Symbolic Alternative Characterizations of Testing Preorders for Regular Timed Processes

Authors

  • Shoji Yuen
  • Toshiki Sakabe
  • Yasuyoshi Inagaki
Abstract

to the first characterizations by abstracting some finite number of time intervals from the time domain. This abstraction is finitely possible for the regular class of real-time communicating processes. These second characterizations provide a proof technique for the regular class of real-time communicating processes.

The time-out combinator, written $/_d$, is a binary infix combinator where $d$ is a non-negative real number. A real-time communicating process $P /_d Q$ behaves like $P$ if $P$ commits any observable event within time $d$, and behaves like $Q$ otherwise. Exactly at time $d$, the behavior is nondeterministically either like $P$ or like $Q$. Namely, $P /_d Q$ makes a choice after time $d$ and is considered an extension of the choice operator of CCS. This kind of time-out combinator is introduced as a primitive in the literature [8][11][19][20], where it is shown that the combinator can model a variety of timed behavior.

Following the testing principle [18], a real-time communicating process is seen as a kind of black box and is known only by interacting with it through synchronous communications. An examiner of a real-time communicating process, called a "timed test", is also a process with time constraints and some successful terminating states. While testing, the examiner performs interactions in an eager way, i.e. an observable event interacts as soon as it becomes available both for the process and for the examiner. We also assume that the passage of time is identical on both sides. As is done for untimed processes, we define the testing preorders $\sqsubseteq_{may}$ and $\sqsubseteq_{must}$ to understand the timed behavior of the process being examined, where $\sqsubseteq_{may}$ and $\sqsubseteq_{must}$ characterize the possibility and the necessity of interaction respectively. In the untimed case, $\sqsubseteq_{may}$ is alternatively characterized by the inclusion of the languages of events, and $\sqsubseteq_{must}$ by the possibility and necessity after a sequence of events.

Also for real-time communicating processes we can give such alternative characterizations, where $\sqsubseteq_{may}$ is the inclusion of the languages of timed events and $\sqsubseteq_{must}$ is the possibility and necessity, together with time, after a sequence of timed events. However, as a proof technique for the testing preorders these characterizations are inadequate. Since we take the time domain to be the non-negative real numbers, we have to consider infinitely many timed events to see when the events happen. We therefore ask which are the "essential timings" that characterize the preorders. Observing that the essential timings are the time-out points, which can be read off from the syntax of a real-time communicating process, we give finite characterizations for the regular class of real-time communicating processes. This idea for real-time communicating processes was originally presented for bisimulation semantics in [17]. We apply the idea to the testing semantics and develop "symbolic" alternative characterizations as a proof technique.

The structure of the paper is as follows. In section 2, we define a calculus for timed processes. In section 3, testing preorders are introduced in a standard manner and the first type of alternative characterization is presented. Section 4 presents a symbolic alternative characterization. In section 5, we compare our result with others and present concluding remarks.

2 Timed Process Calculus

Let $R^+$ be the set of positive real numbers and $R^{\geq 0} = R^+ \cup \{0\}$. A set of observable actions is given by $Act$, ranged over by $a, b, a_i, b_i, \ldots$. $\Delta = \{\epsilon(c) \mid c \in R^+\}$ is defined as the set of delay labels, following [23]. We write $A$ for $Act \cup \Delta$, ranged over by $\mu$. A set of process variables is given by $V$, ranged over by $x, y, \ldots$. We assume a constant $\infty$ that extends $R^{\geq 0}$ and satisfies the following conditions for all $r \in R^{\geq 0}$ with respect to the arithmetic operations:

  $r < \infty$,  $r + \infty = \infty + r = \infty$,  $\infty - r = \infty$

and we write $R^{\infty}$ for $R^{\geq 0} \cup \{\infty\}$.
A class of timed process expressions is defined by the following BNF:

  $E ::= nil \mid a.E \mid E_1 + E_2 \mid E_1 \oplus E_2 \mid E_1 /_d E_2 \mid x \mid rec\ x.E$

where $a \in Act$, $d \in R^{\geq 0}$ and $x \in V$. We write $\mathcal{P}_E$ for the set of timed process expressions. All occurrences of $x$ in the context $rec\ x.E$ are bound, and free otherwise. For $E, F \in \mathcal{P}_E$, $E[F/x]$ denotes the timed process expression in which all free occurrences of $x$ in $E$ are simultaneously replaced by $F$. A timed process expression is closed if it contains no free occurrence of a process variable. Following [17], we require the action guardedness condition for a timed process expression, defined as follows.

Definition 1 A process variable $x$ is guarded in $E$ if all occurrences of $x$ appear in the form $a.F$ for some subexpression $a.F$ of $E$. We say $E$ is guarded when all process variables appearing in $E$ are guarded in $E$, and $x$ is guarded in $F$ for every subexpression of $E$ of the form $rec\ x.F$.

As the basic operational semantics, we define a transition system $\langle \mathcal{P}_E, \rightarrow, A \rangle$ with the derivation relation $\rightarrow \subseteq (\mathcal{P}_E \times \mathcal{P}_E) \cup (\mathcal{P}_E \times A \times \mathcal{P}_E)$ given in table 1. We write $E \xrightarrow{\tau} E'$ if $(E, E') \in \rightarrow$ and $E \xrightarrow{\mu} E'$ if $(E, \mu, E') \in \rightarrow$. $E$ is called a regular timed process if it is closed and guarded. The set of regular timed processes is denoted by $\mathcal{P}$. From the construction of the SOS rules and the definition of $\mathcal{P}$, we get the following closure property of closed timed processes.

Lemma 1 If $P \in \mathcal{P}$, then $\{E \mid P \xrightarrow{\tau} E\} \cup \{E \mid P \xrightarrow{\mu} E, \mu \in A\} \subseteq \mathcal{P}$.

Henceforth we focus on the sub-LTS $\langle \mathcal{P}, \rightarrow, A \rangle$ to model exactly the timed processes. For this sub-LTS we use the following notation (footnote 1):

  $P \xrightarrow{\tau}$ if $P \xrightarrow{\tau} P'$ for some $P'$.
  $P \xrightarrow{\mu}$ if $P \xrightarrow{\mu} P'$ for some $P'$.
  $P \Rightarrow^{0} P'$ if $P (\xrightarrow{\tau})^{*} P'$.
  $P \Rightarrow^{c} P'$ if $P (\xrightarrow{\tau})^{*} \xrightarrow{\epsilon(c)} (\xrightarrow{\tau})^{*} P'$.
  $P \Rightarrow_{d} P'$ if $P \Rightarrow^{c_1} \cdots \Rightarrow^{c_n} P'$ for $c_i \in R^{\geq 0}$, $1 \leq i \leq n$, and $d = \sum_{i=1}^{n} c_i$.
  $P \xrightarrow{a}_{d} P'$ if $P \Rightarrow_{d} \xrightarrow{a} P'$.

Table 1: Operational semantics by derivations

  Inaction:        $nil \xrightarrow{\epsilon(c)} nil$
  Prefix:          $a.E \xrightarrow{a} E$;   $a.E \xrightarrow{\epsilon(c)} a.E$
  Time-out:        $E \xrightarrow{a} E'$ implies $E /_d F \xrightarrow{a} E'$;
                   $E \xrightarrow{\tau} E'$ implies $E /_d F \xrightarrow{\tau} E' /_d F$;
                   $E \xrightarrow{\epsilon(c)} E'$ implies $E /_d F \xrightarrow{\epsilon(c)} E' /_{d-c} F$ if $d \geq c$;
                   $E /_0 F \xrightarrow{\tau} F$
  External choice: $E \xrightarrow{\tau} E'$ implies $E + F \xrightarrow{\tau} E' + F$;   $F \xrightarrow{\tau} F'$ implies $E + F \xrightarrow{\tau} E + F'$;
                   $E \xrightarrow{a} E'$ implies $E + F \xrightarrow{a} E'$;   $F \xrightarrow{a} F'$ implies $E + F \xrightarrow{a} F'$;
                   $E \xrightarrow{\epsilon(c)} E'$ and $F \xrightarrow{\epsilon(c)} F'$ imply $E + F \xrightarrow{\epsilon(c)} E' + F'$
  Internal choice: $E \oplus F \xrightarrow{\tau} E$;   $E \oplus F \xrightarrow{\tau} F$
  Recursion:       $rec\ x.E \xrightarrow{\tau} E[rec\ x.E/x]$

$S(P) = \{a \in Act \mid P (\xrightarrow{\tau})^{*} \xrightarrow{a}\}$. The derivation relation has the following basic properties ([7][17][23]).

Lemma 2
1. (transition liveness) $P \xrightarrow{\tau}$ or $P \xrightarrow{\epsilon(c)}$ for some $c \in R^+$.
2. (time determinacy) $P \xrightarrow{\epsilon(c)} P'$ and $P \xrightarrow{\epsilon(c)} P''$ imply $P' \equiv P''$.
3. (time continuity) For $c_1, c_2 \in R^+$, $P \Rightarrow_{c_1 + c_2} P'$ if and only if $P \Rightarrow_{c_1} P''$ and $P'' \Rightarrow_{c_2} P'$ for some $P''$.
4. (maximal progress) $P \xrightarrow{\tau}$ implies $P \not\xrightarrow{\epsilon(c)}$.
5. (strong persistency) Whenever $P \xrightarrow{\epsilon(c)} P'$ for some $c \in R^+$, $P \xrightarrow{a}$ if and only if $P' \xrightarrow{a}$.

Proof: Induction on the structure of $P$. □

Note that the strong persistency property holds because the time-out operator performs the empty unobservable transition. Thus, if we take weak transitions, the property does not hold, as in [16].

3 Testing Preorders

3.1 Timed tests

We define the class of timed tests, the examiners, by the following BNF:

  $T ::= nil \mid a.T \mid \omega.T \mid T_1 /_d T_2 \mid T_1 + T_2 \mid T_1 \oplus T_2$

where $a \in Act$, $d \in R^{\geq 0}$ and $\omega \notin Act$. The set of all timed tests is denoted by $\mathcal{T}$. The operational semantics of timed tests is given by a transition system $\langle \mathcal{T}, \rightarrow, A \cup \{\omega\} \rangle$ where $\rightarrow$ is defined by table 1 together with the following SOS rule:

  $\omega.T \xrightarrow{\omega} T$

A timed test is essentially the same as a timed process, except that it has no recursion and there is a special action prefix $\omega$ indicating the successful termination of the interaction. This means that a process is observed by a finite sequence of observable actions.

3.2 Interaction System

The interaction system is a composition of a timed process and a timed test. The interaction between a timed process and a timed test is formally defined as follows.

Definition 2 An interaction system for $P$ and $T$, written $I(P, T)$, is a transition system $\langle I, \rightarrow_I \rangle$ where the states are $I = \mathcal{P} \times \mathcal{T}$ and the transition relation $\rightarrow_I \subseteq I \times R^{\geq 0} \times I$ is defined by table 2.
Following the literature [10], [18], we write $P \| T$ for a state $\langle P, T \rangle \in I$. We write $P \| T \xrightarrow{c}_{I} P' \| T'$ when $\langle P \| T, c, P' \| T' \rangle \in \rightarrow_I$.

Table 2: Interaction system

  $P \xrightarrow{\epsilon(c)} P'$ and $T \xrightarrow{\epsilon(c)} T'$ imply $P \| T \xrightarrow{c}_{I} P' \| T'$ if $S(P) \cap S(T) = \emptyset$
  $P \xrightarrow{\tau} P'$ implies $P \| T \xrightarrow{0}_{I} P' \| T$
  $T \xrightarrow{\tau} T'$ implies $P \| T \xrightarrow{0}_{I} P \| T'$
  $P \xrightarrow{a} P'$ and $T \xrightarrow{a} T'$ imply $P \| T \xrightarrow{0}_{I} P' \| T'$, where $a \in Act$

Definition 3 For an interaction system $I(P, T)$, a state $P \| T$ is successful whenever $T \xrightarrow{\omega}$. A (possibly infinite) sequence of transitions

  $P_0 \| T_0 \xrightarrow{c_1}_{I} P_1 \| T_1 \xrightarrow{c_2}_{I} \cdots \xrightarrow{c_n}_{I} P_n \| T_n \xrightarrow{c_{n+1}}_{I} \cdots$

is a computation from $P_0 \| T_0$ if one of the following conditions is satisfied: (1) the sequence is finite and the last state is successful; (2) the sequence is infinite and $\sum_i c_i$ is infinite. A computation satisfying (1) is called successful. Note that, differently from the untimed case, deadlocked failure does not happen, due to the transition liveness property. We exclude the "Zeno phenomenon" by condition (2).

We now establish the testing preorders as usual.

Definition 4 Let $P \in \mathcal{P}$ and $T \in \mathcal{T}$.
1. $P\ may\ T$ if some computation from $P \| T$ is successful.
2. $P\ must\ T$ if every computation from $P \| T$ is successful.

Definition 5 Let $\mathcal{E} \subseteq \mathcal{T}$.
1. $P \sqsubseteq^{\mathcal{E}}_{may} Q$ if for all $T \in \mathcal{E}$, $P\ may\ T$ implies $Q\ may\ T$.
2. $P \sqsubseteq^{\mathcal{E}}_{must} Q$ if for all $T \in \mathcal{E}$, $P\ must\ T$ implies $Q\ must\ T$.
3. $P \sqsubseteq^{\mathcal{E}} Q$ if $P \sqsubseteq^{\mathcal{E}}_{may} Q$ and $P \sqsubseteq^{\mathcal{E}}_{must} Q$.

When $\mathcal{E} = \mathcal{T}$, we simply write $P \sqsubseteq_{may} Q$, $P \sqsubseteq_{must} Q$ and $P \sqsubseteq Q$.

(Footnote 1: If necessary, we also use this notation for $\langle \mathcal{P}_E, \rightarrow, A \rangle$.)

3.3 Alternative Characterizations

Here we give alternative characterizations for the testing preorders defined above. The characterizations are direct extensions of those for untimed communicating processes, reflecting the "essential" pattern of testing. A finite sequence of pairs $\langle d_i, a_i \rangle$ with $d_i \in R^+$ and $a_i \in Act$,

  $\langle d_1, a_1 \rangle \langle d_2, a_2 \rangle \cdots \langle d_n, a_n \rangle$,

is called a timed word, and a set of timed words is called a timed language. The empty timed word is denoted by $\epsilon$ and the set of all timed words by $L_{Act} = (R^{\geq 0} \times Act)^{*}$. When $P \xrightarrow{a_1}_{d_1} \xrightarrow{a_2}_{d_2} \cdots \xrightarrow{a_n}_{d_n} P'$, we write $P \stackrel{\sigma}{\Longrightarrow} P'$ for the timed word $\sigma = \langle d_1, a_1 \rangle \langle d_2, a_2 \rangle \cdots \langle d_n, a_n \rangle$.

First we show that $\sqsubseteq_{may}$ is characterized by the inclusion relation between timed languages.

Definition 6 Let $P \in \mathcal{P}$. The timed language of $P$ is defined by $L(P) = \{\sigma \mid P \stackrel{\sigma}{\Longrightarrow}\}$.

For a timed word $\sigma$, a timed test $T_0(\sigma)$ is recursively defined with respect to $\sigma$ as follows:

  $T_0(\epsilon) = \omega.nil$
  $T_0(\langle d, a \rangle \sigma') = nil /_d (a.T_0(\sigma') /_0 nil)$

We write $\mathcal{T}_0 = \{T_0(\sigma) \mid \sigma \in L_{Act}\}$.

Lemma 3 $P \sqsubseteq^{\mathcal{T}_0}_{may} Q$ if and only if $P \sqsubseteq_{may} Q$.

Proof: The only-if part is obvious since $\mathcal{T}_0 \subseteq \mathcal{T}$. For the if part, suppose $P\ may\ T$. Then there exists a successful computation from $P \| T$. For this computation there exists a transition sequence of $T$ such that $T \stackrel{\sigma}{\Longrightarrow} T'' \Rightarrow_{d} T' \xrightarrow{\omega}$. Thus $P\ may\ T_0(\sigma)$. By the assumption, $Q\ may\ T_0(\sigma)$. Then $Q \| T \xrightarrow{c_1}_{I} \cdots \xrightarrow{c_n}_{I} Q' \| T''$, and by the transition liveness property (lemma 2(1)) $Q\ may\ T$. □

Lemma 4 $\sigma \in L(P)$ if and only if $P\ may\ T_0(\sigma)$.

Theorem 1 $P \sqsubseteq_{may} Q$ if and only if $L(P) \subseteq L(Q)$.

Proof: The theorem follows from lemmas 3 and 4. □

Next we show an alternative characterization of the must preorder.

Definition 7 $P \ll_{must} Q$ if the following holds: for $\sigma \in L(Q)$ and $c \in R^{\geq 0}$, $Q \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{c} Q'$ implies $S(P') \subseteq S(Q')$ for some $P'$ such that $P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{c} P'$.

Let $\delta \in R^+$, $\sigma \in L_{Act}$ and $a \in Act$. For a finite subset $A = \{a_1, \ldots, a_n\}$ of $Act$ and $d \in R^{\geq 0}$, timed tests $T^1_{\delta}(\sigma, a, d)$ and $T^2_{\delta}(\sigma, A, d)$ are recursively defined as follows:

  $T^1_{\delta}(\epsilon, a, d) = nil /_d (a.nil /_{\delta} \omega.nil)$
  $T^1_{\delta}(\langle d_1, a_1 \rangle \sigma, a, d) = nil /_{d_1} (a_1.T^1_{\delta}(\sigma, a, d) /_{\delta} \omega.nil)$
  $T^2_{\delta}(\epsilon, A, d) = nil /_d ((a_1.\omega.nil + \cdots + a_n.\omega.nil) /_{\delta} nil)$,  $A = \{a_1, a_2, \ldots, a_n\}$
  $T^2_{\delta}(\langle d_1, a_1 \rangle \sigma, A, d) = nil /_{d_1} (a_1.T^2_{\delta}(\sigma, A, d) /_{\delta} nil)$

We write $\mathcal{T}_e(\delta) = \{T^1_{\delta}(\sigma, a, d), T^2_{\delta}(\sigma, A, d) \mid \sigma \in L_{Act},\ \text{finite } A \subseteq Act,\ a \in Act,\ d \in R^{\geq 0}\}$. We shall show that $\mathcal{T}_e(\delta)$ is essential to verify $\sqsubseteq_{must}$ if $\delta$ is small enough to distinguish processes.

Lemma 5 For $\delta \in R^+$, $P \sqsubseteq^{\mathcal{T}_e(\delta)}_{must} Q$ implies $L(Q) \subseteq L(P)$.

Proof: By induction on the length of $\sigma$, it is shown that $P\ \not{must}\ T^1_{\delta}(\sigma, a, d)$ if and only if $\sigma \langle d, a \rangle \in L(P)$. Let $\sigma = \sigma' \langle d, a \rangle \in L(Q)$. Then, for all $\delta \in R^+$, $Q\ \not{must}\ T^1_{\delta}(\sigma', a, d)$. By the assumption, $P\ \not{must}\ T^1_{\delta}(\sigma', a, d)$. Thus $\sigma \in L(P)$. □

Lemma 6 For $\delta \in R^+$, $P \sqsubseteq^{\mathcal{T}_e(\delta)}_{must} Q$ implies $P \ll_{must} Q$.

Proof: Suppose that for all $\delta \in R^+$, $P \sqsubseteq^{\mathcal{T}_e(\delta)}_{must} Q$ and $P \not\ll_{must} Q$. Let $Q \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} Q'$; then $P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} P'$ for some $P'$ such that $S(P') \not\subseteq S(Q')$. Take $a$ such that $a \in S(P')$ and $a \notin S(Q')$. Then either $Q' \not\xrightarrow{a}_{0}$ or $Q' \xrightarrow{a}_{c}$ for some $c \in R^+$. In the former case, for all $\delta \in R^+$, $Q\ \not{must}\ T^2_{\delta}(\sigma, \{a\}, d)$ and $P\ must\ T^2_{\delta}(\sigma, \{a\}, d)$. In the latter case, take the least $c_0$ among such $c$. Then, for $\delta < c_0$, $Q\ \not{must}\ T^2_{\delta}(\sigma, \{a\}, d)$ and $P\ must\ T^2_{\delta}(\sigma, \{a\}, d)$. This completes the proof, since a contradiction is derived in both cases. □

Lemma 7 $P \ll_{must} Q$ implies $P \sqsubseteq_{must} Q$.

Proof: Suppose $P \ll_{must} Q$; we show that $Q\ \not{must}\ T$ implies $P\ \not{must}\ T$ for all $T \in \mathcal{T}$. Let $Q\ \not{must}\ T$. Then there exists an infinite computation from $Q \| T$,

  $Q \| T \xrightarrow{c_1}_{I} Q_1 \| T_1 \xrightarrow{c_2}_{I} \cdots \xrightarrow{c_n}_{I} Q_n \| T_n \xrightarrow{c_{n+1}}_{I} \cdots$

where $n$ is such that for all $m > n$, $S(T_{m-1}) = S(T_m)$, $S(Q_m) \cap S(T_m) = \emptyset$ and $T_n \not\xrightarrow{\omega}$. Such an $n$ exists since a timed test is finite. Thus, for some $\sigma \in L_{Act}$ and $d$, $Q \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} Q_n$. By the definition of $\ll_{must}$, there exists $P_k$ such that $P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} P_k$ and $S(P_k) \subseteq S(Q_n)$. Thus there exists a sequence of transitions $P \| T \xrightarrow{c'_1}_{I} \cdots \xrightarrow{c'_k}_{I} P_k \| T_n$, and $T_n$ will not change in the following transitions since $S(P_k) \subseteq S(Q_n)$. This concludes $P\ \not{must}\ T$. □

Theorem 2 $P \sqsubseteq_{must} Q$ if and only if $P \ll_{must} Q$.

Proof: For the "only-if" part, $P \sqsubseteq_{must} Q$ implies $P \sqsubseteq^{\mathcal{T}_e(\delta)}_{must} Q$ for all $\delta$, since $\mathcal{T}_e(\delta) \subseteq \mathcal{T}$. By lemma 6, $P \ll_{must} Q$. The "if" part is lemma 7. □

From theorem 1, theorem 2 and lemma 5, we obtain the following characterization of the testing preorder.

Corollary 1 $P \sqsubseteq Q$ if and only if $L(P) = L(Q)$ and $P \ll_{must} Q$.

For the alternative characterizations shown above, we have the following useful lemma for proving the preorders for regular timed processes.

Lemma 8 Let $rec\ x.E, P \in \mathcal{P}$. Then,
1. $L(E[P/x]) \subseteq L(P)$ implies $L(rec\ x.E) \subseteq L(P)$;
2.
$E[P/x] \ll_{must} P$ implies $rec\ x.E \ll_{must} P$.

Table 3: Life function $M$

  $M(x) = 0$
  $M(nil) = \infty$
  $M(a.E) = \infty$
  $M(E_1 /_d E_2) = \min(M(E_1), d)$
  $M(E_1 + E_2) = \min(M(E_1), M(E_2))$
  $M(E_1 \oplus E_2) = 0$
  $M(rec\ x.E) = M(E)$

4 Symbolic Alternative Characterizations

This section gives "symbolic" alternative characterizations as a proof technique. Due to the density of the time domain, the alternative characterizations of the previous section still require an infinite checking procedure with respect to time. But, by the construction of a process, there are only finitely many points at which a real-time communicating process may change its behavior through the timeout combinator. For example, the characterization of $a.nil /_5 b.nil$ can be divided into three cases: before time 5, exactly at time 5, and after time 5. Based on this observation, we define characterizations with respect to the time intervals that are "essential" for observing the behavior of a process.

4.1 Symbolic Transition Relation

We define the life time function $M : \mathcal{P}_E \rightarrow R^{\infty}$ by table 3. We also define a symbolic delay relation $\leadsto^{d} \subseteq \mathcal{P} \times \mathcal{P}$ as follows:

  $P \leadsto^{0} P'$ if $P (\xrightarrow{\tau})^{*} P'$.
  When $M(P) = d < \infty$, $P \xrightarrow{\epsilon(d)} P''$ and $P'' \leadsto^{d'} P'$ imply $P \leadsto^{d + d'} P'$.

If $P \leadsto^{d} P'$ for some $P'$, we simply write $P \leadsto^{d}$.

Lemma 9 When $P \in \mathcal{P}$, $\{d \mid P \leadsto^{d}\}$ is finite.

Proof: Suppose $\{d \mid P \leadsto^{d}\}$ is infinite. By the construction of $\leadsto^{d}$, there must be an infinite derivation from $P$ using only $\xrightarrow{\tau}$ and $\xrightarrow{\epsilon(c)}$. But this is impossible because of the guardedness condition and the definition of computation. □

In the rest of this subsection we present the basic properties with respect to the labeled transition system $\langle \mathcal{P}, \rightarrow, A \rangle$.

Lemma 10 $M(P) = d$ and $0 < d < \infty$ imply $P \xrightarrow{\epsilon(d)}$.

Lemma 11 $P \xrightarrow{\tau}$ implies $M(P) = 0$.

Lemma 12 When $P \xrightarrow{\epsilon(c)} P'$, one of the following holds:
1. $M(P) = \infty$;
2. $P \leadsto^{c} P'$ and $M(P') = 0$;
3. there exists $d$ such that $P \leadsto^{d} P'$, $M(P') > 0$ and $d \leq c < d + M(P)$.

A timed action is a triple $\langle d, a, t \rangle \in R^{\geq 0} \times Act \times R^{\infty}$ expressing that action $a$ is enabled after time $d$ for time $t$. We write $a^{t}_{d}$ for the timed action $\langle d, a, t \rangle$. The set of all timed actions is denoted by $\mathcal{A}_T$, ranged over by $\alpha, \beta$. The relation $a^{t}_{d} \succeq a^{u}_{e}$ over $\mathcal{A}_T$ holds if $e \geq d$ and $d + t \geq u + e$; we say that $a^{t}_{d}$ covers $a^{u}_{e}$, meaning that action $a$ in $a^{t}_{d}$ is possible whenever action $a$ is enabled in $a^{u}_{e}$. We write $a^{t}_{d} \between a^{u}_{e}$ when $d < e + u$ and $e < d + t$, meaning that action $a$ may be enabled in both $a^{t}_{d}$ and $a^{u}_{e}$ at the same time.

A sequence of timed actions is called a symbolic timed word. We use the notation $\sigma_s$ for a symbolic timed word. The empty symbolic timed word is denoted by $\epsilon_s$, and the set of all symbolic timed words by $L_T$. Let $\sigma_s = \alpha_1 \alpha_2 \cdots \alpha_n$ and $\sigma'_s = \alpha'_1 \alpha'_2 \cdots \alpha'_n$ be symbolic timed words; $\sigma_s \succeq \sigma'_s$ if $\alpha_i \succeq \alpha'_i$ for $1 \leq i \leq n$. Let $\Sigma_s \subseteq L_T$. Then

  $\Sigma_s \uparrow \epsilon_s = \{\sigma_s \in \Sigma_s \mid |\sigma_s| = 1\}$
  $\Sigma_s \uparrow \alpha' \sigma' = \Sigma'_s(\alpha') \uparrow \sigma'$, where $\Sigma'_s(\alpha') = \{\sigma_s \mid \alpha \sigma_s \in \Sigma_s,\ \alpha \between \alpha'\}$.

Let $A_T \subseteq \mathcal{A}_T$. $A_T$ covers $a^{t}_{d}$ if there exist $a^{t_i}_{d_i} \in A_T$ ($1 \leq i \leq n$) such that $d_1 \leq d$, $d + t \leq d_n + t_n$, and $d_i \leq d_{i+1} \leq d_i + t_i$ for $1 \leq i < n$.

Definition 8 The symbolic transition relation $\stackrel{a^{t}_{d}}{\mapsto}$ is defined as follows: $P \stackrel{a^{t}_{d}}{\mapsto} P'$ if for some $P''$, $P \leadsto^{d} P''$, $P'' \xrightarrow{a} P'$ and $M(P'') = t$.

Let $\sigma_s = \alpha_1 \alpha_2 \cdots \alpha_n \in \mathcal{A}_T^{*}$. We write $P \models \sigma_s \Rightarrow P'$ if $P \stackrel{\alpha_1}{\mapsto} \cdots \stackrel{\alpha_n}{\mapsto} P'$. Intuitively, $P \stackrel{a^{t}_{d}}{\mapsto} P'$ means that $P$ waits for time $d$ and then does action $a$ before time $t$ to become $P'$. This notion is justified by the time determinacy and time continuity properties.

Lemma 13 $P \xrightarrow{a} P'$ and $M(P) > 0$ imply $P \xrightarrow{a}_{d} P'$ for all $d$ such that $0 \leq d < M(P)$.

Lemma 14 Let $P \stackrel{a^{t}_{d}}{\mapsto} P'$.
1. $t = 0$ implies $P \xrightarrow{a}_{d} P'$.
2. $t > 0$ implies $P \xrightarrow{a}_{d'} P'$ for all $d'$ such that $d \leq d' < d + t$.

The derivation by the symbolic transition relation is finite.

Lemma 15 Let $P \in \mathcal{P}$. $\{\langle P', \alpha \rangle \mid P \stackrel{\alpha}{\mapsto} P', \alpha \in \mathcal{A}_T\}$ is finite.

Proof: From lemma 9, the $d$'s in $\alpha = a^{t}_{d} \in \{\alpha \mid P \stackrel{\alpha}{\mapsto}\}$ are finitely many. By the construction of $M(P)$, each $t$ must appear in a timeout operator $/_t$ or be $\infty$. And $P$ is finite branching with respect to communication.
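The life function $M$ of table 3, the symbolic delay relation $\leadsto^{d}$ and the symbolic transition relation $\mapsto$ of definition 8 can be computed mechanically for a closed, guarded process, which is what lemma 15 promises. The following Python block is an added example written for this page, not code from the paper or its authors. It encodes the syntax of section 2 as tuples, the SOS rules of table 1 that the relations need ($\tau$-transitions, action transitions and the delay transition $\epsilon(c)$), then $M$, $\leadsto$, $\mapsto$, and from these the set of symbolic timed words of bounded length (section 4.2 calls the full set $L_s(P)$; it is infinite for recursive processes, so a length bound is a parameter). Two choices are assumptions made here rather than statements of the paper: $\leadsto$ is read as closed under leading $\tau$-steps, the reading example 1 uses when it writes $P_2 \leadsto^{5} a$; and the filter `maximal` drops words covered position-wise by another word, because definition 8 also generates words at the timeout instant (for instance $a^{0}_{5}$ for $a.nil /_5 b.nil$, which $a^{5}_{0}$ covers since $0 + 5 \geq 5 + 0$), and dropping them is what reproduces the sets the paper lists. All sample processes are constructed for this example.

```python
"""Added example: life function M (table 3), symbolic delay ~~>^d and the
symbolic transition relation |-> (definition 8) for the timed process calculus.
Processes are tuples:  ("nil",) | ("pre", a, E) | ("sum", E, F) | ("int", E, F)
                       | ("tout", E, d, F) | ("var", x) | ("rec", x, E)."""
import math

INF = math.inf  # the constant "infinity" extending the non-negative reals


def nil(): return ("nil",)
def pre(a, e): return ("pre", a, e)          # a.E
def ext(e, f): return ("sum", e, f)          # external choice E + F
def intc(e, f): return ("int", e, f)         # internal choice E (+) F
def tout(e, d, f): return ("tout", e, d, f)  # time-out E /d F
def var(x): return ("var", x)
def rec(x, e): return ("rec", x, e)          # rec x.E


def subst(e, x, f):
    """E[F/x]: replace the free occurrences of x in e by f."""
    k = e[0]
    if k == "pre": return ("pre", e[1], subst(e[2], x, f))
    if k in ("sum", "int"): return (k, subst(e[1], x, f), subst(e[2], x, f))
    if k == "tout": return ("tout", subst(e[1], x, f), e[2], subst(e[3], x, f))
    if k == "var": return f if e[1] == x else e
    if k == "rec": return e if e[1] == x else ("rec", e[1], subst(e[2], x, f))
    return e


def life(e):
    """Life function M of table 3."""
    k = e[0]
    if k == "var": return 0
    if k in ("nil", "pre"): return INF
    if k == "tout": return min(life(e[1]), e[2])
    if k == "sum": return min(life(e[1]), life(e[2]))
    if k == "int": return 0
    return life(e[2])  # rec x.E


def tau_steps(e):
    """{E' | E -tau-> E'} by the tau rules of table 1 (time-out at 0 fires tau)."""
    k = e[0]
    if k == "tout":
        out = {("tout", e1, e[2], e[3]) for e1 in tau_steps(e[1])}
        return out | ({e[3]} if e[2] == 0 else set())
    if k == "sum":
        return {("sum", e1, e[2]) for e1 in tau_steps(e[1])} | \
               {("sum", e[1], f1) for f1 in tau_steps(e[2])}
    if k == "int": return {e[1], e[2]}
    if k == "rec": return {subst(e[2], e[1], e)}
    return set()


def act_steps(e):
    """{(a, E') | E -a-> E'} for observable actions a (table 1)."""
    k = e[0]
    if k == "pre": return {(e[1], e[2])}
    if k == "tout": return act_steps(e[1])
    if k == "sum": return act_steps(e[1]) | act_steps(e[2])
    return set()


def delay(e, c):
    """E' with E -eps(c)-> E' for c > 0, or None when time cannot pass (table 1)."""
    k = e[0]
    if k in ("nil", "pre"): return e
    if k == "tout" and c <= e[2]:
        e1 = delay(e[1], c)
        return None if e1 is None else ("tout", e1, e[2] - c, e[3])
    if k == "sum":
        e1, f1 = delay(e[1], c), delay(e[2], c)
        return None if e1 is None or f1 is None else ("sum", e1, f1)
    return None  # expired time-out, internal choice, rec, var: no delay transition


def tau_closure(p):
    """{P' | P (-tau->)* P'}."""
    seen, todo = {p}, [p]
    while todo:
        for r in tau_steps(todo.pop()):
            if r not in seen:
                seen.add(r); todo.append(r)
    return seen


def symbolic_delays(p):
    """{(d, P') | P ~~>^d P'}: tau-closure, then delay by M when 0 < M < INF.
    Assumption (see lead-in): ~~> is closed under leading tau-steps."""
    result, todo = set(), [(0, p)]
    while todo:
        d, q = todo.pop()
        for r in tau_closure(q):
            if (d, r) not in result:
                result.add((d, r))
                m = life(r)
                if 0 < m < INF and delay(r, m) is not None:
                    todo.append((d + m, delay(r, m)))
    return result


def symbolic_steps(p):
    """{(a^t_d, P') | P |-a^t_d-> P'}: P ~~>^d P'', P'' -a-> P', t = M(P'')."""
    return {((d, a, life(q)), r) for d, q in symbolic_delays(p) for a, r in act_steps(q)}


def symbolic_language(p, max_len):
    """Symbolic timed words of length <= max_len, as tuples of (d, a, t) triples."""
    words, frontier = {()}, {((), p)}
    for _ in range(max_len):
        frontier = {(w + (alpha,), r) for w, q in frontier for alpha, r in symbolic_steps(q)}
        words |= {w for w, _ in frontier}
    return words


def covers(alpha, beta):
    """a^t_d covers a^u_e iff e >= d and d + t >= u + e (same action)."""
    d, a, t = alpha
    e, b, u = beta
    return a == b and e >= d and d + t >= u + e


def maximal(words):
    """Drop every word covered position-wise by a different word of the same length."""
    def covered(w, v):
        return len(w) == len(v) and w != v and all(covers(b, a) for a, b in zip(w, v))
    return {w for w in words if not any(covered(w, v) for v in words)}


# Constructed samples: a.nil /5 b.nil (section 4.2), P2, Q2 (example 1), Q3 (example 2).
A, B = pre("a", nil()), pre("b", nil())
AB = tout(A, 5, B)
P2 = intc(tout(nil(), 5, A), tout(nil(), 6, B))
Q2 = tout(nil(), 5, tout(A, 1, ext(A, B)))
Q3 = rec("x", pre("coin", tout(pre("coffee", var("x")), 20, var("x"))))
Q3P = tout(pre("coffee", Q3), 20, Q3)   # the Q3' reached after coin

if __name__ == "__main__":
    for name, p in (("a.nil /5 b.nil", AB), ("P2", P2), ("Q2", Q2), ("Q3'", Q3P)):
        print(name, sorted(maximal(symbolic_language(p, 1))))
```

Running the block prints, for each sample, the covering-maximal one-step symbolic words: $\{\epsilon_s, a^{5}_{0}, b^{\infty}_{5}\}$ for $a.nil /_5 b.nil$, $\{\epsilon_s, a^{\infty}_{5}, b^{\infty}_{6}\}$ for $P_2$ and $\{\epsilon_s, a^{1}_{5}, a^{\infty}_{6}, b^{\infty}_{6}\}$ for $Q_2$, the sets used in section 4.2 and example 1; `symbolic_language(AB, 1)` without the filter also contains $a^{0}_{5}$.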
□

4.2 Symbolic Characterization of $\sqsubseteq_{may}$

Definition 9 The symbolic timed language of $P$ is defined as $L_s(P) = \{\sigma_s \mid P \models \sigma_s \Rightarrow\}$.

A symbolic timed word specifies a timed language by the timeout points. For example, $L_s(a.nil /_5 b.nil) = \{\epsilon_s, a^{5}_{0}, b^{\infty}_{5}\}$, which specifies the timed language $\{\epsilon, \langle a, t \rangle, \langle b, u \rangle \mid 0 \leq t \leq 5,\ u \geq 5\}$.

Definition 10 The covering relation is defined as follows:
(1) $\sigma_s \in \Sigma_s$ implies $\sigma_s \preceq \Sigma_s$;
(2) $(\Sigma_s \uparrow \sigma_s)$ covers $\alpha$ implies $\sigma_s \alpha \preceq \Sigma_s$.

We write $\Sigma'_s \preceq \Sigma_s$ if $\sigma_s \preceq \Sigma_s$ for all $\sigma_s \in \Sigma'_s$. Intuitively, $L_s(P) \preceq L_s(Q)$ means that the timed language specified by $L_s(P)$ is covered by some timed language specified by $L_s(Q)$. In the rest of this subsection we show that the covering relation characterizes $\sqsubseteq_{may}$. First we show the adequacy of the characterization; before that, we show the following technical lemma.

Lemma 16 Let $P \xrightarrow{a}_{d} P'$ and $\{Q_1, \ldots, Q_n\} \subseteq \mathcal{P}$. Then $L_s(P) \preceq \bigcup_i L_s(Q_i)$ implies $L_s(P') \preceq \bigcup_i \{L_s(Q') \mid Q_i \xrightarrow{a}_{d} Q'\}$.

Proof: Let $P''$ be such that $P \Rightarrow_{d} P'' \xrightarrow{a} P'$. By repeated applications of lemma 11 and lemma 12, one of the following holds: (1) $M(P'') = 0$ and $d = d_0$; (2) $M(P'') > 0$ and $d_0 \leq d < d_0 + M(P'')$, where $P \leadsto^{d_0} P''$. We prove each case.

(1): $M(P'') = 0$ and $d = d_0$. If $\epsilon_s \in L_s(P')$: since $a^{0}_{d} \in L_s(P)$ and $L_s(P) \preceq \bigcup_{k=1}^{n} L_s(Q_k)$, it follows that $(\bigcup_{k=1}^{n} L_s(Q_k) \uparrow \epsilon_s)$ covers $a^{0}_{d}$. Thus there exist $a^{t_l}_{d_l}$ for $1 \leq l \leq m$ such that $\{a^{t_1}_{d_1}, \ldots, a^{t_m}_{d_m}\} \subseteq \bigcup_{k=1}^{n} L_s(Q_k)$ and $d_1 \leq d \leq d_m + t_m$, where $d_j \leq d_{j+1}$ and $d_{j+1} \leq d_j + t_j$ ($1 \leq j < m$). Then, for some $j$, $Q_j \models a^{t_j}_{d_j} \Rightarrow Q'_j$ and $d_j \leq d < d_j + t_j$. Since by lemma 14 $Q_j \xrightarrow{a}_{d} Q'_j$, $\bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\} \neq \emptyset$. Then, by the definition, $\epsilon_s \preceq \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$, since $\epsilon_s \in L_s(P)$ for every $P$. If $\sigma'_s \in L_s(P')$: since $a^{0}_{d} \sigma'_s \in L_s(P)$, $(\bigcup_{k=1}^{n} L_s(Q_k) \uparrow a^{0}_{d} \sigma'_s)$ covers each timed action of $\sigma'_s$. Thus for $\sigma'_s$ there exists $\mathcal{Q}(\sigma'_s)$ such that $\mathcal{Q}(\sigma'_s) \subseteq \bigcup_{k=1}^{n} \{Q' \mid Q_k \stackrel{\beta}{\mapsto} Q', \beta \between a^{0}_{d}\}$ and $(\bigcup \{L_s(R) \mid R \in \mathcal{Q}(\sigma'_s)\} \uparrow \sigma'_s)$ covers, so that $\sigma'_s \preceq \bigcup \{L_s(R) \mid R \in \mathcal{Q}(\sigma'_s)\}$. Then, since by lemma 14 $\mathcal{Q}(\sigma'_s) \subseteq \bigcup_{k=1}^{n} \{Q' \mid Q_k \xrightarrow{a}_{d} Q'\}$, $\sigma'_s \preceq \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$. Thus $L_s(P') \preceq \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$ in case (1).

(2): $M(P'') > 0$ and $d_0 \leq d < d_0 + M(P'')$. If $\epsilon_s \in L_s(P')$: since $a^{M(P'')}_{d_0} \in L_s(P)$, there exist $a^{t_l}_{d_l}$ for $1 \leq l \leq m$ such that $d_1 \leq d_0$, $d_0 + M(P'') \leq d_m + t_m$, $d_i \leq d_{i+1}$, $d_{i+1} \leq d_i + t_i$ and $\{a^{t_1}_{d_1}, \ldots, a^{t_m}_{d_m}\} \subseteq \bigcup_{k=1}^{n} L_s(Q_k)$. Since $d_0 \leq d < d_0 + M(P'')$, for $d$ there exists $j$ such that $a^{t_j}_{d_j} \between a^{M(P'')}_{d_0}$, $d_j \leq d < d_j + t_j$ and $Q_j \stackrel{a^{t_j}_{d_j}}{\mapsto} Q'_j$. Since by lemma 14 $Q_j \xrightarrow{a}_{d} Q'_j$, $\epsilon_s \in \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$, showing $\epsilon_s \preceq \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$. If $\sigma'_s \in L_s(P')$: since $a^{M(P'')}_{d_0} \sigma'_s \in L_s(P)$, $(\bigcup_{k=1}^{n} \{L_s(R) \mid Q_k \stackrel{\beta}{\mapsto} R, \beta \between a^{M(P'')}_{d_0}\} \uparrow \sigma'_s)$ covers. Meanwhile, $\beta \between a^{M(P'')}_{d_0}$ implies $Q_k \xrightarrow{a}_{d} R$ when $Q_k \stackrel{\beta}{\mapsto} R$, by lemma 14. This establishes that $(\bigcup_{k=1}^{n} \{L_s(R) \mid Q_k \xrightarrow{a}_{d} R\} \uparrow \sigma'_s)$ covers, hence $\sigma'_s \preceq \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$. Thus $L_s(P') \preceq \bigcup_{k=1}^{n} \{L_s(Q') \mid Q_k \xrightarrow{a}_{d} Q'\}$ in case (2). □

Lemma 17 $L_s(P) \preceq L_s(Q)$ implies $L(P) \subseteq L(Q)$.

Proof: We prove the following by induction on the length of $\sigma$: for $\sigma \in L(P)$, $L_s(P) \preceq \bigcup_{i=1}^{n} L_s(Q_i)$ implies $\sigma \in \bigcup_{i=1}^{n} L(Q_i)$. For $\sigma = \epsilon$ it is trivial. Let $\sigma = \langle d, a \r
angle \sigma'$. Then there exists $P'$ such that $P \xrightarrow{a}_{d} P'$ and $\sigma' \in L(P')$. By lemma 16, $L_s(P') \preceq \bigcup_i \{L_s(Q'_{i,j}) \mid Q_i \xrightarrow{a}_{d} Q'_{i,j}\}$. By the induction hypothesis, $\sigma' \in \bigcup_{i,j} L(Q'_{i,j})$. Thus $\sigma \in \bigcup_i L(Q_i)$. Taking $\{Q_i\}$ to be $\{Q\}$ completes the proof. □

Next we show the abstractness of the characterization. We introduce a function that expands a symbolic timed word to the timed language it specifies:

  $exp(\epsilon_s) = \{\epsilon\}$
  $exp(a^{0}_{d} \sigma_s) = \{\langle d, a \rangle \sigma \mid \sigma \in exp(\sigma_s)\}$
  $exp(a^{t}_{d} \sigma_s) = \{\langle d', a \rangle \sigma \mid \sigma \in exp(\sigma_s),\ d \leq d' < d + t\}$  $(t > 0)$

Lemma 18 $L(P) \subseteq L(Q)$ implies $L_s(P) \preceq L_s(Q)$.

Proof: We prove the contrapositive. Suppose $L_s(P) \not\preceq L_s(Q)$. Then there exists $\sigma_s a^{t}_{d} \in L_s(P)$ such that $(L_s(Q) \uparrow \sigma_s)$ does not cover $\alpha = a^{t}_{d}$. (1) $L_s(Q) \uparrow \sigma_s = \emptyset$: for $\sigma \in exp(\sigma_s a^{t}_{d})$, $\sigma \in L(P)$ and $\sigma \notin L(Q)$, namely $L(P) \not\subseteq L(Q)$. (2) $L_s(Q) \uparrow \sigma_s = \{a^{t_1}_{d_1}, \ldots, a^{t_n}_{d_n}\}$: since $(L_s(Q) \uparrow \sigma_s)$ does not cover $\alpha = a^{t}_{d}$, there exists $e$ such that $d \leq e < t + d$ and, for all $1 \leq i \leq n$, $e < d_i$ or $d_i + t_i \leq e$. Then, for $\sigma \in exp(\sigma_s)$, $\sigma \langle e, a \rangle \in L(P)$ and $\sigma \langle e, a \rangle \notin L(Q)$. Thus $L(P) \not\subseteq L(Q)$. □

The combination of lemma 17 with lemma 18 shows full abstractness.
Theorem 3 $L_s(P) \preceq L_s(Q)$ if and only if $L(P) \subseteq L(Q)$.

Corollary 2 $L_s(P) \preceq L_s(Q)$ if and only if $P \sqsubseteq_{may} Q$.

Corollary 3 $L_s(E[P/x]) \preceq L_s(P)$ implies $L_s(rec\ x.E) \preceq L_s(P)$.

Thus, together with lemma 15, we can finitely prove $\sqsubseteq_{may}$ for the regular class of real-time communicating processes.

4.3 Symbolic Characterization of $\sqsubseteq_{must}$

In this subsection we present a symbolic alternative characterization for $\sqsubseteq_{must}$. The underlying idea of the characterization is to consider the essential type of timed tests, shown in definition 7, only at the timeout points. In the characterization we use the following "past" notation. Let

  $P/\langle \sigma'_s, c \rangle = \{R \mid P \models \sigma'_s \Rightarrow \leadsto^{c} R,\ M(R) = 0\} \cup \{R \mid P \models \sigma'_s \Rightarrow \leadsto^{c'} R,\ c' \leq c < c' + M(R) \text{ for some } c'\}$.

$P/\langle \sigma'_s, c \rangle$ denotes the set of timed processes reached after the symbolic timed word $\sigma'_s$ is performed and time $c$ has passed.

Definition 11 $P \ll^{sym}_{must} Q$ if for $\sigma_s \in L_s(Q)$ and $d \in R^{\geq 0}$, $Q \models \sigma_s \Rightarrow \leadsto^{d} Q'$ implies the following (1) and (2):
(1) $\sigma_s \preceq \{\sigma'_s \in L_s(P) \mid \sigma'_s \between \sigma_s\}$;
(2) for $\sigma'_s \between \sigma_s$ with $\sigma'_s \in L_s(P)$, either (2-a) or (2-b) holds:
  (2-a) when $M(Q') = 0$: there exists $P'$ such that $P' \in P/\langle \sigma'_s, d \rangle$ and $S(P') \subseteq S(Q')$;
  (2-b) when $M(Q') > 0$: for all $c' \in \{d\} \cup \{c \mid d \leq c < d + M(Q'),\ P \models \sigma'_s \Rightarrow \leadsto^{c}\}$, there exists $P'$ such that $P' \in P/\langle \sigma'_s, c' \rangle$ and $S(P') \subseteq S(Q')$.

We show the equivalence between $\ll^{sym}_{must}$ and $\ll_{must}$ in the rest of this subsection. First we show the adequacy of the characterization.

Lemma 19 $P \ll^{sym}_{must} Q$ implies $P \ll_{must} Q$.

Proof: Suppose $Q \stackrel{\sigma}{\Longrightarrow} Q'' \Rightarrow_{d} Q'$ and $P \ll^{sym}_{must} Q$. We show the existence of $P'$ and $P''$ such that $P \stackrel{\sigma}{\Longrightarrow} P'' \Rightarrow_{d} P'$ and $S(P') \subseteq S(Q')$. Let $\sigma = \langle d_1, a_1 \rangle \cdots \langle d_n, a_n \rangle$. Then there exists a symbolic word $\sigma_s = \alpha_1 \cdots \alpha_n$ such that for each $\alpha_i = a_i{}^{u_i}_{e_i}$ either $u_i = 0$ and $d_i = e_i$, or $u_i > 0$ and $e_i \leq d_i < e_i + u_i$. Then $Q \models \sigma_s \Rightarrow Q''$, and also $\sigma \in exp(\sigma_s)$. For $Q'' \Rightarrow_{d} Q'$, let $Q'' \leadsto^{d_s} Q'$; then either $M(Q') = 0$ and $d_s = d$, or $M(Q') > 0$ and $d_s \leq d < d_s + M(Q')$. From condition (1) of definition 11 and lemma 17, there exists $\sigma'_s$ such that $\sigma \in exp(\sigma'_s)$ and $\sigma'_s \between \sigma_s$. For this $\sigma'_s$ we show that one of the conditions in (2) holds.

If $M(Q') = 0$: when $P' \in \{R \mid P \models \sigma'_s \Rightarrow \leadsto^{d} R,\ M(R) = 0\}$ and $S(P') \subseteq S(Q')$, we have $P \models \sigma'_s \Rightarrow \Rightarrow_{d} P'$; from $\sigma \in exp(\sigma'_s)$, $P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} P'$. Otherwise $P' \in \{R \mid P \models \sigma'_s \Rightarrow \leadsto^{c'} R,\ M(R) > 0,\ c' \leq d < c' + M(R)\}$ and $S(P') \subseteq S(Q')$, so $P \models \sigma'_s \Rightarrow P'' \leadsto^{c'} P'$. Since $\sigma \in exp(\sigma'_s)$ and $P'' \Rightarrow_{d} P'$ by lemma 12(3), $P \stackrel{\sigma}{\Longrightarrow} P'' \Rightarrow_{d} P'$.

If $M(Q') > 0$: let $C = \{c \mid d_s \leq c < d_s + M(Q'),\ P \models \sigma'_s \Rightarrow \leadsto^{c}\}$. If $C = \emptyset$, then there exists $P' \in P/\langle \sigma'_s, d_s \rangle$ such that $S(P') \subseteq S(Q')$. Let $P \models \sigma'_s \Rightarrow P'' \leadsto^{e} P'$; then $d_s + M(Q') \leq e + M(P')$. Then, for all $e'$ such that $d_s \leq e' < d_s + M(Q')$, $P'' \Rightarrow_{e'} P'$. If $C = \{c_i \mid i = 1, 2, \ldots\}$, then for every $e$ with $c_1 \leq e < d_s + M(Q')$ there exists $i$ such that $c_i \leq e < d_s + M(Q')$. Let $R_j$ be such that $P \models \sigma'_s \Rightarrow \leadsto^{c_j} R_j$; then by the assumption $S(R_j) \subseteq S(Q')$ for all $j$. Then, if $c_1 \leq d < d_s + M(Q')$, there exists $i$ such that $P \models \sigma'_s \Rightarrow \Rightarrow_{d} P' = R_i$. If $d_s \leq d < c_1$, there exists some $P' \in P/\langle \sigma'_s, d_s \rangle$ such that $P \models \sigma'_s \Rightarrow \Rightarrow_{d} P'$. □

Next we present the abstractness of the characterization.

Lemma 20 $P \ll_{must} Q$ implies $P \ll^{sym}_{must} Q$.

Proof: We derive a contradiction supposing $P \ll_{must} Q$ and $P \not\ll^{sym}_{must} Q$. Let $Q \models \sigma_s \Rightarrow \leadsto^{d_s} Q'$. Suppose also $\Sigma'_s = \{\sigma'_s \in L_s(P) \mid \sigma_s \between \sigma'_s\}$ and $\sigma_s \preceq \Sigma'_s$. Then there must be $\rho_s \in L_s(P)$ such that $\rho_s \between \sigma_s$ and neither condition (2-a) nor (2-b) holds.

If $M(Q') = 0$: for all $P' \in P/\langle \rho_s, d_s \rangle$, $S(P') \not\subseteq S(Q')$. Then, for some $\sigma \in exp(\rho_s)$ and $d = d_s$, $\{R \mid P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} R\} \subseteq P/\langle \rho_s, d_s \rangle$. Then, for $Q \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} Q'$, there is no $P'$ such that $P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} P'$ and $S(P') \subseteq S(Q')$. This contradicts $P \ll_{must} Q$.

If $M(Q') > 0$: let $\sigma \in exp(\rho_s) \cap exp(\sigma_s) \neq \emptyset$. Then, from lemma 12(3), for $d$ such that $d_s \leq d < d_s + M(Q')$, $Q \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} Q'$. From $P \ll_{must} Q$, for all such $d$ there must exist $P'$ such that $P \stackrel{\sigma}{\Longrightarrow} \Rightarrow_{d} P'$ and $S(P') \subseteq S(Q')$. But this establishes condition (2-b), contradicting $P \not\ll^{sym}_{must} Q$. □

From lemma 19 and lemma 20, we obtain the following characterization.

Theorem 4 $P \ll^{sym}_{must} Q$ if and only if $P \ll_{must} Q$.

Corollary 4 $P \ll^{sym}_{must} Q$ if and only if $P \sqsubseteq_{must} Q$.

Corollary 5 $E[P/x] \ll^{sym}_{must} P$ implies $rec\ x.E \ll^{sym}_{must} P$.
Together with lemma 15, we can finitely check the preorder for the regular class of real-time communicating processes.

4.4 Examples

We end this section by showing some example proofs using the symbolic alternative characterizations. For notational convenience, we simply write $a$ for $a.nil$ in what follows.

Example 1 Let $P_2 = (nil /_5 a) \oplus (nil /_6 b)$ and $Q_2 = nil /_5 (a /_1 (a + b))$. Then $L_s(P_2) = \{\epsilon_s, a^{\infty}_{5}, b^{\infty}_{6}\}$ and $L_s(Q_2) = \{\epsilon_s, a^{1}_{5}, a^{\infty}_{6}, b^{\infty}_{6}\}$. Since $L_s(P_2) \preceq L_s(Q_2)$ and $L_s(Q_2) \preceq L_s(P_2)$, $P_2 \sqsubseteq_{may} Q_2$ and $Q_2 \sqsubseteq_{may} P_2$. Thus, for $P_2$ and $Q_2$, condition (1) of definition 11 holds. For $Q_2 \leadsto^{5} a /_1 (a + b)$, $S(a /_1 (a + b)) = \{a\}$ and $M(a /_1 (a + b)) = 1$. Then $P_2 \leadsto^{5} a$ and $M(a) = \infty$ make condition (2-b) hold. For $Q_2 \leadsto^{6} a /_0 (a + b)$, $P_2 \leadsto^{5} a$ satisfies condition (2-a). For $Q_2 \leadsto^{6} a + b$, $P_2 \leadsto^{6} b$ satisfies condition (2-b). And for $Q_2 \models a^{1}_{5} \Rightarrow nil$ and $Q_2 \models a^{\infty}_{6} \Rightarrow nil$ there is $P_2 \models a^{\infty}_{5} \Rightarrow nil$, and for $Q_2 \models b^{\infty}_{6} \Rightarrow nil$ there is $P_2 \models b^{\infty}_{6} \Rightarrow nil$. Thus $P_2 \ll^{sym}_{must} Q_2$. But for $P_2 \models \epsilon_s \Rightarrow \leadsto^{6} b$, $\{c \mid 6 \leq c,\ Q_2 \models \epsilon_s \Rightarrow \leadsto^{c}\} = \{6\}$, and $Q_2/\langle \epsilon_s, 6 \rangle = \{a, a + b\}$. Then there is no symbolic transition that satisfies condition (2-b). Therefore $Q_2 \not\ll^{sym}_{must} P_2$.

Example 2 For the vending machine example [17], we can show that $P_3$, which is less deterministic than $Q_3$ with respect to timeout, is related below it in the sense of must by our characterization:

  $P_3 = rec\ x.coin.(coffee.x /_{20} x \oplus coffee.x /_{21} x)$
  $Q_3 = rec\ x.coin.(coffee.x /_{20} x)$

Since $L_s(coin.(coffee.x /_{20} x)[P_3/x]) = L_s(coin.(coffee.P_3 /_{20} P_3)) \preceq L_s(P_3)$, by corollary 3 $L_s(Q_3) \preceq L_s(P_3)$. Now let $R_3 = coin.(coffee.Q_3 /_{20} Q_3 \oplus coffee.Q_3 /_{21} Q_3)$. If we can show that $R_3 \ll^{sym}_{must} Q_3$, then by corollary 5 we can conclude that $P_3 \ll^{sym}_{must} Q_3$. First, since $L_s(Q_3) \preceq L_s(P_3)$, condition (1) of definition 11 is satisfied. Here $M(R_3) = M(Q_3) = \infty$ and $S(R_3) = S(Q_3) = \{coin\}$. Let $Q'_3 = coffee.Q_3 /_{20} Q_3$ and $Q''_3 = coffee.Q_3 /_0 Q_3$. Then $Q_3 \models coin^{\infty}_{0} \Rightarrow Q'_3$ where $M(Q'_3) = 20$. And $Q'_3 \leadsto^{20} Q''_3$, $Q'_3 \leadsto^{20} Q_3$ and $Q'_3 \models coffee^{20}_{0} \Rightarrow Q_3$. Let $R'_3 = coffee.Q_3 /_{20} Q_3 \oplus coffee.Q_3 /_{21} Q_3$; then $R_3 \stackrel{coin^{\infty}_{0}}{\mapsto} R'_3$. We have the following three cases.

(1) For $Q_3 \models coin^{\infty}_{0} \Rightarrow \leadsto^{0} Q'_3$, $M(Q'_3) = 20 > 0$. Thus we check condition (2-b). Now $\{0\} \cup \{c \mid 0 \leq c < 20,\ R_3 \models coin^{\infty}_{0} \Rightarrow \leadsto^{c}\} = \{0\}$. For $0$, $R_3/\langle coin^{\infty}_{0}, 0 \rangle = \{R'_3,\ coffee.Q_3 /_{20} Q_3,\ coffee.Q_3 /_{21} Q_3\}$, and $S(R'_3) = \{coffee\} \subseteq S(Q'_3) = \{coffee\}$ makes the condition hold.

(2) For $Q_3 \models coin^{\infty}_{0} \Rightarrow \leadsto^{20} Q''_3$, $M(Q''_3) = 0$. Thus we check condition (2-a). $R_3/\langle coin^{\infty}_{0}, 20 \rangle = \{coffee.Q_3 /_0 Q_3,\ Q_3\}$, and $S(R'_3) = \{coffee\} \subseteq S(coffee.Q_3 /_0 Q_3) = \{coffee\}$.

(3) For $Q_3 \models coin^{\infty}_{0} \Rightarrow \leadsto^{20} Q_3$, $M(Q_3) = \infty$. Thus we check condition (2-b). $\{20\} \cup \{c \mid 20 \leq c < \infty,\ R_3 \models coin^{\infty}_{0} \Rightarrow \leadsto^{c}\} = \{20, 21\}$. For $20$, $Q_3 \in R_3/\langle coin^{\infty}_{0}, 20 \rangle$ satisfies the condition. For $21$, $Q_3 \in R_3/\langle coin^{\infty}_{0}, 21 \rangle$ also satisfies the condition. Hence the transitions from $R_3$ are the same as those from $Q_3$, and we have condition (2).

Conversely, for $R_3 \models coin^{\infty}_{0} \Rightarrow \leadsto^{21} coffee.Q_3 /_0 Q_3$, there exists no $R$ such that $Q_3 \models coin^{\infty}_{0} \Rightarrow \Rightarrow_{21} R$ and $coffee \in S(R)$. Thus $Q_3 \not\ll^{sym}_{must} P_3$.

5 Concluding Remarks

In this paper, we have presented a testing framework for real-time communicating processes, extended to deal with time constraints on communication. The time domain dealt with is the real numbers. Our calculus is extended by the "timeout" combinator $/_d$, where $P /_d Q$ is intended to denote the process that behaves like $P$ if $P$ performs any observable event before time $d$, and behaves like $Q$ otherwise. We have established the testing preorders for the extended calculus of real-time communicating processes and the alternative characterizations, which are fully abstract with respect to the testing preorders, focusing on the "essential" type of timed tests. Moreover, we have given another type of alternative characterization, called symbolic alternative characterizations, needed to establish a proof technique for the regular class of real-time communicating processes.

Our calculus for real-time communicating processes is based on the sub-calculus of Timed CSP [7] and Timed CCS [23].
We chose the timeout operator presented in [19] as a time-constraint combinator, which is considered general enough. For example, we can define the delay prefix [23] $\epsilon(c).E$ as $nil /_c E$. In [23], the timeout is presented by rules stating that a transition must take priority over the passage of time. [19] also uses the timeout operation as the time constraint. Since their approach of modeling a process as a graph is also based on strong bisimulation, it differs from our approach. But, for untimed processes, the testing preorder can be related to it by constructing acceptance graphs [6]. It is a future topic to investigate such a relation for real-time communicating processes.

The "symbolic" technique presented here was first studied in [17] for strong bisimulation. In [17], a logical characterization is presented as a proof technique. We studied the technique for the testing preorders and established the "symbolic" alternative characterizations as a proof technique. One of the advantages of the testing preorders is that they are formulated as preorders of nondeterminism. In our observation, if the timing at which a choice is made is uncertain, then it should be treated as nondeterminism. Thus, in the testing preorders, we can conclude the third example in the previous section, while the processes are treated as unequal in the bisimulation semantics.

The symbolic alternative characterizations given here cannot deal with time constraints bound by communications, as presented in [4][16]. By using another type of "symbolic" technique [9], these can be treated in a finite way. This is also a future topic of research.

By excluding divergent processes, the failure semantics [7] for timed CSP characterizes our testing preorders. In our framework, we considered no divergent processes, since our main objective is to have a proof technique. Differently from untimed processes, if we have the maximal progress property, a divergent process is considered a "time-stop" process. Timed CSP deals with this time-stop process. [7] proposes testing preorders stronger than ours in the sense that they distinguish the divergent processes, whereas our framework is incapable of distinguishing divergent processes from inactive processes. We do not yet know whether this lack of distinguishing power is a substantial drawback in modeling practical real-time programs.

As other future work, we need to introduce the composition operator and the expansion theorem. The expansion theorem would enable more processes to be converted for our method. Implementing software tools as a practical verification and debugging method for real-time systems based on the testing preorders is also a future topic of research.

References

[1] J.C.M. Baeten and J.A. Bergstra. "Real time process algebra." Formal Aspects of Computing, Vol. 3, pp. 142–188, 1991.
[2] J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Computer Science 18. Cambridge University Press, 1990.
[3] T. Bolognesi and S.A. Smolka. "Fundamental Results for the Verification of Observational Equivalence." Protocol Specification, Testing and Verification, VII, H. Rudin and C.H. West (editors), pp. 165–179, 1987 (North Holland).
[4] Liang Chen. Timed Processes: Models, Axioms and Decidability. PhD thesis, The University of Edinburgh, Department of Computer Science, 1993.
[5] R. Cleaveland and A.E. Zwarico. "A theory of testing for real-time." Proc. Logics in Computer Science '91, pp. 110–119, 1991.
[6] R. Cleaveland and M. Hennessy. "Testing Equivalence as a Bisimulation Equivalence." Formal Aspects of Computing, Vol. 5, pp. 1–20, 1993.
[7] J. Davies and S. Schneider. "A brief history of timed CSP." Theoretical Computer Science, Vol. 138, pp. 243–271, 1995.
[8] Hans A. Hansson. Time and Probability in Formal Design of Distributed Systems. PhD thesis, Uppsala University, Department of Computer Science, 1991.
[9] M. Hennessy and H. Lin. "Symbolic bisimulations." Theoretical Computer Science, Vol. 138, pp. 353–389, 1995.
[10] M. Hennessy. Algebraic Theory of Processes. The MIT Press, 1988.
[11] M. Hennessy. "On timed process algebras: A tutorial." Technical Report 2/93, University of Sussex, Computer Science, 1993.
[12] M. Hennessy and H. Lin. "Symbolic bisimulations." Theoretical Computer Science, Vol. 138, pp. 353–389, 1995.
[13] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.
[14] U. Holmer, K. Larsen, and W. Yi. "Deciding properties of regular real timed processes." Proc. CAV '91 (LNCS Vol. 575), pp. 443–453, 1991.
[15] R. Milner. Communication and Concurrency. Prentice-Hall, 1989.
[16] F. Moller and C. Tofts. "A temporal calculus of communicating systems." Proc. CONCUR 90 (LNCS Vol. 458), pp. 401–415, 1990.
[17] U. Holmer, K. Larsen, and Yi Wang. "Deciding properties of regular real timed processes." Proc. CAV '91 (LNCS Vol. 575), pp. 443–353, 1991.
[18] R. De Nicola and M.C.B. Hennessy. "Testing equivalences for processes." Theoretical Computer Science, Vol. 34, pp. 83–133, 1983.
[19] X. Nicollin, J. Sifakis and S. Yovine. "From ATP to Timed Graphs and Hybrid Systems." Proc. Real-Time: Theory in Practice (LNCS Vol. 600), pp. 549–572, 1991.
[20] Tim Regan. Process Algebra for Timed Systems. PhD thesis, University of Sussex, Computer Science, 1991.
[21] S. Schneider. "An operational semantics for timed CSP." Technical Report TR-1-91, Programming Research Group, Oxford University, 1991.
[22] Wang Yi. "CCS+Time = an interleaving model for real time systems." Proc. ICALP 91 (LNCS Vol. 510), pp. 217–228, 1991.
[23] Wang Yi. A Calculus of Real Time Systems. PhD thesis, Chalmers University of Technology, Department of Computer Science, 1991.


Publication date: 1996