state space is extended by a special state ω entered only after termination. Definition 9. The deterministic state space of automaton A = Σ, Q , →, Q ◦ is

Q Adet = P( Q ) ∪ {ω},

(10)

and the deterministic transition function



δ det A :

Q

det

× (Σ ∪ {ω}) → Q

det

for A is defined as

ω

ω, if σ = ω and X ⇒; δ det σ A (X, σ ) = { y ∈ Q | X ⇒ y }, otherwise.

(11)

det ∗ ∗ The deterministic transition function δ det A is extended to traces s ∈ Σ ∪ Σ ω in the standard way. Note that δ A ( X , s) is

defined for every trace s ∈ Σ ∗ ∪ Σ ∗ ω ; if none of the states in X accepts the trace s, this is indicated by δ det A ( X , s) = ∅. This

det is also true for termination: if ω is enabled in some state in X , then δ det A ( X , ω ) = ω , otherwise δ A ( X , ω ) = ∅. In order to compare two automata A and B with respect to possible conflicts, pairs of state sets of the subset construction of A and B need to be considered. Therefore, the deterministic transition function is also applied to pairs X = ( X A , X B ) of state sets X A ⊆ Q A and X B ⊆ Q B ,

 det  det det δ det A , B (X, s) = δ A , B ( X A , X B , s) = δ A ( X A , s), δ B ( X B , s) .

(12)

To determine whether A conf B, it is necessary to check all states x A ∈ Q A against matching state sets X B ⊆ Q B and determine whether all possible conflicts of x A are also present in X B . For example, when automaton A 2 in Fig. 5 is in state a1 , then B 2 may be in b0 or b1 . In state a1 , at least one of the traces in α + ω needs to be enabled to avert blocking, and the same requirement to avert blocking is seen in state b1 . When state a1 is entered with some test T , blocking occurs if none of the traces in α + ω is enabled, and such a test T is also blocking when combined with a system that may be in b0 or b1 . Therefore, a1 is considered in the following as less conflicting (LC) than {b0 , b1 }. It cannot always be determined directly whether a state x A ∈ Q A is less conflicting than a state set X B ⊆ Q B . In some cases, it is necessary also to consider the deterministic successors of x A and X B . Therefore, the following definition considers pairs ( X A , X B ) of state sets. Definition 10. Let A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ be automata. The set LC( A , B ) ⊆ Q Adet × Q Bdet of less conflicting pairs for A and B is inductively defined by







LC0 ( A , B ) = {ω} × Q Bdet ∪ ( X A , X B )  X B ⊆ Q B and there exists x B ∈ X B such that Lω (x B ) = ∅ ; n +1

LC

 ( A , B ) = ( X A , X B )  there exists x B ∈ X B such that for all t ∈ Σ ∗ , tω

LC( A , B ) =

(13)







i if x B ⇒ then there exists r  t ω such that δ det A , B ( X A , X B , r ) ∈ LC ( A , B ) for some i  n ;

(14)

n

LC ( A , B ).

(15)

n0 tω

Remark 1. If ( X A , X B ) ∈ / LC( A , B ), then according to (14), for every state x B ∈ X B , there exists t ∈ Σ ∗ such that x B ⇒, and δ det ( X A , X B , r ) ∈ / LC( A , B ) for all prefixes r  t ω . The idea of Definition 10 is to classify a pair ( X A , X B ) as less conflicting, if every test that is nonconflicting in combination with each of the states in X B can terminate with at least one trace from the marked language of X A . Or equivalently, every test that cannot terminate using any of the traces in the marked language of X A also is conflicting with X B . More precisely, ( X A , X B ) is a less conflicting pair, if every test T such that Lω ( X A ) ∩ Lω ( T ) = ∅ is conflicting with X B (see Lemma 6 below). The first state set X A of a pair ( X A , X B ) is just used to represent a language of possible completions. If state sets X A and Y A have the same languages, then all pairs ( X A , X B ) and (Y A , X B ) have exactly the same less conflicting status. For the second state set X B on the other hand, the complete nondeterministic behaviour is relevant.

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

31

A pair (ω, X B ) is considered as “less conflicting” (13), since termination has already been achieved in A. If X B contains a state x B such that Lω (x B ) = ∅, then ( X A , X B ) also is less conflicting (13), because conflict is guaranteed in X B . For other pairs ( X A , X B ), it must be checked whether X B contains a requirement to avert blocking matching that given by the language of X A (14). Example 7. Consider again automata A 0 and B 0 in Fig. 1. It holds that ({a0 }, {b0 }) ∈ LC1 ( A 0 , B 0 ). There are three ways to terminate from b0 , by executing ω or α β ω or αα β ω . All three traces are possible in a0 , each taking the pair ({a0 }, {b0 }) to the deterministic successor (ω, ω) ∈ LC0 ( A 0 , B 0 ). This is enough to confirm that (14) is satisfied. On the other hand, ({a0 }, {b2 }) ∈ / LC1 ( A 0 , B 0 ). From state a0 , blocking occurs with a test T that can only execute β ω , but βω

this test is nonblocking with b2 . It holds that b2 →, where trace β ω has the prefixes ε , β , and β ω , but δ det A 0 , B 0 ({a0 }, {b 2 }, ε ) = 0 0 det det a }, { b }) ∈ / LC ( A , B ) , δ ({ a }, { b }, β) = (∅, { b }) ∈ / LC ( A , B ) , and δ ({ a }, { b }, β ω ) = (∅, ω) ∈/ LC0 ( A 0 , B 0 ). ({ 0 2 0 0 0 2 4 0 0 0 2 A ,B A ,B 0

0

0

0

/ LC1 ( A 0 , B 0 ). It can also be shown that ({a0 }, {b2 }) ∈ / LC( A 0 , B 0 ). Therefore, (14) is not satisfied and ({a0 }, {b2 }) ∈ For a level-1 less conflicting pair ( X A , X B ) ∈ LC1 ( A , B ), if X B does not contain blocking states, then there must exist a state x B ∈ X B such that Lω (x B ) ⊆ Lω ( X A ). This is not the case for every less conflicting pair, as some nonblocking requirements are only implicitly contained in the automaton. To show that ( X A , X B ) is a less conflicting pair, it is enough to find a state x B ∈ X B that can cover an initial segment of Lω ( X A ), as long as a less conflicting pair of a lower level is reached afterwards. Example 8. Consider again automata A 2 and B 2 in Fig. 5. By definition, (ω, ω) ∈ LC0 ( A 2 , B 2 ), and following from this, ({a1 }, {b0 , b1 }) ∈ LC1 ( A 2 , B 2 ), because the marked language of a1 is α + ω , which also is the marked language of b1 . Now consider the pair ({a0 }, {b0 , b1 }). State a0 has the marked language αα + ω , i.e., to avert blocking from a0 , a test must be able to execute at least one of the traces in αα + ω . Although this language is not directly associated with any state in B 2 , the nonblocking requirement is implicitly present in state b1 . If blocking is to be averted from state b1 , event α must be possible. After executing α , state b0 is entered, from where it is always possible to silently return to state b1 with marked language α + ω . Therefore, in order to avert blocking from state b1 , it is necessary to execute α and afterwards be able to terminate using one of the traces in α + ω . This amounts to the implicit nonblocking requirement to execute a trace from αα + ω in state b1 . Hence ({a0 }, {b0 , b1 }) ∈ / LC1 ( A 2 , B 2 ), but ({a0 }, {b0 , b1 }) ∈ LC2 ( A 2 , B 2 ) according to (14): every trace that leads to a ter1 minal state from state b1 has the prefix α , and δ det A , B ({a0 }, {b 0 , b 1 }, α ) = ({a1 }, {b 0 , b 1 }) ∈ LC ( A 2 , B 2 ). 2

2

As shown in the example, some nonblocking requirements are obtained through a saturation operation that combines two previously found nonblocking requirements. The level n of a less conflicting pair ( X A , X B ) ∈ LCn ( A , B ) represents the nesting depth of applications of this saturation operation. Lemma 6. Let A = Σ, Q A , → A , Q A◦ , B = Σ, Q B , → B , Q B◦ , and T = Σ, Q T , → T , Q T◦ be automata, and let x T ∈ Q T be a (possibly unreachable) state. For every less conflicting pair ( X A , X B ) ∈ LC( A , B ), at least one of the following conditions holds. (i) X A = ω , or X A ⊆ Q A and there exists x A ∈ X A such that Lω (x A , x T ) = ∅. (ii) There exist states x B ∈ X B , y B ∈ Q B , and y T ∈ Q T such that (x B , x T ) ⇒ ( y B , y T ) and Lω ( y B , y T ) = ∅. (Here and in the following, notation Lω (x A , x T ) is abused to be a shorthand for Lω ((x A , x T )).) Proof. Since ( X A , X B ) is a less conflicting pair, it holds that ( X A , X B ) ∈ LCn ( A , B ) for some n ∈ N0 . The claim is shown by induction on n. If ( X A , X B ) ∈ LC0 ( A , B ) then by (13) it holds that X A = ω , or X B ⊆ Q B and there exists x B ∈ X B such that Lω (x B ) = ∅. In ε

the first case (i) holds, and in the second case (ii) holds as (x B , x T ) → (x B , x T ) and Lω (x B , x T ) = Lω (x B ) ∩ Lω (x T ) = ∅. Now assume the claim holds for all i  n, i.e., for all ( X A , X B ) ∈ LCi ( A , B ), one of the conditions (i) or (ii) holds, and tω

consider ( X A , X B ) ∈ LCn+1 ( A , B ). By (14), there exists x B ∈ X B such that for all t ∈ Σ ∗ , if x B ⇒ then there exists a prefix

ε X B , r ) ∈ LC ( A , B ) for some i  n. If Lω (x B , x T ) = ∅, (ii) follows immediately as (x B , x T ) → (x B , x T ). r  t ω such that t t ω ω Therefore assume that Lω (x B , x T ) = ∅, i.e., there exists t ∈ Σ ∗ such that (x B , x T ) ⇒. Then x B ⇒, so there exists r  t ω such tω r i that δ det A , B ( X A , X B , r ) ∈ LC ( A , B ) for some i  n. As r  t ω and x T ⇒, it also holds that x T ⇒ y T for some y T ∈ Q T . Let i

δ det A, B ( X A ,

i δ det A , B ( X A , X B , r ) = ( Y A , Y B ). By inductive assumption, (i) or (ii) holds for ( Y A , Y B ) ∈ LC ( A , B ) and y T .



(i) In this case, either Y A = ω or Y A ⊆ Q A and there exist y A ∈ Y A and u ∈ Σ ∗ such that ( y A , y T ) ⇒. If Y A = ω , then ∗ δ det A ( X A , r ) = Y A = ω and according to Definition 9 there exists r A ∈ Σ such that r = r A ω , and there exist states x A ∈ X A rA

ω

rAω



and y A ∈ Q A such that x A ⇒ y A ⇒, i.e., (x A , x T ) ⇒ . If there exist y A ∈ Y A and u ∈ Σ ∗ such that ( y A , y T ) ⇒, then since

32

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40 r



r

δ det A ( X A , r ) = Y A , there exists x A ∈ X A such that x A ⇒ y A , i.e., (x A , x T ) ⇒ ( y A , y T ) ⇒. In both cases, (i) holds for ( X A , X B )

and x T . (ii) If there exists a state y B ∈ Y B such that ( y B , y T ) ⇒ ( z B , z T ) where Lω ( z B , z T ) = ∅, then since δ det B ( X B , r ) = Y B , there r

r

exists x B ∈ X B such that x B ⇒ y B , which implies (x B , x T ) ⇒ ( y B , y T ) ⇒ ( z B , z T ) with Lω ( z B , z T ) = ∅. Thus, (ii) holds for ( X A , X B ) and xT . 2 Conversely, if a pair of state sets is not a less conflicting pair for A and B, then this pair gives rise to a test automaton to show that A is not less conflicting than B. This test exhibits blocking behaviour in combination with A but not with B. Lemma 7. Let A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ be automata. For every pair X = ( X A , X B ) ∈ / LC( A , B ), there exists a deterministic automaton T X = Σ, Q T , → T , {x◦T } such that both the following conditions hold. (i) For all states x A ∈ X A , it holds that Lω (x A , x◦T ) = ∅. (ii) For all states x B ∈ X B , y B ∈ Q B , y T ∈ Q T such that (x B , x◦T ) ⇒ ( y B , y T ), it holds that Lω ( y B , y T ) = ∅. Proof. Construct the deterministic automaton T X = Σ, Q T , → T , {x◦T } such that







L( T X ) = s ∈ Σ ∗ ∪ Σ ∗ ω  δ det / LC( A , B ) for all r  s . A , B (X, r ) ∈

(16)

This language is prefix-closed by construction and nonempty because X ∈ / LC( A , B ). Therefore, T X is a well-defined automaton. tω 0 det by (i) Let x A ∈ X A . If x A ⇒ for some t ∈ Σ ∗ , then δ det A , B (X, t ω ) = (ω , Y B ) ∈ LC ( A , B ) ⊆ LC( A , B ) for some Y B ∈ Q B tω

Definitions 9 and 10. It follows from (16) that t ω ∈ / L( T X ), and thus (x A , x◦T ) ⇒ does not hold. Since t ∈ Σ ∗ was chosen arbitrarily, it follows that Lω (x A , x◦T ) = ∅. s

(ii) Let x B ∈ X B , y B ∈ Q B , y T ∈ Q T , and s ∈ Σ ∗ such that (x B , x◦T ) ⇒ ( y B , y T ). Clearly s ∈ L( T X ), and by (16) it follows / LC( A , B ) for all prefixes r  s. Let δ det / LC( A , B ), so there exists a trace t ∈ Σ ∗ such that that δ det A , B (X, r ) ∈ A , B (X, s) = Y. Then Y ∈ tω

s



y B ⇒ and for all r  t it holds that δ det / LC( A , B ) (see Remark 1). Thus x B ⇒ y B ⇒ and for all prefixes u  st ω , it A , B (Y, r ) ∈ tω

holds that δ det / LC( A , B ). Then st ω ∈ L( T X ) according to (16), and since T X is deterministic, it follows that y T ⇒. A , B (X, u ) ∈ tω

Therefore, ( y B , y T ) ⇒, i.e., Lω ( y B , y T ) = ∅.

2

3.3. Less conflicting pairs and certain conflicts Less conflicting pairs can be used to characterise the set of certain conflicts of an automaton as defined in 2.4. This shows the close link between the conflict preorder and the set of certain conflicts. If a pair (∅, X B ) is a less conflicting pair then, since termination is impossible from ∅, conflict must be also present in X B . In this case, every trace leading to X B must be a trace of certain conflicts. This observation leads to the following alternative characterisation of the set of certain conflicts. Theorem 8. The set of certain conflicts of B = Σ, Q , →, Q ◦ can also be written as







Conf( B ) = s ∈ Σ ∗  ∅, δ det Q ◦, r B



 ∈ LC( O , B ) for some r  s ,

(17)

where O = Σ, ∅, ∅, ∅ stands for the empty automaton. ◦ ◦ Proof. First let s ∈ Σ ∗ such that (∅, δ det B ( Q , r )) ∈ LC( O , B ) for some r  s, and let T = Σ, Q T , → T , Q T be an automaton s

s

r

such that T ⇒. It is to be shown that B T is blocking. Since T ⇒ and r  s, it holds that T ⇒ x T for some state x T ∈ Q T . ◦ Since (∅, δ det B ( Q , r )) ∈ LC( O , B ), either (i) or (ii) in Lemma 6 holds. However, (i) is impossible as the first state set of the ◦ ω pair is empty, so (ii) must be true. Thus, there exists a state x ∈ δ det B ( Q , r ) such that (x, x T ) ⇒ ( y , y T ) where L ( y , y T ) = ∅. r

Then B T is blocking as B T ⇒ (x, x T ) ⇒ ( y , y T ). ◦ / LC( O , B ) for every prefix r  s. It is to be shown that s ∈ NConf( B ). Conversely, let s ∈ Σ ∗ such that (∅, δ det B ( Q , r )) ∈ Consider the deterministic automaton T such that







L( T ) = t ∈ Σ ∗  ∅, δ det Q ◦, r B



 ∈ / LC( O , B ) for all r  t .

(18)

T is a well-defined automaton as L( T ) is prefix-closed by construction. It remains to be shown that B T is nonblocking. Let t

◦ B T ⇒ (x, x T ). Then t ∈ L( T ), and by definition of T (18), it holds that (∅, δ det / LC( O , B ), and the same holds for B ( Q , t )) ∈ uω

◦ ∗ all prefixes of t. Also x ∈ δ det B ( Q , t ), so there exists a trace u ∈ Σ such that x ⇒, and for every prefix r  u ω , it holds that det det ◦ δ O , B (∅, δ B ( Q , t ), r ) ∈ / LC( O , B ) (see Remark 1). By definition (18), it follows that tu ω ∈ L( T ), and since T is deterministic uω

t



also x T ⇒. Therefore, B T ⇒ (x, x T ) ⇒, i.e., B T is nonblocking.

2

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

33

The result of Theorem 8 shows how less conflicting pairs generalise certain conflicts for the case when two automata are compared, and in combination with the algorithm in Section 4, less conflicting pairs lead to an alternative presentation of the algorithm [16] to compute the set of certain conflicts. 3.4. Testing the conflict preorder Given the less conflicting pairs for two automata A and B, it is possible to determine whether A conf B. Automaton A is less conflicting than B if every test T that is nonconflicting in combination with B also is nonconflicting with A. To s

check this condition, it is enough to consider traces B T ⇒ (x B , x T ), and check whether termination is also possible for s

s

every state x A of A such that A T ⇒ (x A , x T ). This amounts to checking whether ({x A }, X B ) ∈ LC( A , B ) when A ⇒ x A and

◦ δ det B ( Q B , s) = X B .

However, this condition does not apply to traces of certain conflicts. If s ∈ Conf( B ), then every test T that can execute s is in conflict with B. In this case, A can still be less conflicting than B, no matter whether A can or cannot execute the trace s and terminate afterwards. This observation leads to the following result. Theorem 9. Let A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ be two automata. A is less conflicting than B if and only if for all s

◦ s ∈ NConf( B ) and all x A ∈ Q A such that A ⇒ x A it holds that ({x A }, X B ) ∈ LC( A , B ), where δ det B ( Q B , s) = X B . s

Proof. First assume that for all s ∈ NConf( B ) and all x A ∈ Q A such that A ⇒ x A it holds that ({x A }, X B ) ∈ LC( A , B ), where ◦ δ det B ( Q B , s)

=

s

X B . Let T = Σ, Q T , → T , Q T◦ such that B

T is nonblocking, and assume that A T ⇒ (x A , xT ). Since B T is nonblocking and T ⇒, it follows that s ∈ NConf( B ). Therefore by assumption ({x A }, X B ) ∈ LC( A , B ), so (i) or (ii) in Lemma 6 s ◦ must be true. However, (ii) cannot hold, because for all x B ∈ X B = δ det B ( Q , s) it holds that B T ⇒ (x B , x T ), and since B T ω is nonblocking, there cannot exist any state ( y B , y T ) such that (x B , x T ) ⇒ ( y B , y T ) and L ( y B , y T ) = ∅. Thus, (i) must be s true, and this means that Lω (x A , x T ) = ∅. Since T and s such that A T ⇒ (x A , x T ) were chosen arbitrarily, it follows that A conf B. s / LC( A , B ), where Second assume that there exists s ∈ NConf( B ) and x A ∈ Q A such that A ⇒ x A and X = ({x A }, X B ) ∈ ◦ , s). Let N = Σ, Q , → , {x◦ } be a deterministic recogniser of the language NConf( B ), and let T = X B = δ det ( Q B N N X B B N Σ, Q T , → T , {x◦T } be the deterministic automaton that exists according to Lemma 7. Since s ∈ NConf( B ), there exists a s

s

unique state xs ∈ Q N such that N B → xs . Then construct the automaton



˙ Q T , →N ∪ →T ∪ T = Σ, Q N ∪



xs , τ , x◦T

  ◦  , xN .

(19)

τ

s Clearly, A T ⇒ (x A , xs ) → (x A , x◦T ), and Lω (x A , x◦T ) = ∅ by Lemma 7(i). Thus, A T is blocking. t

On the other hand, B T is nonblocking. To see this, consider B T ⇒ ( y B , y T ). If y T ∈ Q N , then it follows from the uω

fact that B N B is nonblocking [10] that there exists u ∈ Σ ∗ such that ( y B , y T ) ⇒. Otherwise y T ∈ Q T , which means that τ

s

u

t

det ◦ ◦ det ( Q B◦ , su ) = δ det t = su and T → xs → x◦T → y T . Also since B ⇒ y B , it follows that y B ∈ δ det B ( Q B , t) = δ B (δ B ( Q B , s), u ) = u

u

◦ δ det B ( X B , u ), i.e., there exists x B ∈ X B such that x B ⇒ y B . Thus (x B , x T ) ⇒ ( y B , y T ), and by Lemma 7(ii), it holds that Lω ( y B , y T ) = ∅. Thus, A T is blocking and B T is nonblocking, so A conf B cannot hold. 2

Example 9. Consider again automata A 0 and B 0 in Fig. 1. Recall that Conf( B 0 ) = α Σ ∗ from Example 3, so the only state in A 0 that can be reached by a trace s ∈ / Conf( B 0 ) is a0 . Therefore, it is enough to check the pair ({a0 }, {b0 }) according to Theorem 9, and it has been shown in Example 7 that ({a0 }, {b0 }) ∈ LC1 ( A 0 , B 0 ). It follows that A 0 conf B 0 . This conclusion is made despite the fact that ({a0 }, {b2 }) ∈ / LC( A 0 , B 0 ), because ({a0 }, {b2 }) is only reachable by traces αn ∈ Conf( B 0 ), n  1. When using Theorem 9 to determine whether an automaton A is less conflicting than some blocking automaton B, the set of certain conflicts of B must be known first. This can be achieved using Theorem 8, which makes it possible to classify state sets in the subset construction of B as certain conflicts. If a state set X B ⊆ Q B is found to represent certain conflicts, i.e., (∅, X B ) ∈ LC( O , B ) according to Theorem 8, then ( X A , X B ) ∈ LC( A , B ) for every state set X A ⊆ Q A . Successors reached only from such pairs are also certain conflicts of B and should not be considered when testing whether A conf B according to Theorem 9. Example 10. Consider again automata A 1 and B 1 in Fig. 2. Composing A 1 with a deterministic version of B 1 results in the following four pairs of states in A 1 and sets of states in B 1 that should be tested according to Theorem 9 to determine whether A 1 conf B 1 :



 

{a0 }, {b0 }

 

{a1 }, {b1 , b2 }

 

{a2 }, {b1 , b2 }

 {a3 }, {b3 } .

All four pairs need to be considered as B 1 is nonblocking and thus Conf( B 1 ) = ∅.

(20)

34

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

Fig. 6. Less conflicting pairs for the automata Fig. 2.

Fig. 7. Less conflicting pairs for the automata in Fig. 5.

The graph in Fig. 6 shows these four pairs and their deterministic successors. The four pairs (20) are marked as initial states, and the arrows in the graph represent the deterministic transition function. Although the deterministic transition function is defined for all state set pairs and events, arrows to (∅, ∅) are suppressed for clarity of presentation. The following less conflicting pairs to compare A 1 to B 1 are determined from the graph:

(ω, ω) ∈ LC0 ( A 1 , B 1 );      {a0 }, {b0 } , {a1 , a2 }, {b1 , b2 } , {a3 }, {b3 } ∈ LC1 ( A 1 , B 1 ).



(21) (22)

For example, ({a1 , a2 }, {b1 , b2 }) ∈ LC ( A 1 , B 1 ), because all the ways to reach termination from state b1 , i.e., all traces in Lω (b1 ) = α ∗ β ω take the pair ({a1 , a2 }, {b1 , b2 }) to (ω, ω) ∈ LC 0 ( A 1 , B 1 ). Another iteration yields no further pairs in LC2 ( A 1 , B 1 ), so LC( A 1 , B 1 ) consists only of the pairs listed above. For example, ({a1 }, {b1 , b2 }) ∈ / LC2 ( A 1 , B 1 ), because the traces α β ω ∈ Lω (b1 ) and γ ω ∈ Lω (b2 ) do not have any prefixes that reach a pair in LC1 ( A 1 , B 1 ). As ({a1 }, {b1 , b2 }) ∈ / LC( A 1 , B 1 ), it follows from Theorem 9 that A 1 is not less conflicting than B 1 . 1

Example 11. Consider again automata A 2 and B 2 in Fig. 5. Again note that Conf( B 2 ) = ∅. By composing A 2 with a deterministic version of B 2 , it becomes clear that the only pairs that need to be tested to determine whether A 2 conf B 2 according to Theorem 9 are ({a0 }, {b0 , b1 }) reached after ε , ({a1 }, {b0 , b1 }) reached after α + , and ({a2 }, {b0 , b1 }) reached after αα + . The graph with these pairs and their deterministic successors is shown in Fig. 7, with the three crucial pairs marked as initial. The following less conflicting pairs are discovered (see Example 8):

(ω, ω) ∈ LC0 ( A 2 , B 2 );      {a1 }, {b0 , b1 } , {a1 , a2 }, {b0 , b1 } , {a2 }, {b0 , b1 } ∈ LC1 ( A 2 , B 2 );   {a0 }, {b0 , b1 } ∈ LC2 ( A 2 , B 2 ).



(23) (24) (25)

As the three crucial pairs are all in LC( A 2 , B 2 ), it follows from Theorem 9 that A 2 conf B 2 . The result of Theorem 9 is related to the decision procedure for fair testing [13]. The fair testing decision procedure starts by composing the automaton A with a deterministic form of B, which gives rise to the same state set combinations that need to be considered as in Theorem 9. From this point on, the two methods differ. The fair testing decision procedure annotates each state of the synchronous product of A and the deterministic form of B with automata representing the associated refusal trees, and searches for matching automata (or more precisely, for matching productive subautomata) within these annotations. The method based on less conflicting pairs avoids some of the resulting complexity by performing the complete decision on the flat state space of the synchronous product of the deterministic forms of A and B. 4. Algorithm to compute less conflicting pairs This section proposes a method to compute the less conflicting pairs for two given finite automata A and B. This is done in a nested iteration. Assuming that the set LCn ( A , B ) is already known, the set LCn+1 ( A , B ) is computed in a secondary iteration based on more conflicting triples.

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

35

Definition 11. Let A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ be automata. The set MCn ( A , B ) ⊆ Q Adet × Q Bdet × Q B of nth level more conflicting triples for A and B is defined inductively as follows.







MCn0 ( A , B ) = (∅, ω, x B )  x B ∈ Q B ;

(26)

 MCnm+1 ( A , B ) = ( X A , X B , x B )  ( X A , X B ) ∈ / LCn ( A , B ) and x B ∈ X B and there exists (Y A , Y B , y B ) ∈ MCnm ( A , B )  σ and σ ∈ Σ such that δ det (27) A , B ( X A , X B , σ ) = ( Y A , Y B ) and x B ⇒ y B ;

n n MCm ( A , B ). (28) MC ( A , B ) = 

m0

For a pair ( X A , X B ) to be a less conflicting pair, according to Definition 10 there must be a state x B ∈ X B such that every trace that takes x B to termination in B has a prefix that leads to another less conflicting pair. A triple ( X A , X B , x B ) is considered “more conflicting” if ( X A , X B ) is not yet known to be a less conflicting pair, and the state x B ∈ X B cannot be used to confirm the above property. Therefore, Lemma 10 shows that a triple ( X A , X B , x B ) is nth-level “more conflicting” if and only if the state x B ∈ X B can reach termination without passing through a pair in LCn . If the triples ( X A , X B , x B ) are “more conflicting” for all x B ∈ X B , then ( X A , X B ) cannot be a less conflicting pair. Otherwise, if there exists at least one state x B ∈ X B such that ( X A , X B , x B ) is not “more conflicting”, then ( X A , X B ) is added to set of less conflicting pairs in the next iteration. Theorem 11 below confirms the correctness of this approach. Lemma 10. Let A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ be automata, let n ∈ N0 and ( X A , X B , x B ) ∈ Q Adet × Q Bdet × Q B . The following statements are equivalent. (i) ( X A , X B , x B ) ∈ MCn ( A , B );

s

det / LCn ( A , B ) for all prefixes (ii) There exists a trace s ∈ Σ ∗ ω ∪ {ε } such that δ det A , B ( X A , X B , s) = (∅, ω ) and x B ⇒, and δ A , B ( X A , X B , r ) ∈ r  s.

Proof. First let ( X A , X B , x B ) ∈ MCn ( A , B ), i.e., ( X A , X B , x B ) ∈ MCnm ( A , B ) for some m ∈ N0 . It is shown by induction on m that (ii) holds. In the base case, m = 0, and by definition ( X A , X B , x B ) ∈ MCn0 ( A , B ) means ( X A , X B ) = (∅, ω). Then consider s = ε , and ε

det note δ det / A , B ( X A , X B , ε ) = ( X A , X B ) = (∅, ω ) and x B ⇒. Clearly r  ε implies r = ε , so it follows that δ A , B ( X A , X B , ε ) = (∅, ω ) ∈ n LC( A , B ) ⊇ LC ( A , B ) by Lemma 6. Now consider ( X A , X B , x B ) ∈ MCnm+1 ( A , B ). It follows from Definition 11 that ( X A , X B ) ∈ / LC n ( A , B ) and x B ∈ X B , and

σ

there exists (Y A , Y B , y B ) ∈ MCnm ( A , B ) and

σ ∈ Σ such that δ det A , B ( X A , X B , σ ) = ( Y A , Y B ) and x B ⇒ y B . By inductive ass ∗ sumption, there exists s ∈ Σ ω ∪ {ε } such that δ det ( Y , Y , A B s) = (∅, ω ) and y B ⇒, and for all r  s it holds that A, B s σ det δ det / LCn ( A , B ). Then δ det A , B (Y A , Y B , r ) ∈ A , B ( X A , X B , σ s) = δ A , B ( Y A , Y B , s) = (∅, ω ) and x B ⇒ y B ⇒, and for all r  σ s it holds / LCn ( A , B ). that δ det A, B ( X A , X B , r ) ∈ s det Conversely, let s ∈ Σ ∗ ω ∪{ε } such that (ii) holds. Then δ det / LCn ( A , B ) A , B ( X A , X B , s) = (∅, ω ) and x B ⇒, and δ A , B ( X A , X B , r ) ∈ n for all r  s. It is shown by induction on m = |s| that ( X A , X B , x B ) ∈ MCm ( A , B ). n In the base case, m = 0 and s = ε , it holds by definition that ( X A , X B ) = δ det A , B ( X A , X B , ε ) = (∅, ω , x B ) ∈ MC0 ( A , B ). Now let s =

s

det σ t such that |t | = m, and δ det / LCn ( A , B ) for all A , B ( X A , X B , s) = (∅, ω ) and x B ⇒, and δ A , B ( X A , X B , r ) ∈

σ

t

t

det det r  s. Write δ det A , B ( X A , X B , σ ) = ( Y A , Y B ) and x B ⇒ y B ⇒. This means that y B ⇒ and δ A , B ( Y A , Y B , t ) = δ A , B ( X A , X B , σ t ) = det δ det / LCn ( A , B ) for all r  t. Then (Y A , Y B , y B ) ∈ MCnm ( A , B ) by inductive assumpA , B ( X A , X B , s) = (∅, ω ) and δ A , B ( Y A , Y B , r ) ∈ tion, and by Definition 11 it follows that ( X A , X B , x B ) ∈ MCnm+1 ( A , B ). 2

Theorem 11. Let A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ be automata, and let n ∈ N0 . Then







LCn+1 ( A , B ) = ( X A , X B ) ∈ Q Adet × Q Bdet  ( X A , X B , x B ) ∈ / MCn ( A , B ) for some x B ∈ X B .

(29) tω

Proof. Let ( X A , X B ) ∈ LC n+1 ( A , B ). Then by Definition 10, there exists x B ∈ X B such that for all t ∈ Σ ∗ such that x B ⇒, there i exists r  t ω such that δ det A , B ( X A , X B , r ) ∈ LC ( A , B ) for some i  n. Equivalently, this means that there does not exist a trace tω

t ∈ Σ ∗ such that x B ⇒ and for all prefixes r  t ω it holds that δ det / LCn ( A , B ). Then ( X A , X B , x B ) ∈ / MCn ( A , B ) A, B ( X A , X B , r ) ∈ because otherwise such a trace would exist by Lemma 10. / MCn ( A , B ). To check the condition in Definition 10 (14), consider t ∈ Σ ∗ Conversely, let x B ∈ X B such that ( X A , X B , x B ) ∈ tω

det det such that x B ⇒. Then clearly δ det B ( X B , t ω ) = ω . By Definition 9, it holds that either δ A ( X A , t ω ) = ω or δ A ( X A , t ω ) = ∅.

0 det det det If δ det A ( X A , t ω ) = ω , then δ A , B ( X A , X B , t ω ) = (ω , ω ) ∈ LC ( A , B ). Otherwise δ A ( X A , t ω ) = ∅ and thus δ A , B ( X A , X B , t ω ) =

36

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

Fig. 8. Calculating more conflicting triples for automata A 2 and B 2 in Fig. 5. n n (∅, ω), and by Lemma 10 there exists r  t ω such that δ det A , B ( X A , X B , r ) ∈ LC ( A , B ) as otherwise ( X A , X B , x B ) ∈ MC ( A , B ). In tω

i ∗ both cases, δ det A , B ( X A , X B , r ) ∈ LC ( A , B ) for some r  t ω and i  n. Since t ∈ Σ with x B ⇒ was chosen arbitrarily, it follows n+1 from Definition 10 (14) that ( X A , X B ) ∈ LC ( A , B ). 2

Example 12. Fig. 8 shows a graph representing the more conflicting triples to check whether A 2 conf B 2 in Fig. 5. The arrows in the graph represent the deterministic transition function in combination with the transition relation of B 2 . An σ

σ

arrow ( X A , X B , x B ) → (Y A , Y B , y B ) indicates that δ det A 2 , B 2 ( X A , X B , σ ) = ( Y A , Y B ) and x B ⇒ y B . 0 In the first iteration to compute MC ( A 2 , B 2 ), the triple (∅, ω, bω ) is added to MC00 ( A 2 , B 2 ). Next, the triples ({a0 }, {b0 , b1 }, b0 ) and ({a1 }, {b0 , b1 }, b0 ) are both added to MC01 ( A 2 , B 2 ) as they can immediately reach (∅, ω, bω ). Finally, ({a0 }, {b0 , b1 }, b1 ) is also added to MC02 ( A 2 , B 2 ) because it can reach ({a1 }, {b0 , b1 }, b0 ) ∈ MC01 ( A 2 , B 2 ). A fourth itera/ MC0 ( A 2 , B 2 ), so it follows from Theorem 11 that tion yields no further pairs in MC03 ( A 2 , B 2 ). Thus, ({a1 }, {b0 , b1 }, b1 ) ∈ ({a1 }, {b0 , b1 }) ∈ LC1 ( A 2 , B 2 ), and likewise ({a1 , a2 }, {b0 , b1 }), ({a2 }, {b0 , b1 }) ∈ LC1 ( A 2 , B 2 ). In the next iteration to compute MC1 ( A 2 , B 2 ), note ({a1 }, {b0 , b1 }, b0 ) ∈ / MC11 ( A 2 , B 2 ) because ({a1 }, {b0 , b1 }) ∈ LC1 ( A 2 , 1 B 2 ). Nevertheless, it holds that ({a0 }, {b0 , b1 }, b0 ) ∈ MC1 ( A 2 , B 2 ) because of the transition to (∅, ω, bω ) ∈ MC10 ( A 2 , B 2 ). / MC12 ( A 2 , B 2 ) as now ({a1 }, {b0 , b1 }, b0 ) ∈ / MC11 ( A 2 , B 2 ). Accordingly, the pair On the other hand, ({a0 }, {b0 , b1 }, b1 ) ∈ 2 ({a0 }, {b0 , b1 }) is added to LC ( A 2 , B 2 ). In a final iteration to compute MC2 ( A 2 , B 2 ), only one more conflicting triple is found, (∅, ω, bω ) ∈ MC20 ( A 2 , B 2 ). No further pairs are added in LC3 ( A 2 , B 2 ). At this point, the iteration terminates, having found exactly the four less conflicting pairs given in Example 11, (24) and (25). To determine whether an automaton A is less conflicting than automaton B, it is first needed to determine the set of certain conflicts of B, and then to find all the state-set pairs for A and B that are reachable from a pair like ({x A }, X B ) associated with some trace that is not a certain conflict of B. The more conflicting triples can be constructed as they are discovered during the backwards search from the terminal states. The complexity of each iteration of the more conflicting triples computation is determined by the number of arrows in the graph, which is bounded by |Σ| · | Q B |2 · 2| Q A | · 2| Q B | , because the powerset transitions are deterministic, which is not the case for the transitions of B. Each iteration except the last adds at least one less conflicting pair, so the number of iterations is bounded by 2| Q A | · 2| Q B | . The complexity of this loop dominates all other tasks of the computation. Therefore, the worst-case time complexity to determine whether A conf B using less conflicting pairs is









O |Σ| · | Q B |2 · 4| Q A | · 4| Q B | = O |Σ| · | Q B |2 · 22| Q A |+2| Q B | .

(30)

1

This indicates linear exponential complexity, as is the case for the fair testing decision procedure. Yet, the above (30) is better than the time complexity of the decision procedure for fair testing, which is O (| Q A | · | Q B | · 23| Q A |+5| Q B | ) [13]. 5. Implementation The algorithm to test the conflict preorder has been implemented in the discrete event systems tool Supremica [23], which is freely available for download [24]. Section 5.1 describes the implemented algorithm in more detail, and Section 5.2 presents the results of some experiments with this implementation. 5.1. Algorithm To determine for two automata A and B whether A conf B, the implementation performs three steps, presented as separate algorithms. First Algorithm 1 computes the set of reachable state-set pairs, second Algorithm 2 determines which of these pairs are less conflicting pairs, and third Algorithm 3 examines the computed pairs to determine whether A conf B based on Theorem 9. 1

Linear exponential complexity means O (2 f (n) ) for some linear function f .

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

37

Algorithm 1 Construct deterministic state space. 1: Stack ← {( Q A◦ , Q B◦ ), (∅, Q B◦ )} 2: Pairs ← {( Q A◦ , Q B◦ ), (∅, Q B◦ )} 3: while Stack = ∅ do 4: ( X A , X B ) ← Stack.pop() 5: for all σ ∈ Σ ∪ {ω} do 6: (Y A , Y B ) ← δ det A, B ( X A , X B , σ ) 7: if (Y A , Y B ) ∈ / Pairs then 8: Pairs ← Pairs ∪ {(Y A , Y B )} 9: Stack.push((Y A , Y B )) 10: end if 11: end for 12: for all x A ∈ X A do 13: if ({x A }, X B ) ∈ / Pairs then 14: Pairs ← Pairs ∪ {({x A }, X B )} 15: Stack.push(({x A }, X B )) 16: end if 17: end for 18: end while

In the first step, given two automata A = Σ, Q A , → A , Q A◦ and B = Σ, Q B , → B , Q B◦ , Algorithm 1 performs a depth-

first search to collect the set Pairs of all reachable state-set pairs ( X A , X B ) ∈ Q Adet × Q Bdet , using a Stack of pairs yet to be expanded. The search begins with the initial state-set pair ( Q A◦ , Q B◦ ) and with (∅, Q B◦ ), in order to calculate both the composed deterministic state space of A and B and the set of certain conflicts of B according to Theorem 8. For each state-set pair ( X A , X B ), the loop in lines 5–11 finds all successors and adds them into the set of pairs. In addition, the loop in lines 12–17 adds the pairs ({x A }, X B ) for each x A ∈ X A . This is done because these pairs have to be checked for containment in LC( A , B ) according to Theorem 9. Algorithm 1 constructs the state-set pairs to detect the set of certain conflicts and to test the less conflicting condition in one iteration. For blocking automata, it may be more efficient to discover all certain conflicts first and use them to prune the search for the remaining pairs. In the second step, Algorithm 2 calculates the set LC( A , B ) of less conflicting pairs for A and B, using more conflicting triples as described in Section 4. The loop in lines 2–6 collects all pairs in LC0 ( A , B ) according to Definition 10 (13) and adds them to the set LC. Then the loop starting in line 7 adds to this the pairs in the next level LCn ( A , B ) by collecting the corresponding set of more Algorithm 2 Collect LC-pairs. 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32:

LC ← ∅ for all ( X A , X B ) ∈ Pairs do if X A = {ω} or X B contains a blocking state then LC ← LC ∪ {( X A , X B )} end if end for repeat tω

Stack ← { (∅, {ω}, x B ) | B → x B } tω

MC ← { (∅, {ω}, x B ) | B → x B } while Stack = ∅ do ( X A , X B , x B ) ← Stack.pop() for all σ ∈ Σ do for all (Y A , Y B ) ∈ Pairs \ LC such that δ det A , B ( Y A , Y B , σ ) = ( X A , X B ) do σ for all y B ∈ Y B such that y B → x B do if (Y A , Y B , y B ) ∈ / MC then MC ← MC ∪ {(Y A , Y B , y B )} Stack.push((Y A , Y B , y B )) end if end for end for end for end while unchanged ← true for all ( X A , X B ) ∈ Pairs do for all x B ∈ X B do if ( X A , X B , x B ) ∈ / MC then LC ← LC ∪ {( X A , X B )} unchanged ← false end if end for end for until unchanged

38

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

conflicting triples. According to Definition 11 (26), this iteration starts with the triples in MCn0 ( A , B ) = { (∅, ω, x B ) | x B ∈ Q B },

which can be restricted to states reached by ω as no other transitions lead to ω ∈ Q Bdet . Then the algorithm looks backward to visit the predecessors of each triple ( X A , X B , x B ). To find pairs (Y A , Y B ) such that δ det A , B ( Y A , Y B , σ ) = ( X A , X B ) in line 13 efficiently, it is advisable to remember the backwards transition relation during the construction of the state space in Algorithm 1. Finally, after all the more conflicting triples for the current level n are found, the loop in lines 24–31 adds the new less conflicting pairs for LCn+1 ( A , B ) to the set LC. According to Theorem 11, this is done by checking for each pair ( X A , X B ) if / MCn0 ( A , B ) with x B ∈ X B . If a new less conflicting pair is discovered during this iteration, there is any triple ( X A , X B , x B ) ∈ line 28 ensures that the main loop starting in line 7 is executed once more to check for less conflicting pairs of the next level. Lastly, Algorithm 3 is invoked to determine whether A conf B based on Theorem 9: Algorithm 3 Check for less conflicting. 1: Stack ← {( Q A◦ , Q B◦ )} 2: Pairs ← {( Q A◦ , Q B◦ )} 3: while Stack = ∅ do 4: ( X A , X B ) ← Stack.pop() 5: if X A = ∅ and (∅, X B ) ∈ / LC then 6: for all x A ∈ X A do 7: if ({x A }, X B ) ∈ / LC then 8: return false 9: end if 10: end for 11: for all σ ∈ Σ ∪ {ω} do 12: (Y A , Y B ) ← δ det A, B ( X A , X B , σ ) 13: if (Y A , Y B ) ∈ / Pairs then 14: Pairs ← Pairs ∪ {(Y A , Y B )} 15: Stack.push((Y A , Y B )) 16: end if 17: end for 18: end if 19: end while 20: return true

The reachable state-set pairs are explored a second time to see if the relevant pairs are in fact less conflicting pairs. In line 5, the search stops when encountering a pair ( X A , X B ) with X A = ∅, as such pairs cannot lead to a pair ({x A }, X B ). And when (∅, X B ) ∈ LC( A , B ), then X B and its successors represent certain conflicts according to Theorem 8, so according to Theorem 9, these pairs are not explored further either. For the remaining pairs ( X A , X B ), the loop in lines 6–10 checks for states x A ∈ X A such that ({x A }, X B ) is not a less conflicting pair—if such a pair exists then A cannot be less conflicting than B according to Theorem 9. If no such pair exists, the loop in lines 11–17 proceeds to visit the successors. If no relevant / LC( A , B ) can be found after visiting all reachable state-set pairs, the algorithm terminates and reports that pair ({x A }, X B ) ∈ A conf B. 5.2. Experimental results The conflict preorder algorithm has been tested on pairs of moderately large automata obtained from applications of discrete event systems, and the results are shown in Table 1. Three groups of tests have been considered:

• The first group consists of the checks needed to verify the dining philosophers example as discussed in Example 2. • The second group represents parts of hierarchical models of industrial-scale manufacturing systems [25]. Here, the conflict preorder check is used to verify interface consistency [3]. It is checked whether each system is conflict equivalent to its interface. As the system models are large, they are first simplified using compositional conflict-preserving simplification algorithms [17], and the result of this is compared to the interface automaton. • The final group of tests contains some interesting automata encountered during the above simplification process, and compares the automata before and after simplification. This helps to test the simplification procedure. Table 1 shows for each test case the number of states of each of the two automata composed (States), the number of reachable state-set pairs in the combined deterministic state space (Pairs), the largest number of more conflicting triples constructed during the iterations of Algorithm 2 (Triples), and the number of less conflicting pairs (LC-Pairs). The number in column |LCk | indicates the number of new pairs discovered at level k. Furthermore, the table displays the execution time (Time) of each test, and whether or not the conflict preorder is satisfied (Res.). All experiments were run on a standard desktop computer using a single 3.3 GHz CPU and not more than 512 MB of RAM. Despite the exponential complexity of the algorithm, it successfully compares automata with up to a few thousand states in a few seconds or minutes. The level of less conflicting pairs, which has an exponential worst-case, does not exceed seven

Table 1 Experimental results. States

Pairs

Triples

LC-pairs

A conf B

|Q A |

|Q B |

|Pairs|

|MC |

|LC0 |

52 12

12 52

198 80

13 149

2 1

90 13

13 90

483 200

65 1055

100 13

13 100

529 154

smm

76 96

96 76

smm_bad

76 56

aip3el12

conf

|LC4 |

|LC5 |

90 25

0 0

0 0

0 0

0 0

0 0

0 0

0.04 0.02

true true

2 1

193 44

22 0

0 0

0 0

0 0

0 0

0 0

0.03 0.07

true true

53 1054

2 1

236 34

14 0

0 0

0 0

0 0

0 0

0 0

0.02 0.06

true true

808 673

965 1878

208 22

311 0

28 0

0 0

0 0

0 0

0 0

0 0

0.04 0.05

true false

56 76

688 501

1345 1596

208 22

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0.03 0.04

false false

228 227

227 228

5889 7441

20 076 26 393

2 2

4359 5022

0 399

0 12

0 0

0 0

0 0

0 0

0.62 1.14

true false

aip3el12b

333 227

227 333

7456 9455

23 459 64 312

2 3

5201 0

0 0

0 0

0 0

0 0

0 0

0 0

0.70 2.06

false false

aip3el3

111 88

88 111

1320 1214

1988 3452

2 2

959 883

0 0

0 0

0 0

0 0

0 0

0 0

0.06 0.11

true true

aip3el4

35 14

14 35

462 523

829 1412

2 2

151 424

88 0

104 0

0 0

0 0

0 0

0 0

0.02 0.06

true true

2346 15

15 2346

82 548 78 708

406 1 549 090

2 27

0 0

0 0

0 0

0 0

0 0

0 0

0 0

5.58 260.71

false false

S1,2 conf S1,2 S1,2 conf S1,2

S1,2,3 conf S1,2,3 S1,2,3 conf S1,2,3

aip1sub1

|LC7 |

Res.

|LC3 |

S1 conf 1 S1 conf S1

|LC6 |

Time [s]

|LC2 |

S

|LC1 |

(a) (b)

40 40

40 40

97 766 97 766

1 165 155 1 165 155

1 1

96 474 96 474

0 0

0 0

0 0

0 0

0 0

0 0

149.88 150.66

true true

2.

(a) (b)

304 207

207 304

3346 2967

3717 2281

237 1409

1427 1152

24 0

0 0

0 0

0 0

0 0

0 0

0.30 0.17

true true

3.

(a) (b)

386 131

131 386

14 477 12 871

12 884 96 170

2 1

11 755 10 913

0 0

0 0

0 0

0 0

0 0

0 0

1.86 25.21

true true

4.

(a) (b)

328 236

236 328

3410 2185

4832 4813

2 1

2274 1674

0 0

0 0

0 0

0 0

0 0

0 0

0.24 0.25

true true

5.

(a) (b)

616 454

454 616

3414 2056

1255 1691

171 152

1630 1218

33 0

0 0

0 0

0 0

0 0

0 0

0.12 0.10

true true

6.

(a) (b)

720 503

503 720

4201 2865

1973 3240

2 1

2259 1859

55 0

0 0

0 0

0 0

0 0

0 0

0.13 0.14

true true

7.

(a) (b)

811 440

440 811

34 754 24 063

62 378 144 022

2 1

30 232 21 603

58 0

0 0

0 0

0 0

0 0

0 0

3.58 9.57

true true

8.

(a) (b)

1001 637

637 1001

9438 4309

7512 13 361

709 112

4702 179

832 164

0 188

0 156

0 57

0 2501

0 4

0.25 0.88

true true

9.

(a) (b)

1670 373

373 1670

20 954 3094

29 784 45 333

2 1

15 156 2279

0 0

0 0

0 0

0 0

0 0

0 0

1.61 14.90

true true

10.

(a) (b)

2669 236

236 2669

52 756 6831

76 441 238 431

2 1

42 409 4675

18 0

0 0

0 0

0 0

0 0

0 0

8.07 300.51

true true

11.

(a) (b)

1773 1766

1766 1773

5976 5956

3325 3309

328 335

3734 3720

0 0

0 0

0 0

0 0

0 0

0 0

0.29 0.28

true true

12.

(a) (b)

8304 5927

5927 8304

70 214 37 140

28 269 37 243

2450 2029

40 459 24 313

15 0

0 0

0 0

0 0

0 0

0 0

4.27 3.13

true true

39

1.

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

Instance

40

S. Ware, R. Malik / Science of Computer Programming 89 (2014) 23–40

in any test. There are cases where the number of pairs and triples grows dramatically, e.g., the first test in the third group. While subset construction often is well-behaved in practice, these are cases [6] where it increases the number of states substantially. Fortunately, conflict-preserving simplification algorithms [17] can assert conflict equivalence more quickly in some of these cases. Overall, the results suggest that the conflict preorder can be tested in a reasonable time for moderately large automata derived from practical applications. 6. Conclusions Less conflicting pairs provide a concrete state-based means to characterise the extent by which one process is or is not less conflicting than another. The characterisation generalises and includes previous results about certain conflicts, and it gives rise to a direct way to test the conflict preorder and the related fair testing preorder by inspecting sets of reachable states. Based on the characterisation, an effective algorithm is presented to test whether a finite automaton is less conflicting than another. The algorithm, while still linear exponential, has better time complexity than the previously known decision procedure for fair testing [13]. Experimental results demonstrate that the algorithm can check the conflict preorder for moderately large automata in a reasonable time. References [1] R. De Nicola, M.C.B. Hennessy, Testing equivalences for processes, Theor. Comput. Sci. 34 (1–2) (1984) 83–133, http://dx.doi.org/10.1016/ 0304-3975(84)90113-0. [2] R.J. van Glabbeek, The linear time — branching time spectrum I: The semantics of concrete, sequential processes, in: J.A. Bergstra, A. Ponse, S.A. Smolka (Eds.), Handbook of Process Algebra, Elsevier, 2001, pp. 3–99. [3] R. Malik, R. Leduc, Hierarchical interface-based supervisory control using the conflict preorder, in: Proc. 11th Int. Workshop on Discrete Event Systems, WODES ’12, Guadalajara, Mexico, 2012, pp. 163–168. [4] R. Milner, Communication and Concurrency, Series in Computer Science, Prentice–Hall, 1989. [5] C.A.R. Hoare, Communicating Sequential Processes, Prentice–Hall, 1985. [6] J.E. Hopcroft, R. Motwani, J.D. Ullman, Introduction to Automata Theory, Languages, and Computation, Addison–Wesley, 2001. [7] A.J. Mooij, C. Stahl, M. Voorhoeve, Relating fair testing and accordance for service replaceability, J. Log. Algebr. Program. 79 (3–5) (2010) 233–244. [8] C.G. Cassandras, S. Lafortune, Introduction to Discrete Event Systems, Kluwer, 1999. [9] P.J.G. Ramadge, W.M. Wonham, The control of discrete event systems, Proc. IEEE 77 (1) (1989) 81–98. [10] R. Malik, D. Streader, S. Reeves, Conflicts and fair testing, Int. J. Found. Comput. Sci. 17 (4) (2006) 797–813, http://dx.doi.org/10.1142/ S012905410600411X. [11] T. Bolognesi, S.A. Smolka, Fundamental results for the verification of observational equivalence: a survey, in: H. Rudin, C.H. West (Eds.), Protocol Specification, Testing and Verification VII, Proc. IFIP WG6.1 7th Int. Conf. Protocol Specification, Testing and Verification, North-Holland, Amsterdam, The Netherlands, 1987, pp. 165–179. [12] H. Hüttel, S. Shukla, On the complexity of deciding behavioural equivalences and preorders, Tech. Rep. RS-96-39, Dept. of Computer Science, University of Aarhus, Denmark, 1996. [13] A. Rensink, W. Vogler, Fair testing, Inf. Comput. 205 (2) (2007) 125–198, http://dx.doi.org/10.1016/j.ic.2006.06.002. [14] V. Natarajan, R. Cleaveland, Divergence and fair testing, in: Proc. 22nd Int. Colloquium on Automata, Languages, and Programming, ICALP ’95, 1995, pp. 648–659. [15] R. Malik, On the set of certain conflicts of a given language, in: Proc. 7th Int. Workshop on Discrete Event Systems, WODES ’04, Reims, France, 2004, pp. 277–282. [16] R. Malik, The language of certain conflicts of a nondeterministic process, Working Paper 05/2010, Dept. of Computer Science, University of Waikato, Hamilton, New Zealand, 2010. [17] H. Flordal, R. Malik, Compositional verification in supervisory control, SIAM J. Control Optim. 48 (3) (2009) 1914–1938, http://dx.doi.org/ 10.1137/070695526. [18] R. Su, J.H. van Schuppen, J.E. Rooda, A.T. Hofkamp, Nonconflict check by using sequential automaton abstractions based on weak observation equivalence, Automatica 46 (6) (2010) 968–978, http://dx.doi.org/10.1016/j.automatica.2010.02.025. [19] S. Ware, R. Malik, A state-based characterisation of the conflict preorder, in: Proc. 10th Int. Workshop on the Foundations of Coordination Languages and Software Architectures, FOCLASA 2011, Aachen, Germany, 2011, pp. 34–48. [20] R.E. Bryant, Graph-based algorithms for Boolean function manipulation, IEEE Trans. Comput. 35 (8) (1986) 677–691. [21] Z.H. Zhang, W.M. Wonham, STCT: An efficient algorithm for supervisory control design, in: B. Caillaud, P. Darondeau, L. Lavagno, X. Xie (Eds.), Synthesis and Control of Discrete Event Systems, Kluwer, 2002, pp. 77–100. [22] E.W. Dijkstra, Hierarchical ordering of sequential processes, Acta Inform. 1 (2) (1971) 115–138. [23] K. Åkesson, M. Fabian, H. Flordal, R. Malik, Supremica—an integrated environment for verification, synthesis and simulation of discrete event systems, in: Proc. 8th Int. Workshop on Discrete Event Systems, WODES ’06, Ann Arbor, MI, USA, 2006, pp. 384–385. [24] Supremica, http://www.supremica.org, the official website for the Supremica project. [25] R.J. Leduc, Hierarchical interface-based supervisory control, PhD thesis, Dept. of Electrical Engineering, University of Toronto, ON, Canada, 2002, http://www.cas.mcmaster.ca/~leduc.