Alternating simulation and IOCO

We propose a symbolic framework called guarded labeled assignment systems or GLASs and show how GLASs can be used as a foundation for symbolic analysis of various aspects of formal specification languages. We define a notion of i/o-refinement over GLASs as an alternating simulation relation and provide formal proofs that relate i/o-refinement to ioco. We show that non-i/o-refinement reduces to a reachability problem and provide a translation from bounded non-i/o-refinement or bounded non-ioco to checking first-order assertions.


Introduction
The view of a system behavior as a labeled transition system (LTS) provides the semantical foundation for many behavioral aspects of systems in the context of formal verification and testing. The central problem in testing is to determine if an implementation LTS conforms to a given specification LTS and to find a counterexample if this is not the case. In the case of open systems, or in the presence of input (controllable) and output (observable) behavior, the conformance relation is commonly described as input-output conformance or ioco [18]. A closely related notion of alternating simulation [3] is used in the context of open system verification, in particular for interface automata refinement [9,8].
In this paper we propose a theory of guarded labeled assignment systems or GLASs that formally relates these two notions and provides a foundation for their symbolic analysis.
GLASs are a generalization of non-deterministic model programs [23] to a purely symbolic setting, by abstracting from the particular background universe and the particular (action) label domain. The semantics of GLASs uses classical model theory. A GLAS is a symbolic representation of behavior whose trace semantics is given by an LTS that corresponds to the least fix-point of the strongest post-condition induced by the assignment system of the GLAS. We define the notion of i/o-refinement over GLASs that is based on alternating simulation and show that it is a generalization of ioco for all GLASs, generalizing an earlier result [21] for the deterministic case. The notion of i/o-refinement is essentially a compositional version of ioco. We provide a rigorous account for formally dealing with quiescence in GLASs in a way that supports symbolic analysis with or without the presence of quiescence. We also define the notion of a symbolic composition of GLASs that respects the standard parallel synchronous composition of LTSs [15,16] with the interleaving semantics of unshared labels. Composition of GLASs is used to show that the i/o-refinement relation between two GLASs can be formulated as a condition on the composite GLAS. This leads to a mapping of the non-i/o-refinement checking problem into a reachability checking problem for a pair of GLASs. For a class of GLASs that we call robust we can furthermore use established methods developed for verifying safety properties of reactive systems. We show that the non-i/o-refinement checking problem can be reduced to first-order assertion checking by using proof rules similar to those that have been formulated for checking invariants of reactive systems. It can also be approximated as a bounded model program checking problem or BMPC [23]. Detailed proofs of all statements omitted here can be found in the technical report [22].
Although the focus of the paper is theoretical, GLASs provide a foundation for applying state-of-the-art satisfiability modulo theories (SMT) [5] technology to a wide range of problems that are difficult to tackle using other techniques. SMT solving is a hybrid technology that has a flavor of model checking, SAT solving, and theorem proving. An advantage over model checking is avoidance of state-space explosion. Compared to SAT solving, bit blasting can be avoided by encoding operations over unbounded universes, such as integers, more succinctly. Compared to many automated theorem proving techniques, a solution is provided as a witness of satisfiability. The following three are sample applications: 1) symbolic model-checking of a given specification GLAS [23] with respect to a given property automaton; 2) symbolic refinement checking between two symbolic LTSs represented as GLASs; 3) incremental model-based parameter generation during on-the-fly testing for increased specification GLAS coverage. In all cases, the use of GLAS composition is central, e.g., for symbolic i/o-refinement or ioco, composition is used in Theorem 5. All examples used in the paper are tailored to such analyses and illustrate the use of background theories that are supported by state-of-the-art SMT solvers such as Z3 [10].

Preliminaries
We use classical logic and work in a fixed multi-sorted universe U of values. For each sort σ, U_σ is a sub-universe of U. The basic sorts needed in this paper are the Boolean sort B (U_B = {true, false}) and the integer sort Z. There is a collection of functions with a fixed meaning associated with the universe, e.g., arithmetical operations over U_Z. These functions (and the corresponding function symbols) are called background functions. For example, the background function <: Z × Z → B denotes the standard order on integers. There is also a generic background function Ite: B × σ × σ → σ where σ is a given sort.
Terms are defined by induction as usual and are assumed to be well-sorted. The sort σ of a term t is denoted by sort(t) or by t: σ. We write FV(t) for the set of free variables in t. Boolean terms are also called formulas or predicates. We use x′ as an injective renaming operation on variables x, and lift the renaming to sets of variables. A Σ-model M is a mapping from Σ to U.¹ The interpretation of a term t over Σ in a Σ-model M is denoted by t^M and is defined by induction as usual. In particular, Ite(ϕ, [...] A formula ϕ is satisfiable if it has a model and valid, denoted by |= ϕ, if ϕ is true in all models. For two formulas ϕ and ψ, ϕ |= ψ means that any model of ϕ is also a model of ψ. We use elements in U also as terms and define the predicate of a Σ-model M as the predicate P_M.

Guarded Labeled Assignment Systems
This section introduces Guarded Labeled Assignment Systems, GLAS for short. The definition of GLAS combines labels, guarded updates, and internal choice. They capture the semantics of model programs. We start by providing the formal definition, which is followed by examples illustrating the definition. An assignment is a pair x := u where x is a variable, u is a term, and sort(x) = sort(u).
Definition 1. A Guarded Labeled Assignment System or GLAS G is a tuple (Σ, X, ℓ, ı, α, γ, ∆) where
- Σ is a finite set of variables called the model signature;
- X is a finite set of variables disjoint from Σ called the choice signature;
- ℓ is a variable not in Σ or X, called the label variable;
- ı is a satisfiable formula over Σ called the initial condition;
- α is a formula over {ℓ} called the label predicate;
- γ is a formula over Σ ∪ X ∪ {ℓ} called the guard;
- ∆ is a set {z := u_z}_{z∈Σ} where each u_z is a term over Σ ∪ X ∪ {ℓ}, called the assignment system.
The set Σ ∪ X is called the internal signature of G.
We first illustrate a simple two-state GLAS.
Example 1. Consider the FSM A. Intuitively, A specifies a sequence of request and response labels where a single request is followed by one or more responses. Suppose that the labels have sort L and that L is associated with predicates IsReq, IsRes: L → B. A can be represented by the GLAS G_A = ({z: Z}, {x: B}, ℓ: L, z = 1, IsReq(ℓ) ∨ IsRes(ℓ), Ite(IsReq(ℓ), z = 1, z = 2), {z := Ite(z = 1, 2, Ite(x, 1, 2))}). The guard enables a request only in state z = 1 and a response only in state z = 2; the assignment moves from state 1 to state 2 on a request and, on a response, to state 1 or back to state 2 depending on x. Note that x represents a nondeterministic choice of the target state of a response transition. ⊠ The following example illustrates how an AsmL [4] program can be represented as a GLAS. Other encodings are possible using different techniques. The example makes use of several background sorts. Such sorts are derived from the given program. An important point regarding practical applications is that all sorts and associated axioms that are used are either directly supported, or user definable without any significant overhead, in state-of-the-art SMT solvers.
Example 2. We consider the following model program called Credits (the AsmL program is listed at the end of this text) that describes the message-id-usage facet of a client-server sliding window protocol [14]. The example uses tuples. There is a generic n-tuple sort T(σ_0, ..., σ_{n−1}) of given element sorts σ_i for i < n. An n-tuple constructor is denoted by ⟨t_0, ..., t_{n−1}⟩ and the projection functions are denoted by π_i for i < n. For example π_1(⟨t_0, t_1⟩) = t_1.
The example also uses arrays; the sort A(σ, ρ) is a generic sort for extensional arrays (mathematical maps) with domain sort σ and range sort ρ. The functions on arrays are reading and storing elements in the array. The empty array ε maps every domain element to a default value of the range sort. (For Z the default is 0 and for B the default is false. The axioms assumed for arrays are the usual ones for propagating reads over stores and the extensionality axiom.) We map Credits to the GLAS G_Credits = (Σ, ∅, ℓ, ı, α, γ, ∆), where the model signature Σ consists of the program variables and the choice signature is empty. Given by the require-statements, the guard γ is a case split on the action label between the require-condition of Req and that of Res, stated in terms of the accessors Req_m, Req_c, Res_m, Res_c applied to ℓ. The assignment system ∆ consists of one assignment per program variable. The right-hand-sides of the assignments are easy to automatically generate from the program, but much harder to comprehend than the original assignments in the program, since they combine all the assignments from the separate actions by doing a case split based on the action label. They also add trivial assignments that take care of the implicit frame condition in AsmL that states that all variables not updated retain their previous values. ⊠ A GLAS is a symbolic representation of a labeled transition system (LTS). In order to keep the paper self-contained and to fix the notations we include the standard definitions of LTSs and traces.
Definition 2. An LTS is a tuple L = (𝒮, 𝒮^0, L, T), where 𝒮 is a set of states; 𝒮^0 ⊆ 𝒮 is a nonempty set of initial states; L is a set of labels; T ⊆ 𝒮 × L × 𝒮 is a transition relation. A label a ∈ L is enabled in a state S ∈ 𝒮 if (S, a, S′) ∈ T for some S′ ∈ 𝒮. L is deterministic if L has a single initial state and for all a ∈ L and S ∈ 𝒮 there is at most one S′ ∈ 𝒮 such that (S, a, S′) ∈ T.
We use L as a subscript to identify its components. If (S, a, S′) ∈ T_L we write S −a→ S′. In this paper we are only concerned with finite traces.
The notation is lifted to sequences: S −ǫ→ S, where ǫ is the empty sequence, and S −a • a→ S′′ if S −a→ S′ and S′ −a→ S′′ for some S′. A trace of L is a sequence a such that S_0 −a→ S for some S_0 ∈ 𝒮^0_L and S ∈ 𝒮_L. The set of all traces of L is denoted by Tr(L).
When L is deterministic, we view L as a function from all label sequences a to states or the value ⊥_L when a is not a trace of L. Thus, L(a) is the state S with S_0 −a→ S if a ∈ Tr(L), and ⊥_L otherwise. (1) Note that L(ǫ) is the unique initial state of a deterministic LTS L.
A GLAS is associated with a transition relation formula that describes a single application of its assignments and a predicate transformer that maps a given predicate to a new predicate. The predicate transformer is used below to define the semantics of GLASs in terms of LTSs.
Definition 4. Let G = (Σ, X, ℓ, ı, α, γ, {z := u_z}_{z∈Σ}) be a GLAS. We define the transition relation TR_G and the strongest post-condition predicate transformer SP_G for G, where P(Σ) is a predicate over Σ. Note that, for a ∈ U_sort(ℓ), SP_G(P, a) is a predicate over Σ.
Next, we define two related semantics of a GLAS G in terms of LTSs. One is the concrete semantics ⌊G⌋ (Definition 5) and the other one is the symbolic semantics ⌈G⌉ (Definition 6). In the concrete semantics, states are Σ_G-models. In the symbolic semantics, states are predicates over Σ_G in the SP_G-closure of {ı_G}. We define the set of labels of G, L_G, as the set of all labels that satisfy α_G. We show that both semantics yield the same traces, i.e., ⌈G⌉ does not introduce new traces, although several models of ⌊G⌋ may collapse into a single state in ⌈G⌉. We use the following technical lemma (Lemma 1). Note that ⌈G⌉ is deterministic and recall (1); let ⊥_⌈G⌉ def= false. Given a sequence a and an element a, we write a • a for the extended sequence. The empty sequence is denoted by ǫ.
Proof. By induction over the length of a. The base case, a = ǫ, holds trivially. Assume by IH that the statement holds for a; we prove it for a • a.
The statement follows by the induction principle. ⊠ The lemma implies the following theorem (Theorem 1) that is a fundamental property of the symbolic semantics. It justifies the whole approach presented in the paper and provides a symbolic generalization of the classical LTS determinization.

is the definition of Tr(⌊G⌋). ⊠
There is an important point about this choice of trace-style semantics. It is tailored for the case where internal choices of GLASs are opaque. Symbolic semantics plays an important role when we later define alternating simulation and conformance, where G may be nondeterministic, i.e., ⌊G⌋ is nondeterministic, but where ⌈G⌉ is used, which, by Theorem 1, does not change the intended trace semantics of G. Moreover, ⌈G⌉ directly reflects the symbolic unfolding of the transition relation of a GLAS, which is fundamental in the construction of first-order assertions for reduction to symbolic analysis.
Example 3. The Credits program in Example 2 is deterministic. The following is a trace of G_Credits: (Req(0, 3), Res(0, 2), Req(2, 1), Req(1, 1), Res(2, 0), Res(1, 0)). Intuitively, the trace describes a valid communication scenario between the client and the server (based on a sliding window protocol), where the client is able to use message ids based on credits granted earlier by the server: the response Res(0, 2) grants the id range (0, 2), from which the client then draws the ids 2 and 1 for its next two requests. ⊠

GLAS Composition
Composition of GLASs is a purely symbolic construction.
We abbreviate ⊗_{i∈I} G_i by ⊗_I G_i and for ⊗_{{1,2}} G_i we write G_1 ⊗ G_2. Note that ⊗_I G_i is indeed well-defined as a GLAS. In particular, the initial condition of ⊗_I G_i is satisfiable because all the individual initial conditions are satisfiable and do not share free variables. The other side conditions in Definition 1 hold similarly. The following technical lemma is used below. Let G_i, for i ∈ I, be as above.
Proof. We first show (*) by using the assumption, the definition of TR_G, Definition 8, and standard logical transformations (that use disjointness of the internal signatures of G_i for i ∈ I). The lemma follows by using (*), Definition 4, and further logical transformations. ⊠ One can show that composition of GLASs respects the standard parallel synchronous composition of LTSs with the interleaving semantics of unshared labels. Here we assume the special case of all labels being shared, i.e., L_{G_i} = L_{G_j} for i, j ∈ I. A general statement can be formulated that describes the interleaving of unshared labels, but the special case is sufficient for this paper.
Proof. We prove (i) by induction over a. The base case holds trivially since ⌈G⌉(ǫ) = ∧_{i∈I} ı_i = ∧_{i∈I} ⌈G_i⌉(ǫ). Assume (i) holds for a; we prove (i) for a • a: ⌈G⌉(a • a) ⇔ SP_G(⌈G⌉(a), a). Statement (i) follows by the induction principle. We now prove (ii). The third equality assumes disjointness of Σ_{G_i} for i ∈ I. ⊠
Example 4. Consider the composition G = G_Credits ⊗ G_A with G_Credits and G_A from Examples 2 and 1, respectively. The traces of G are the traces of both G_Credits and G_A, i.e., the traces that conform to the Credits specification while restricted to the scenarios described by A. For example, the trace illustrated in Example 3 is therefore not a trace of G, since it contains two consecutive requests, which A does not allow. ⊠
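The Credits program of Example 2, the two-state GLAS G_A of Example 1 and their composition G_Credits ⊗ G_A of Example 4, as an executable Python model. This is an added example, not code from the paper. A GLAS is represented as a triple (initial states, guard, step), where step returns the successors for all values of the choice variables, so the set of concrete states reached by a trace plays the role of the symbolic state ⌈G⌉(a). The tuple encoding of labels as ("Req", m, c) and ("Res", m, c) and the helper names are assumptions of this example. The trace of Example 3 is accepted by Credits alone and rejected by the composition at its fourth label, the second consecutive request.

```python
"""Concrete model of G_Credits (Example 2), G_A (Example 1) and G_Credits ⊗ G_A
(Example 4). Added example, not the paper's code. A GLAS is a triple
(initial states, guard, step); step returns the set of successors obtained for
all values of the choice variables, so a symbolic state is a set of concrete
states. Labels are tuples ("Req", m, c) and ("Res", m, c) (an assumption)."""

# Credits state: (ranges, used, max, msgs); msgs is a sorted tuple of
# (id, credit) pairs so that states are hashable and can be collected in sets.
CREDITS_INIT = (frozenset({(0, 0)}), frozenset(), 0, ())


def credits_guard(state, label):
    """The require-statements of Credits, selected by the action label."""
    ranges, used, _max, msgs = state
    kind, m, c = label
    if kind == "Req":
        valid_unused = m not in used and any(lo <= m <= hi for lo, hi in ranges)
        return valid_unused and c > 0
    pending = dict(msgs)
    return kind == "Res" and m in pending and 0 <= c <= pending[m]


def credits_step(state, label):
    """The updates of the chosen action; untouched variables keep their value."""
    ranges, used, mx, msgs = state
    kind, m, c = label
    pending = dict(msgs)
    if kind == "Req":
        pending[m] = c
        used = used | {m}
    else:
        del pending[m]
        if c > 0:
            ranges = ranges | {(mx, mx + c)}
            mx += c
    return (ranges, used, mx, tuple(sorted(pending.items())))


# Credits has no choice variables, so every step has exactly one successor.
CREDITS = ({CREDITS_INIT}, credits_guard, lambda s, a: {credits_step(s, a)})


# G_A: guard Ite(IsReq(l), z = 1, z = 2); assignment z := Ite(z = 1, 2, Ite(x, 1, 2)).
def ga_guard(z, label):
    return z == 1 if label[0] == "Req" else z == 2


def ga_step(z, label):
    return {2} if z == 1 else {1, 2}  # both values of the choice variable x


GA = ({1}, ga_guard, ga_step)


def compose(g1, g2):
    """Synchronous composition with all labels shared: a label is enabled only
    if both guards hold, and both components move on it."""
    (init1, guard1, step1), (init2, guard2, step2) = g1, g2
    init = {(s, t) for s in init1 for t in init2}
    guard = lambda st, a: guard1(st[0], a) and guard2(st[1], a)
    step = lambda st, a: {(s, t) for s in step1(st[0], a) for t in step2(st[1], a)}
    return init, guard, step


def run(glas, trace):
    """Concrete states reachable after trace; an empty set means that the
    sequence is not a trace of the GLAS (cf. Definitions 5 to 7)."""
    states, guard, step = glas
    for a in trace:
        states = {t for s in states if guard(s, a) for t in step(s, a)}
        if not states:
            break
    return states


def accepted_prefix_length(glas, trace):
    """Length of the longest prefix of trace that is a trace of the GLAS."""
    for n in range(1, len(trace) + 1):
        if not run(glas, trace[:n]):
            return n - 1
    return len(trace)


# The trace of Example 3 (request ids 0, 2, 1; credits granted by Res(0, 2)).
EXAMPLE3 = (("Req", 0, 3), ("Res", 0, 2), ("Req", 2, 1),
            ("Req", 1, 1), ("Res", 2, 0), ("Res", 1, 0))

if __name__ == "__main__":
    print("Credits accepts Example 3:", bool(run(CREDITS, EXAMPLE3)))
    print("Credits ⊗ A accepts a prefix of length:",
          accepted_prefix_length(compose(CREDITS, GA), EXAMPLE3))
```

Because G_A has a choice variable, the composite state after a response is a set of two pairs (z = 1 and z = 2 with the same Credits state); `run` keeps all of them, which is exactly why the symbolic semantics ⌈G⌉ is deterministic even when ⌊G⌋ is not.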

I/O GLAS
Here we consider GLASs where the labels are divided into input and output labels that describe reactive or open system behavior.
Definition 9. An i/o-GLAS G is an extension (G′, α_out) of a GLAS G′ where α_out is a formula such that α_out |= α_G, called the output label predicate.
In the corresponding i/o LTS the labels are separated so that L^out_G is the set of all labels that satisfy α^out_G and L^in_G is the set of all labels that satisfy α_G ∧ ¬α^out_G. We say GLAS (LTS) to also mean i/o-GLAS (i/o LTS) and let the context determine whether the labels are separated into input and output labels.
Example 5. Consider the Credits program and assume that Req is marked as an input-action and Res is marked as an output-action. The output label predicate α_out is a disjunction over all cases of action labels in the AsmL program that are marked as output-actions, i.e., in this case α_out is IsRes(ℓ). ⊠ When dealing with formal notions of conformance, in particular ioco [18], an important aspect is how to deal with quiescence, that is a special output label, usually denoted by δ, indicating absence of other enabled output labels in a given state. An LTS can be extended to include δ as a new output label [18] (Definition 10). We define a corresponding symbolic extension for GLASs.
Definition 11. For G = (Σ, X, ℓ, ı, α, γ, {z := u_z}_{z∈Σ}, α_out) and δ ∈ U_sort(ℓ) \ L_G, the extension G^δ is defined as follows. Thus, in G^δ there is a new output label δ, which is enabled exactly in the states where no other output label is enabled (the formula ¬∃ℓ X_G (α^out_G ∧ γ_G) below). The intended meaning of G^δ is made precise by the following theorem that says that the symbolic extension precisely captures the intended suspension trace semantics [18] of ⌊G⌋.
Proof. (i) follows from the definitions. (ii) uses (i), Definition 7 and Theorem 1. ⊠ Note however that Tr(G^δ) ≠ Tr(⌈G⌉^δ) in general, as illustrated by the following example, which also illustrates the use of choice variables in a GLAS: a state of ⌈G⌉ collapses several models of ⌊G⌋, of which only some may be quiescent, so adding δ after determinization is not the same as adding δ to the GLAS.
Example 6. The example is derived from a standard example that is used to illustrate properties of quiescence during determinization of non-deterministic LTSs [18, Figure 6]. The GLAS G is represented by an FSM where there is a single input label 1 and a single output label 0. We assume the following representation for G: G^δ is the following GLAS where we have simplified γ_{G^δ} by using that the formula We can illustrate the GLASs as follows: ⌊G⌋:
Example 7. For G_Credits, the formula that defines absence of outputs, ¬∃ℓ X_G (α^out_G ∧ γ_G), is, after simplifications, equivalent to the formula msgs = ε. Intuitively, there should not be a response from the server, i.e., the server must be quiescent, if there is no pending request from the client, i.e., δ is enabled in any model of ⌊G^δ⌋ where msgs is empty. ⊠
We define a notion of conformance between two GLASs that is based on alternating simulation [3] between two LTSs and show below that this notion of conformance coincides with ioco for GLASs. Let M_1 and M_2 be i/o LTSs. The intuition behind the following definition is that M_1 can only make outputs that M_2 can make, and M_2 can only make inputs that M_1 can make.
Definition 12. M_1 i/o-refines M_2, M_1 ⊑ M_2, iff there exists an alternating simulation ρ from M_1 to M_2 such that (S^0_1, S^0_2) ∈ ρ, where an alternating simulation from M_1 to M_2 is a relation ρ between states of M_1 and states of M_2 such that, for all (S_1, S_2) ∈ ρ, every output label enabled in S_1 is enabled in S_2 and every input label enabled in S_2 is enabled in S_1, with the respective successor states again related by ρ. Given GLASs G and H then G ⊑ H def= ⌈G⌉ ⊑ ⌈H⌉.
Definition 12 is consistent with [8]. In particular, several foundational properties of ⊑ (like reflexivity and transitivity) are established in [8] that show that ⊑ is a suitable refinement relation.
Example 8. Consider two GLASs Spec and Impl where ℓ: B and α_out is ¬ℓ.
It is easy to see that Impl ⊑ Spec and Spec ⋢ Impl. ⊠ A useful characterization of i/o-refinement uses counter-examples: Definition 13 defines a witness of M_1 ⋢ M_2 as a common trace a of M_1 and M_2 together with a label a such that either a is an output label enabled after a in M_1 but not in M_2, or a is an input label enabled after a in M_2 but not in M_1.
For example, the (singleton) sequence true is a witness of ⌈Spec⌉ ⋢ ⌈Impl⌉ in Example 8. The following lemma (Lemma 3) justifies Definition 13.
For symbolic analysis, we are interested in the approximations of i/o-refinement that hold for a given upper length bound on traces (Definition 14): M_1 ⊑_n M_2 holds iff there is no witness of M_1 ⋢ M_2 of length at most n.
It follows directly from Lemma 3 that M_1 ⊑ M_2 iff M_1 ⊑_n M_2 for all n > 0. For example, Spec ⋢_1 Impl in Example 8. We are interested in the following decision problem. For GLASs G and H, a witness of G ⋢ H is a witness of ⌈G⌉ ⋢ ⌈H⌉ and we let G ⊑_n H def= ⌈G⌉ ⊑_n ⌈H⌉.
Definition 15. Bounded Non-Conformance or BNC is the problem of deciding if G ⋢_n H, for given G, H and n > 0, and finding a witness of G ⋢_n H.
We show how to reduce BNC to the BMPC problem [23] for a class of GLASs. There is a mapping of the BMPC problem over AsmL model programs and the encoding described in [23] to GLASs: given G, n, and a reachability condition ϕ that is a formula such that FV(ϕ) ⊆ Σ_G, decide if there exists a trace a of G of length ≤ n such that M |= ϕ for some M |= ⌈G⌉(a). For this reduction we need to consider GLASs that are robust in the following sense.
Definition 16. For a ∈ L_G and P ∈ 𝒮_⌈G⌉, a is robust in P if a is enabled either in every model of P or in no model of P. G is robust if every a ∈ L_G is robust in every P ∈ 𝒮_⌈G⌉, and input-robust (output-robust) if this holds for every input (output) label. Intuitively, if a is robust and enabled in a symbolic state, then a is enabled in all of the corresponding concrete states.
The intuition behind robustness is that internal choices should behave uniformly in terms of external behavior. For example, deterministic GLASs (such as G_Credits) are trivially robust, since there are no internal choices. The following example illustrates a nontrivial example of a robust GLAS that is nondeterministic and where internal choices arise naturally as a way of abstracting externally visible behavior.
Example 9. We consider the Credits program and modify it by abstracting the message ids from the labels. The constructors of the L sort are also modified so that Req, Res: Z → L and the accessors Req_m and Res_m are removed. We call the resulting program Credits2 (listed at the end of this text). We write Credits and Credits2 also for the corresponding GLASs. Credits2 has two choice variables, say m_Req and m_Res; the guard and the assignment system of Credits2 are obtained from the guard and the assignment system of Credits by replacing each occurrence of Req_m(ℓ) (Res_m(ℓ)) with m_Req (m_Res). It is easy to see that Credits2 is non-deterministic. For example, a = (Req(3), Res(3), Req(1)) is a trace of Credits2. After Req(3) there is a pending request with id 0. After Res(3) the range of possible message ids contains the pair ⟨1, 3⟩ and the set of used message ids is {0}. After Req(1), i.e., in the state S = ⌈Credits2⌉(a), there are 3 possible models, one for each id the request may have been given. One can show that Credits2 is both input-robust and output-robust: the key property that determines enabledness of a request is the number of available message ids, and similarly for responses. ⊠ The following example illustrates a GLAS that is not output-robust.
Example 10. We consider the Credits program again and this time we modify only the Req action as in Example 9. We call it Credits3. For example, consider the trace a = (Req(3), Res(0, 3), Req(1)) of Credits3. The state S = ⌈Credits3⌉(a) contains 3 models, where, for example, the output label Res(1, 1) is only enabled in the model in S where request 1 is pending but not in the model where request 2 is pending. So Credits3 is not output-robust. ⊠ The key insight of reducing BNC to BMPC comes from Lemma 3 and the use of composition. Let α_in stand for the formula α ∧ ¬α_out. We assume that G and H below have disjoint internal signatures.
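A checker for robustness in the sense of Definition 16, for a GLAS given as an explicit finite FSM with internal choice. This is an added example and not the paper's code; the FSMs in it are constructed analogues of Examples 9 and 10 (a request that is nondeterministically assigned one of two ids), not the Credits programs themselves, and the class and function names are assumptions. Symbolic states are computed by the subset construction, which is what Definition 6 amounts to on a finite state space: a label is robust in a symbolic state P exactly when it is enabled in all or in none of the concrete states collapsed into P.

```python
"""Robustness (Definition 16) of a nondeterministic GLAS given as an explicit
finite FSM with internal choice. Added example, not the paper's code; the FSMs
below are constructed analogues of Examples 9 and 10, not the Credits programs.
Symbolic states are the sets of concrete states reached by a trace, i.e. the
subset construction that Definition 6 performs on finite state spaces."""
from collections import deque


class ChoiceFSM:
    """trans[state][label] is the set of successors; more than one successor
    for the same label models a choice variable (like x in Example 1)."""

    def __init__(self, init, outputs, trans):
        self.init, self.outputs, self.trans = init, frozenset(outputs), trans

    def enabled(self, s):
        return set(self.trans.get(s, {}))

    def symbolic_states(self):
        """Reachable symbolic states P (frozensets of concrete states) mapped to
        their symbolic transitions P -a-> SP(P, a)."""
        start = frozenset([self.init])
        seen, todo, edges = {start}, deque([start]), {}
        while todo:
            P = todo.popleft()
            edges[P] = {}
            for a in sorted(set().union(*(self.enabled(s) for s in P))):
                Q = frozenset(t for s in P for t in self.trans.get(s, {}).get(a, ()))
                edges[P][a] = Q
                if Q not in seen:
                    seen.add(Q)
                    todo.append(Q)
        return edges


def robustness_violations(fsm):
    """Pairs (P, a): a is enabled in the symbolic state P (in some model of P)
    but not in every concrete state of P. An empty list means the FSM is robust."""
    return [(P, a) for P, edges in fsm.symbolic_states().items()
            for a in edges if any(a not in fsm.enabled(s) for s in P)]


def is_output_robust(fsm):
    return not any(a in fsm.outputs for _, a in robustness_violations(fsm))


def is_input_robust(fsm):
    return not any(a not in fsm.outputs for _, a in robustness_violations(fsm))


# Analogue of Example 10: a request is given id 1 or id 2 by an internal choice
# and the response label names the id, so each response is enabled in only one
# of the two concrete states behind the symbolic state {1, 2}.
NOT_ROBUST = ChoiceFSM(0, {"res1", "res2"},
                       {0: {"req": {1, 2}}, 1: {"res1": {0}}, 2: {"res2": {0}}})
# Analogue of Example 9: the id is abstracted out of the label, so the same
# response label is enabled in both concrete states.
ROBUST = ChoiceFSM(0, {"res"},
                   {0: {"req": {1, 2}}, 1: {"res": {0}}, 2: {"res": {0}}})
# Input-side failure: an input (cancel) accepted only after one of the choices.
INPUT_NOT_ROBUST = ChoiceFSM(0, {"res"},
                             {0: {"req": {1, 2}}, 1: {"res": {0}, "cancel": {0}},
                              2: {"res": {0}}})

if __name__ == "__main__":
    for name, fsm in [("NOT_ROBUST", NOT_ROBUST), ("ROBUST", ROBUST),
                      ("INPUT_NOT_ROBUST", INPUT_NOT_ROBUST)]:
        print(name, is_input_robust(fsm), is_output_robust(fsm),
              robustness_violations(fsm))
```

Theorem 4 needs input-robustness of G and output-robustness of H, so in practice the two checks are run on different sides of the refinement question; the split into `is_input_robust` and `is_output_robust` mirrors that.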
The intuition behind P (the condition P(G, H) on the composite GLAS G ⊗ H) is that if an output label ℓ is possible in G then ℓ must be possible in H, and vice versa for input labels. We get the following corollary by using the definition of P, Lemma 3, and Theorem 2.
In the following theorem (Theorem 4) we assume, without loss of generality, that L_⌈G⌉ = L_⌈H⌉. The proof uses Lemma 3.
The robustness assumptions are not needed for the direction ⇐= of the theorem. It is easy to show that the direction =⇒ does not hold without the assumption.
Example 11. Consider the GLAS G illustrated by the FSM in Example 6. Note that G is not output-robust. Let G_1 be a copy of G where z is replaced by z_1 and x is replaced by x_1. Clearly ⌈G⌉ ⊑ ⌈G_1⌉ (since ⌈G⌉ ⊑ ⌈G⌉ by reflexivity of ⊑). Now consider G ⊗ G_1, where The LTSs ⌊G ⊗ G_1⌋ and ⌈G ⊗ G_1⌉ can be illustrated as follows, where a pair ⟨z, z_1⟩ shows the values of the respective model variables: The following example illustrates a case when H in Theorem 4 is nondeterministic but robust.
Example 12. We consider a model program CreditsImpl (listed at the end of this text) that describes the abstracted behavior of a protocol implementation.
The formula is satisfiable if and only if P(G, H) is violated within n steps. The size of the formula is O(n(|G ⊗ H| + |¬P(G, H)|)). Theorem 4 ensures that it suffices to check P as a state invariant. ⊠
An LTS L is input-enabled if in all states in L that are reachable from the initial state, all input-labels are enabled.³ The following definition of ioco (Definition 18) is consistent with the definition in [18] provided that δ is part of the output labels.
(Proof of Theorem 6, continued.) 1) a is an output-label that is enabled in S′_G but not enabled in S′_H, or 2) a is an input-label that is enabled in S′_H but not enabled in S′_G. The second case cannot be true since ⌈G⌉ is input-enabled. Thus, there is a trace a ∈ Tr(⌈H⌉) and an output-label a such that a • a ∈ Tr(⌈G⌉) but a • a ∉ Tr(⌈H⌉). (⇐=): Assume ⌈G⌉ ioco ⌈H⌉ does not hold. We show that G ⋢ H. From Definition 18 it follows that there exists a trace a ∈ Tr(⌈H⌉) and an output-label a such that a • a ∈ Tr(⌈G⌉) but a • a ∉ Tr(⌈H⌉). Now use Lemma 3. ⊠

Related work
The current paper generalizes the notion of model programs to GLASs and generalizes the results in [21] related to deterministic input-output model programs to GLASs. We introduced the notion of robustness as a nontrivial extension of deterministic GLASs by supporting "safe" internal nondeterminism, while retaining the property that non-i/o-refinement checking reduces to safety analysis. The literature on ioco [6,19,20] and various extensions of ioco is extensive. A recent overview and the formal foundations are described in [18]. An extension of ioco theory to symbolic transition systems is proposed in [13]. Composition of GLASs is related to composition of symbolic transition systems [12]. The application of composition for symbolic analysis and the formal relation to open system verification have not been studied in those contexts as far as we know. We believe that the results presented here can be used and complement the work on symbolic transition systems in [13,12].
We believe that GLASs can be used as a foundation for symbolic analysis of Event-B models [2], an extension of the B-method [1] with events (corresponding to labels of a GLAS) that describe atomic behaviors, where each event is associated with a guard and an assignment that causes a state transition when the guard is true in a given state. Composition of Event-B models is discussed in [17,7].
BMPC [23], which is used in Section 4, is a generalization of SMT-based bounded model checking [11] to GLASs. The notion of i/o-refinement of GLASs builds on the game view of systems [8], which can also be used to formulate other problems related to input-output GLASs, such as finding winning strategies to reach certain goal states.

The Credits model program (Example 2):

  var ranges as Set of (Integer,Integer) = {(0,0)}
  var used as Set of Integer = {}
  var max as Integer = 0
  var msgs as Map of Integer to Integer = {->}
  IsValidUnusedMessageId(m as Integer) as Boolean
    return m notin used and Exists r in ranges where First(r)<=m and m<=Second(r)
  [Action] Req(m as Integer, c as Integer)
    require IsValidUnusedMessageId(m) and c > 0
    msgs(m) := c
    add m to used
  [Action] Res(m as Integer, c as Integer)
    require m in msgs and 0<=c and c<=msgs(m)
    remove m from msgs
    if c>0
      add (max, max+c) to ranges
      max := max+c

Let us assume a sort L derived from the method signatures of the program; U_L is an algebraic data type. In addition to the predicates IsReq and IsRes introduced in Example 1, L is associated with the constructors Req, Res: Z × Z → L and the accessors Req_m, Res_m, Req_c, Res_c: L → Z. For example, IsReq(Res(6, 7)) is false and Req_c(Req(3, 4)) is equal to 4.

Definition 5. ⌊G⌋ = (𝒮, {M | M |= ı_G}, L_G, T) where 𝒮 and T are the least sets such that 𝒮^0_⌊G⌋ ⊆ 𝒮 and, whenever M ∈ 𝒮, a ∈ L_G and N |= SP_G(P_M, a), then (M, a, N) ∈ T and N ∈ 𝒮.

Definition 6. ⌈G⌉ = (𝒮, {ı_G}, L_G, T) where 𝒮 and T are the least sets such that ı_G ∈ 𝒮 and, whenever P ∈ 𝒮, a ∈ L_G and SP_G(P, a) is satisfiable, then (P, a, SP_G(P, a)) ∈ T and SP_G(P, a) ∈ 𝒮.

The notion of traces of G is based on the symbolic semantics of G.

Definition 7. Tr(G) def= Tr(⌈G⌉).

The Credits2 actions (Example 9); the variables and IsValidUnusedMessageId are as in Credits:

  [Action] Req(c as Integer)
    require exists m where IsValidUnusedMessageId(m) and c > 0
    choose m where IsValidUnusedMessageId(m)
      msgs(m) := c
      add m to used
  [Action] Res(c as Integer)
    require exists m where m in msgs and 0<=c and c<=msgs(m)
    choose m where m in msgs and 0<=c and c<=msgs(m)
      remove m from msgs
      if c>0
        add (max, max+c) to ranges
        max := max+c

The CreditsImpl model program (Example 12); the require-condition of Res is stated on the queue cs, not on c:

  var cs as Seq of Integer = []
  [Action] Req(c as Integer)
    require true
    cs := cs + [c]
  [Action] Res(c as Integer)
    require cs <> [] and c <= Head(cs) and c >= 0
    cs := Tail(cs)

Definition 18. Let L be an LTS and M an input-enabled LTS. M ioco L iff, for all a ∈ Tr(L) and output-labels a, if a • a ∈ Tr(M) then a • a ∈ Tr(L).

Theorem 6. If ⌈G⌉ is input-enabled then ⌈G⌉ ioco ⌈H⌉ ⇐⇒ G ⊑ H.
Proof. Assume ⌈G⌉ is input-enabled. (=⇒): Assume G ⋢ H. We show that ⌈G⌉ ioco ⌈H⌉ does not hold. From Definition 12 it follows that there exists a trace a with ⌈G⌉(a) = S′_G and ⌈H⌉(a) = S′_H, and there is a label a such that either (the proof continues after the definition of input-enabledness above)

³ Such LTSs are called input-output transition systems in [18].

The GLASs Credits2 (from Example 9) and CreditsImpl are robust. One can show that CreditsImpl ⊑_n Credits2 for any n by using the product encoding and Theorem 4. ⊠ Theorem 4 identifies conditions where we can use standard techniques for verification of safety formulas. We use this in Theorem 5 to formulate checking for P(G, H) as a symbolic bounded model checking problem.
Theorem 5. Assume that G is input-robust and H is output-robust. There is an effective procedure that, given G, H and a bound n > 0, creates a formula BNC(G, H, n) of size O(n(|G| + |H|)) with free variables ℓ_i for i < n, such that BNC(G, H, n) is satisfiable iff G ⋢_n H, and if M |= BNC(G, H, n) then for some a and m < n, (ℓ^M_0, ..., ℓ^M_m, a) is a witness of G ⋢_n H.
Proof. Given a GLAS G, we can characterize the set of states reachable after n steps by unfolding the transition relation of G n times. The corresponding formula is Reach(G, n)