Discusiones y Aciertos “acercamiento a la teoría”

By definition of port behaviours we have beh(C)/H = beh(C)p:P withH = SLC \ {p.m_|m_∈msg(P)_}, i.e., we have to prove that

(c.beh(C)/H)σ2⊗(d.beh(D))σ2≈gb(c.beh(C)/H)σ1 implies (c.beh(C))σ2⊗(d.beh(D))σ2≈gb(c.beh(C))σ1

NowH does not interfere withσ1 andσ2. Therefore, by A ≡ (c.beh(C))σ2/H,B ≡

(d.beh(D))σ2andC≡(c.beh(C))σ1we have an instance of Cor. 3.9. The theorem allows for a port-based computation of the neutral leaves of an assembly which links our analysis back to the results of Sect. 1.

Corollary 3.13 Letabe a synchronous assembly,d:D_∈leaves(a),ports(D) =_{q:Q_}

andk: (c.p:P, d.q:Q)_∈conns(a). Ifbeh(D)q:Qis weakly deterministic andbeh(D)q:Q

isk-neutral forbeh(C)p:Pthend:D∈neutralleaves(a), whereC=ty(cmp(c.p:P)).

PROOF. By Thm. 3.12 we derive neutrality of the leaf componentD from the given port neutrality, and with the definition of neutral leaves the claim follows.

3. Application to the Compressing Proxy System

We apply the results of this chapter, in particular the reduction algorithm of Sect. 1, to the efficient computation of the behaviour of the CompressingProxy component (cf.

Fig. 2.2). We start with the underlying assembly which contains the three components

adapt:Adaptor,gzip:GZip, andgifToJpg:GifToJpgand assume synchronous connectors.

Leta=_hC;_Kibe a synchronous assembly,C={adapt:Adaptor,gzip:GZip,gif:GifToJpg_}

and K = {tz:(t:TxtCompr, z:Zip), gj: (g: GifCompr, j:ToJpg)_}. First, we choose the leaf gzip:GZipand consider its portz:Zip. SinceGZipis a single-port component, component be-

haviour and port behaviour ofz:Zipin the context ofgzip:GZipcoincide. The port behaviour

is obviously weakly deterministic, since there are noτ-transitions and the transition sys- tem is already (strongly) deterministic; cf. Fig. 2.3. Then we check thatbeh(GZip)z:Zipis tz-neutral forbeh(Adaptor)t:TxtComprby computation of the product

beh(Adaptor)t:TxtComprσ⊗beh(GZip)z:Zipσ

with synchronous relabelling σ according to the connectortz. This product represents

the synchronisation viatzin an assembly according to Def. 3.11. By computation of the

port behaviourbeh(Adaptor)t:TxtComprσall transitions of the adaptor behaviour as given in

Fig. 2.3 which do not involve port t:TxtComprare relabelled to τ. The resulting IOTS

can be replaced by an observationally equivalent minimised IOTS. Then the product with

beh(GZip)z:Zipσyields an IOTS as given in Fig. 3.3. The product of the port behaviours

is greybox equivalent to (beh(Adaptor)t:TxtComprσ)θS (cf. Fig. 2.3), where the shared la-

belsS ={tz.txt,tz.endTxt,tz.zip,tz.endZip,tz.stop}are internalised. Hence, by Cor. 3.13, gzip:GZipis a neutral leaf of the assemblya. Our algorithm proceeds by removing this leaf

and hiding the portt:TxtCompr, i.e., the component typeAdaptoris replaced by the com-

ponent typeAdaptor’obtained from the port hidingAdaptor\(t:TxtCompr). The resulting

behaviour ofAdaptor’has a large number ofτ-transitions and can be minimised to an IOTS

with4states and5transitions. Leta0 _{be the new assembly obtained fromaafter the first}

reduction step.

In the second step, we choose the leaf gifToJpg:GifToJpgofa0 _{and consider its port} j:ToJpg. Again it is a single-port component but unfortunately, the port behaviour atj:ToJpg

is not weakly deterministic, since there is a weak tracegifwhich leads to statej1and also to statej2(cf. Fig. 2.3), but these states are not greybox equivalent since inj1it is possible to choosecanceland reach statej0which does not show an output transition labelledj.jpg. Such an output, however would be required to be in relation with j2. Thus we cannot apply Cor. 3.13 and we have to show directly on the level of component behaviours that the synchronisation viagjina0_{is behaviourally neutral foradapt : Adaptor’. The neutrality}

44 3. BEHAVIOURAL NEUTRALITY IN SYNCHRONOUS ASSEMBLIES tz.txt tz.zip tz.endZip tz.stop tz.endTxt tz.txt tz.zip

FIGURE3.3.beh(Adaptor)t:TxtComprσ⊗beh(GZip)z:Zipσ

check is indeed successful. Our algorithm now removes also the leaf gifToJpg:GifToJpg

froma0 _{and hides the portg:GifComprofAdaptor’. Thus, we obtain as the final result of}

the reduction an assemblya00 _{consisting of a single componentadaptor : Adaptor”where} Adaptor”has only two portsu:UpStreamandd:DownStream. The behaviour ofAdaptor”has

only two states and three transitions after minimisation and hence the same holds for the behaviour ofa00_.

Finally, we apply Thm. 3.5 which shows thatbeh(CompressingProxy)is observational

equivalent to the behaviour of a composite component which encapsulates the very simple assemblya00 _{and which results in the behaviour shown in Fig. 2.4b. The most expensive}

task in our reduction was the neutrality check betweengifToJpg:GifToJpgandadapt:Adaptor’

which led to the construction of a product IOTS with12states and23transitions (before minimisation). On the other hand, if we would have directly computed the behaviour of CompressingProxy based on the behaviour of the original assemblya, then the most

expensive task would have been the construction of the complete behaviour ofawhich has

30states and65transitions (also before minimisation). 4. Discussion and Related Work

The neutrality check during the syntactical reduction of an assembly involves the com- putation of a product at the border of the component assembly for each leaf component. Therefore, compared to the computation of the complete product, there is no direct im- provement with respect to the number of considered transition systems. However, besides the construction of syntactically reduced and observationally equivalent component types, the approach can be used as a starting point for analysis of verification problems that do not depend on the local behaviours of removed neutral leaf components.

Our approach and, in particular, our notion of neutral component behaviour shows similarities to work of Cheung and Kramer [CK96] and Bernardo et al. [BCD02].

4.1. Neutral Leaf Components and Context Constraints. Cheung and Kramer use automatically derived context constraints to construct the behaviour, formalised by labelled transition systems (LTS), of composed systems more efficiently [CK96]. Context con- straints take the form of interface processes that capture the interplay between a set of com- posed processes playing the role of an environment for a single fixed process as part of the composition. If the composition of interface and fixed process results in a smaller transition system, it is substituted. The correctness of the approach relies on a transparency property that requires a strong semantic equivalence between a (possibly) composed processP and its compositionP _kIwith the interface processI. Criteria guaranteeing the transparency are identified in an interface theorem [CK96, Thm. 6.4.1] to which Prop. 3.8 can be con- sidered the counterpart using IOTSs together with weaker equivalence notions. The criteria of [CK96] have been formulated for communicating finite-state processes where parallel composition involves an error state for failing communications and relies on strong traces, strong process equivalence, and strongly deterministic finite-state processes. Even though the possibility of using weaker equivalences is mentioned in [CK96, p. 354], it is not elab- orated. We have generalised the assumptions to include not necessarily finite IOTSs and