Mathematical Problems in Engineering

Volume 2015, Article ID 173012, 13 pages

http://dx.doi.org/10.1155/2015/173012

## Quantitative Analysis of Software Approximate Correctness

School of Computer Science and Technology, Huaibei Normal University, Huaibei 235000, China

Received 6 November 2014; Accepted 14 June 2015

Academic Editor: Fabio Tramontana

Copyright © 2015 Yanfang Ma. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Parameterized bisimulation provides an abstract description of software correctness. In real world situations, however, many software products are approximately correct. To characterize the approximate correctness, we generalize the parameterized bisimulation to numerical version and probabilistic setting. First, we propose the definition of the parameterized bisimulation index that expresses the degree to which a binary relation is parameterized bisimulation. Then, -parameterized bisimulation over environment and its substitutivity laws are presented. Finally, -parameterized probabilistic bisimulation is established to describe complicated software products with probabilistic phenomena.

#### 1. Introduction

Correctness is a key feature of software trustworthiness [1–3], which can be abstracted by using various behavior equivalences between processes, such as (strong and weak) bisimilarity, trace equivalence, testing equivalence, and failure equivalence [4–6]. Specification and implementation of software are considered as two processes. If a certain behavior equivalence exists between specification and implementation, then the software is considered as correctness. Thus a certain behavior equivalence must be established between specification and implementation to prove software correctness.

However, the prerequisites for successful application of software products may not always hold when they are actually running on the computers. As physical devices, computers cannot be assumed to behave reliably. In addition, standard implementations at best approximate the formal definition of semantics. Ying [7] proposed strong/weak bisimulation indexes to establish the approximate description between specification and implementation. The proposed indexes characterize the degree to which a binary relation between processes is strong/weak bisimulations. Ying and Wirsing [8] presented the strong/weak bisimulation limits and obtained the strong/weak bisimulation topologies to describe that the sequence of implementations can be treated as an evolution toward the specification. Girard and Pappas [9] defined a hierarchy of approximate pseudometric between two systems that quantifies the qualities of the approximations. To verify whether a program behaved as desired, Henzinger [10] introduced quantitative fitness measures for programs, particularly to measure the function, performance, and robustness of reactive programs such as concurrent processes. To compare these existing quantitative models of program approximate correctness, Fahrenberg and Legay [11] presented a distance-agnostic approach to quantify the verification. They defined a spectrum of different interesting system distances that corresponds to the given trace distance.

In fact, some complicated software products contain probabilistic phenomena. These software products can be abstracted as probabilistic processes. Similarly, many quantitative models based on probabilistic processes [12] have existed to obtain the degree to which implementations satisfy their specification. For example, Giacalone et al. [13, 14] presented -bisimulation equivalence relation over deterministic probabilistic processes and proposed a kind of measure model to describe the degree of similarity among probabilistic processes. This measure is defined based on the probability differences of the processes that execute the same action. Song et al. [15] proposed a measure model according to the probability of the processes that performs the same trace with a discount factor. Deng et al. [16] defined state-metrics as a natural extension of bisimulation from nonquantitative systems to quantitative ones over action-labeled quantitative systems. Alves de Medeiros et al. [17] built a measure relation based on the observable actions of processes. Abate [18] also established an approximate metric based on probabilistic bisimulation.

However, the running of a software depends on its environment. The environment should be considered when the approximation degree between specification and implementation is discussed. The influences of the environment are absent in the existing quantitative models. In [19], Larsen and Skou presented two-thirds bisimulation based on probabilistic transition systems to characterize that two processes are undistinguished when they have the same sets of observations for all tests. If an environment is considered as a set of actions [20], then two-thirds bisimulation expresses the relation in which the process refuses the environment. We proposed two-thirds simulation index and established a measure model to describe the degree of approximation among processes [21]. In -calculus [22] and applied -calculus [23], the observation equivalences were researched. And the influence of environment on the execution of software was considered as well. In [22], a process context is speaking a process expression containing a hole. In [23], the contexts may be used to represent the adversarial environment in which a process is run. The environment provides the data that the process inputs and consumes the data that it outputs.

Larsen [24] presented parameterized bisimulation equivalence to obtain flexible hierarchic development methods. In the work of Larsen, bisimulation equivalence is parameterized with information about context called environment. Environment is considered as an object that consumes the actions produced by a process in that environment. However, the abilities of environment to consume actions might be limited. Suppose that is a process, and it can execute action to next process ; that is, . However, cannot consume the action ; then derivation will never be considered when is executed in environment . If and both perform the same action for all transitions of , then we can determine . In particular, strong bisimulation in CCS (Communication and Concurrency Systems) model is generalized by parameterized bisimulation equivalence. Parameterized limit bisimulation and parameterized bisimulation limit were proposed in [25, 26] to describe the infinite evolution mechanism.

The conditions possessing the same observable actions consumed by the environment are rigorous when we choose parameterized bisimulation to verify software correctness. Sometimes we can determine that two processes fail to meet these conditions. However, these processes are still close to parameterized bisimulation in the sense that whenever a process can execute an action of environment consumption, another process can produce an action that is different from but highly similar to the observable action that the first process executed. Alternatively, another process can perform an action that is highly similar to the observable action that the first process made whenever a process can produce an action that is different from the action of the environment consuming.

The aim of this study is to build mathematical tools that are suitable for describing this kind of approximate parameterized bisimulation. First, we propose parameterized bisimulation index over environment in order to describe the degree to which binary relation is a parameterized bisimulation. Then we define -parameterized bisimulation and discuss algebraic properties. We specially prove the congruence of -parameterized bisimulation under various operators. Finally, in order to describe the characterization of software with probabilistic information, we also extend parameterized bisimulation to probabilistic setting and propose the approximate parameterized probabilistic bisimulation.

Compared with the main focuses of [7, 8, 21], the main focus of our work is on parameterized bisimulation. In [7, 8], the set of labels in a labeled transition system is equipped with a metric. Given a binary relation between processes, the degree to which the relation is bisimulation is defined. Similar to [7, 21], we also equip the set of actions with a metric. Parameterized bisimulation that includes the information about context is different from bisimulation. For every environment , is a binary relation between processes. Therefore, in order to obtain the approximate parameterized bisimulation, we need to establish the bisimulation index for every environment . We consider two cases to obtain the bisimulation index for an environment. One case is that when the environment consumes an action, a process can accept this action and another process cannot accept this action. Another case is that when the environment has the transition with an action, two processes cannot both accept this action. Therefore, our definition about bisimulation index on the environment is different from the definition of bisimulation index in [7]. Furthermore, we establish the -parameterized bisimulation on the environment . In order to obtain the hierarchic development and modular decomposition of software, similar to [7, 21], we also consider the substitutivity laws of -parameterized bisimulation on the environment under various combinators.

Meanwhile, we notice that many metric models are proposed based on the difference of probabilities in which two processes execute the same action [16]. But the influence of environment was not considered in these models. In order to describe the approximation of the complicated software with probabilistic information, we extend parameterized bisimulation to probabilistic setting in order to reflect the environment. First, we extend the environment transition system to probabilistic case. Then, we define parameterized probabilistic bisimulation. Finally, we obtain the -parameterized probabilistic bisimulation based on the probabilities that the environment consumes an action and the processes perform the same action. This point is similar to [14, 16]. Our method is different from the method in [18]. In [18], the state space is equipped with a rich structure, whereas the metric is characterized by probabilistic conditional kernels.

In Section 2, we recall the syntax of CCS and parameterized bisimulation. Parameterized bisimulation index over environment and -parameterized bisimulation are defined in Section 3. Their some algebraic properties are researched in Section 3. In Section 4, the substitutivity laws of -parameterized bisimulation under various operators are proved. In Section 5, parameterized probabilistic bisimulation is proposed and -parameterized probabilistic bisimulation is defined. Furthermore, the congruence of -parameterized probabilistic bisimulation is proved. Our conclusions and future work are presented in Section 6.

#### 2. Preliminaries

##### 2.1. CCS Summary

This section recalls some fundamental concepts and the results of process calculus needed in the subsequent sections. The following definitions mainly come from the book by Ying [27].

We introduce the* names *, the* conames *, and* labels *. range over , range over , range over is defined. We also introduce the silent or perfect action . is defined as the set of* actions*, whereas are defined range over . Furthermore, we introduce set of process variables and set of processes constants. Mapping is a relabeling function if for every We may extend relabeling function to be a mapping from to itself by decreeing that . The syntax of the basic process calculus is presented in the following definition.

*Definition 1 (process expression [28]). *The class of process expressions is the smallest class of symbol strings that satisfies the following conditions:(1).(2)If and , then . .(3)If is an indexing set and , then (4)If , then .(5)If and , then .(6)If and is a relabeling function, then .

The process expressions without process variables are called processes and the class of processes is denoted by For any , we assume that there is a defining equation , such as Constants provide us a mechanism of recursion in the process calculus.

The transitional semantics of the basic calculus is presented in the style of Plotkin’s structural operational semantics [29]. We have the following definition.

*Definition 2 (labeled transition system [7]). *Let be a labeled transition system, where the transition relations are presented by the following rules:

Transitions with strings of labels may be defined in a natural way. If , then we write provided that for some . In this case, we call an action sequence of and is a -derivative of . If for some is a -derivative of , then is called a derivative of .

In the subsequent sections, we mainly consider the restriction of on , where, for each is restriction of on . For simplicity, we always write for .

For example, suppose that a vending machine that sells CocaCola can be described as an expression of CCS:

Its behavior can be expressed as a transition diagram as in Figure 1.