Abstract
Components or services must often be compliant to organizatorial or legal regulations. Furthermore, they should avoid unwanted behaviour such as abortion of the execution of a service without notification of the client. Violation of both might happen due to unintended uses of services. In general, the intention is specified by contracts. In this work, we consider a special form of contracts: service protocols. These specify for a service legal sequences of operation calls. We propose an approach for checking whether such protocols are obeyed in a service composition. For this, it is necessary to define a conservative abstraction of the behaviour of service-oriented systems and a contract based on interactions (named service protocol) to be verified. In our previous work, we have modelled unbound concurrency, unbound recursion, and synchronization. This article briefly presents the previous results and extends them by exception handling mechanisms. In particular, it takes into account that the execution of service may raise an exception and allows the clients to react on the exception.
Similar content being viewed by others
Notes
This can be easily extended to a subtype hierarchy of exception types.
Formally, it also contains the rule \(q_2.q_1{\mathop {\rightarrow }\limits ^{\lambda }} q_2\), but this rule plays no role in the discussion.
References
Afrati FN, Borkar V, Carey M, Polyzotis N, Ullman JD (2011) Map-reduce extensions and recursive queries. In: Proceedings of the 14th international conference on extending database technology. ACM, pp 1–8
Allen R, Garlan D (1997) A formal basis for architectural connection. ACM Trans Softw Eng Methodol (TOSEM) 6(3): 213–249
Both A, Zimmermann W, Franke R (2010) Model checking of component protocol conformance—optimizations by reducing false negatives. Electron. Notes Theor. Comput. Sci. 263:67–94
Both A, Zimmermann W (2008) Automatic protocol conformance checking of recursive and parallel BPEL systems. In: IEEE sixth European conference on web services (ECOWS ’08), pp 81–91. IEEE Computer Society
Both A, Zimmermann W (2008) Automatic protocol conformance checking of recursive and parallel component-based systems. In: Component-based software engineering, 11th international symposium (CBSE 2008), pp 163–179
Both A, Zimmermann W (2009) A step towards a more practical protocol conformance checking algorithm. In: 35th Euromicro conference on software engineering and advanced applications (SEAA 2009), pp 458–465. IEEE Computer Society
Bouajjani A, Emmi M (2012) Analysis of recursively parallel programs. In: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on principles of programming languages POPL’12, pp 203–214
Bravetti M, Zavattaro G (2009) Contract-based discovery and composition of web services. Formal Methods Web Serv, pp 261– 295
Bures T, Hnetynka P, Plasil F (2006) Sofa 2.0: Balancing advanced features in a hierarchical component model. In: SERA ’06: Proceedings of the fourth international conference on software engineering research, management and applications, pp 40–48. IEEE Computer Society
Burkart O, Steffen B (1992) Model checking for context-free processes. In: CONCUR’92: Proceedings of the 3rd international conference on concurrency theory, lecture notes in computer science, vol. 630. Springer, pp 123–137
Burkart O, Steffen B (1994) Pushdown processes: parallel composition and model checking. In: CONCUR’94: Proceedings of the 5th international conference on concurrency theory, lecture notes in computer science, vol. 836. Springer, pp 98–113
de Caso G, Braberman V, Garbervetsky D, Uchitel S (2012) Automated abstractions for contract validation. IEEE Trans Softw Eng 38(1):141–162
Dahl OJ, Nygaard K (1966) Simula: an algol-based simulation language. Commun ACM 9:671–678
Dumez C, Bakhouya M, Gaber J, Wack M, Lorenz P (2013) Model-driven approach supporting formal verification for web service composition protocols. J Netw Comput Appl 36(4):1102–1115
Durán F, Ouederni M, Salaün G (2012) A generic framework for n-protocol compatibility checking, Sci. Comput. Program. vol. 77, pp 870–886. Elsevier North-Holland, Inc.
Foster H, Uchitel S, Magee J, Kramer J (2003) Model-based verification of web service compositions. In: ASE, pp 152–163
Ghezzi C, Mocci A, Sangiorgio M (2012) Runtime monitoring of functional component changes with behavior models. In: Models in software engineering. Springer, pp 152–166
Gorbenko A, Romanovsky A, Kharchenko V, Mikhaylichenko A (2008) Experimenting with exception propagation mechanisms in service-oriented architecture. In: Proceedings of the 4th international workshop on exception handling, WEH ’08, pp 1–7. ACM
Gosling J, Joy B, Steele G (2012) The java language specification. Addison-Wesley, Reading
Haddad S, Poitrenaud D (2007) Recursive petri nets. Acta Informatica 44(7–8):463–508
Hauck EA, Dent BA (1968) Burroughs’ b6500/b7500 stack mechanism. In: AFIPS ’68 (Spring): proceedings of the April 30-May 2, 1968, spring joint computer conference. ACM, pp 245– 251
Hopcroft JE, Motwani R, Ullman JD (2001) Introduction to automata theory, languages, and computation, 2nd edn. Addison-Wesley, Reading
Jannach D, Gut A (2011) Exception handling in web service processes. The evolution of conceptual modeling, pp 225– 253
Lin HH, Aoki T, Katayama T (2010) Non-regular adaptation of services using model checking. In: 13th IEEE international symposium on object/component/service-oriented real-time distributed computing (ISORC). IEEE, pp 170–174
Löwe W, Neumann R, Trapp M, Zimmermann W (1999) Robust dynamic exchange of implementation aspects. In: TOOLS 29—technology of object-oriented languages and systems. IEEE, pp 351–360
Mayr R (2000) Process rewrite systems. Inf Comput 156(1–2):264–286
Müller M, Balz M, Goedicke M (2011) Enriching java enterprise interfaces with formal sequential contracts. In: Proceedings of the third workshop on behavioural modelling (BM-FA ’11). ACM, pp 5–11
Nierstrasz O (1995) Regular types for active objects. In: Nierstrasz O, Tsichritzis D (eds) Object-oriented software composition. Prentice-Hall, Englewood Cliffs, pp 99–121
Papazoglou MP, Traverso P, Dustdar S, Leymann F (2007) Service-oriented computing: state of the art and research challenges. Comput Innov Technol Comput Prof 40(11):38–45
Parizek P, Plasil F (2008) Modeling of component environment in presence of callbacks and autonomous activities. In: TOOLS (46), pp 2–21
Plasil F, Visnovsky S (2002) Behavior protocols for software components. In: IEEE Trans Softw Eng (28), pp 1056–1076
Pradel M, Jaspan C, Aldrich J, Gross TR (2012) Statically checking API protocol conformance with mined multi-object specifications. In: Proceedings of the 2012 international conference on software engineering (ICSE 2012), pp 925–935. IEEE
Rajamani S, Rehof J (2006) Models for contract conformance. Leverag Appl Formal Methods pp 181–196
Reisig W (2005) Modeling- and analysis techniques for web services and business processes. In: Steffen M, Zavattaro G (eds) Formal methods for open object-based distributed systems: 7th IFIP WG 6.1 international conference, FMOODS 2005, Athens, Greece, June 15–17, 2005. Proceedings, LNCS, vol. 3535, pp 243–258. Springer
Ren H, Liu J (2012) Service substitutability analysis based on behavior automata. Innov Syst Softw Eng 8(4):301–308
Salaün G, Bordeaux L, Schaerf M (2004) Describing and reasoning on web services using process algebra. In: International conference on web services, p 43. IEEE Computer Society
Schmidt HW, Krämer BJ, Poernemo I, Reussner R (2002) Predictable component architectures using dependent finite state machines. In: Proceedings of the NATO workshop radical innovations of software and systems engineering in the future, lecture notes in computer science, vol. 2941. Springer, pp 310– 324
Tenzer J, Stevens P (2003) Modelling recursive calls with uml state diagrams. In: 6th international conference on fundamental approaches to software engineering (FASE’03), lecture notes in computer science, vol. 2621. Springer, pp 135– 149
van der Aalst WMP (1997) Verification of workflow nets. LNCS 1248:407–426
Zimmermann W, Schaarschmidt M (2006) Automatic checking of component protocols in component-based systems. In: Löwe W, Südholt M (eds) Software composition, LNCS, vol. 4089. Springer, pp 1–17
Acknowledgments
We thank the anonymous referees for their remarks and suggestions. They were helpful to considerably improve the article.
Author information
Authors and Affiliations
Corresponding author
Appendix A: Proof of Theorem 1
Appendix A: Proof of Theorem 1
This appendix contains the complete proof of Theorem 1 and the formalization of the notion of top-of-stack elements. Before Theorem 1 is being proven, we have to introduce some notions and properties of these notions to be used in the proof. The first subsection discusses properties of process-algebraic expressions in general and shows formally how process rewrite rules are applied. The second subsection discusses properties of the Combined Abstraction \(K\) of PRS \(U_s\) and a protocol \(A_s\). In particular, process-algebraic expressions of \(K\) are related to process-algebraic expressions of \(U_s\) and protocol states of \(A_s\). The last subsection contains the proof of Theorem 1.
1.1 A.1 Properties of process-algebraic expressions
Let \(Q\) be a set of atomic processes and \(e \in {\textit{PEX}}(Q)\) be a process-algebraic expression over \(Q\). Although the operators . and \(\parallel \) are associative, we assume for the purpose of this appendix a left associative bracketing. Furthermore, we assume that expressions containing the empty process are being simplified.
An occurrence is a finite sequence \(o \in \{ 0,1 \}^{*}\). Figure 14 shows some notations on occurrences. \(\mathsf {+\!\!+}\) is an associative operator with identity \([]\).
Occurrences are used to navigate in process-algebraic expressions, to denote specific sub-expressions, and to replace specific sub-expressions by other sub-expressions. The following definitions are the usual definitions used for general terms over a given signature and are specialized to process-algebraic expressions.
Definition 1
(Navigation by Occurrences) Let \(Q\) be a set of atomic expressions and \(\bot \not \in Q\) (it represents the symbol for undefined). The subexpression of \(e \in {\textit{PEX}}(Q)\) at occurrence \(o \in \{ 0, 1 \}^{*}\) is a process-algebraic expression \(e[o] \in {\textit{PEX}}(Q)\) inductively defined as follows:
-
(i)
\(\varepsilon [o]\triangleq \bot \) and \(q[o]\triangleq \bot \) for \(q \in Q,\,o \ne []\)
-
(ii)
\(e[[]] \triangleq e\) for \(e \ne \varepsilon \)
-
(iii)
\((e_1 \circ e_2)[0:o] \triangleq e_1[o]\) for \(e_1,e_2 \ne \varepsilon ,\,\circ \in \{ . , \parallel \}\)
-
(iv)
\((e_1 \circ e_2)[1:o] \triangleq e_2[o]\) for \(e_1,e_2 \ne \varepsilon ,\,\circ \in \{ . , \parallel \}\)
Definition 2
(Replacement) Let \(Q\) be a set of atomic expressions, \(e \in {\textit{PEX}}(Q)\) and \(o \in \{ 0,1 \}^{*}\) be such that \(e[o] \ne \bot \). The replacement of \(e\) at \(o\) by \(e'\in {\textit{PEX}}(Q)\) is a process-algebraic expression \(e[e'/o] \in {\textit{PEX}}(Q)\) inductively defined by:
-
(i)
\(e[e'/[]] \triangleq e'\)
-
(ii)
\((e_1 \circ e_2)[e'/0:o] \triangleq e_1[e'/o] \circ e_2\) for \(e_1,e_2 \ne \varepsilon ,\circ \in \{ . , \parallel \}\)
-
(iii)
\((e_1 \circ e_2)[1:o] \triangleq e_1\circ e_2[e'/o]\) for \(e_1,e_2 \ne \varepsilon ,\,\circ \in \{ . , \parallel \}\)
Example 6
(Occurrences) Let \(e \triangleq (((q_{28}\!\!\parallel \!\!q_{23}).q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\). Then, \(e[[0,0,0,0,0,0,0]]=q_{28}\), \(e[[0,0,0,0,0,0,1]]=q_{21}, \,e[[0,0,1]]=q_{\mathsf{Exc}_1},e[[1,1]]=\bot ,\,e[[0,0,0]]=(q_{28}\!\!\parallel \!\!q_{21}).q_{32}.q_9)\), and \(e[[0,0,0,0,0,0]]=q_{28}\!\!\parallel \!\!q_{23}\). Furthermore \(e[q_{29}/[0,0,0,0,0,0])=((q_{29}.q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\).
Figure 15 shows the expression tree of the expression in Example 6 and the result of the replacement. In general, an occurrence \(o\) defines a path in \(e \in {\textit{PEX}}(Q)\) from the root to a sub-tree, \(e[o]\) is the expression corresponding to this sub-tree and \(e[e'/o]\) replaces this subtree by the tree corresponding to expression \(e'\).
Informally, Proposition 1(i) states that if \(e\) is replaced by \(e'\) at \(o\) then each occurrence \(\bar{o}\) with prefix \(o\) refers to a subexpression of \(e'\), in particular to those where \(o'\) is the suffix obtained by removing \(\bar{o}\) from \(o\). Note that \(o\) refers to the root of \(e'\). Proposition 1(ii) states that replacing twice an expression by a sub-expression, the last replacement overrides the first replacement. Proposition 1(iii) states that if an expression is replaced at occurrence \(o\) the sub-expression of \(e\) at \(o\), then \(e\) remains unchanged. Proposition 1(iv) states that a sub-expression at an occurrence \(o'\) is independent of a replacement if \(o'\) does not refer to a sub-tree of \(o\). Note that \(o'\) refers to a sub-tree of \(e[o]\) iff \(o \sqsubseteq o'\). Proposition 1(v) states for this case, the replacements can be exchanged.
Proposition 1
(Properties of Occurrences and Replacements) Let \(Q\) be a set of atomic processes, \(e,e',e'' \in {\textit{PEX}}(Q)\) be process-algebraic expressions over \(Q\), and \(o,o' \in \{0, 1 \}^*\) such that \(e[o]\ne \bot \) and \(e[o'] \ne \bot \). Then, the following properties hold:
-
(i)
\(e[e'/o][o\mathsf {+\!\!+}o']=e'[o']\). In particular \(e[e'/o][o]=e'\).
-
(ii)
\(e[e'/o][e''/o]=e[e''/o]\)
-
(iii)
If \(e[o]=e'\) then \(e[e'/o]=e\)
-
(iv)
If \(o \not \sqsubseteq o'\) and \(o' \not \sqsubseteq o\) then \(e[e'/o][o']=e[o']\)
-
(v)
If \(o \not \sqsubseteq o'\) and \(o' \not \sqsubseteq o\) then \(e[e'/o][/e''/o']=e[e''/o'][e'/o]\)
Proof
(i) The proof is by induction on \(o\)
-
Case 1: \(o=[]\). Then,
$$\begin{aligned} \begin{array}{lll} e[e'/[]][[]\mathsf {+\!\!+}o'] &{}=e[e'/[]][o'] &{} \quad []~\text {is identitiy of}~\mathsf {+\!\!+}\\ &{}= e'[o] &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^{*}\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Hence,
$$\begin{aligned} \begin{array}{ll} (e_1\circ e_2)[e'/0:\bar{o}][(0:\bar{o})\mathsf {+\!\!+}o'] \\ \quad = (e_1\circ e_2)[e'/0:\bar{o}][0:(\bar{o}\mathsf {+\!\!+}o')] &{}\quad \text {associativity of}~\mathsf {+\!\!+}\\ \quad =(e_1[e'/\bar{o}] \circ e_2)[0:(\bar{o}\mathsf {+\!\!+}o')] &{}\quad \text {Definition 2(ii)}\\ \quad =e_1[e'/\bar{o}][\bar{o}\mathsf {+\!\!+}o'] &{}\quad \text {by Definition 1(iii)}\\ \quad =e'[o'] &{}\quad \text {by induction hypothesis} \end{array} \end{aligned}$$ -
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^{*}\). The proof is analogous to Case 2.
(ii) The claim is proved by induction on \(o\).
-
Case 1: \(o=[]\). Then,
$$\begin{aligned} \begin{array}{lll} e[e'/[]][e''/[]] &{}= e'' &{} \quad \text {by Definition 2(i)}\\ &{}= e[e''/[]] &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Hence,
$$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][e''/0:\bar{o}] \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[e''/0:\bar{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =(e_1[e'/\bar{o}][e''/\bar{o}] \circ e_2) &{}\quad \text {by Definition 2(ii)}\\ \quad =(e_1[e''/\bar{o}] \circ e_2) &{}\quad \text {by induction hypothesis}\\ \quad =(e_1 \circ e_2)[e''/0:\bar{o}] &{}\quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$ -
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.
(iii) Let be \(e[o]=e'\). Then, it must be shown that \(e[e'/o]=e\). The proof is also an induction on \(o\).
-
Case 1: \(o=[]\). Then, it holds
$$\begin{aligned} \begin{array}{lll} e[e'/[]] &{}= e' &{} \quad \text {by Definition 2(i)}\\ &{}=e[[]] &{}\quad \text {since}~e[o]=e'\\ &{}=e &{}\quad \text {by Definition 1(ii)} \end{array} \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Hence,
$$\begin{aligned} \begin{array}{lll} e_1[\bar{o}] &{}=(e_1.e_2)[0:\bar{o}] &{}\quad \text {by Definition 1(iii)}\\ &{}=e' &{}\quad \text {since}~e[o]=e'. \end{array} \end{aligned}$$Thus, by induction hypothesis it is \(e_1[e'/\bar{o}]=e_1\). Then, it holds:
$$\begin{aligned} \begin{array}{lll} (e_1 \circ e_2)[e'/0:\bar{o}] &{}= (e_1[e'/\bar{o}] \circ e_2) &{}\quad \text {by Definition 2(ii)}\\ &{}= e_1 \circ e_2 &{} \quad \text {by induction hypothesis} \end{array} \end{aligned}$$ -
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.
(iv) The proof is by induction on the longest common prefix of \(o\) and \(o'\).
-
Case 1: \([]\) is the longest common prefix of \(o\) and \(o'\). Then, it is \(o=[c_1:\bar{o}]\) and \(o'=[c_2:\bar{\hat{o}}]\) for \(c_1,c_2 \in \{ 0,1 \},\,c_1 \ne c_2,\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\). Since \(e[o] \ne \bot \), it is \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Let be \(c_1=0\) and \(c_2=1\) (the case \(c_1=1\) and \(c_2=0\) is proven analogously). Then,
$$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][1:\hat{o}] &{}\\ \quad = (e_1[e'/\bar{o}] \circ e_2)[1:\hat{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =e_2[\hat{o}] &{}\quad \text {by Definition 1(iv)}\\ \quad =(e_1 \circ e_2)[1:\hat{o}] &{}\quad \text {by Definition 1(iv)} \end{array} \end{aligned}$$ -
Case 2: The longest common prefix of \(o\) is \(c:o''\) for a \(o'' \in \{ 0, 1 \}^*\). Then, it is \(o=[c:\bar{o}]\) and \(o'=[c:\bar{\hat{o}}],\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\) and \(o''\) is the longest common prefix of \(\bar{o}\) and \(\hat{o}\). We prove the case \(c=0\) (the case \(c=1\) is proven analogously):
$$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][0:\hat{o}] &{} \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[0:\hat{o}]&{}\quad \text {by Definition 2(ii)}\\ \quad =e_1[e'/\bar{o}][\hat{o}]&{}\quad \text {by Definition 1(iii)}\\ \quad =e_1[\hat{o}] &{}\quad \text {by induction hypothesis}\\ \quad =(e_1 \circ e_2)[0:\hat{o}] &{}\quad \text {by Definition 1(iii)} \end{array} \end{aligned}$$
(v) The proof is also by induction on the longest common prefix of \(o\) and \(o'\).
-
Case 1: \([]\) is the longest common prefix of \(o\) and \(o'\). Then, it is \(o=[c_1:\bar{o}]\) and \(o'=[c_2:\bar{\hat{o}}]\) for \(c_1,c_2 \in \{ 0,1 \},\,c_1 \ne c_2,\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\). Since \(e[o] \ne \bot \), it is \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Let be \(c_1=0\) and \(c_2=1\) (the case \(c_1=1\) and \(c_2=0\) is proven analogously). Then,
$$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][e''/1:\hat{o}] &{} \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[e''/1:\hat{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad = (e_1[e'/\bar{o}] \circ e_2[e''/ \hat{o}]) &{}\quad \text {by Definition 2(iii)}\\ \quad = (e_1 \circ e_2[e''/\hat{o}])[e'/0:\bar{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad = (e_1 \circ e_2)[e''/1:\hat{o}][e'/0:\bar{o}] &{}\quad \text {by Definition 2(iii)} \end{array} \end{aligned}$$ -
Case 2: The longest common prefix of \(o\) is \(c:o''\) for a \(o'' \in \{ 0, 1 \}^*\). Then, \(o=[c:\bar{o}]\) and \(o'=[c:\bar{\hat{o}}]\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\) and \(o''\) is the longest common prefix of \(\bar{o}\) and \(\hat{o}\). We prove the case \(c=0\) (the case \(c=1\) is proven analogously):
$$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][e''/0:\hat{o}]&{} \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[e''/0:\hat{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =e_1[e'/\bar{o}][e''/\hat{o}] \circ e_2 &{}\quad \text {by Definition 2(ii)}\\ \quad =e_1[e''/\hat{o}][e'/\bar{o}] \circ e_2 &{}\quad \text {by induction hypothesis}\\ \quad =(e_1[e''/\hat{o}] \circ e_2)[e'/0:\bar{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =(e_1 \circ e_2)[e''/0:\hat{o}][e'/0:\bar{o}] &{}\quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$
\(\square \)
The following definition defines for process-algebraic expressions the occurrences for the top-of-stack elements of the corresponding cactus stacks, respectively.
Definition 3
(Top-of-Stack Occurrences) Let \(Q\) be a set of atomic processes and \(e \in {\textit{PEX}}(Q)\). The set \({\textit{TOP}}(e)\) of top-of-stack occurrences of \(e\) is inductively defined by:
-
(i)
\({\textit{TOP}}(\varepsilon ) \triangleq \emptyset \)
-
(ii)
\({\textit{TOP}}(q) \triangleq \{ [] \}\) for \(q \in Q\)
-
(iii)
\({\textit{TOP}}(e_1.e_2) \triangleq 0: {\textit{TOP}}(e_1)\)
-
(iv)
\({\textit{TOP}}(e_1\!\!\parallel \!\!e_2) \triangleq (0: {\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2))\)
Example 7
(Top-of-Stack Elements) For the process-algebraic expression \(e \triangleq (((q_{28}\!\!\parallel \!\!q_{23}).q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\), it is
This expression corresponds to the cactus stack in Fig. 15c.
Proposition 2 defines some properties on top-of-stack elements. The first property states that if an expression \(e\) is replaced at a occurrence \(o\) by a sub-expression \(e'\) and \(e[o]\) contains top-of-stack elements, a top-of-stack element of \(e[e'/o]\) is a top-of-stack element of \(e\) outside of \(e[o]\) or a top-of-stack element of \(e'\) (adjusted for \(e[/e'/o]\)). The second property states that if \(e[o]\) doesn’t contain top-of-stack elements then the top-of-stack elements of \(e\) are not affected by replacements at \(o\). Furthermore, each top-of-stack elements refers to an atomic expression and two top-of-stack elements cannot be proper sub-expressions of each other.
Proposition 2
(Properties of Top-Of-Stack Elements) Let \(Q\) be a set of atomic processes, \(e,e' \in {\textit{PEX}}(Q)\) be process-algebraic expressions over \(Q\), and \(o,o' \in \{ 0,1 \}^*\) be occurrences. Then, the following properties hold:
-
(i)
If \(e[o] \ne \bot \) and \({\textit{TOP}}(e) \cap {\textit{PREF}}(o) \ne \emptyset \) then \({\textit{TOP}}(e[e'/o])={\textit{TOP}}(e) \setminus {\textit{PREF}}(o) \cup (o \mathsf {+\!\!+}{\textit{TOP}}(e'))\).
-
(ii)
If \(e[o] \ne \bot \) and \({\textit{TOP}}(e) \cap {\textit{PREF}}(o) = \emptyset \) then \({\textit{TOP}}(e[e'/o])={\textit{TOP}}(e)\).
-
(iii)
For each \(o\in {\textit{TOP}}(e)\) it is \(e[o] \in Q\)
-
(iv)
If \(o \sqsubseteq o'\) for a \(o' \in {\textit{TOP}}(e)\) then \(e[o]\ne \bot \).
-
(v)
If \(o,o' \in {\textit{TOP}}(e)\) and \(o \ne o'\), then \(o \not \sqsubseteq o'\) and \(o'\not \sqsubseteq e\).
Proof
(i) The proof is by induction on \(o\).
-
Case 1: \(o=[]\). Then, \(e \ne \varepsilon \) since otherwise \(e[o]=\bot \). Furthermore, it holds \({\textit{PREF}}([]) = \{ 0, 1 \}^*\). Then,
$$\begin{aligned} \begin{array}{ll} {\textit{TOP}}(e) {\setminus } {\textit{PREF}}([]) \!\cup \! ([] \mathsf {+\!\!+}{\textit{TOP}}(e'))&{}\\ \quad = {\textit{TOP}}(e) {\setminus } \{ 0, 1 \}^* \cup {\textit{TOP}}(e') &{}\quad \text {by definition of}~\mathsf {+\!\!+}~\text {for sets}\\ \quad = \emptyset \!\cup \! {\textit{TOP}}(e')&{} \\ \quad = {\textit{TOP}}(e') = {\textit{TOP}}(e[e'/[]]) &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\). Then, \(e=e_1.e_2\) or \(e=e_1 \!\!\parallel \!\!e_2\). Otherwise it would be \(e[o]=\bot \). By induction hypothesis it holds
$$\begin{aligned} {\textit{TOP}}(e_1[e'/\bar{o}]) = {\textit{TOP}}(e_1) \setminus {\textit{PREF}}(\bar{o}) \cup (\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e')) \nonumber \\ \end{aligned}$$(1)and
$$\begin{aligned} {\textit{PREF}}(0:\bar{o}) = 0:{\textit{PREF}}(\bar{o}) \end{aligned}$$(2) -
Case 2.1: \(e=e_1.e_2\). Then,
$$\begin{aligned} \begin{array}{ll} {\textit{TOP}}((e_1.e_2)[e'/0:\bar{o}])&{}\\ \quad \!=\!{\textit{TOP}}(e_1[e'\bar{o}].e_2) &{}\quad \text {by Definition 2(ii)}\\ \quad \!=\! 0\!:\!{\textit{TOP}}(e_1[e'/ \bar{o}]) &{}\quad \text {by Definition 3(iii)}\\ \quad \!=\! 0\!:\!({\textit{TOP}}(e_1) {\setminus } {\textit{PREF}}(\bar{o}) \!\cup \! (\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e'))&{} \quad \text {by}~(1)\\ \quad \!=\!(0\!:\!{\textit{TOP}}(e_1)) {\setminus } (0\!:\!{\textit{PREF}}(\bar{o})) \!\cup \! (0:(\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \\ \quad \!=\!(0\!:\!{\textit{TOP}}(e_1)) {\setminus } ({\textit{PREF}}(0\!:\!\bar{o})) \!\cup \! (0:(\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by}~(2)\\ \quad \!=\!(0\!:\!{\textit{TOP}}(e_1)) {\setminus } ({\textit{PREF}}(0\!:\!\bar{o})) \!\cup \! ((0\!:\!\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by associativity of}~\mathsf {+\!\!+}\\ \quad \!=\! {\textit{TOP}}(e_1.e_2) {\setminus } ({\textit{PREF}}(0\!:\!\bar{o})) \!\cup \! ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$ -
Case 2.2: \(e=e_1 \!\!\parallel \!\!e_2\). Then,
$$\begin{aligned} \begin{array}{ll} {\textit{TOP}}((e_1\!\!\parallel \!\!e_2)[e'/0:\bar{o}])&{}\\ \quad ={\textit{TOP}}(e_1[e'\!\!\parallel \!\!o].e_2)&{} \quad \text {by Definition 2(ii)}\\ \quad = 0:{\textit{TOP}}(e_1[e'/\bar{o}]) \cup (1:{\textit{TOP}}(e_2)) &{}\quad \text {by Definition 3(iii)}\\ \quad =(0:{\textit{TOP}}(e_1)) \setminus ({\textit{PREF}}(0:\bar{o})) \cup ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) \cup (1:{\textit{TOP}}(e_2)) &{}\quad \text {analogous to Case 2.1}\\ \quad =((0:{\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2)) \setminus ({\textit{PREF}}(0:\bar{o})) \cup ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e'))\\ \quad = {\textit{TOP}}(e_1\!\!\parallel \!\!e_2) \setminus ({\textit{PREF}}(0:\bar{o})) \cup ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$ -
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\). Then, \(e=e_1 \!\!\parallel \!\!e_2\). Otherwise it would be \(e[o]=\bot \) or \({\textit{TOP}}(e) \cap {\textit{PREF}}(1:\bar{o})=\emptyset \). The case is proven analogously to Case 2.2
(ii) For the case \(o=[]\), it always holds \({\textit{TOP}}(e) \cap {\textit{PREF}}([]) = {\textit{TOP}}(e) \ne \emptyset \). Similarly, if \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\) and for \(e=e_1 \circ e_2,\, \circ \in \{ . \parallel \}\) it holds \({\textit{TOP}}(e) \supseteq 0:{\textit{TOP}}(e_1) \ne \emptyset \). If \(e=e_1\!\!\parallel \!\!e_2\), it holds \({\textit{TOP}}(e) \supseteq 1:{\textit{TOP}}(e_2) \ne \emptyset \). Hence, it remains \(e=e_1.e_2\) and \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^{*}\). Then, it holds
(iii) Suppose \(e[o] \not \in Q\) for a \(o \in {\textit{TOP}}(e)\). Then, \(e=e_1.e_2\) or \(e=e_1\!\!\parallel \!\!e_2\). We prove by induction on \(o\) that \(o \not \in {\textit{TOP}}(e)\).
-
Case 1: \(o=[]\): Then, \(e[o]=e\).
-
Case 1.1: \(e=e_1.e_2\). Then, \({\textit{TOP}}(e) = 0:{\textit{TOP}}(e_1) \not \ni []\).
-
Case 1.2: \(e=e_1\!\!\parallel \!\!e_2\). Then, \({\textit{TOP}}(e) = (0:{\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2) \not \ni []\).
-
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\).
-
Case 2.1: \(e=e_1.e_2\). Then, \(e[o]=e_1[\bar{o}]\). By induction hypothesis \(\bar{o} \not \in {\textit{TOP}}(e_1)\). Hence, \(0:\bar{o} \not \in 0:{\textit{TOP}}(e_1) = {\textit{TOP}}(e_1.e_2)\)
-
Case 2.2: \(e=e_1\!\!\parallel \!\!e_2\). By induction hypothesis \(\bar{o} \not \in {\textit{TOP}}(e_1)\). Hence, it is \(0:\bar{o} \not \in (0:{\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2)) = {\textit{TOP}}(e_1.e_2)\)
-
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\). Hence, \(1:\bar{o}\not \in 0:{\textit{TOP}}(e_1) = {\textit{TOP}}(e_1.e_2)\)
-
Case 3.1: \(e=e_1.e_2\). Hence, \(1:\bar{o}\not \in 0:{\textit{TOP}}(e_1) = {\textit{TOP}}(e_1.e_2)\)
-
Case 3.2: \(e=e_1\!\!\parallel \!\!e_2\). The proof is analogous to the proof of Case 2.2.
(iv) By (iii), \(e[o] \ne \bot \) for a \(o \in {\textit{TOP}}(e)\). Hence, by Definition 1(i), \(e[o'] \ne \bot \) for each prefix \(o' \sqsubseteq o\).
(v) Let \(o \sqsubset o'\) for a \(o' \in {\textit{TOP}}(e)\). By (iii): \(e[o'] \in Q\). Hence, by Definition 1(ii) \(e[o] \not \in Q\) is a composed expression. \(\square \)
The following Lemma states that the application of a process rewrite rule \(l\rightarrow r\) to a process-algebraic expression replaces \(l\) by \(r\) at an occurrence \(o\) where \(e[o]\) contains TOP-of-stack elements.
Lemma 1
(Application of Process Rewrite Rules) Let \(\varPi \triangleq (\varSigma , Q,\rightarrow ,q_0,F)\) be a process rewrite system, \(e \in {\textit{PEX}}(Q)\) be a process-algebraic expression, \(l {\mathop {\rightarrow }\limits ^{a}} r\) be a process rewrite rule, and \(o \in \{ 0, 1 \}^*\) be an occurrence with \({\textit{TOP}}(e) \cap {\textit{PREF}}(o) \ne \emptyset \) and \(e[o]=l\). Then, it holds \(e {\mathop {\Rightarrow }\limits ^{a}} e[r/o]\).
Proof
The proof is an induction on \(o\).
-
Case 1: \(o=[]\). Then,
$$\begin{aligned} \begin{array}{lll} e[[]] &{}=l &{}\quad \text {by assumption}\\ &{}{\mathop {\Rightarrow }\limits ^{a}} r &{}\quad \text {by inference rule (R)}\\ &{}=e[r/[]] &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0,1 \}^*\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ ., \parallel \}\). Then, it holds
$$\begin{aligned} \begin{array}{lll} e_1[\bar{o}] &{}= e[0:\bar{o}] &{} \quad \text {by Definition 1(iii)} \\ &{}=l &{} \quad \text {by assumption} \end{array} \end{aligned}$$Hence, by induction hypothesis, it is
$$\begin{aligned} e_1 {\mathop {\Rightarrow }\limits ^{a}} e_1[r/\bar{o}] \end{aligned}$$(3) -
Case 2.1: \(e=e_1.e_2\). Then,
$$\begin{aligned} \begin{array}{lll} e_1.e_2 &{}{\mathop {\Rightarrow }\limits ^{a}} e_1[r/\bar{o}].e_2 &{} \quad \text {by (3) and inference rule (S)}\\ &{}= (e_1.e_2)[r/0:o] &{} \quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$ -
Case 2.2: \(e=e_1\!\!\parallel \!\!e_2\). Then,
$$\begin{aligned} \begin{array}{lll} e_1\!\!\parallel \!\!e_2 &{}{\mathop {\Rightarrow }\limits ^{a}} e_1[r/\bar{o}] \!\!\parallel \!\!e_2 &{} \quad \text {by (3) and inference rule (P1)}\\ &{}= (e_1 \!\!\parallel \!\!e_2)[r/0:o] &{} \quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$ -
Case 3: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0,1 \}^*\). Then, \(e=e_1\!\!\parallel \!\!e_2\) since \({\textit{TOP}}(e) \cap {\textit{PREF}}(o)=\emptyset \) for \(e=e_1.e_2\). The proof for this case is analogous to Case 2.2. \(\square \)
1.2 Appendix 1.2 Properties of the combined abstraction
Throughout this subsection, let \(U_s \triangleq (\varSigma _s,Q,\rightarrow ,q_0,F)\) be a process rewrite system specifying an abstraction for the use of service \(s,\,R_s \triangleq (\varSigma _s,R_s,\rightarrow _s,q_o^s,\bar{F}_s)\) be a finite state machine without \(\lambda \)-transitions specifying an (inverted) protocol for \(s\), and \(K \triangleq (\varSigma _s, Q_K, \rightarrow _K, q_0^K, F_K)\) be the Combined Abstraction of \(U_s\) and \(R_s\) as defined in Sect. 4.
Definition 4
(Stripping Protocol States and Protocol States on Top of Stacks) Let \(e \in {\textit{PEX}}(Q_K)\) a process-algebraic expression over the atomic processes of the Combined Abstraction. The stripping of protocol state from \(e\) is a process-algebraic expression \(\pi (e) \in {\textit{PEX}}(Q)\) over the atomic processes of \(U_s\), inductively defined by:
-
(i)
\(\pi (\varepsilon ) \triangleq \varepsilon \) and \(\pi ((r,q)) \triangleq q\)
-
(ii)
\(\pi (e_1 \circ e_2) \triangleq \pi (e_1) \circ \pi (e_2)\) for \(\circ \in \{ ., \parallel \}\)
The set \({ TOS}(e) \triangleq \{ r : \text {there is a} o \in {\textit{TOP}}(e)\) and \(q \in Q\) such that \(e[o]=(r,q) \}\) is the set of top-of-stack protocol states of \(e \in {\textit{PEX}}(Q_K)\). The process-algebraic expression \(e\) is inconsistent with \(r\) iff \({\textit{TOP}}(e) \ne \{r\}\).
The cactus stack corresponding to \(\pi (e)\) has the same shape as the cactus stack corresponding \(e\), and if a stack element of \(e\) contains \((r,q)\) then the stack element of \(\pi (e)\) contains \(q\). The top-of-stack protocol states is the set of protocol states on the top-of-stack elements of the cactus stack corresponding to \(e\).
Example 8
Let \(e \triangleq ((r_1,q_1)\!\!\parallel \!\!(r_2,q_2)).(r_3.q_3)\).
Then,
The following proposition states some properties on \(\pi \). The first one states that stripping and navigation by occurrences can be interchanged. The second states that stripping a replacement can be interchanged by stripping the expression and the replacing expression. The third property states that the set of top-of-stack occurrences are not affected by stripping. The fourth proposition and fifth property are technical ones. They relate replacements on a stripped expression to stripping a replacement. The fifth property is a generalization of the fourth as it considers the states at the top-of-stack occurrences.
Proposition 3
(Stripping Protocol States) Let \(e',e'',e''' \in {\textit{PEX}}(Q_K)\) process-algebraic expressions over the atomic processes of the Combined Abstraction of \(U_s\) and \(R_s,\,e, e_1, e_2 \in {\textit{PEX}}(Q)\) be process-algebraic expressions over the atomic states of \(U_s\), and \(o \in \{ 0, 1 \}^*\) be an occurrence such that \(e'[o]\ne \bot \) (and \(e[o] \ne \bot \)). Then, it holds:
-
(i)
\(\pi (e'[o]) = \pi (e)[o]\)
-
(ii)
\(\pi (e'[e''/o]) = \pi (e')[\pi (e'')/o]\)
-
(iii)
\({\textit{TOP}}(\pi (e')) = {\textit{TOP}}(e')\)
-
(iv)
If \(e[o]=e_1,\,\pi (e'')=e[e_2/o],\,\pi (e''')=e_1\), and \(e'=e''[e'''/o]\), then \(\pi (e')=e\)
-
(v)
Let \(o_1,\ldots ,o_k \in {\textit{TOP}}(e),\,o \not \in \{ o_1,\ldots , o_k \}\) and \(q_i \triangleq e[o_i],\,i=1,\ldots ,k\). Then, it holds for any protocol states \(r_1,\ldots ,r_k \in R_s\): If \(e[o]=e_1,\pi (e'')=e[e_2/o],\,\pi (e''')=e_1\), and \(e'=e''[(r_1,q_1)/o_1]\cdots [(r_k,q_k)/o_k][e'''/o]\), then \(\pi (e')=e\)
Proof
(i) The proof is an induction on \(o\).
-
Case 1: \(o=[]\). Then, by Definition 1(ii), it holds
$$\begin{aligned} \pi (e'[[]]) = \pi (e') =\pi (e')[[]]. \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). Then, \(e'=\bar{e}_1 \circ \bar{e}_2\) for a \(\circ \in \{ ., \parallel \}\). Hence,
$$\begin{aligned} \begin{array}{ll} \pi ((\bar{e}_1 \circ \bar{e}_2)[0:\bar{o}])&{} \\ \quad =\pi (\bar{e}_1[\bar{o}]) &{} \quad \text {by Definition 1(iii)}\\ \quad = \pi (\bar{e}_1)[\bar{o}] &{} \quad \text {by induction hypothesis}\\ \quad = (\pi (\bar{e}_1) \circ \pi (\bar{e}_2))[0:\bar{o}] &{} \quad \text {by Definition 1(iii)}\\ \quad =\pi (\bar{e}_1 \circ \bar{e}_2)[0:\bar{o}] &{}\quad \text {by Definition 4(ii)} \end{array} \end{aligned}$$ -
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.
(ii) The proof is an induction on \(o\).
-
Case 1: \(o=[]\). Then, by Definition 2(i), it holds
$$\begin{aligned} \pi (e'[e''/[]]) = \pi (e'') =\pi (e')[\pi (e'')/[]]. \end{aligned}$$ -
Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). Then, \(e'=\bar{e}_1 \circ \bar{e}_2\) for a \(\circ \in \{ ., \parallel \}\). Hence,
$$\begin{aligned} \begin{array}{ll} \pi ((\bar{e}_1 \circ \bar{e}_2)[e''/0:\bar{o}]) &{} \\ \quad = (\pi (\bar{e}_1) \circ \pi (\bar{e}_2))[e''/0:\bar{o}] &{} \quad \text {by Definition 4(ii)}\\ \quad =\pi (\bar{e}_1)[e''/\bar{o}] \circ \pi (\bar{e}_2) &{} \quad \text {by Definition 2(ii)}\\ \quad = \pi (\bar{e}_1)[\pi (e'')/\bar{o}] \circ \pi (\bar{e}_2) &{} \quad \text {by induction hypothesis}\\ \quad = (\pi (\bar{e}_1) \circ \pi (\bar{e}_2))[\pi (e'')/0:\bar{o}] &{} \quad \text {by Definition 2(ii)}\\ \quad =\pi (\bar{e}_1 \circ \bar{e}_2)[\pi (e'')/0:\bar{o}] &{}\quad \text {by Definition 4(ii)} \end{array} \end{aligned}$$ -
Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.
(iii) The proof is by induction on \(e'\).
-
Case 1: \(e'=\varepsilon \) or \(e'=(r,q)\). Then, (iii) follows directly from Definition 4(i) and Definition 3(i), (ii).
-
Case 2: \(e'=\bar{e}_1 . \bar{e}_2\). Then,
$$\begin{aligned} \begin{array}{ll} {\textit{TOP}}(\pi (\bar{e}_1 . \bar{e}_2)) &{}\\ \quad = {\textit{TOP}}(\pi (\bar{e}_1) . \pi (\bar{e}_2)) &{}\quad \text {by Definition 4(ii)}\\ \quad ={\textit{TOP}}(\pi (\bar{e}_1)) &{}\quad \text {by Definition 3(iii)}\\ \quad ={\textit{TOP}}(e_1) &{} \quad \text {by induction hypothesis}\\ \quad ={\textit{TOP}}(e_1.e_2) &{}\quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$ -
Case 3: \(e'=\bar{e}_1 \!\!\parallel \!\!\bar{e}_2\). Then,
$$\begin{aligned} \begin{array}{ll} {\textit{TOP}}(\pi (\bar{e}_1 \!\!\parallel \!\!\bar{e}_2)) &{} \\ \quad = {\textit{TOP}}(\pi (\bar{e}_1) \!\!\parallel \!\!\pi (\bar{e}_2)) &{}\quad \text {by Definition 4(ii)}\\ \quad ={\textit{TOP}}(\pi (\bar{e}_1)) \cup {\textit{TOP}}(\pi (\bar{e}_2)) &{}\quad \text {by Definition 3(iv)}\\ \quad ={\textit{TOP}}(e_1) \cup {\textit{TOP}}(e_2)&{}\quad \text {by induction hypothesis}\\ \quad ={\textit{TOP}}(e_1\!\!\parallel \!\!e_2) &{}\quad \text {by Definition 3(iv)} \end{array} \end{aligned}$$
(v)
(iv)
\(\square \)
The following properties for the top-of-stack protocol states are direct consequence of Proposition 2. The first property states that an atomic process of the Combined Abstraction can be deduced from the top-of-stack elements and the stripped process-algebraic expression. The second states that a protocol state is a top-of-stack protocol state in \(e[e'/o] \in {\textit{PEX}}(Q_K)\) if it is a top-of-stack protocol state outside of \(o\) or it is a top-of-stack protocol state of \(e'\). The third and fourth property are special cases of the second.
Proposition 4
(Top-Of-Stack Protocol States) Let \(e,e' \in {\textit{PEX}}(Q_K)\) be process-algebraic expressions over the atomic processes of the Combined Abstraction, \(o \in \{ 0, 1 \}^*\) be an occurrence with \(e[o] \ne \bot \), and \(o_1,\ldots ,o_k \in \{ 0, 1 \}^*\) be occurrence such that \({\textit{TOP}}(e) \setminus {\textit{PREF}}(e) = \{ o_1 , \ldots , o_k \}\). Then,
-
(i)
If \({ TOS}(e)=r,\,o \in {\textit{TOP}}(e)\) then \(e[o]=(r,q)\) where \(q=\pi (e)[o] \in Q\).
-
(ii)
Let be \((r_i,q_i) \triangleq e[o_i],\,i\!=\!1,\ldots ,k\). Then, \({ TOS}(e[e'/o]) = \{ r_1, \ldots , r_k \} \cup { TOS}(e')\).
-
(iii)
If there is a \(r \in R_s\) and \(q_1, \ldots , q_k \in Q\) such that \(e[o_i]=(r,q_i),\,i=1, \ldots , k\) and \({ TOS}(e')=\{ r \}\) then \({ TOS}(e[e'/o])=\{ r \}\).
-
(iv)
If \({ TOS}(e')=\{ r \}\) then \({ TOS}(e[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][e'/o])=\{ r \}\) for all \(q_1, \ldots , q_k \in Q\).
Proof
(i) follows directly from Definitions 3 and 4. Proposition 2(i) and Definition 4 directly imply (ii). (iii) and (iv) are special cases of (ii) (just choosing \(r_i=r\) for \(i=1,\ldots ,k\) \(\square \)
1.3 Appendix 1.3 Proof of the main theorem
For this subsection, let \(U_s \triangleq (\varSigma _s,Q,\rightarrow ,q_0,F)\) be a process rewrite system specifying an abstraction for the use of service \(s,\,R_s \triangleq (\varSigma _s,R_s,\rightarrow _s,q_o^s,\bar{F}_s)\) be a finite state machine without \(\lambda \)-transitions specifying an (inverted) protocol for \(s\), and \(K \triangleq (\varSigma _s, Q_K, \rightarrow _K, q_0^K, F_K)\) be the Combined Abstraction of \(U_s\) and \(R_s\) as defined in Sect. 4.
The application of process rewrite rule in \(T_{11} \cup T_{1S} \cup T_{S1} \cup T_{1P} \cup T_{P1}\) to a consistent \(e \in {\textit{PEX}}(Q_K)\) may change the protocol state on a top-of-stack element from a protocol state \(r\) to \(r'\). Thus, if \(e {\mathop {\Rightarrow }\limits ^{a}}_{K} e'\) then \({ TOS}(e')=\{r,r'\}\) is possible, i.e., \(e'\) is inconsistent. With following lemma it is possible to rewrite \(e'\) into \(e''\) with the same shape and \({\textit{TOP}}(e'') = \{ r' \}\).
Lemma 2
(Construction of Consistent Process-Algebraic Expressions) Let be \(e\in {\textit{PEX}}(Q_K),\,o\in {\textit{TOP}}(e),e[o]=(r,q)\). If \(r {\mathop {\rightarrow }\limits ^{a}}_{s} r'\) then \(e {\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e[(r',q)/o]\).
Proof
Since \(r {\mathop {\rightarrow }\limits ^{a}}_{s} r'\), it is \((r,q) {\mathop {\rightarrow }\limits ^{\lambda }}_{K}(r,q') \in T_0\). Thus, Lemma 1 implies \(e {\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e[(r',q)/o]\). \(\square \)
The following Theorem is the same as Theorem 1 where (i) and (ii) are rephrased using Definition 4
Theorem 1
Let be \(e \in {\textit{PEX}}(Q_K)\) be a process-algebraic expression over \(Q\) and \(r \in R_s\) a protocol state, and \(x \in \varSigma _{s}^{*}\) such that there is a \(f \in F\) and \(\bar{r} \in \bar{F}_s\) with \(e {\mathop {\Rightarrow }\limits ^{x}} f\) and \(r {\mathop {\Rightarrow }\limits ^{x}}_{s} \bar{r}\). Then, there is a \(e' \in {\textit{PEX}}(Q_K)\) and a \(f_k \in F_K\) such that the following properties are satisfied:
-
(i)
\(\pi (e')=e\)
-
(ii)
\({\textit{TOP}}(e')=\{ r \}\)
-
(iii)
\(e' {\mathop {\Rightarrow }\limits ^{x}}_{K} f_k\)
Proof
The proof is by induction on the number of applications of process rewrite rule \(\rightarrow \) of PRS \(U_s\) in \(e {\mathop {\Rightarrow }\limits ^{x}} f\).
Base Case:: No PRS-rule is being applied. Then, \(e=f\) and \(r=\bar{r}\) because \(R_s\) doesn’t contain rules \(r {\mathop {\rightarrow }\limits ^{\lambda }}_{s} r'\).Thus \(r \triangleq \bar{r} {\mathop {\Rightarrow }\limits ^{\lambda }}_{s} \bar{r}\). By definition of the combined abstraction, it holds \(f_k \triangleq (\bar{r}, f) \in F\). Define \(e' \triangleq f_k\). Then, \(\pi (e')=f (=e)\) by Definition 4(i), \({ TOS}(e') = \{ \bar{r} \} (= \{ r \}\)), and \(e' = f_k {\mathop {\Rightarrow }\limits ^{\lambda }}_{K} f_k\), i.e., it holds (i), (ii), and (iii) if no PRS-rule has been applied.
Inductive Case: Let \(lhs {\mathop {\rightarrow }\limits ^{a}} rhs\) be the first PRS-rule being applied in \(e {\mathop {\Rightarrow }\limits ^{x}} f\). Let \(o \in \{ 0,1\}^*\) be the occurrence where it is applied. Hence, by Lemma 1 it holds:
By induction hypothesis, there is a \(e''\in {\textit{PEX}}(Q_K)\) such that
Case 1: \(q {\mathop {\rightarrow }\limits ^{\lambda }} q'\) has been applied, i.e. \(lhs=q,\,rhs=q'\), and \(a=\lambda \). Define
Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). It holds:
Together with (11), Proposition 4(i) implies
By definition of the combined abstraction, it is
Hence,
Thus (i), (ii), and (iii) hold for Case 1
Case 2: \(q {\mathop {\rightarrow }\limits ^{a}} q',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\) and \(rhs=q'\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e.
Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is
By Proposition 1(i), it is \(e[q'/o][o]=q'\). Together with (11) and Proposition 4(i), this implies
Similarly, (11), (16), and Proposition 4(i) imply
\(i=1,\ldots ,k\). Hence,
Hence, (i), (ii), and (iii) hold also for Case 2.
Case 3: \(q {\mathop {\rightarrow }\limits ^{\lambda }} q'.q''\) has been applied, i.e. \(lhs=q,rhs=q'.q''\), and \(a=\lambda \). By (9) and Proposition 3(i) there is \(r''\in R_s\) such that
Define \(e'\) as in Case 1, i.e. by (12). Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is
Hence,
Thus, (i), (ii), (iii) is also satisfied for Case 3.
Case 4: \(q {\mathop {\rightarrow }\limits ^{a}} q'.q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\) and \(rhs=q'.q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and
Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is
The same arguments as in Case 3 show that (21) is satisfied. The same arguments as in Case 2 show that (20) holds. Hence,
Hence, (i), (ii), and (iii) hold also for Case 4.
Case 5: \(q.q' {\mathop {\rightarrow }\limits ^{\lambda }} q''\) has been applied, i.e. \(lhs=q.q',\,rhs=q''\), and \(a=\lambda \). Then, analogous to Case 1, it holds
Define for any \(r''\in R_s\):
Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is
Then,
Thus, (i), (ii), (iii) is also satisfied for Case 5.
Case 6: \(q.q' {\mathop {\rightarrow }\limits ^{a}} q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q.q'\) and \(rhs=q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and for any \(r''\in R_s\) be
Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is
The same arguments as in Case 5 show that (25) is satisfied. The same arguments as in Case 2 and Case 4 show that (20) holds. Hence,
Thus, (i), (ii), (iii) is also satisfied for Case 6.
Case 7: \(q {\mathop {\rightarrow }\limits ^{\lambda }} q'.\!\!\parallel \!\!q''\) has been applied, i.e. \(lhs=q,rhs=q' \!\!\parallel \!\!q''\), and \(a=\lambda \). By (9) and Proposition 3(i) it holds
Define \(e'\) as in Case 1 and Case 3, i.e. by (12). Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is
Hence,
Thus, (i), (ii), (iii) is also satisfied for Case 7.
Case 8: \(q {\mathop {\rightarrow }\limits ^{a}} q' \!\!\parallel \!\!q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\) and \(rhs=q' \!\!\parallel \!\!q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and \(e'\) be defined by (17) (as in Case 2 and 4). Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is
The same arguments as in Case 3 show that (21) is satisfied. The same arguments as in Case 2 show that (20) holds.Hence,
Hence, (i), (ii), and (iii) hold also for Case 8.
Case 9: \(q \!\!\parallel \!\!q' {\mathop {\rightarrow }\limits ^{\lambda }} q''\) has been applied, i.e. \(lhs=q \!\!\parallel \!\!q',rhs=q''\), and \(a=\lambda \). Then, it holds (25) analogous to Case 5. Define
Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is
Then,
Thus, (i), (ii), (iii) is also satisfied for Case 9.
Case 10: \(q\!\!\parallel \!\!q' {\mathop {\rightarrow }\limits ^{a}} q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\!\!\parallel \!\!q'\) and \(rhs=q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and \(e'\) be defined by
Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is
The same arguments as in Case 5, 6, and 9 show that (25) is satisfied. The same arguments as in Case 2, 4, 6, and 8 show that (20) holds. Hence,
Thus, (i), (ii), (iii) is also satisfied for Case 10.
With Case 1–10 all possibilities are considered, and for each case (i), (ii), (iii) are satisfied. This completes the proof \(\square \)
Rights and permissions
About this article
Cite this article
Heike, C., Zimmermann, W. & Both, A. On expanding protocol conformance checking to exception handling. SOCA 8, 299–322 (2014). https://doi.org/10.1007/s11761-013-0146-2
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11761-013-0146-2