Fair Simulation

The simulation preorder for labeled transition systems is defined locally as a game that relates states with their immediate successor states. Simulation enjoys many appealing properties. First, simulation has a fully abstract semantics: system S simulates system I iff every computation tree embedded in the unrolling of I can be embedded also in the unrolling of S. Second, simulation has a logical characterization: S simulates I iff every universal branching-time formula satisfied by S is satisfied also by I . It follows that simulation is a suitable notion of implementation, and it is the coarsest abstraction of a system that preserves universal branching-time properties. Third, based on its local definition, simulation between finite-state systems can be checked in polynomial time. Finally, simulation implies trace-containment, which cannot be defined locally and requires polynomial space for verification. Hence simulation is widely used both in manual and in automatic verification. Liveness assumptions about transition systems are typically modeled using fairness constraints. Existing notions of simulation for fair transition systems, however, are not local, and as a result, many appealing properties of the simulation preorder are lost. We extend the local definition of simulation to account for fairness: system S fairly simulates system I iff in the simulation game, there is a strategy that matches with each fair computation of I a fair computation of S . Our definition enjoys a fully abstract semantics and has a logical characterization: S fairly simulates I iff every fair computation tree embedded in the unrolling of I can be embedded also in the unrolling of S or, equivalently, iff every Fair-8AFMC formula satisfied by S is satisfied also by I (8AFMC is the universal fragment of the alternation-free -calculus). The locality of the definition leads us to a polynomial-time algorithm for checking fair simulation for finite-state systems with weak and strong fairness constraints. Finally, fair simulation implies fair trace-containment, and is therefore useful as an efficiently-computable local criterion for proving linear-time abstraction hierarchies. In program verification, we check that an implementation satisfies a specification. Both the implementation and the specification describe the possible behaviors of a program at different levels of abstraction. We distinguish between two approaches to satisfaction of a specification by an implementation. In trace-based satisfaction, we require that every linear property (i.e., every property of computation sequences) which holds for the specification holds also for the implementation. In tree-based satisfaction, we require that every branching property (i.e., every property of computation trees) which holds for the specification holds also for the implementation [Pnu85]. If we represent the implementation I and the specification S using state-transition systems, then the formal relation that captures trace-based satisfaction is trace-containment: S trace-contains I iff it is possible to generate by S every sequence of observations that can be generated by I. The notion of trace-containment is robust with respect to linear temporal logics such as LTL, in the sense that S trace-contains I iff every LTL formula that holds for S holds also for I. Unfortunately, it is difficult to check trace-containment (complete for PSPACE [SM73]), and we are unlikely to find an efficient algorithm. The formal relation that captures tree-based satisfaction is tree-containment: S tree-contains I iff it is possible to embed in the unrolling of S every tree of observations that can be embedded in the unrolling of I. The notion of tree-containment is equivalent to the notion of simulation, as defined by Milner [Mil71]: S treecontains I iff S simulates I; that is, we can relate each state of I to a state of S so that two related states i and s agree on their observations and every successor of i is related to some successor of s. This research was supported in part by the SRC contract 95-DC-324.036.